Office 365 ISO Audit 2020
Assessment Report.
Table of contents
Executive Summary ......................................................................................................................................................... 4
Changes in the organization since last assessment .................................................................................................... 5
NCR summary graphs ...................................................................................................................................................... 6
Your next steps ................................................................................................................................................................ 7
NCR close out process ................................................................................................................................................ 7
Assessment objective, scope and criteria .................................................................................................................... 8
Statutory and regulatory requirements ....................................................................................................................... 8
Assessment Participants ................................................................................................................................................. 9
Assessment conclusion .................................................................................................................................................10
Findings from this assessment .....................................................................................................................................11
Arrived at Client & Opening meeting, Review audit plan:...................................................................................11
Context of the Organization: ...................................................................................................................................11
ISMS Scope and Coverage: .......................................................................................................................................11
Information Security Policy:.....................................................................................................................................12
Information Security Objectives: ............................................................................................................................12
Management review:................................................................................................................................................12
Information Security Risk Assessment Process, Information Security Risk Treatment Process, and Statement of Applicability (SOA): ...........................12
Internal Audit: ............................................................................................................................................................13
Nonconformity and Corrective Action: ..................................................................................................................13
Documented Information (ISMS Documentation, ISMS Records): ....................................................................13
Information security incident management: ........................................................................................................14
Technical vulnerability management: ....................................................................................................................14
Change management (EXO): ....................................................................................................................................14
Asset Management: ..................................................................................................................................................14
User access management: .......................................................................................................................................15
Cryptography: ............................................................................................................................................................15
ISO 27018:2019 Annex A Public cloud PII processor extended control set for PII protection: ......................15
ISO/IEC 27017:2015 Information Security Controls for Cloud Services: ...........................................................18
Next visit objectives, scope and criteria .....................................................................................................................20
Next Visit Plan ................................................................................................................................................................21
Appendix: Your certification structure & ongoing assessment programme .........................................................22
Scope of Certification ...............................................................................................................................................22
Assessed location(s) ..................................................................................................................................................22
Certification assessment program ..........................................................................................................................25
Definitions of findings: .............................................................................................................................................27
How to contact BSI ....................................................................................................................................................27
Notes ...........................................................................................................................................................................28
Regulatory compliance .............................................................................................................................................28
Executive Summary
Overall, the information security management system was implemented as planned and the intended
results were achieved. All areas scheduled for this continuous assessment visit, as per the audit plan, were
successfully reviewed and found to be effectively implemented. No nonconformities were noted during this
assessment.
Changes in the organization since last assessment
No change in relation to the audited organization's activities, products or services covered by the scope of
certification was identified.
There was no change to the reference or normative documents related to the scope of certification.
Your next steps
NCR close out process
Please refer to the Assessment Conclusion and Recommendation section for the required submission and
the defined timeline.
Assessment objective, scope and criteria
The scope of the assessment is the documented management system with relation to the requirements of
ISO/IEC 27001:2013, ISO/IEC 27018:2019, and ISO/IEC 27017:2015 and the defined assessment plan
provided in terms of locations and areas of the system and organisation to be assessed.
Assessment Participants
Name                Position                Opening Meeting   Closing Meeting   Interviewed (processes)
Patricia Anderson   Program Manager Lead    X                 X                 X
Assessment conclusion
BSI assessment team
Name Position
Dennis Cunanan Team Leader
The audit objectives have been achieved and the certificate scope remains appropriate. The audit team
concludes based on the results of this audit that the organization does fulfil the standards and audit criteria
identified within the audit report and it is deemed that the management system continues to achieve its
intended outcomes.
The use of the BSI certification documents and mark / logo is effectively controlled.
The head office is located in Redmond, WA and one location in München, Germany.
Management review:
Reviewed and confirmed the process for reviewing ISMS performance. ERM meetings are performed
annually and Monthly Service Reviews (MSR) are performed monthly.
Sampled evidence:
- Presentation dated November 21, 2019;
- Presentation dated January 16, 2020
ISMS related requirements were discussed at these meetings (e.g. incidents, availability requirements,
external requirements, etc.).
O365 continues to maintain the Statement of Applicability dated February 19, 2020. The SOA incorporates
ISO/IEC 27018:2019 Security and Privacy Controls for the protection of personally identifiable information
(PII) and ISO/IEC 27017:2015 Information Security Controls for Cloud Services. It was noted that all
controls were considered applicable. Justification for the inclusion of controls was documented in the
Statement of Applicability. This was assessed and found to be acceptable and applicable based on the
company's current operation.
Internal Audit:
Reviewed and confirmed the internal ISMS audit process for O365. Several assessments were performed on
O365's ISMS processes. Reviewed the internal audit report dated November 21, 2019. Internal audit
findings are discussed in meetings (e.g. ERM, MSRs, etc.).
O365 has also established an audit calendar that covers the different assessments scheduled (e.g. HiTrust,
FedRamp Audit, SOC, etc.).
