Microsoft Azure, Dynamics and Online Services ISO 9001 Report - June 2021 PDF
APPLICABILITY
This document is supplemental to the ISO 9001 Stage 2 Review performed by Schellman & Company, LLC
(Schellman), the primary deliverable of which is the certificate. The information found in this report and the conclusions
reached were dependent upon the complete and accurate disclosure of information by Microsoft. The information
provided in this report is “AS IS” without warranties of any kind. Schellman expressly disclaims any warranties or
representations, including implied warranties of merchantability and fitness for a particular purpose.
INDEPENDENCE DISCLOSURE
Schellman & Company, LLC (Schellman) assessed the Quality Management System (QMS) for Microsoft.
Schellman does not hold any investment or control over Microsoft. During the course of the assessment, Schellman
did not willfully and unnecessarily market services to achieve conformance to ISO 9001:2015. No Schellman
service was recommended during the course of the engagement.
TABLE OF CONTENTS
SECTION 1 AUDIT TEAM RECOMMENDATION
SECTION 2 PROJECT OVERVIEW
SECTION 3 SURVEILLANCE REVIEW TESTING RESULTS
SECTION 4 SURVEILLANCE REVIEW SCHEDULE
APPENDIX A MICROSOFT AZURE SCOPE STATEMENT
SECTION 1 AUDIT TEAM RECOMMENDATION
Overall, the QMS appears to be operating effectively and the client has met the requirements of the ISO 9001
standard. There were no nonconformities noted as a result of the 2021 surveillance review. It is the audit team’s
recommendation to keep the certification in an active status. Microsoft Azure, Dynamics and other Online Services
(Microsoft Azure) has implemented and maintains policies and procedures that are designed in accordance with
the ISO 9001 standard. The policies are well-defined, detailed, regularly reviewed and updated, communicated,
and understood by users within the organization. This includes both Microsoft corporate level and Microsoft Azure,
Dynamics and other Online Services policies and procedures which have been adopted to support the
implementation of the QMS. Microsoft Azure, Dynamics and other Online Services has defined standard operating
procedures (SOPs) at a team level to provide additional guidance to personnel.
The audit team concluded that procedures were effectively implemented within the organization to monitor
conformance with the standard and achievement of objectives specified by Microsoft Azure that are in alignment
with the strategic direction of the organization. Based on the activities demonstrated by Microsoft Azure
management and the supporting documentation provided during the course of the surveillance review, the audit
team determined that effective processes were in place to manage and monitor information security risks and to
identify and monitor compliance with relevant standards and contractual commitments. The Microsoft Azure
leadership team has supported the QMS by providing the resources necessary to maintain and implement risk
treatment plans and projects designed to improve the risk posture of the organization.
A formally defined global risk management program is in place, and Microsoft Azure has demonstrated an effective
process to manage and monitor risk in accordance with the direction of management and the organization’s
tolerance for risk. The sponsorship of the QMS is headed by the Integrated Management Forum (IMF). The IMF
is the management group that oversees the various components of the QMS and the communication and exchange
of information between those components.
As part of the assessment, Schellman concluded that the scope of the QMS was appropriate and the audit
objectives of the surveillance review were met.
Microsoft Azure underwent a surveillance review in April 2021 of their ISO 9001 certification which was originally
issued in May 2020. The purpose of the surveillance review was to verify that the approved QMS continued to be
effectively implemented, to consider the implications of changes to that system initiated as a result of changes in
the client organization’s operations, and to confirm continued compliance with the certification requirements. This
report includes the results of the 2021 surveillance review mentioned above.
Schellman performed the surveillance review to summarily review the documentation and maintenance, monitoring,
and operating effectiveness of the QMS in order to achieve multiple objectives. The surveillance review included
the following:
• Confirm that Microsoft adheres to its own policies, objectives, and procedures; and
• Confirm that the QMS conforms to all the requirements of the normative QMS standard ISO 9001 and is
achieving Microsoft’s policy objectives.
The scope of the review was limited to the QMS supporting the development, operations and infrastructure teams
for Azure and Azure based services deployed in the Public, Government and Germany Cloud, collectively referred
to as Microsoft Azure.
