Wednesday, December 22, 2021

Office 365 receives Multi-Tier Cloud Security (MTCS) SS584:2020 Level-3 Certification (2021)

Multi-Tier Cloud Security (MTCS) SS584:2020 Overview


MTCS, a cloud security standard, was developed by the Information Technology Standards Committee (ITSC) in Singapore and published in November 2013 for its first version. The ITSC promotes and facilitates national programs to standardize IT and communications, and Singapore's participation in international standardization activities. Since 2014, Microsoft became one of the first cloud service providers that has received the MTCS certification, for both Microsoft Azure cloud platform and Office 365 services.


In November 2021, Microsoft again successfully attained the Multi-Tier Cloud Security (MTCS) Standard for Singapore Level-3 High Impact certification for Office 365 family of services, this time with the renewed version SS 584:2020. Office 365 services included in scope are:


  • Exchange Online
  • SharePoint
  • Information Protection
  • Microsoft Teams (including Azure Communication Services)
  • Skype for Business
  • Office Online
  • Office Services Infrastructure
  • Microsoft/Office 365 Suite user experience
  • Delve/Loki

MTCS certification blog image.png


This renewed SS 584:2020 standard was approved and published in October 2020. Compared with the last SS 584:2015 standard, the renewed version has major updated requirements including:


  1. List of applicability and compensatory controls with justifications.
  2. Detailed Risk Assessment Requirements that may apply to cloud services.
  3. Third-party providers must receive compliance or attestations to international standards and provide access to the evidence associated.
  4. Security hardening requirements and service availability for Edge Node services that are used for performance enhancement.


By providing the implementation details of the management and technical controls in place along with their supporting evidence, Office 365 was able to demonstrate how its information systems can support the Level 3 confidentiality, integrity, and availability requirements from the standard. This Level 3 certification means that in-scope Office 365 cloud services can host high-impact data for regulated organizations with much stricter security requirements. It's required for certain cloud solution implementations by the Singapore government.


Certification is valid for three years with a yearly surveillance audit conducted:


To whom does the standard apply?


It applies to businesses in Singapore that purchase cloud services requiring compliance with the MTCS standard.


What are the differences between MTCS security levels?


MTCS has a total of 535 controls that cover three levels of security:

  • Level 1 is low cost with a minimum number of required baseline security controls. It is suitable for website hosting, testing and development work, simulation, and non-critical business applications.
  • Level 2 addresses the needs of most organizations that are concerned about data security with a set of more stringent controls targeted at security risks and threats to data. Level 2 is applicable for most cloud usage, including mission-critical business applications.
  • Level 3 is designed for regulated organizations with specific requirements and those willing to pay for stricter security requirements. Level 3 adds a set of security controls to supplement those in Levels 1 and 2. They address security risks and threats in high-impact information systems using cloud services, such as hosting applications with sensitive information and in regulated systems.


How do I get started with my organization's own compliance effort?


The MTCS Certification Scheme provides guidance on audit controls and security requirements.


Can I use Microsoft's compliance in my organization's certification process?


Yes. If you have a requirement to certify your services built on these Microsoft cloud services, you can use the MTCS certification to reduce the impact of auditing your IT infrastructure. However, you are responsible for engaging an assessor to evaluate your implementation for compliance, and for the controls and processes within your own organization.


Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected

Posted at