Documented Information (ISMS Documentation, ISMS Records):
The process of controlling ISMS records was reviewed. O365 implemented the Data Handling Standards
dated January 17, 2020 (covering e.g. Customer content, End-User Identifiable Information, etc.). Retention
periods were defined.
Asset Management:
Reviewed and confirmed the asset management process for O365. The inventory of assets process was found
to be effective based on the process reviewed. Inventories of hardware and logical assets were maintained.
O365 established an Asset Lifecycle Management process (Hardware Order Tracking, New Capacity
Provisioning, Upgrade Orchestration, Hardware Removal). Assets are tracked in MS Assets (e.g. #3310525,
#4570277, #4250624, #4813076, #4568202).
O365 established the Data Handling Standards. Information labelling levels were defined as HBI, MBI
and LBI.
Cryptography:
Reviewed and confirmed the O365 encryption process. This process was noted to be effective. Automated
monitoring was in place for SSL certificate expiry. Reviewed the TLS Configuration Standard Office 365
Foundations Security Services (December 2018).
ISO 27018:2019 Annex A Public cloud PII processor extended control set for PII protection:
A.1 General
No additional controls are relevant to this control. This control is mostly informational.
Reviewed the Microsoft Privacy Statement as of February 2020, and the Trust Center (GDPR Data Subject
Request).
purposes.
Reviewed Microsoft Online Services Terms (January 2020). Microsoft will not disclose Customer Data to law
enforcement unless required by law. If law enforcement contacts Microsoft with a demand for Customer
Data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from
Customer. If compelled to disclose Customer Data to law enforcement, Microsoft will promptly notify
Customer and provide a copy of the demand unless legally prohibited from doing so.
Microsoft has a Microsoft Law Enforcement and National Security Global Fulfillment (LENS_GF) team.
The information disclosed also includes the countries in which sub-contractors can process data. The
contracts between Microsoft and sub-contractors that process PII specify the minimum technical and
organizational measures that meet the information security and PII protection obligations of the public
cloud PII processor.
A.10 Accountability
A.10.1 Notification of a data breach involving PII
Reviewed the Microsoft Online Service Data Protection Addendum (January 2020). The public cloud PII
processor should promptly notify the relevant cloud service customer in the event of any unauthorized
access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or
alteration of PII. Microsoft has this routine defined in the "Incident Management" and data breach
notification under the GDPR that includes the roles and responsibilities.
CLD 13.1.4 Alignment of security management for virtual and physical networks
Virtual networks are inherently different from physical networks; however, the same policy requirements for
security and cryptography go into their design and creation in the O365 environment.
Next visit objectives, scope and criteria
The scope of the assessment is the documented management system with relation to the requirements of
ISO/IEC 27001:2013, ISO/IEC 27018:2019, and ISO/IEC 27017:2015 and the defined assessment plan
provided in terms of locations and areas of the system and organisation to be assessed.
Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of
the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration that a
deputy management representative be nominated. It is expected that the deputy would stand in should
the management representative find themselves unavailable to attend an agreed visit within 30 days of its
conduct.
Scope of Certification
Assessed location(s)
Effective number of employees: 35
Scope of activities at the site: The management of Information Security Management System (ISMS) for
Microsoft Office 365 Services development, operations, support, and protection of personally identifiable
information (PII) in accordance with the Statement of Applicability dated February 10, 2020 (ref. ISO
27001:2013 certificate number IS 552878).
Assessment duration: 1 Day(s)
Certification assessment program
A.18 Compliance X
Definitions of findings:
Nonconformity:
Non-fulfilment of a requirement.
Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services will
meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could demonstrate a
systemic failure and thus constitute a major nonconformity.
Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.
Observation:
It is ONLY applicable for those schemes which prohibit the certification body from issuing an opportunity for
improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a
management system which, if not improved, may lead to a nonconformity in the future.
'Just for Customers' is the website that we are pleased to offer our clients following successful registration,
designed to support you in maximizing the benefits of your BSI registration - please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number.
Should you wish to speak with BSI in relation to your certification, please contact your local BSI office –
contact details available from the BSI website:
https://www.bsigroup.com/en-US/contact-us/
Notes
This report and related documents are prepared for and only for BSI's client and for no other purpose. As
such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in
connection with any other purpose for which the Report may be used, or to any other person to whom the
Report is shown or into whose hands it may come, and no other persons shall be entitled to rely on the
Report. If you wish to distribute copies of this report external to your organization, then all pages must be
included.
BSI, its staff and agents shall keep confidential all information relating to your organization and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.
This audit was conducted on-site through document reviews, interviews and observation of activities. The
audit method used was based on sampling the organization’s activities and it was aimed to evaluate the
fulfilment of the audited requirements of the relevant management system standard or other normative
document and confirm the conformity and effectiveness of the management system and its continued
relevance and applicability for the scope of certification.
As this audit was based on a sample of the organization's activities, the findings reported do not claim to
include all issues within the system.
Regulatory compliance
BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report by
the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.