An opening meeting occurred remotely utilizing the Microsoft Teams web conferencing application on Monday, April
12, 2021. The meeting was held to kick-off the surveillance activities. An agenda was provided as well as a project
plan and audit plan for surveillance review. The opening meeting was held to perform the following:
• Reconfirm the audit plan, scope, and deliverables for the surveillance review;
• Identify the client points of contact for the objectives and domains; and
• Discuss the timing expectations of the fieldwork as well as the activities following the fieldwork.
The surveillance audit covered the documentation requirements of the ISO 9001 standard, as well as testing which
included evidence of the monitoring, maintenance, and operating effectiveness of the QMS.
During the assessment, all QMS-related documentation was available for the audit team to assess the QMS and in
relation to the audit objectives of this assessment.
The closing meeting was held remotely after the conclusion of all audit review and follow up activities. The closing
meeting included a discussion with the QMS team regarding the surveillance review results and the overall
surveillance review recommendation and next steps.
OVERVIEW OF OPERATIONS
Company Background
Description of Services Provided
Microsoft Azure is a cloud computing platform for building, deploying and managing applications through a global
network of Microsoft and third-party managed datacenters. It supports both Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS) cloud service models and enables hybrid solutions that integrate cloud services
with customers’ on-premises resources. Microsoft Azure supports many customers, partners, and government
organizations that span across a broad range of products and services, geographies, and industries. Microsoft
Azure is designed to meet their security, confidentiality, and compliance requirements.
Dynamics 365 is an online business application suite that integrates Customer Relationship Management (CRM)
capabilities and their extensions with Enterprise Resource Planning (ERP) capabilities. Microsoft Dynamics 365
products and offerings, and their supporting datacenters, are covered under this Azure, Dynamics 365 and Online Services
report.
Microsoft datacenters support Microsoft Azure, Dynamics 365 and many other Microsoft Online Services (“Online
Services”). Online Services such as Intune, Power BI, and others are Software as a Service (SaaS) services that
leverage the underlying Microsoft Azure platform and datacenter infrastructure.
For a full description of the scope and services provided, refer to Appendix A.
QMS REVIEW
General Design and Operating Effectiveness of the Client QMS
The general design and operating effectiveness of the QMS conforms to the requirements of the ISO 9001 standard.
There were no nonconformities or OFIs noted as a result of the 2021 surveillance review.
Overall, Microsoft Azure continued to demonstrate a sound understanding of its QMS as it continued to meet the
requirements of the ISO 9001 standard. During the surveillance review, an assessment was performed to determine
the overall effectiveness of the QMS during the certification lifecycle and no negative trends were identified. The
QMS and control framework are established, have been supported by top management, and are supported by a
competent team dedicated to the foundation and maintenance of the management system.
Microsoft Azure has implemented continual improvement activities since the 2020 Stage 2 review. These activities
were based on the results of its risk assessments and on the implementation of risk treatment plans, which in turn were
based on available or planned resources and took into consideration external and internal factors such as new
organizational changes and location-specific regulations. Additionally, the previous audit findings were addressed,
contained, and found to be operating effectively during the surveillance review. Further, there have been no complaints,
and Microsoft has properly marketed its certificate in accordance with the client obligations and marketing guidelines
provided to it.
Risk management activities are built into the engineering, service operations and compliance process to make the
global risk management program more effective and efficient. The risk register captures internal and external
interfaces and dependencies along with the relevant risk drivers and management controls.
Microsoft Azure has identified the internal and external interested parties that provide input to the Microsoft Azure
QMS in the IMS scope statement document.
The scope of the QMS comprises the development, operations and infrastructure teams for Azure and Azure based
services deployed in the Public, Government and Germany Cloud, collectively referred to as Microsoft Azure. The full list
of in-scope services and locations is provided in Appendix A.
The Microsoft Azure QMS applies to information resources, processes, and personnel. Information resources include
any Microsoft Azure owned or managed systems, applications, and network elements, and any information
processed by or used to provide Microsoft services. Microsoft Azure comprises engineering, operations,
security, privacy, and compliance teams.
The risk assessment process identifies important risks prioritized for remediation, while the SOPs across various
operational areas provide guidance on implementing and monitoring controls to protect QMS assets.
