Microsoft Azure, Dynamics and Online Services ISO 9001 Report - June 2021 PDF


MICROSOFT AZURE, DYNAMICS 365 AND ONLINE SERVICES

ISO 9001:2015 SURVEILLANCE REVIEW SUMMARY REPORT

JUNE 21, 2021

Attestation and Compliance Services

Proprietary & Confidential


Reproduction or distribution in whole or in part without prior written consent is strictly prohibited.
STATEMENT OF CONFIDENTIALITY
The sole purpose of this document is to provide Microsoft Corporation (Microsoft) with the summary of the ISO
9001:2015 (ISO 9001) surveillance review. At Microsoft’s discretion, it may distribute this report to its clients. Each
recipient of this report agrees that it shall not distribute or use the information contained herein and any other
information regarding Microsoft for any purpose other than those stated. This document, and any other Microsoft
related information provided, shall remain the sole property of Microsoft and may not be copied, reproduced, or
distributed without the prior written consent of Microsoft.

APPLICABILITY
This document is supplemental to the ISO 9001 Stage 2 Review performed by Schellman & Company, LLC
(Schellman), of which the primary deliverable is the certificate. The information found in this report and the
conclusions reached were dependent upon the complete and accurate disclosure of information by Microsoft. The
information provided in this report is “AS IS” without warranties of any kind. Schellman expressly disclaims any
warranties or representations, including implied warranties of merchantability and fitness for a particular purpose.

INDEPENDENCE DISCLOSURE
Schellman & Company, LLC (Schellman) assessed the Quality Management System (QMS) for Microsoft.
Schellman does not hold any investment or control over Microsoft. During the course of the assessment, Schellman
did not willfully and unnecessarily market services to achieve conformance to ISO 9001:2015. No Schellman
service was recommended during the course of the engagement.
TABLE OF CONTENTS
SECTION 1 AUDIT TEAM RECOMMENDATION ....... 1
SECTION 2 PROJECT OVERVIEW ....... 3
SECTION 3 SURVEILLANCE REVIEW TESTING RESULTS ....... 14
SECTION 4 SURVEILLANCE REVIEW SCHEDULE ....... 18
APPENDIX A MICROSOFT AZURE SCOPE STATEMENT ....... 20
SECTION 1: AUDIT TEAM RECOMMENDATION

ISO 9001 Surveillance Review Summary Report Proprietary and Confidential 1


AUDIT TEAM RECOMMENDATION
Summary of Findings and Recommendation

Overall, the QMS appears to be operating effectively and the client has met the requirements of the ISO 9001
standard. There were no nonconformities noted as a result of the 2021 surveillance review. It is the audit team’s
recommendation to keep the certification in an active status. Microsoft Azure, Dynamics and other Online Services
(Microsoft Azure) has implemented and maintains policies and procedures that are designed in accordance with
the ISO 9001 standard. The policies are well-defined, detailed, regularly reviewed and updated, communicated,
and understood by users within the organization. This includes both Microsoft corporate level and Microsoft Azure,
Dynamics and other Online Services policies and procedures which have been adopted to support the
implementation of the QMS. Microsoft Azure, Dynamics and other Online Services has defined standard operating
procedures (SOPs) at a team level to provide additional guidance to personnel.

The audit team concluded that procedures were effectively implemented within the organization to monitor
conformance with the standard and achievement of objectives specified by Microsoft Azure that are in alignment
with the strategic direction of the organization. Based on the activities demonstrated by Microsoft Azure
management and the supporting documentation provided during the course of the surveillance review, the audit
team determined that effective processes were in place to manage and monitor information security risks and to
identify and monitor compliance with relevant standards and contractual commitments. The Microsoft Azure
leadership team has supported the QMS by providing the resources necessary to maintain and implement risk
treatment plans and projects designed to improve the risk posture of the organization.

A formally defined global risk management program is in place, and Microsoft Azure has demonstrated an effective
process to manage and monitor risk in accordance with the direction of management and the organization’s
tolerance for risk. The sponsorship of the QMS is headed by the Integrated Management Forum (IMF). The IMF
is the management group that oversees the various components of the QMS and the communication and exchange
of information between those components.

As part of the assessment, Schellman concluded that the scope of the QMS was appropriate and the audit
objectives of the surveillance review were met.

Finding Ref | Status | Correction¹ | Corrective Action Plan¹ | Evidence of Remediation¹

No nonconformities were identified during the 2021 surveillance review.

¹ Correction is the immediate action taken to address the nonconformance; the corrective action plan includes the root cause related to the nonconformance and the organization’s plan to address the root cause; and evidence of remediation includes the implementation of the corrective action plan (i.e. the full implementation of the plan that addresses the root cause related to the nonconformance).



SECTION 2: PROJECT OVERVIEW


EXECUTIVE SUMMARY
Introduction

Microsoft Azure underwent a surveillance review of its ISO 9001 certification in April 2021; the certification was
originally issued in May 2020. The purpose of the surveillance review was to verify that the approved QMS continued
to be effectively implemented, to consider the implications of changes to that system initiated as a result of changes
in the client organization’s operations, and to confirm continued compliance with the certification requirements. This
report includes the results of the 2021 surveillance review mentioned above.

Schellman performed the surveillance review to assess the documentation and the maintenance, monitoring, and
operating effectiveness of the QMS against multiple objectives. The surveillance review included the following:
• Confirm that Microsoft adheres to its own policies, objectives, and procedures; and
• Confirm that the QMS conforms to all the requirements of the normative QMS standard ISO 9001 and is
achieving Microsoft’s policy objectives.

