SSPA will no longer allow exemptions of Section J-Security (18 controls) for SOC2 reports

Microsoft’s SSPA and SOC2 Reports Exemptions


If your company deals with SSPA and SOC2 for security assurance, you need to read this now! 


Starting December 2021, Microsoft will no longer accept SOC2 reports to allow exemptions from conducting Section J – Security, consisting of 18 key controls. Previously, if you had successfully completed the American Institute of Certified Public Accountants (AICPA) SOC2 – Security report, Microsoft allowed you to leverage this for an exemption when completing your annual Microsoft Supplier Security and Privacy Assurance (SSPA) assessment. 


This notice was first sent out in November 2020 and is being reaffirmed to remind everyone involved in the SSPA program that the changes take effect in December 2021. Section J accounts for 18 of the 53 SSPA controls, which is ⅓ of the SSPA controls. This means your organization will now need to conduct an independent SSPA assessment of those 18 security controls even if you have a SOC2 report.


What happens now? 


Suppliers can choose between two viable options for independent security assurance: an Independent Assessment conducted by a Preferred Assessor, or an ISO 27001 certification or, if applicable to your organization, PCI DSS. 


Since the SOC2 Type 2 report does not map closely to the specific security standards in the Microsoft Supplier Data Protection Requirements (DPR), SSPA suppliers can no longer use it to claim an exemption from Section J – Security (18 controls). Instead, suppliers can use SOC2 as an additional security measure and as a tool to ensure that everything and everyone remains compliant. 


Things to Remember 


One important thing to remember is that the engagement must be performed by an assessor with sufficient technical training and knowledge of the subject to adequately assess compliance. The assessor must also use the most current DPR, which includes the evidence required to support each requirement. Note that the scope of the assessment engagement is limited to the Microsoft Personal Data or Microsoft Confidential Data in connection with that supplier’s Performance.


The assessor that you hire needs to be affiliated with the International Federation of Accountants (IFAC) or the American Institute of Certified Public Accountants (AICPA). If this is not the case, they need to possess certifications from relevant privacy and security organizations like the International Association of Privacy Professionals (IAPP) or the Information Systems Audit and Control Association (ISACA). 


Review the SSPA Program Guide to make sure that your company meets the criteria for independent assurance, and visit the SupplierWeb to find out when SSPA compliance activity will be issued. If an ISO27001 certification is in the works, plan ahead, since it requires a lot of tasks to accomplish. 


How can we help?


As an MSFT Preferred Assessor, Connor has you covered. Microsoft will still accept an ISO27001 certification and a PCI-DSS ROC. Connor doesn’t ISO certify, but we can definitely help with ISO readiness. Connor does not do Payment Card Industry Data Security Standard Report on Controls (PCI-DSS ROCs). 


Connor can also help you get ahead of the competition by improving your current compliance program with ISO27001 and SOC2 compliance coaching. With SOC2 and ISO27001 included in your certifications, your company will have a definite advantage over the competition. 


Let us help you adopt a stronger security and data privacy baseline. If you would like to speak with our GRC experts for a complimentary consultation, please contact us at or set up a free consultation at