Leadership (Clause 5)
Customer Focus
Microsoft Azure improves and maintains the quality of services provided to its customers by using established
documentation and quality benchmarks. The leadership team has demonstrated their commitment through:
• Establishing and maintaining the policies, processes, frameworks, and SOPs to address regulatory
requirements and ensure Microsoft Azure is secure, available, and reliable;
• Identifying and treating the risks which affect the quality of the product; and
• Establishing and testing end-to-end recovery procedures to support reliability and availability of services.
Microsoft Azure has established SOPs for communicating detailed operational procedures. The MSPP defines a
common set of security policies and practices that Microsoft Azure teams must adhere to in order to ensure standardized
security practices and the operationalization of the QMS. The policy includes the commitment to satisfy requirements
related to quality and continual improvement of the system.
SOPs are reviewed and updated annually to ensure information accuracy and overall improvement to QMS.
Microsoft uses its internal SharePoint site for awareness and communication of policy and procedure documents.
Sponsorship of the QMS is headed by the IMF. The IMF is the management group that oversees the various
components of the QMS and the communication and exchange of information between those components.
The most recent CAI fundamentals review was conducted on April 27, 2021, and the meeting presentation was
made available to highlight leadership’s involvement with the QMS, which included communication and review of
the policies, planning documents, and audit results.
Planning (Clause 6)
Risk Assessment
The risk and exception SOP documents the risk assessment process. Risk assessments are performed by Global
Azure teams to review the effectiveness of existing controls and safeguards, as well as to identify new risks. These
assessments ensure policies and supporting procedures properly address the environment considering changing
regulatory, contractual, business, technical, and operational requirements.
Risk Treatment
The Microsoft enterprise risk management office (RMO) establishes risk treatment plans based on inherent risk and
control effectiveness criteria.
Microsoft Azure security and engineering teams are responsible and accountable for working in conjunction with the
risk manager to identify and prioritize the remediation of the risks tagged as important. These risks and work items
are tracked via internal tools for closure and monitored by leadership, as appropriate.
Microsoft Azure has established a change control process documented in the software change and release
management SOP which requires changes to follow standardized processes. Changes are required to be version
controlled, reviewed and approved by appropriate personnel as a part of the change control process.
Support (Clause 7)
A security education and awareness SOP is in place to provide guidance and direction on the security and
awareness training process.
Compliance training requirements and elevated access requirements are documented on the STRIKE community
site under compliance. Managers view the compliance of security training for their team through the STRIKE
compliance portal.
Documents are reviewed and approved at least annually or upon significant change. Documents are updated by
the control owners / service team subject matter experts (SMEs) and approved by the compliance lead prior to
publication. The change history of the document tracks any changes to the content, including creation date, version
number, author, change description, approver and approval date.
The most recent document review was performed in April – May 2021. This review included the QMS manual, IMS
scope statement and IMS communications plan.
Operation (Clause 8)
The STP serves customers with both active and trial subscriptions. It offers access to security, privacy, and
compliance resources, such as independent audit reports of Microsoft Azure cloud services, risk assessments, and
security best practices. Microsoft has invested in acquiring and maintaining certifications and
attestations that promote confidence in Microsoft Azure’s security and reliability.
The Microsoft Security Policy places ownership of third-party relationships with each of the services groups and
puts standards in place which tie directly to procedures and processes used within the SDL that the groups must
adhere to whenever new hardware, software, or services are introduced. Policies and procedures are distributed
to personnel with responsibilities for implementing those policies and procedures via e-mail links to the SharePoint
document repository.
Microsoft Azure performs vulnerability scanning of the production environment and monitors and measures the
health of the information system on a periodic basis to ensure the products and services conform to the requirements.
Post-Delivery Activities
Post-delivery activities are documented in the SDL SOP. The product development team is responsible for
responding to security vulnerabilities or privacy issues that warrant a response. Vulnerability scans are performed
periodically. The scan results are reviewed to ensure compliance with baseline configurations, validate patch
installation, and identify vulnerabilities in production.
Control of Changes
Microsoft Azure has established separation of duties on critical functions within the production environment to
minimize the risk of unauthorized changes to production systems. Segregation of duties is used to separate the
responsibilities for requesting, approving and deploying changes to authorized teams / personnel. Development
and testing responsibilities for new software builds or changes to existing software are separated and managed
through restricted access to branches within Source Depot or Git and segregated in the development and production
environments.
