Assessment Report

Microsoft Office 365

Assessment dates 02/14/2020 to 02/22/2020 (Please refer to Appendix for details)


Assessment Location(s) Redmond (001)
Report Author Dennis Cunanan
Assessment Standard(s) ISO/IEC 27017:2015, ISO/IEC 27001:2013, ISO IEC 27018

Page 1 of 28
Assessment Report.

Table of contents
- Executive Summary
- Changes in the organization since last assessment
- NCR summary graphs
- Your next steps
  - NCR close out process
- Assessment objective, scope and criteria
  - Statutory and regulatory requirements
- Assessment Participants
- Assessment conclusion
- Findings from this assessment
  - Arrived at Client & Opening meeting, Review audit plan
  - Context of the Organization
  - ISMS Scope and Coverage
  - Information Security Policy
  - Information Security Objectives
  - Management review
  - Information Security Risk Assessment Process, Information Security Risk Treatment Process, and Statement of Applicability (SOA)
  - Internal Audit
  - Nonconformity and Corrective Action
  - Documented Information (ISMS Documentation, ISMS Records)
  - Information security incident management
  - Technical vulnerability management
  - Change management (EXO)
  - Asset Management
  - User access management
  - Cryptography
  - ISO 27018:2019 Annex A Public cloud PII processor extended control set for PII protection
  - ISO/IEC 27017:2015 Information Security Controls for Cloud Services
- Next visit objectives, scope and criteria
- Next Visit Plan
- Appendix: Your certification structure & ongoing assessment programme
  - Scope of Certification
  - Assessed location(s)
  - Certification assessment program
  - Definitions of findings
  - How to contact BSI
  - Notes
  - Regulatory compliance

Executive Summary
Overall, the information security management system was implemented as planned and the intended results were achieved. All areas scheduled for this continuing assessment visit as per the audit plan were reviewed and found to be effectively implemented. No nonconformities were noted during this assessment.

Changes in the organization since last assessment


There has been no significant change to the organization structure or to the key personnel involved in the audited management system.

No change to the audited organization's activities, products or services covered by the scope of certification was identified.

There was no change to the reference or normative documents related to the scope of certification.

NCR summary graphs


There have been no NCRs raised.

Your next steps

NCR close out process

There were no outstanding nonconformities to review from previous assessments.


No new nonconformities were identified during the assessment. Enhanced detail relating to the overall
assessment findings is contained within subsequent sections of the report.

Please refer to Assessment Conclusion and Recommendation section for the required submission and the
defined timeline.

Assessment objective, scope and criteria


The objective of the assessment was to conduct a surveillance assessment and look for positive evidence that the elements of the scope of certification and the requirements of the management standard are effectively addressed by the organisation's management system, and that the system is demonstrating the ability to support the achievement of statutory, regulatory and contractual requirements and the organisation's specified objectives, as applicable with regard to the scope of the management standard. A further objective was to confirm the on-going achievement and applicability of the forward strategic plan and, where applicable, to identify potential areas for improvement of the management system.

The scope of the assessment is the documented management system with relation to the requirements of
ISO/IEC 27001:2013, ISO/IEC 27018:2019, and ISO/IEC 27017:2015 and the defined assessment plan
provided in terms of locations and areas of the system and organisation to be assessed.

ISO/IEC 27001:2013, ISO/IEC 27018:2019, and ISO/IEC 27017:2015


Microsoft Office 365 management system documentation

Statutory and regulatory requirements


The process for identifying relevant statutory and regulatory requirements is handled by the legal group (CELA). Meeting minutes from CELA dated June 12, 2019 were presented. Weekly meetings are held to discuss updates.

No findings. The implementation was found to be effective.

Assessment Participants

Name               Position               Opening Meeting   Closing Meeting   Interviewed (processes)
Patricia Anderson  Program Manager Lead   X                 X                 X

Assessment conclusion
BSI assessment team

Name Position
Dennis Cunanan Team Leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team
concludes based on the results of this audit that the organization does fulfil the standards and audit criteria
identified within the audit report and it is deemed that the management system continues to achieve its
intended outcomes.

RECOMMENDED - The audited organization can be recommended for continued certification to the above listed standards, and has been found in general compliance with the audit criteria as stated in the above-mentioned audit plan.

Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.

Findings from this assessment

Arrived at Client & Opening meeting, Review audit plan:


There are no significant changes since the last visit.
Reviewed the Office 365 ISMS Management Review, February 2020.
There were no publicly reportable information security breaches.
Reviewed the CAV audit plan; no changes noted.

Context of the Organization:


Confirmed the process for determining internal and external issues that could affect the ISMS. These issues
are discussed with the CISO and Group Program Manager for Governance, Risk and Compliance. Evidence
presented dated February 10, 2020 (Enterprise Management), Connects (Annual Review).

No findings. The implementation was found to be effective.

ISMS Scope and Coverage:


The management of Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance
with the Statement of Applicability dated October 18, 2018.

The following services are in the ISMS scope:


- Exchange Online (EXO)
- Skype for Business (SfB)
- Sharepoint Online (SPO)
- Exchange Online Protection (EOP)
- Microsoft Teams
- Yammer

Support services are also included in the ISMS scope:


- Office Services Infrastructure (OSI)
- Suite User Experience (SUE)
- Office Online
- Customer Lockbox
- Centralized Infrastructure
- Microservices

The head office is located in Redmond, WA; there is one further location in München, Germany.

No findings. The implementation was found to be effective.

Information Security Policy:


O365 still adheres to the Microsoft Corporate Security Program Policy Dated January 2, 2020. Confirmed
communication to staff as part of the awareness campaign.

No findings. The implementation was found to be effective.

Information Security Objectives:


Reviewed and confirmed the information security objectives established for the ISMS. Reviews are performed monthly (service, security, engineering).
Sample:
- Measure and drive the security of services and products across the organization through security bug tracking;
- Additional service security metrics (such as unpatched servers), tracked in the monthly reviews;
- Target zero overdue critical bugs.

Continuous monitoring is in place to track information security performance.

No findings. The implementation was found to be effective.

Management review:
Reviewed and confirmed the process for reviewing ISMS performance. ERM meetings are held annually and Monthly Service Reviews (MSR) are held monthly.
Sampled evidence:
- Presentation dated November 21, 2019;
- Presentation dated January 16, 2020.

ISMS-related requirements were discussed at these meetings (e.g. incidents, availability requirements, external requirements, etc.).

No findings. The implementation was found to be effective.

Information Security Risk Assessment Process, Information Security Risk Treatment Process, and Statement of Applicability (SOA):
O365 maintains its information security risk assessment and treatment process. Reviewed the Compliance Management Framework and the Risk Program Goals. An annual risk assessment is performed (enterprise, business, operational, etc.); the most recent risk assessment was performed on October 14, 2019. Reviewed and confirmed the availability of risk assessment reports. Results of the risk assessments and action items are discussed at the annual ERM meeting. In addition to the annual ERM meeting, quarterly risk reviews are also performed. The next risk assessment is scheduled for September 2020.

Evidential documents reviewed:
- 2019 Annual Risk Assessment Version 1.0, dated September 2019
- Risk Registers, Decision Logs, etc.
- Risk Management SOP Office 365 Trust, dated February 2020
- Office 365 Risk Management Presentation

O365 maintains the Statement of Applicability dated February 19, 2020. The SOA incorporates ISO/IEC 27018:2019 Security and Privacy Controls for the protection of personally identifiable information (PII) and ISO/IEC 27017:2015 Information Security Controls for Cloud Services. It was noted that all controls were considered applicable. Justification for the inclusion of controls was documented in the Statement of Applicability. This was assessed and found to be acceptable and applicable to the company's current operation.

No findings. The implementation was found to be effective.

Internal Audit:
Reviewed and confirmed the internal ISMS audit process for O365. Several internal assessments of O365's ISMS processes were performed. Reviewed the internal audit report dated November 21, 2019. Internal audit findings are discussed in meetings (e.g. ERM, MSRs, etc.).

O365 has also established an audit calendar that covers the different assessments scheduled (e.g. HITRUST, FedRAMP audit, SOC, etc.).

Other reports reviewed:

- O365 SOC Bridge Letter Q4 2019 (December 31, 2019)
- Office 365 Core - SSAE 18 SOC 3 Report dated September 30, 2019
- Microsoft Office 365 Service Organization Controls Report dated October 1, 2018 through September 30, 2019

No findings. The implementation was found to be effective.

Nonconformity and Corrective Action:


Reviewed and confirmed the nonconformity and corrective action process. Issues related to the ISMS are
managed and recorded in Azure DevOps and Issue Manager. Reviewed sampled issues #17296, #17294,
#17291, #66381. Action plans & follow-ups were documented.

No findings. The implementation was found to be effective.

Documented Information (ISMS Documentation, ISMS Records):


Reviewed and confirmed the process for controlling ISMS documentation and records. ISMS documentation is maintained in SharePoint. O365 has established an annual review of policies and standards as per PM-0104.

The process for controlling ISMS records was reviewed. O365 has implemented the Data Handling Standards dated January 17, 2020, which cover record categories such as Customer Content and End-User Identifiable Information. Retention periods are defined.

No findings. The implementation was found to be effective.

Information security incident management:


Reviewed and confirmed the O365 information security incident management process. The M365 Federated Security Response Model has been established and is managed by O365 Security Operations. The Security Response SOP dated March 1, 2019 was also available. Daily meetings are held to discuss incidents, and meeting minutes are maintained.

Reviewed Sampled Tickets:


- #166065595 Dated January 8, 2020 (SIR0843135)
- #163542454 Dated December 17, 2019.
- #173952116 Dated February 4, 2020 (SIR 0936050)

No findings. The implementation was found to be effective.

Technical vulnerability management:


Reviewed and confirmed the process for managing technical vulnerabilities. O365 has established the Vulnerability Management Process & Responsibilities. Vulnerability scanning is performed to identify missing patches, insecure configurations, application vulnerabilities, etc. KPIs based on severity have also been established. O365 has an exception process in place; exception reviews are performed weekly.

No findings. The implementation was found to be effective.

Change management (EXO):


Reviewed and confirmed the O365 change management process, sampling the process for Exchange Online (EXO). Changes are released on one of three trains according to urgency: Regular train (2-3 weeks), Fast train (1-2 days), Emergency train (8-24 hours). Dashboards are available to review the progression of change tickets. Reviewed sampled change tickets #407786, #398704, #411285; approval prior to change was evidenced in each.

No findings. The implementation was found to be effective.

Asset Management:
Reviewed and confirmed the asset management process for O365. Inventories of hardware and logical assets are maintained, and the inventory process was found to be effective.

O365 has established Asset Lifecycle Management (Hardware Order Tracking, New Capacity Provisioning, Upgrade Orchestration, Hardware Removal). Assets are tracked in MS Assets (e.g. #3310525, #4570277, #4250624, #4813076, #4568202).

O365 has established the Data Handling Standards. Information classification labels are defined as HBI, MBI and LBI (High, Medium and Low Business Impact).

No findings. The implementation was found to be effective.

User access management:


Reviewed and confirmed the user access management process, which was found to be effective based on the evidence reviewed. Approval is required before access is granted. The Account & Identity Management platform is used for all user access requests. Just-in-time and just-enough-access principles are implemented. Access logs are reviewed and maintained.

No findings. The implementation was found to be effective.

Cryptography:
Reviewed and confirmed the O365 encryption process, which was noted to be effective. Automated monitoring is in place for TLS/SSL certificate expiry. Reviewed the TLS Configuration Standard, Office 365 Foundations Security Services (December 2018).

No findings. The implementation was found to be effective.

ISO 27018:2019 Annex A Public cloud PII processor extended control set for PII protection:
A.1 General
No additional controls are relevant to this clause; it is informational.

A.2 Consent and choice


A.2.1 Obligation to co-operate regarding PII principals’ rights
Cloud service customers are able to access and control their data through the standard protocols and access mechanisms defined within the service (e.g. Admin Portal and IW Portal settings).

Reviewed the Microsoft Privacy Statement as of February 2020, and the Trust Center (GDPR Data Subject Request).

A.3 Purpose legitimacy and specification


A.3.1 Public cloud PII processor's purpose
Reviewed the Microsoft Online Services Terms (January 2020) and the Microsoft Online Services Data Protection Addendum (DPA) (January 2020), Ownership section. Data is not used for advertising or similar commercial purposes.

A.3.2 Public cloud PII processor's commercial use

Reviewed the Microsoft Online Services Terms (January 2020) and the Microsoft Online Services Data Protection Addendum (DPA) (January 2020), Ownership section. Data is not used for advertising or similar commercial purposes.
Strict requirements for the handling of data are defined in the Data Handling Standards (DHS).

A.4 Collection limitation


No additional controls are relevant to this privacy principle.

A.5 Data minimization


A.5.1 Secure erasure of temporary files
Deletion of temporary files varies depending on how the temporary files are created, whether by the OS or by services.

A.6 Use, retention and disclosure limitation


A.6.1 PII disclosure notification
Reviewed the Microsoft Online Service Data Protection Addendum (January 2020). Microsoft will not
disclose Customer Data outside of Microsoft or its controlled subsidiaries and affiliates except (1) as
Customer directs, (2) as described in the OST, or (3) as required by law.

Reviewed Microsoft Online Services Terms (January 2020). Microsoft will not disclose Customer Data to law
enforcement unless required by law. If law enforcement contacts Microsoft with a demand for Customer
Data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from
Customer. If compelled to disclose Customer Data to law enforcement, Microsoft will promptly notify
Customer and provide a copy of the demand unless legally prohibited from doing so.

Microsoft has a Law Enforcement and National Security Global Fulfillment (LENS_GF) team.

A.6.2 Recording of PII disclosures

Microsoft's Law Enforcement and National Security Global Fulfillment (LENS_GF) team receives, validates and may respond to government entity demands and requests for Customer Data in compliance with the jurisdiction in which the data is hosted. LENS GF retains records of all disclosures.

A.7 Accuracy and quality


No additional controls are relevant to this privacy principle.

A.8 Openness, transparency and notice


A.8.1 Disclosure of sub-contracted PII processing
Reviewed the Microsoft Online Service Data Protection Addendum (January 2020) and the Sub-processors list, which is available and transparent to all cloud service customers. Microsoft has a routine in place to inform cloud service customers in a timely fashion of any intended changes in this regard.

The information disclosed also includes the countries in which sub-contractors can process data. The contracts between Microsoft and sub-contractors that process PII specify the minimum technical and organizational measures that meet the information security and PII protection obligations of the public cloud PII processor.

A.9 Individual participation and access


No additional controls are relevant to this privacy principle.

A.10 Accountability
A.10.1 Notification of a data breach involving PII
Reviewed the Microsoft Online Service Data Protection Addendum (January 2020). The public cloud PII processor should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII, or unauthorized access to processing equipment or facilities, resulting in loss, disclosure or alteration of PII. Microsoft has this routine defined in its "Incident Management" process and its GDPR data breach notification procedure, which include the roles and responsibilities.

A.10.2 Retention period for administrative security policies and guidelines


Copies of security policies and operating procedures are retained for a specified, documented period on replacement and update. Reviewed the Microsoft Corporate Document Retention Schedule dated April 1, 2016.

A.10.3 PII return, transfer and disposal


Microsoft has a policy for the return, transfer and/or disposal of PII. It is available to cloud service customers and is documented in the Microsoft Online Service Data Protection Addendum (January 2020) and the O365 Data Handling Standard.

A.11 Information security


A.11.1 Confidentiality or non-disclosure agreements
O365 personnel are subject to the Microsoft Confidential Information Policy and Non-Disclosure Policy, whose obligations form part of the Microsoft Employee Agreement. Verified the Confidential Information Policy (effective date: November 1, 2016) and the Non-Disclosure Policy (dated August 1, 2016). Reviewed the PO Terms and Conditions document.

A.11.2 Restriction of the creation of hardcopy material


Microsoft imposes restrictions on printing Customer Data and has procedures for disposing of printed
materials that contain Customer Data. Reviewed the Microsoft Online Service Data Protection Addendum
(January 2020).

A.11.3 Control and logging of data restoration


Cloud customer data is replicated in real time across geo-regions. Cloud service customers can restore their own data. Reviewed Control Framework CP-9501 Logging Data Restoration Efforts.

A.11.4 Protecting data on storage media leaving the premises


The O365 group does not use any storage media that may contain PII.

A.11.5 Use of unencrypted portable storage media and devices


The O365 group does not use any storage media that may contain PII.

A.11.6 Encryption of PII transmitted over public data-transmission networks


O365 encrypts cloud customer data in transit and at rest. O365 uses FIPS 140-2 validated cryptographic modules, with cipher suites that include integrity protection, for customer connections, interconnected system connections, and remote access connections to O365.
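The Cryptography section and A.11.6 above describe a TLS configuration standard and FIPS 140-2 validated cryptography for customer connections. As an added example (not code from this report or from Microsoft), the following Python builds a server-side TLS context that pins a protocol floor and a forward-secret, AEAD-only suite list, and audits any SSLContext against that policy. The thresholds (TLS 1.2 minimum, ECDHE/DHE key exchange, AEAD suites, 128-bit keys) and the legacy suite sample are assumptions for the example, not the page's standard. FIPS 140-2 validation is a property of the cryptographic module build; a configuration check like this cannot verify it and only confirms the settings layered on top of the module.

```python
import ssl

# Policy thresholds are assumptions for this example, modelled on a typical TLS
# baseline (TLS 1.2 floor, forward-secret key exchange, AEAD-only suites, >= 128-bit
# keys). They are not the page's TLS Configuration Standard.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}   # kx-any is how TLS 1.3 suites report
MIN_STRENGTH_BITS = 128


def hardened_server_context() -> ssl.SSLContext:
    """The corrected setting: pin the protocol floor and an ECDHE + AEAD suite list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    # OpenSSL cipher-string syntax: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305,
    # plus an explicit deny list for anonymous, null, MD5, RC4 and 3DES suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_ciphers(ciphers):
    """Check cipher dicts in the shape SSLContext.get_ciphers() returns; list findings."""
    findings = []
    for c in ciphers:
        if c["kea"] not in FORWARD_SECRET_KEA:
            findings.append(f"{c['name']}: key exchange {c['kea']} gives no forward secrecy")
        if not c["aead"]:
            findings.append(f"{c['name']}: not an AEAD suite (separate MAC, CBC-era)")
        if c["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(f"{c['name']}: only {c['strength_bits']}-bit cipher strength")
    return findings


def audit_context(ctx: ssl.SSLContext):
    """Audit a live SSLContext: the protocol floor first, then every suite it would offer."""
    findings = []
    # minimum_version is whatever the interpreter/OpenSSL build defaults to unless the
    # standard pins it; the check makes the floor explicit instead of inherited.
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, below TLSv1_2")
    return findings + audit_ciphers(ctx.get_ciphers())


# The weak setting, as a constructed sample in the get_ciphers() dict shape: a legacy
# RSA-key-exchange CBC suite that an unpinned context on an old build might still offer.
LEGACY_SUITE_SAMPLE = [{
    "id": 0x0300002F, "name": "AES128-SHA", "protocol": "TLSv1.0",
    "description": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",
    "strength_bits": 128, "alg_bits": 128, "aead": False,
    "symmetric": "aes-128-cbc", "digest": "sha1", "kea": "kx-rsa", "auth": "auth-rsa",
}]


if __name__ == "__main__":
    print("hardened context:", audit_context(hardened_server_context()) or "no findings")
    print("legacy sample:", audit_ciphers(LEGACY_SUITE_SAMPLE))
```

`audit_context` can be pointed at the context a service actually hands to its listener, so the check runs against the configuration in effect rather than against a document describing it; an empty findings list is the pass condition a standard's compliance check would report.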

A.11.7 Secure disposal of hardcopy materials


O365 personnel adhere to Microsoft record management policy, retention policies and schedule. Secured
shredding bins were available in the mail/copy rooms on each floor in Microsoft buildings.

A.11.8 Unique use of user IDs


Unique user names (alias, SID) are used to enforce accountability by tying user actions to a specific person (Active Directory and Azure Active Directory (AAD)).

A.11.9 Records of authorized users


O365 access is based on role-based access controls. Reviewed the TORUS implementation. JIT access is requested on a need basis and requires approval from a senior manager.

A.11.10 User ID management


User account access is reviewed and renewed where needed. User accounts that no longer need access are automatically disabled. The access control system synchronizes automatically with the HR system to ensure all requirements are met before access is granted.
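The User access management section, A.11.9 and A.11.10 above describe approval-gated, just-in-time and just-enough access, and automatic disabling of accounts through HR synchronization. As an added example (not the report's or Microsoft's code; the Account & Identity Management platform and TORUS are not modelled), the following Python shows the two mechanisms side by side: a reconciliation that lists enabled directory accounts with no active HR record, and a JIT broker that issues time-boxed, role-scoped grants only when an active senior manager other than the requester approves. The roster, account list, field names and the 4-hour TTL cap are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data. Field names, and the rule that a JIT approver must be an
# active senior manager other than the requester, are assumptions for this example.
HR_ROSTER = {
    "alice": {"status": "active",     "senior_manager": True},
    "bob":   {"status": "terminated", "senior_manager": False},
    "carol": {"status": "active",     "senior_manager": False},
}
DIRECTORY_ACCOUNTS = {
    "alice": {"enabled": True},
    "bob":   {"enabled": True},    # left the company but still enabled: disable
    "carol": {"enabled": True},
    "dave":  {"enabled": True},    # no HR record at all: disable
}


def accounts_to_disable(directory, hr):
    """HR-to-directory reconciliation: enabled accounts lacking an active HR record."""
    return sorted(
        user for user, acct in directory.items()
        if acct["enabled"] and hr.get(user, {}).get("status") != "active"
    )


@dataclass(frozen=True)
class JitGrant:
    user: str
    role: str
    approver: str
    granted_at: datetime
    expires_at: datetime

    def active(self, now):
        return self.granted_at <= now < self.expires_at


class JitBroker:
    """Issues time-boxed, role-scoped grants; there is no standing access."""

    def __init__(self, hr, max_ttl=timedelta(hours=4)):
        self.hr = hr
        self.max_ttl = max_ttl      # assumption: no grant may outlive this
        self.grants = []

    def request(self, user, role, approver, now, ttl=timedelta(hours=1)):
        requester, mgr = self.hr.get(user), self.hr.get(approver)
        if not requester or requester["status"] != "active":
            raise PermissionError(f"{user} is not an active employee")
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if not mgr or mgr["status"] != "active" or not mgr["senior_manager"]:
            raise PermissionError(f"{approver} cannot approve JIT access")
        ttl = min(ttl, self.max_ttl)   # just enough in time as well as in scope
        grant = JitGrant(user, role, approver, now, now + ttl)
        self.grants.append(grant)
        return grant

    def has_access(self, user, role, now):
        return any(g.user == user and g.role == role and g.active(now)
                   for g in self.grants)


def jit_scenario():
    """Worked run on the constructed data; returns the outcome of each check."""
    now = datetime(2020, 2, 19, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(HR_ROSTER)
    broker.request("carol", "exo-admin", "alice", now)
    capped = broker.request("carol", "spo-admin", "alice", now, ttl=timedelta(days=7))
    results = {
        "carol_exo_now":    broker.has_access("carol", "exo-admin", now + timedelta(minutes=30)),
        "carol_exo_later":  broker.has_access("carol", "exo-admin", now + timedelta(hours=2)),
        "carol_other_role": broker.has_access("carol", "teams-admin", now),
        "ttl_capped_hours": (capped.expires_at - capped.granted_at) / timedelta(hours=1),
    }
    denied_cases = {
        "terminated_requester": ("bob",   "exo-admin", "alice"),
        "self_approval":        ("alice", "exo-admin", "alice"),
        "non_senior_approver":  ("alice", "exo-admin", "carol"),
    }
    for label, (user, role, approver) in denied_cases.items():
        try:
            broker.request(user, role, approver, now)
            results[label] = "granted"
        except PermissionError:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    print("accounts to disable:", accounts_to_disable(DIRECTORY_ACCOUNTS, HR_ROSTER))
    for label, outcome in jit_scenario().items():
        print(f"{label}: {outcome}")
```

The reconciliation treats "no HR record" the same as "terminated", which is the safe default: an account nobody in HR vouches for is disabled rather than left standing. The broker checks the requester before the approver so a terminated employee cannot be granted anything even with a valid approval.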

A.11.11 Contract measures


Reviewed the Microsoft Online Service Data Protection Addendum (January 2020), which outlines Microsoft's security commitments to protect Customer Data.

A.11.12 Sub-contracted PII processing


Reviewed the Microsoft Supplier Data Protection Requirements, which are publicly available. Reviewed the Microsoft Supplier Program, which specifies the requirements sub-contractors must meet to become SSPA compliant. Sampled vendor: Accenture.

A.11.13 Access to data on pre-used data storage space


Separate tenant instances are implemented and tenant IDs are assigned. When a tenant leaves, its tenant space is destroyed.

A.12 Privacy compliance


A.12.1 Geographical location of PII
It was evidenced that Microsoft specifies and documents the countries in which PII can possibly be stored and is prepared to inform the cloud service customer in a timely fashion of any intended changes in this regard.

A.12.2 Intended destination of PII


The PII transmitted using a data-transmission network is subject to controls designed to ensure that data
reaches its intended destination. Reviewed the Trust Center site.

No findings. The implementation was found to be effective.

ISO/IEC 27017:2015 Information Security Controls for Cloud Services:

CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment


Reviewed and confirmed O365 Admin Guide. Roles and responsibilities are documented and communicated
to cloud service customers. Responsibilities of cloud service customers were documented.

CLD.8.1.5 Removal of cloud service customer assets


Service termination process was established. O365 provides detailed information about the arrangements
for the return and removal of any cloud service customer's assets upon termination of the agreement for
the use of a cloud service.

CLD.9.5.1 Segregation in virtual computing environments


O365 implements logical tenant isolation.

CLD.9.5.2 Virtual machine hardening


Virtual machine hardening is part of Microsoft Azure process.

CLD.12.1.5 Administrator's operational security


O365 has provided technical training materials available to cloud service customers.

CLD.12.4.5 Monitoring of cloud services


The Office 365 Management Activity API is available to cloud service customers.
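The Management Activity API is the feed a cloud service customer would consume to monitor its own tenant. As an added example (not code from this report or from Microsoft), the following Python runs one detection over constructed audit records laid out like the API's Exchange events: inbox rules or mailbox settings that forward mail to a domain outside the tenant, a common post-compromise persistence step. The records, tenant domain, identities and IP addresses are invented; the field names follow the API's common schema (Id, CreationTime, RecordType, Workload, Operation, UserId, ClientIP, ObjectId) and the Exchange cmdlet Parameters array.

```python
import json

# Constructed sample records laid out like Office 365 Management Activity API Exchange
# events (RecordType 1 = ExchangeAdmin, 6 = SharePointFileOperation). Identities,
# tenant domain and IP addresses are invented for this example.
SAMPLE_AUDIT_JSON = """[
 {"Id": "c1", "CreationTime": "2020-02-19T08:12:44", "RecordType": 1, "Workload": "Exchange",
  "Operation": "New-InboxRule", "UserId": "pat@contoso.example", "ClientIP": "203.0.113.7",
  "ResultStatus": "True", "ObjectId": "pat@contoso.example",
  "Parameters": [{"Name": "Name", "Value": "Invoices"},
                 {"Name": "ForwardTo", "Value": "billing@contoso.example"}]},
 {"Id": "c2", "CreationTime": "2020-02-19T08:13:02", "RecordType": 1, "Workload": "Exchange",
  "Operation": "New-InboxRule", "UserId": "pat@contoso.example", "ClientIP": "198.51.100.23",
  "ResultStatus": "True", "ObjectId": "pat@contoso.example",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "ForwardAsAttachmentTo", "Value": "drop@mail-collector.example"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"Id": "c3", "CreationTime": "2020-02-19T08:20:10", "RecordType": 1, "Workload": "Exchange",
  "Operation": "Set-Mailbox", "UserId": "admin@contoso.example", "ClientIP": "198.51.100.23",
  "ResultStatus": "True", "ObjectId": "sam@contoso.example",
  "Parameters": [{"Name": "Identity", "Value": "sam"},
                 {"Name": "ForwardingSmtpAddress", "Value": "smtp:sam.archive@mail-collector.example"},
                 {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
 {"Id": "c4", "CreationTime": "2020-02-19T08:25:00", "RecordType": 6, "Workload": "SharePoint",
  "Operation": "FileDownloaded", "UserId": "pat@contoso.example", "ClientIP": "203.0.113.7",
  "ObjectId": "https://contoso.example/sites/finance/q4.xlsx"}
]"""

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's own mail domains

# Exchange cmdlet parameters through which mail leaves a mailbox automatically.
# Set-Mailbox -ForwardingAddress takes a directory recipient rather than an SMTP
# address and would need a directory lookup, so it is not covered here.
FORWARDING_PARAMETERS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox":   {"ForwardingSmtpAddress"},
}


def load_records(text):
    return json.loads(text)


def _parameters(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _addresses(value):
    """Yield SMTP addresses from a parameter value ('smtp:' prefix, ';'-separated lists)."""
    for part in str(value).split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if part:
            yield part


def external_forwarding(records, internal_domains):
    """Return one hit per forwarding target whose domain is outside the tenant."""
    hits = []
    for r in records:
        watched = FORWARDING_PARAMETERS.get(r.get("Operation"))
        if r.get("Workload") != "Exchange" or not watched:
            continue
        params = _parameters(r)
        for name in sorted(watched & params.keys()):
            for addr in _addresses(params[name]):
                domain = addr.rpartition("@")[2].lower()
                if domain and domain not in internal_domains:
                    hits.append({
                        "id": r["Id"], "time": r["CreationTime"], "actor": r["UserId"],
                        "client_ip": r.get("ClientIP"), "mailbox": r.get("ObjectId"),
                        "operation": r["Operation"], "parameter": name, "target": addr,
                    })
    return hits


if __name__ == "__main__":
    for hit in external_forwarding(load_records(SAMPLE_AUDIT_JSON), INTERNAL_DOMAINS):
        print(f"{hit['time']} {hit['actor']} {hit['operation']} {hit['parameter']}={hit['target']}"
              f" from {hit['client_ip']}")
```

On the constructed input the internal forward (c1) is ignored, the rule forwarding to `mail-collector.example` and the mailbox-level `ForwardingSmtpAddress` are both reported, and the SharePoint record never reaches the parameter check. In production the same function would run over each content blob fetched from the API; keeping the actor and ClientIP in the hit lets the triage compare them with the user's usual sign-in locations.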

CLD.13.1.4 Alignment of security management for virtual and physical networks
Virtual networks are inherently different from physical networks; however, the same policy requirements for security and cryptography apply to their design and creation in the O365 environment.

No findings. The implementation was found to be effective.

Next visit objectives, scope and criteria


The objective of the assessment is to conduct a re-assessment of the existing certification to ensure the
elements of the proposed scope of registration and the requirements of the management standard are
effectively addressed by the organisation's management system.

The scope of the assessment is the documented management system with relation to the requirements of
ISO/IEC 27001:2013, ISO/IEC 27018:2019, and ISO/IEC 27017:2015 and the defined assessment plan
provided in terms of locations and areas of the system and organisation to be assessed.

ISO/IEC 27001:2013, ISO/IEC 27018:2019, and ISO/IEC 27017:2015


Microsoft Office 365 management system documentation

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of
the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration that a
deputy management representative be nominated. It is expected that the deputy would stand in should
the management representative find themselves unavailable to attend an agreed visit within 30 days of its
conduct.

Next Visit Plan


The CCM will create the Re-Certification Audit Plan in a separate document.

Appendix: Your certification structure & ongoing assessment programme

Scope of Certification

IS 552878 (ISO/IEC 27001:2013)


The management of Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance
with the Statement of Applicability dated February 19, 2020.

PII 663484 (ISO IEC 27018)


The management of Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance
with the Statement of Applicability dated February 10, 2020 (ref. ISO 27001:2013 certificate number IS
552878).

CLOUD 663485 (ISO/IEC 27017:2015)


The management of Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance
with the Statement of Applicability dated February 10, 2020 (ref. ISO 27001:2013 certificate number IS
552878).

Assessed location(s)

The audit has been performed at Central Office.

Redmond / CLOUD 663485 (ISO/IEC 27017:2015)

Location reference: 0047358928-001
Address: Microsoft Office 365, 1 Microsoft Way, Redmond, Washington 98052-8300, USA
Visit type: Continuing assessment (surveillance)
Assessment reference: 8988108
Assessment dates: 02/19/2020
Deviation from Audit Plan: No
Total number of Employees: 35
Effective number of Employees: 35
Scope of activities at the site: The management of Information Security Management System (ISMS) for Microsoft Office 365 Services development, operations, support, and protection of personally identifiable information (PII) in accordance with the Statement of Applicability dated February 10, 2020 (ref. ISO 27001:2013 certificate number IS 552878).
Assessment duration: 1 Day(s)

Redmond / IS 552878 (ISO/IEC 27001:2013)

Location reference: 0047358928-001
Address: Microsoft Office 365, 1 Microsoft Way, Redmond, Washington 98052-8300, USA
Visit type: Continuing assessment (surveillance)
Assessment reference: 8971196
Assessment dates: 02/20/2020
Deviation from Audit Plan: No
Total number of Employees: 35
Total persons doing work at this site: 35
Scope of activities at the site: The management of Information Security Management System (ISMS) for Microsoft Office 365 Services development, operations, support, and protection of personally identifiable information (PII) in accordance with the Statement of Applicability dated February 19, 2020.
Assessment duration: 2.5 Day(s)

Redmond / PII 663484 (ISO IEC 27018)

Location reference: 0047358928-001
Address: Microsoft Office 365, 1 Microsoft Way, Redmond, Washington 98052-8300, USA
Visit type: Continuing assessment (surveillance)
Assessment reference: 8988107
Assessment dates: 02/18/2020
Deviation from Audit Plan: No
Total number of Employees: 35
Effective number of Employees: 35
Scope of activities at the site: The management of Information Security Management System (ISMS) for Microsoft Office 365 Services development, operations, support, and protection of personally identifiable information (PII) in accordance with the Statement of Applicability dated February 10, 2020 (ref. ISO 27001:2013 certificate number IS 552878).
Assessment duration: 1 Day(s)

Redmond / IS 552878 (ISO/IEC 27001:2013)

Location reference: 0047358928-001
Address: Microsoft Office 365, 1 Microsoft Way, Redmond, Washington 98052-8300, USA
Visit type: Programme Management
Assessment reference: 3154945
Assessment dates: 02/14/2020
Deviation from Audit Plan: No
Total number of Employees: 35
Total persons doing work at this site: 35
Scope of activities at the site: The management of Information Security Management System (ISMS) for Microsoft Office 365 Services development, operations, support, and protection of personally identifiable information (PII) in accordance with the Statement of Applicability dated February 19, 2020.
Assessment duration: 0.5 Day(s)


Certification assessment program

Certificate Number - IS 552878


Location reference - 0047358928-001

Audit1 Audit2 Audit3


Business area/Location Date (mm/yy): 02/20 02/21 02/21
Duration (days): 2.5 5.0 2.5
ISMS Changes + ISMS Scope Review X X X
Context of the organization X X X
Information Security Policy X X X
Information Security Objectives X X X
Competence, Awareness, Communication X X X
Information security risk assessment, information security risk treatment, and Statement of Applicability (SOA) X X X
Documented information X X X
Management Review X X X
Internal Audit X X X
Nonconformity and Corrective Action X X X
A.5 Information security policies X
A.6 Organization of information security X X
A.7 Human resource security X
A.8 Asset management X X X
A.9 Access control X X
A.10 Cryptography X X X
A.11 Physical and environmental security X
A.12 Operations security X X X
A.13 Communications security X
A.14 System acquisition, development, and maintenance X
A.15 Supplier relationships X X
A.16 Information security incident management X X
A.17 Information security aspects of business continuity management X X
A.18 Compliance X

Certificate Number - PII 663484


Location reference - 0047358928-001

Audit1 Audit2 Audit3


Business area/Location Date (mm/yy): 02/20 02/21 02/22
Duration (days): 1.0 1.0 1.0
A.1 General X X X
A.2 Consent and choice X X X
A.3 Purpose legitimacy and specification X X X
A.4 Collection limitation X X X
A.5 Data minimization X X X
A.6 Use, retention and disclosure limitation X X X
A.7 Accuracy and quality X X X
A.8 Openness, transparency and notice X X X
A.9 Individual participation and access X X X
A.10 Accountability X X X
A.11 Information security X X X
A.12 Privacy compliance X X X

Certificate Number - CLOUD 663485


Location reference - 0047358928-001

Audit1 Audit2 Audit3


Business area/Location Date (mm/yy): 02/20 02/21 02/22
Duration (days): 1.0 1.0 1.0
CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment X X X
CLD.8.1.5 Removal of cloud service customer assets X X X
CLD.9.5.1 Segregation in virtual computing environments X X X
CLD.9.5.2 Virtual machine hardening X X X
CLD.12.1.5 Administrator's operational security X X X
CLD.12.4.5 Monitoring of Cloud Services X X X
CLD.13.1.4 Alignment of security management for virtual and physical networks X X X

Definitions of findings:

Nonconformity:
Non-fulfilment of a requirement.

Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services will
meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could demonstrate a
systemic failure and thus constitute a major nonconformity.

Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.

Opportunity for improvement:
It is a statement of fact made by an assessor during an assessment, and substantiated by objective
evidence, referring to a weakness or potential deficiency in a management system which if not improved
may lead to nonconformity in the future. We may provide generic information about industrial best
practices but no specific solution shall be provided as a part of an opportunity for improvement.

Observation:
It is ONLY applicable for those schemes which prohibit the certification body from issuing an opportunity
for improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a
management system which, if not improved, may lead to a nonconformity in the future.

How to contact BSI

'Just for Customers' is the website that we are pleased to offer our clients following successful registration,
designed to support you in maximizing the benefits of your BSI registration - please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number.


Should you wish to speak with BSI in relation to your certification, please contact your local BSI office –
contact details available from the BSI website:
https://www.bsigroup.com/en-US/contact-us/

Notes

This report and related documents are prepared for and only for BSI’s client and for no other purpose. As
such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in
connection with any other purpose for which the Report may be used, or to any other person to whom the
Report is shown or into whose hands it may come, and no other persons shall be entitled to rely on the
Report. If you wish to distribute copies of this report external to your organization, then all pages must be
included.

BSI, its staff and agents shall keep confidential all information relating to your organization and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities. The
audit method used was based on sampling the organization’s activities and it was aimed to evaluate the
fulfilment of the audited requirements of the relevant management system standard or other normative
document and confirm the conformity and effectiveness of the management system and its continued
relevance and applicability for the scope of certification.

As this audit was based on a sample of the organization’s activities, the findings reported are not intended
to cover all issues within the system.

Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report by
the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.