The scope of the review was limited to the QMS supporting the development, operations and infrastructure teams
for Azure and Azure based services deployed in the Public, Government and Germany Cloud, collectively referred
to as Microsoft Azure.

The scope includes operations at the locations identified in Appendix A.

Opening Meeting Description

An opening meeting occurred remotely utilizing the Microsoft Teams web conferencing application on Monday, April
12, 2021. The meeting was held to kick-off the surveillance activities. An agenda was provided as well as a project
plan and audit plan for surveillance review. The opening meeting was held to perform the following:
• Reconfirm the audit plan, scope, and deliverables for the surveillance review;
• Identify the client points of contact for the objectives and domains; and
• Discuss the timing expectations of the fieldwork as well as the activities following the fieldwork.

Audit Review Details

The surveillance audit covered the documentation requirements of the ISO 9001 standard, as well as testing which
included evidence of the monitoring, maintenance, and operating effectiveness of the QMS.

The surveillance audit objectives included the following:


• Determine the continued conformance of the QMS to the ISO 9001 standard, specifically with regard to
achieving the objectives of Microsoft’s quality policy and Microsoft’s maintenance, monitoring, and
improvement activities of the QMS; and
• Evaluate the effectiveness of the procedures and processes for evaluation and review of compliance with
relevant legislation and regulations.

The audit focused on the client’s:


• Internal audits and management review
• Treatment of complaints
• Effectiveness of the management system with regard to achieving the certified client’s objectives
• Progress of planned activities aimed at continual improvement
• Continuing operational control
• Review of any changes
• Use of marks and/or any reference to certification

During the assessment, all QMS-related documentation was available to the audit team to assess the QMS in
relation to the audit objectives of this assessment.

The closing meeting was held remotely after the conclusion of all audit review and follow up activities. The closing
meeting included a discussion with the QMS team regarding the surveillance review results and the overall
surveillance review recommendation and next steps.

Confidentiality Statement

The information included in this report is to be treated as confidential.

OVERVIEW OF OPERATIONS
Company Background
Description of Services Provided

Microsoft Azure is a cloud computing platform for building, deploying and managing applications through a global
network of Microsoft and third-party managed datacenters. It supports both Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS) cloud service models and enables hybrid solutions that integrate cloud services
with customers’ on-premises resources. Microsoft Azure supports many customers, partners, and government
organizations that span across a broad range of products and services, geographies, and industries. Microsoft
Azure is designed to meet their security, confidentiality, and compliance requirements.

Dynamics 365 is an online business application suite that integrates Customer Relationship Management (CRM)
capabilities and their extensions with Enterprise Resource Planning (ERP) capabilities. Microsoft Dynamics 365
products/offerings and their supporting datacenters are covered under the Azure, Dynamics 365 and Online Services
report.

Microsoft datacenters support Microsoft Azure, Dynamics 365 and many other Microsoft Online Services (“Online
Services”). Online Services such as Intune, Power BI, and others are Software as a Service (SaaS) services that
leverage the underlying Microsoft Azure platform and datacenter infrastructure.

For a full description of the scope and services provided, refer to Appendix A.

QMS REVIEW
General Design and Operating Effectiveness of the Client QMS

The general design and operating effectiveness of the QMS conforms to the requirements of the ISO 9001 standard.
There were no nonconformities or opportunities for improvement (OFIs) noted as a result of the 2021 surveillance review.

Clause | Conclusion | Comment
Context of the Organization | Effective | No comment
Leadership – Commitment | Effective | No comment
Leadership – Policy | Effective | No comment
Leadership – Organizational Roles, Responsibilities and Authorities | Effective | No comment
Planning – Risk Assessment | Effective | No comment
Planning – Objectives | Effective | No comment
Planning – Changes | Effective | No comment
Support – Resources | Effective | No comment
Support – Competence | Effective | No comment
Support – Awareness | Effective | No comment
Support – Communication | Effective | No comment
Support – Documentation | Effective | No comment
Operation | Effective | No comment
Performance Evaluation – Monitoring and Measurement | Effective | No comment
Performance Evaluation – Internal Audit | Effective | No comment
Performance Evaluation – Management Review | Effective | No comment
Improvement – Nonconformity / Corrective Action | Effective | No comment
Improvement – Continual Improvement | Effective | No comment

QMS Maintenance Activities

Overall, Microsoft Azure continued to demonstrate a sound understanding of its QMS as it continued to meet the
requirements of the ISO 9001 standard. During the surveillance review, an assessment was performed to determine
the overall effectiveness of the QMS during the certification lifecycle and no negative trends were identified. The
QMS and control framework are established, have been supported by top management, and are supported by a
competent team dedicated to the foundation and maintenance of the management system.

Microsoft Azure has implemented continual improvement activities since the 2020 Stage 2 review, based on the
results of its risk assessments and on the implementation of risk treatment plans. These plans were based on
available or planned resources and took into consideration external and internal factors such as new organizational
changes and location-specific regulations. Additionally, the previous audit findings were addressed, contained, and
found to be operating effectively during the surveillance review. Further, there have been no complaints, and Microsoft
has properly marketed its certificate in accordance with the client obligations and marketing guidelines provided to it.

Context of the Organization (Clause 4)

Understanding the Organization and its Context (Clause 4.1)


Microsoft Azure, Dynamics, and other Online Services (“Microsoft Azure”) has defined and implemented the QMS
as per the requirements of the ISO 9001 standard. The organization has identified the internal and external
dependencies to understand the context of the organization by proactively monitoring the results from risk
assessment, security and privacy incidents, vulnerabilities and threats, legal and regulatory compliance
requirements, and customer satisfaction key performance indicators (KPIs).