For customer-impacting incidents, depending on the severity, the incident response team conducts a post-incident
response review to identify technical lapses, procedural failures, manual errors, process flaws and communication
glitches. As part of the customer responsibilities communicated through contractual agreements, customers are
responsible for maintaining current and accurate contact information with Microsoft to ensure timely notification
of security incidents involving a potential breach of customer data. Notifications relating to security incidents
involving customer data are communicated via the service health dashboard or the customer’s Microsoft Azure
management portal.
Performance (Clause 9)
Senior leadership reviews major milestones as part of the planning process on a semi-annual basis. The KPIs are
reviewed by management, and action items are created and tracked via appropriate security metrics through the S360
portal.
The Microsoft Azure group records audit findings from internal and external audits and reviews them for indications of
inappropriate or unusual activity, including indications of compromise. Audit review findings are reported and
escalated using standard security incident management channels. Depending on the type of issue, TFS or incident
management tickets are opened to track resolution of the incident.
The audit team reviewed the results of the internal audit performed in April 2021 and concluded that the internal audit
function was designed appropriately and operating effectively in conformance with the requirements of the
standard.
As noted previously, the IMF’s role is to provide management oversight and guidance on the business operations
and effectiveness of the QMS via periodic meetings.
The most recent quarterly security leadership review meeting was held in March 2021. Minutes were taken during
the meeting and maintained as record. The minutes include the agenda items as well as associated action items.
The minutes also included any outputs taken from the meetings. The management review process was noted to
be designed appropriately and effectively implemented in conformance with the requirements of the standard.
Microsoft Azure management is committed to continual improvement of the effectiveness of the QMS through the
MSPP, control objectives, audit results, analysis of monitored events, along with corrective and preventive actions
and management reviews.
Microsoft Azure management takes corrective action, as needed, to eliminate the cause of nonconformities within
the scope of the QMS. The procedures are followed when taking corrective action, and actions are recorded in the
Microsoft Azure exception trackers. Depending on the nature and severity of the nonconformity, the records of
corrective actions are reviewed by management during the Microsoft Azure risk management forum meeting.
FINDINGS OF NONCONFORMITY
Description of Findings (Major and Minor Nonconformities and Opportunities for Improvement)
There were no nonconformities or OFIs in open status from the 2020 Stage 2 review.
This report provides management with an identification of the documentation efforts, in addition to the review and
testing of the maintenance, monitoring, and operating effectiveness of the QMS in relation to the ISO 9001 standard
requirements, specifically Clauses 4 through 10. Documentation requirements as well as the maintenance,
monitoring, and operating effectiveness of the QMS have been classified according to their significance in achieving
conformance to the standard. The classifications are defined as follows:
• Conform (C) – Based on observations, discussions with personnel, and inspection testing, these
documentation requirements are currently in place and found to be operating effectively.
• Nonconformities (Major (MJ) and Minor (MN)) – Per the definition in ISO 17021-1, a nonconformity is a
nonfulfillment of a requirement. Major and Minor Nonconformity definitions are included below:
  o Major: nonconformity that affects the capability of the management system to achieve the
  intended results.
  Note 1 to entry: Nonconformities could be classified as major in the following circumstances: 1) if
  there is a significant doubt that effective process control is in place, or that products or services will
  meet specified requirements, or 2) a number of minor nonconformities associated with the same
  requirement or issue could demonstrate a systemic failure and thus constitute a major
  nonconformity.
  o Minor: nonconformity that does not affect the capability of the management system to
  achieve the intended results.
• Not Applicable (NA) – Clause or control of the ISO 9001 standard was not applicable to the review
performed.
The scope of the integrated management system (IMS), which includes the ISMS, PIMS, SMS, BCMS, and QMS, covers the
development, operations and infrastructure teams for Azure and Azure based services deployed in the Public,
Government and Germany Cloud, collectively referred to as Microsoft: Azure, Dynamics, and other Online Services,
in accordance with its IMS Statement of Applicability.
Microsoft: Azure, Dynamics, and other Online Services IMS applies to information resources, processes and
personnel within the Microsoft: Azure, Dynamics, and other Online Services Group. Information Resources include
any Microsoft: Azure, Dynamics, and other Online Services owned or managed systems, applications, and network
elements, and any information processed by, or used to provide Microsoft services. The scope of the ISMS includes
the control requirements of ISO/IEC 27017:2015 and ISO/IEC 27018:2019 and the management system and control
requirements of ISO/IEC 27701:2019 for PII processors.
Cognitive Services ✓ ✓ -
DesktopAnalytics ✓ - -
Update Compliance ✓ - -
Planned Maintenance ✓ ✓ ✓
Azure Spring Cloud Service ✓ - -
Container Instances ✓ ✓ -
Container Registry ✓ ✓ -
GitHub AE ✓ ✓ -
IoT Central ✓ - -
IoT Hub ✓ ✓ ✓
Azure Maps ✓ ✓ -
Notification Hubs ✓ ✓ ✓
Time Series Insights ✓ - -
Logic Apps ✓ ✓ -
API Management ✓ ✓ ✓
Microsoft Azure Peering Service ✓ ✓ -
Azure Advisor ✓ ✓ -
Azure Lighthouse ✓ ✓ -
Azure Migrate ✓ ✓ -
Azure Monitor ✓ ✓ -
Azure Policy ✓ ✓ -
Cloud Shell ✓ ✓ -
Nomination Portal ✓ ✓ -
Scheduler ✓ ✓ ✓
Cost Management ✓ ✓ -
Resource Move ✓ - -
Azure DNS ✓ ✓ ✓
Azure Firewall ✓ ✓ -
Network Watcher ✓ ✓ ✓
Traffic Manager ✓ ✓ ✓
Virtual WAN ✓ ✓ -
Azure Public IP ✓ ✓ -
Azure Sentinel ✓ ✓ -
Security Center ✓ ✓ -
Azure Sphere ✓ - -
Site Recovery ✓ ✓ ✓
StorSimple ✓ ✓ -
Backup ✓ ✓ ✓
Azure File Sync ✓ ✓ -
Lustre as a Service ✓ ✓ -
Microsoft Graph ✓ ✓ ✓
Microsoft Managed Desktop ✓ - -
Microsoft Stream ✓ ✓ -
Power Apps ✓ ✓ -
Universal Print ✓ - -
Physical Environment
Microsoft: Azure, Dynamics, and other Online Services are hosted in datacenters located throughout the world,
which are managed by Azure’s Physical Infrastructure team. The Physical Infrastructure team provides the physical
and logical infrastructure for Microsoft’s cloud and hosted applications. The Physical Infrastructure team serves as
the underlying platform that supports Microsoft’s software plus service strategy. The physical infrastructure includes
the datacenter facilities, as well as the hardware and software components that support the services and networks.
At Microsoft, the logical infrastructure consists of operating system instances, routed networks, and unstructured
data storage, whether running on virtual or physical assets. Platform services include compute runtimes, identity
and directory stores (such as Active Directory® and Microsoft account), and other advanced functions consumed
by Microsoft properties.
Edge Sites
Ashburn, VA (ASH)
Athens, Greece (ATH01)
Atlanta, GA (ATA)
Auckland, New Zealand (AKL01/30)
Bangkok, Thailand (BKK30)
Barcelona, Spain (BCN30)
Berlin, Germany (BER30)
Bogotá, Colombia (BOG30)
Boston, MA (BOS01/31)
Brisbane, Australia (BNE01)
Brussels, Belgium (BRU30)
Bucharest, Romania (BUH01)
Budapest, Hungary (BUD01)
Dusseldorf, Germany (DUS30)
Rio de Janeiro, Brazil (RIO03/02)
San Diego, California (SAN30)
Manila, Philippines (MNL30)
Marseille, France (MRS01)
Minneapolis, MN (MSP30)
Miami, FL (MIA)
Milan, Italy (MIL30)
Montreal, Canada (YMQ01)
Moscow, Russia (MOW30)
Mumbai, India (BOM02)
Munich, Germany (MUC30)
Nairobi, Kenya (NBO30)
In addition to datacenter, network, and personnel security practices, Azure also incorporates security practices at
the application and platform layers to enhance security for application development and service administration.