Risk management activities are built into the engineering, service operations and compliance process to make the
global risk management program more effective and efficient. The risk register captures internal and external
interfaces and dependencies along with the relevant risk drivers and management controls.



Microsoft Azure has identified the internal and external interfaces and dependencies and their relationships that
affect its ability to achieve the intended outcome(s) of its QMS in the integrated management system (IMS) scope
statement document.

Understanding the Needs and Expectations of Interested Parties (Clause 4.2)


Microsoft Azure has identified internal and external interested parties and their requirements relevant to its QMS
within its QMS manual. Microsoft Azure is bound by legal, regulatory, security and privacy requirements and
contractual obligations, and engages with the relevant interested parties on a periodic basis to discuss the
requirements and align, maintain, and improve its QMS.

Microsoft Azure has identified the internal and external interested parties that provide input to the Microsoft Azure
QMS in the IMS scope statement document.

Determining the Scope of the QMS (Clause 4.3)


The scope of the QMS is defined and documented in the IMS scope statement document, version 2021.03 dated
May 7, 2021. The scope statement document is reviewed by the Microsoft Azure compliance manager at least
annually or upon significant change.

The scope of the QMS comprises the development, operations and infrastructure teams for Azure and Azure based
services deployed in the Public, Government and Germany Cloud, collectively referred to as Microsoft Azure. The
full list of in-scope services and locations is provided in Appendix A.

The Microsoft Azure QMS applies to information resources, processes, and personnel. Information resources include
any Microsoft Azure owned or managed systems, applications, and network elements, and any information
processed by or used to provide Microsoft services. Microsoft Azure comprises engineering, operations,
security, privacy, and compliance teams.

QMS and its Processes (Clause 4.4)


The QMS includes processes such as the development, operations and maintenance of components and services.
Microsoft Azure is committed to providing quality service to its customers through a reliable and secure cloud
environment which helps customers meet their compliance requirements. The QMS is established, managed, and
monitored in accordance with the ISO 9001:2015 standard and aligns with Microsoft’s corporate policies and
standards, as well as Microsoft Cloud and Artificial Intelligence (CAI) Enterprise defined policies, and SOPs.

The risk assessment process identifies important risks prioritized for remediation, while the SOPs across various
operational areas provide guidance on implementing and monitoring controls to protect QMS assets.

Leadership (Clause 5)

Leadership and Commitment (Clause 5.1)


The CAI leadership team provides governance for Microsoft Azure and is represented by top management
(corporate vice president) and the partner directors of the feature teams. The leadership team is committed to
improving the quality of the services for its customers by integrating the QMS into the service delivery function.
Leadership meetings are conducted on a periodic basis to review scorecards and metrics, discuss and reach
resolution on cross-organizational issues related to Microsoft Azure, and agree on high-level strategies supporting
Microsoft Azure services.

Customer Focus
Microsoft Azure improves and maintains the quality of services provided to its customers by using established
documentation and quality benchmarks. The leadership team has demonstrated its commitment through:
• Establishing and maintaining the policies, processes, frameworks, and SOPs to address regulatory
requirements and ensure Microsoft Azure is secure, available, and reliable;
• Identifying and treating the risks which affect the quality of the product; and
• Establishing and testing end-to-end recovery procedures to support the reliability and availability of services.



Policy (Clause 5.2)
Microsoft Azure has adopted the SDL policy as its quality policy, which contains the security requirements integrated
during the product development lifecycle prior to releasing the product / service to the customer. The SDL policy is
communicated via the internal SharePoint site to Microsoft employees and interested parties. The SDL policy was
last approved on March 31, 2021 (version 2021.02). The detailed requirements and guidance for the procedures
are documented in the MSPP, which is also referred to as the requirements catalog.

Microsoft Azure has established SOPs for communicating detailed operational procedures. The MSPP defines a
common set of security policies and practices that Microsoft Azure teams must adhere to in order to ensure
standardized security practices and operationalization of the QMS. The policy includes the commitment to satisfy
requirements related to quality and continual improvement of the system.

SOPs are reviewed and updated annually to ensure information accuracy and overall improvement of the QMS.
Microsoft uses its internal SharePoint site for awareness and communication of policy and procedure documents.

Organizational Roles, Responsibilities, and Authorities (Clause 5.3)


The organizational chart and the roles and responsibilities of the team supporting the QMS are well-defined and
documented in the IMS scope statement document and quality manual.

Sponsorship of the QMS is headed by the IMF. The IMF is the management group that oversees the various
components of the QMS and the communication and exchange of information between those components.

The most recent CAI fundamentals review was conducted on April 27, 2021, and the meeting presentation was
made available to highlight leadership’s involvement with the QMS, which included communication and review of
the policies, planning documents, and audits results.

Planning (Clause 6)

Actions to Address Risks and Opportunities


The Microsoft Azure global risk management program (RMP) is in place to oversee and evaluate existing and
emerging risks / threats to the Microsoft Azure environment. The RMP aligns the risk management framework with
the Microsoft Azure risk management procedures and processes (Microsoft Azure engineering, service operation,
infrastructure and compliance). This includes determining relevant external and internal issues that impact and
affect the outcome of the QMS.

Risk Assessment
The risk and exception SOP documents the risk assessment process. Risk assessments are performed by Global
Azure teams to review the effectiveness of existing controls and safeguards, as well as to identify new risks. These
assessments ensure policies and supporting procedures properly address the environment considering changing
regulatory, contractual, business, technical, and operational requirements.

Risk Treatment
The Microsoft enterprise risk management office (RMO) establishes risk treatment plans based on inherent risk and
control effectiveness criteria.

Microsoft Azure security and engineering teams are responsible and accountable for working in conjunction with the
risk manager to identify and prioritize the remediation of the risks tagged as important. These risks / work items
are tracked via internal tools for closure and monitored by leadership, as appropriate.

Quality Objectives (Clause 6.2)


Microsoft Azure has established quality objectives to provide a platform to improve quality, delivery, corrective action
response, and other metrics to achieve desired performance levels for Microsoft cloud products and services.
These objectives are established in-line with the strategic direction of Microsoft Azure.



The senior leadership team has established appropriate forums to discuss the key performance indicators, prioritize
and monitor progress, and provide input for continual improvement.

Planning of Changes (Clause 6.3)


Microsoft Azure has defined the following criteria which could trigger change/updates to the QMS program:
• Addition or replacement of a major component or a significant part of a major system
• A change in security and quality standard or objective
• A breach of security, violation of system integrity, or any unusual situation that appears to invalidate the
accreditation
• A significant change to the physical structure housing the information system or environment of the
information system
• A significant change to the threat that could adversely affect the systems
• A significant change to the availability of safeguards

Microsoft Azure has established a change control process documented in the software change and release
management SOP which requires changes to follow standardized processes. Changes are required to be version
controlled, reviewed and approved by appropriate personnel as a part of the change control process.

Support (Clause 7)

Resources (Clause 7.1)


Microsoft Azure management is committed to the continual improvement and effectiveness of its QMS processes.
Periodic reviews are scheduled to allocate an appropriate budget to meet operational requirements and implement
the corresponding actions for the risk treatment plans. Through the periodic IMF meetings, management provides
guidance, resources, and budget planning to successfully meet the quality objectives.

Competence (Clause 7.2)


Microsoft Azure full-time employees (FTEs) and contingent staff are required to undergo mandatory basic security
awareness training, which includes security foundations training and/or role-based training, annually to ensure
competency for their job function. Technical security training is offered through an online learning management
system. All new hires are required to take mandatory training before accessing the system or performing assigned
duties. Additionally, security awareness campaigns, software for targeting requirements, information operations
and kinetic effects (STRIKE) events and online resources are made available periodically to all FTEs and contingent
staff. Brown bag training sessions, seminars, and ad-hoc training sessions are utilized to ensure competency.
Suppliers are required to complete supplier code of conduct training upon hire.

A security education and awareness SOP is in place to provide guidance and direction on the security and
awareness training process.

Compliance training requirements and elevated access requirements are documented on the STRIKE community
site under compliance. Managers view the compliance of security training for their team through the STRIKE
compliance portal.

Awareness (Clause 7.3)


Microsoft Azure’s QMS is aligned with the MSPP and personnel are made aware of their requirements to contribute
to the effectiveness of the QMS and the implications of nonconformity. Employees are required to take training
based on the services they provide and the role they perform as defined by the training and awareness SOP.
Policies and procedures are published and communicated through a central SharePoint repository and are
accessible to employees and interested parties.



Communication (Clause 7.4)
Microsoft Azure management is committed to proper communication with the internal and external stakeholders
regarding the state of the QMS. The internal and external stakeholders have been defined and appropriate
decisions are made as to who needs to receive what level of detail and when. A formal communication plan has
been established and documented within the Microsoft IMS communication plan.

Documented Information (Clause 7.5)


A formal document and record management SOP is in place to help ensure that management directives regarding
document controls are maintained. An internal SharePoint portal is used as a document repository and follows a
document and record management SOP for guidance on creation, retention, disposition, change control, storage
and distribution of the QMS related documentation.

Documents are reviewed and approved at least annually or upon significant change. Documents are updated by
the control owners / service team subject matter experts (SMEs) and approved by the compliance lead prior to
publication. The change history of the document tracks any changes to the content, including creation date, version
number, author, change description, approver and approval date.

The most recent document review was performed in April – May 2021. This review included the QMS manual, IMS
scope statement and IMS communications plan.

Operation (Clause 8)

Operational Planning and Control (Clause 8.1)


The SDL SOP establishes the SDL process and the minimum set of procedures to ensure that a high security
standard is maintained for Microsoft Azure products and services development. The service teams follow the SDL
process for secure software release management.

Requirements for Products and Services (Clause 8.2)


Customer Communication
Microsoft Azure strives to provide its customers with reasonable access to information in a timely manner.

Determining the Requirements for Products and Services


Microsoft Azure prioritizes the requirements obtained from its customers and from various industry and government
standards to meet and exceed customer expectations. As a component of the QMS, Microsoft has implemented
ISO 27001, 27017, 27018 and 27701 as part of its integrated management system to address risks to the
confidentiality, integrity and availability of information and to ensure customer data is secured and customer privacy
is protected. Microsoft’s contractual privacy commitments provide assurance to its customers that their data is
safe in the cloud.

The STP serves customers with both active and trial subscriptions. It offers access to security, privacy, and
compliance resources, such as independent audit reports of Microsoft Azure cloud services, risk assessments, and
security best practices. Microsoft has invested in acquiring and maintaining certifications and attestations that
promote confidence in Microsoft Azure’s security and reliability.

Review of the Requirements for Products and Services


The Microsoft Azure group participates in the semi-annual planning cycles (greenlight planning) with the leadership
team to review the requirements and determine the strategic goals for the upcoming semester.

Changes to Requirements for Products and Services
Authorized and relevant individuals are notified by e-mail when updates, changes, modifications, or amendments
are made to the QMS in accordance with the software change and release management SOP.



Design and Development (Clause 8.3)
The change and release management SOPs for both hardware and software changes contain high-level roles and
responsibilities, configuration management processes, and the identification and maintenance of configuration items.
Microsoft Azure service teams are required to comply with the standardized change and release management process.
The SOPs are reviewed at least annually by the required stakeholders.

External Processes, Products and Services (Clause 8.4)


The Microsoft Azure teams control the acquisition of external processes, products and services through the
requirements listed in the third-party management SOP and the MSPP. These dictate the circumstances under which a
third party may access, process, host or manage Microsoft Azure online services’ information assets or information
processing facilities, or add products or services to Microsoft’s online services’ information processing facilities.
Arrangements are made through formal contracts to define responsibility and requirements for the security,
confidentiality, integrity and availability of the information assets involved. Appropriate security standards are
addressed in the agreement to provide a level of protection against identified risks equivalent to that provided by the
Microsoft security policy.

The Microsoft Security Policy places ownership of third-party relationships with each of the services groups and
puts standards in place which tie directly to procedures and processes used within the SDL that the groups must
adhere to whenever new hardware, software, or services are introduced. Policies and procedures are distributed
to personnel with responsibilities for implementing those policies and procedures via e-mail links to the SharePoint
document repository.

Product and Service Provision (Clause 8.5)


Control of Production and Service Provision
Microsoft Azure has implemented the processes to ensure that products and services are provisioned under a
controlled environment.

Identification and Traceability


The Microsoft Azure incident response team has established and documented the incident response policies and
procedures in the incident management SOP. These policies and procedures address the purpose, scope, roles,
responsibilities, regulatory requirements and required coordination for the incident response team.

Microsoft Azure performs vulnerability scanning of the production environment and monitors and measures the
health of the information system on a periodic basis to ensure the products and services conform to the requirements.

Property Belonging to Customers or External Providers


Preservation
Microsoft Azure implements transmission integrity and confidentiality by ensuring the implementation of
cryptographic controls for data protection. Additionally, the implemented business continuity and disaster recovery
procedures ensure successful data backup and recovery to prevent and minimize the impact of unforeseen
circumstances and enable successful critical business process execution.

Post-Delivery Activities
Post-delivery activities are documented in the SDL SOP. The product development team is responsible for
responding to security vulnerabilities or privacy issues that warrant a response. Vulnerability scans are performed
periodically. The scan results are reviewed to ensure compliance with baseline configurations, validate patch
installation, and identify vulnerabilities in production.

Control of Changes
Microsoft Azure has established separation of duties on critical functions within the production environment to
minimize the risk of unauthorized changes to production systems. Segregation of duties is used to separate the
responsibilities for requesting, approving and deploying changes among authorized teams / personnel. Development
and testing responsibilities for new software builds or changes to existing software are separated and managed
through restricted access to branches within Source Depot or Git, and the development and production
environments are segregated.

ISO 9001 Surveillance Review Summary Report Proprietary and Confidential 11


Release of Products and Services (Clause 8.6)
Developers and integrators are responsible for developing the code, generating the builds, performing integration
testing, and managing deployments. Privileges to release software and configuration changes to production are
limited to authorized personnel only. Development and testing responsibilities for new software builds or changes
to existing software are segregated and managed through restricted access to development and test environments.
Features and changes are developed by the component teams, reviewed by designated component team members
and tested by the component team members for quality assurance and compatibility with the rest of the platform.
Only designated approvers can approve changes to production prior to code implementation.

Control of Nonconforming Outputs (Clause 8.7)

Microsoft Azure follows the SDL to ensure the outputs of its products follow appropriate guidelines. Monitoring
programs are used to actively monitor, identify, correct, and prevent system and product non-conformities.

For customer-impacting incidents, depending on severity, the incident response team conducts a post-incident
review to identify technical lapses, procedural failures, manual errors, process flaws and communication
gaps. As part of the customer responsibilities communicated through contractual agreements, customers are
responsible for maintaining current and accurate contact information with Microsoft to ensure timely notifications
relating to security incidents involving a potential breach of customer data. Notifications relating to security incidents
involving customer data are communicated via the service health dashboard or the customer's Microsoft Azure
management portal.

Performance (Clause 9)

Measurement and Monitoring (Clause 9.1)

The Microsoft Azure group uses security KPIs to measure performance and effectiveness across the QMS.
Assessments managed by independent entities are conducted over the design and operating effectiveness of the
control environment. These assessments allow for the monitoring, measurement, and evaluation of the operating
controls.

Senior leadership reviews major milestones as part of the planning process on a semi-annual basis. The KPIs are
reviewed by management, and action items are created and tracked via appropriate security metrics through the
S360 portal.

The Microsoft Azure group records audit findings from internal and external audits and reviews them for indications
of inappropriate or unusual activity, including indications of compromise. Audit review findings are reported and
escalated using standard security incident management channels. Depending on the type of issue, TFS or incident
management tickets are opened to track resolution of the incident.

Internal Audit (Clause 9.2)

Microsoft Azure is committed to performing continuous independent internal and external audits each year to
ensure the effective design, implementation and maintenance of its QMS.

The audit team reviewed the results of the internal audit performed in April 2021 and concluded that the internal
audit function was appropriately designed and operating effectively in conformance with the requirements of the
standard.

Management Review (Clause 9.3)

Management reviews are performed to address internal / external topics related to monitoring, trend analysis and
issue mitigation, ensuring the continuing suitability, adequacy and effectiveness of the QMS.

As noted previously, the IMF's role is to provide management oversight and guidance on the business operations
and effectiveness of the QMS via periodic meetings.

The most recent quarterly security leadership review meeting was held in March 2021. Minutes were taken during
the meeting and maintained as a record. The minutes include the agenda items as well as the associated action
items and any outputs of the meeting. The management review process was noted to be designed appropriately
and effectively implemented in conformance with the requirements of the standard.


Improvement (Clause 10)

Microsoft Azure management is committed to continual improvement of the effectiveness of the QMS through the
MSPP, control objectives, audit results, analysis of monitored events, corrective and preventive actions, and
management reviews.

Microsoft Azure management takes corrective action, as needed, to eliminate the cause of nonconformities within
the scope of the QMS. The procedures are followed when taking corrective action, and actions are recorded in the
Microsoft Azure exception trackers. Depending on the nature and severity of the non-conformity, the records of
corrective actions are reviewed by management during the Microsoft Azure risk management forum meeting.

FINDINGS OF NONCONFORMITY
Description of Findings (Major and Minor Nonconformities and Opportunities for Improvement)

There were no nonconformities or OFIs noted during the 2021 Surveillance Review.

Description of Previous Findings

There were no nonconformities or OFIs in open status from the 2020 Stage 2 review.

Explanation of ISO Requirement Classifications

This report provides management with an identification of the documentation efforts, in addition to the review and
testing of the maintenance, monitoring, and operating effectiveness of the QMS in relation to the ISO 9001 standard
requirements, specifically Clauses 4 through 10. Documentation requirements as well as the maintenance,
monitoring, and operating effectiveness of the QMS have been classified according to their significance in achieving
conformance to the standard. The classifications are defined as follows:
• Conform (C) – Based on observations, discussions with personnel, and inspection testing, these
  documentation requirements are currently in place and found to be operating effectively.
• Nonconformities (Major (MJ) and Minor (MN)) – Per the definition in ISO 17021-1, a nonconformity is a
  non-fulfillment of a requirement. Major and minor nonconformity definitions are included below:
  o Major: nonconformity that affects the capability of the management system to achieve the
    intended results.
    Note 1 to entry: Nonconformities could be classified as major in the following circumstances: 1) if
    there is a significant doubt that effective process control is in place, or that products or services will
    meet specified requirements, or 2) a number of minor nonconformities associated with the same
    requirement or issue could demonstrate a systemic failure and thus constitute a major
    nonconformity.
  o Minor: nonconformity that does not affect the capability of the management system to
    achieve the intended results.
• Not Applicable (NA) – Clause or control of the ISO 9001 standard was not applicable to the review
  performed.


SECTION 3: SURVEILLANCE REVIEW TESTING RESULTS


SURVEILLANCE REVIEW TESTING RESULTS – QMS FRAMEWORK

Columns: Clause | Subject Audited | Classification (C / MN / MJ / NA) | Remarks

ISO 9001 QMS Clause Requirements
4.1 | Context of the organizations – Understanding the organization and its context | ✓ |
4.2 | Context of the organizations – Understanding the needs and expectations of interested parties | ✓ |
4.3 | Context of the organizations – Determining the scope of the QMS | ✓ |
4.4 | Context of the organizations – QMS and its processes | ✓ |
5.1.1 | Leadership – Leadership and commitment – General | ✓ |
5.1.2 | Leadership – Leadership and commitment – Customer focus | ✓ |
5.2.1 | Leadership – Policy – Establishing the quality policy | ✓ |
5.2.2 | Leadership – Policy – Communicating the quality policy | ✓ |
5.3 | Leadership – Organizational roles, responsibilities, and authorities | ✓ |
6.1.1 | Planning – Actions to address risk and opportunities – General | ✓ |
6.2 | Planning – Quality objectives and planning to achieve them | ✓ |
6.3 | Planning – Planning of changes | ✓ |
7.1.1 | Support – Resources – General | ✓ |
7.1.2 | Support – Resources – People | ✓ |
7.1.3 | Support – Resources – Infrastructure | ✓ |
7.1.4 | Support – Resources – Environment for the operation of processes | ✓ |
7.1.5.1 | Support – Resources – Monitoring and measuring resources – General | ✓ |
7.1.5.2 | Support – Resources – Monitoring and measuring resources – Measurement traceability | ✓ |
7.1.6 | Support – Resources – Organizational knowledge | ✓ |
7.2 | Support – Competence | ✓ |
7.3 | Support – Awareness | ✓ |
7.4 | Support – Communications | ✓ |
7.5.1 | Support – Documented information – General | ✓ |
7.5.2 | Support – Documented information – Creating and updating | ✓ |
7.5.3 | Support – Documented information – Control of documented information | ✓ |
8.2.1 | Operation – Requirements for products and services – Customer communication | ✓ |
8.2.2 | Operation – Requirements for products and services – Determining the requirements for products and services | ✓ |
8.2.3 | Operation – Requirements for products and services – Review of the requirements for products and services | ✓ |
8.2.4 | Operation – Requirements for products and services – Changes to requirements for products and services | ✓ |
8.3.1 | Operation – Design and development of products and services – General | ✓ |
8.3.2 | Operation – Design and development of products and services – Design and development planning | ✓ |
8.3.3 | Operation – Design and development of products and services – Design and development inputs | ✓ |
8.3.4 | Operation – Design and development of products and services – Design and development controls | ✓ |
8.3.5 | Operation – Design and development of products and services – Design and development outputs | ✓ |
8.3.6 | Operation – Design and development of products and services – Design and development changes | ✓ |
8.4.1 | Operation – Control of externally provided processes, products, and services – General | ✓ |
8.4.2 | Operation – Control of externally provided processes, products, and services – Type and extent of control | ✓ |
8.4.3 | Operation – Control of externally provided processes, products, and services – Information for external parties | ✓ |
8.5.1 | Operation – Production and service provision – Control of production and service provision | ✓ |
8.5.2 | Operation – Production and service provision – Identification and traceability | ✓ |
8.5.3 | Operation – Production and service provision – Property belonging to customers or external providers | ✓ |
8.5.4 | Operation – Production and service provision – Preservation | ✓ |
8.5.5 | Operation – Production and service provision – Post-delivery activities | ✓ |
8.5.6 | Operation – Production and service provision – Control of changes | ✓ |
8.6 | Operation – Release of products and services | ✓ |
8.7 | Operation – Control of nonconforming outputs | ✓ |
9.1.1 | Performance evaluation – Monitoring, measurement, analysis, and evaluation – General | ✓ |
9.1.2 | Performance evaluation – Monitoring, measurement, analysis, and evaluation – Customer satisfaction | ✓ |
9.1.3 | Performance evaluation – Monitoring, measurement, analysis, and evaluation – Analysis and evaluation | ✓ |
9.2 | Performance evaluation – Internal audit | ✓ |
9.3.1 | Performance evaluation – Management review – General | ✓ |
9.3.2 | Performance evaluation – Management review – Management review inputs | ✓ |
9.3.3 | Performance evaluation – Management review – Management review outputs | ✓ |
10.1 | Improvement – General | ✓ |
10.2 | Improvement – Nonconformity and corrective action | ✓ |
10.3 | Improvement – Continual improvement | |


SECTION 4: SURVEILLANCE REVIEW SCHEDULE


SURVEILLANCE REVIEW SCHEDULE

Columns: Year | Type of Review | Process to be Reviewed | Audit Time | Locations to be Visited

2020 | Stage 1 | QMS and full system scope (design) | 2 remote fieldwork days / 1 day planning and reporting | Redmond, WA
2020 | Stage 2 | QMS and full system scope (design and effectiveness) | 8 days remote auditing / 2 days planning and reporting | Redmond, WA
2021 | Surveillance | QMS and specific scope testing surrounding operations | 3.5 days on-site / 1 day remote | Redmond, WA; sample of data centers
2022 | Surveillance | QMS and specific scope testing surrounding operations | 3.5 days on-site / 1 day remote | Redmond, WA; sample of data centers
2023 | Recertification | QMS and full system scope | 7 days on-site / 1.5 days remote | Redmond, WA; sample of data centers

Legend: Future projects (2022 and 2023 rows)


APPENDIX A: MICROSOFT AZURE SCOPE STATEMENT


Scope of the QMS

The scope of the integrated management system (IMS), which includes the ISMS, PIMS, SMS, BCMS, and QMS, covers
the development, operations and infrastructure teams for Azure and Azure-based services deployed in the Public,
Government and Germany Clouds, collectively referred to as Microsoft: Azure, Dynamics, and other Online Services,
in accordance with its IMS Statement of Applicability.

The Microsoft: Azure, Dynamics, and other Online Services IMS applies to information resources, processes and
personnel within the Microsoft: Azure, Dynamics, and other Online Services Group. Information resources include
any Microsoft: Azure, Dynamics, and other Online Services owned or managed systems, applications, and network
elements, and any information processed by, or used to provide, Microsoft services. The scope of the ISMS includes
the control requirements of ISO/IEC 27017:2015 and ISO/IEC 27018:2019 and the management system and control
requirements of ISO/IEC 27701:2019 for PII processors.

Azure Cloud-Based Services Inclusions

Cloud Environment Scope

Columns: Service / Offering Name | Azure | Azure Government | Azure Germany
(✓ = in scope for that cloud environment; - = not in scope)

Microsoft Azure Services

Product Category: AI + Machine Learning
Azure Bot Service | ✓ | ✓ | -
Azure Open Datasets | ✓ | - | -
Cognitive Services | ✓ | ✓ | -
Cognitive Services: Anomaly Detector | ✓ | - | -
Cognitive Services: Form Recognizer | ✓ | ✓ | -
Cognitive Services: Computer Vision API | ✓ | ✓ | -
Cognitive Services: Container Platform | ✓ | ✓ | -
Cognitive Services: Content Moderator | ✓ | ✓ | -
Cognitive Services: Custom Vision Service | ✓ | ✓ | -
Cognitive Services: Custom Decision Service | ✓ | - | -
Cognitive Services: Cognitive Service Platform | ✓ | ✓ | -
Cognitive Services: Face API | ✓ | ✓ | -
Cognitive Services: Immersive Reader | ✓ | - | -
Cognitive Services: Personalizer | ✓ | ✓ | -
Cognitive Services: Text Analytics API | ✓ | ✓ | -
Cognitive Services: Language Understanding Intelligent Service | ✓ | ✓ | -
Cognitive Services: Microsoft Translator | ✓ | ✓ | -
Cognitive Services: QnAMaker Service | ✓ | ✓ | -
Cognitive Services: Speech Services | ✓ | ✓ | -
Cognitive Services: Video Indexer | ✓ | ✓ | -
Machine Learning Service | ✓ | ✓ | -
AI builder | ✓ | - | -
Machine Learning Studio | ✓ | - | ✓
Microsoft Genomics | ✓ | - | -
Microsoft Bot Framework | ✓ | - | -

Product Category: Analytics
Azure Analysis Services | ✓ | ✓ | ✓
Azure Data Explorer | ✓ | ✓ | ✓
Azure Synapse Analytics | ✓ | ✓ | ✓
Data Factory | ✓ | ✓ | ✓
HDInsight | ✓ | ✓ | ✓
Azure Stream Analytics | ✓ | ✓ | ✓
Data Catalog | ✓ | ✓ | ✓
Data Lake Analytics | ✓ | - | -
Azure Data Share | ✓ | ✓ | -
Azure Data Lake Storage Gen1 | ✓ | ✓ | -
DesktopAnalytics | ✓ | - | -
Update Compliance | ✓ | - | -

Product Category: Compute
Cloud Services | ✓ | ✓ | ✓
Service Fabric | ✓ | ✓ | ✓
Virtual Machine Scale Sets | ✓ | ✓ | ✓
Virtual Machines (including SQL VM) | ✓ | ✓ | ✓
Batch | ✓ | ✓ | ✓
Functions | ✓ | ✓ | ✓
App Service | ✓ | ✓ | ✓
App Service - Web Apps (including Containers) | ✓ | ✓ | ✓
App Service - API Apps | ✓ | ✓ | ✓
App Service - Mobile Apps | ✓ | ✓ | ✓
App Service - Static Web Apps | ✓ | ✓ | ✓
Guest Configuration | ✓ | ✓ | -
Azure VMware Solution | ✓ | - | -
Azure Kubernetes Configuration Management | ✓ | - | -
Planned Maintenance | ✓ | ✓ | ✓
Azure Spring Cloud Service | ✓ | - | -
Azure Arc enabled Servers | ✓ | ✓ | -
Azure Arc enabled Kubernetes | ✓ | ✓ | -
Azure VM Image Builder | ✓ | - | -
Azure Service Manager (RDFE) | ✓ | ✓ | ✓

Product Category: Containers
Azure Kubernetes Service (AKS) | ✓ | ✓ | -
Azure Red Hat OpenShift (ARO) | ✓ | - | -
Container Instances | ✓ | ✓ | -
Container Registry | ✓ | ✓ | -
Azure Container Service | ✓ | ✓ | -

Product Category: Databases
Azure Cosmos DB | ✓ | ✓ | ✓
Azure SQL | ✓ | ✓ | ✓
Azure Database for MariaDB | ✓ | ✓ | -
Azure Database for MySQL | ✓ | ✓ | -
Azure Database for PostgreSQL | ✓ | ✓ | -
Azure Database Migration Service | ✓ | ✓ | -
Azure Cache for Redis (including Premium) | ✓ | ✓ | ✓
Azure API for FHIR | ✓ | ✓ | -
SQL Server Registry | ✓ | - | -
SQL Server Stretch Database | ✓ | ✓ | -

Product Category: Developer Tools
Azure DevTest Labs | ✓ | ✓ | -
Azure Lab Services | ✓ | ✓ | -
Azure for Education | ✓ | - | -
Application Change Analysis | ✓ | - | -
Azure App Configuration | ✓ | ✓ | -
GitHub AE | ✓ | ✓ | -

Product Category: Identity
Azure Information Protection | ✓ | ✓ | -
Azure Active Directory (Free, Basic, Premium) | ✓ | ✓ | ✓
Microsoft Accounts | ✓ | - | -
Azure Active Directory B2C | ✓ | ✓ | -
Azure Active Directory Domain Services | ✓ | ✓ | -

Product Category: Integration
Service Bus | ✓ | ✓ | ✓

Product Category: Internet of Things
Event Hubs | ✓ | ✓ | ✓
Event Grid | ✓ | ✓ | -
IoT Central | ✓ | - | -
IoT Hub | ✓ | ✓ | ✓
Azure Maps | ✓ | ✓ | -
Notification Hubs | ✓ | ✓ | ✓
Time Series Insights | ✓ | - | -
Windows 10 IoT Core Services | ✓ | - | -
Logic Apps | ✓ | ✓ | -
API Management | ✓ | ✓ | ✓
Microsoft Azure Peering Service | ✓ | ✓ | -
Azure Digital Twins | ✓ | - | -
Microsoft Autonomous Development Platform | ✓ | - | -

Product Category: Management and Governance
Azure Resource Manager | ✓ | ✓ | ✓
Automation | ✓ | ✓ | -
Azure Advisor | ✓ | ✓ | -
Azure Lighthouse | ✓ | ✓ | -
Azure Managed Applications | ✓ | ✓ | -
Azure Migrate | ✓ | ✓ | -
Azure Monitor | ✓ | ✓ | -
Azure Policy | ✓ | ✓ | -
Azure Resource Graph | ✓ | ✓ | -
Cloud Shell | ✓ | ✓ | -
Microsoft Azure Portal | ✓ | ✓ | ✓
Azure Blueprints | ✓ | - | -
Nomination Portal | ✓ | ✓ | -
Scheduler | ✓ | ✓ | ✓
Cost Management | ✓ | ✓ | -
Azure Signup Portal | ✓ | ✓ | -
Resource Move | ✓ | - | -

Product Category: Media
Media Services | ✓ | ✓ | ✓

Product Category: Mixed Reality
Azure Spatial Anchors | ✓ | - | -
Azure Remote Rendering | ✓ | - | -

Product Category: Networking
Application Gateway | ✓ | ✓ | ✓
Azure Load Balancer | ✓ | ✓ | ✓
ExpressRoute | ✓ | ✓ | ✓
Virtual Network | ✓ | ✓ | ✓
VPN Gateway | ✓ | ✓ | ✓
Azure Bastion | ✓ | ✓ | ✓
Azure DDoS Protection | ✓ | ✓ | -
Azure DNS | ✓ | ✓ | ✓
Azure Firewall | ✓ | ✓ | -
Azure Firewall Manager | ✓ | ✓ | -
Azure Front Door | ✓ | ✓ | -
Azure Internet Analyzer | ✓ | - | -
Azure Private Link | ✓ | ✓ | -
Azure Web Application Firewall | ✓ | ✓ | -
Content Delivery Network | ✓ | ✓ | -
Network Watcher | ✓ | ✓ | ✓
Traffic Manager | ✓ | ✓ | ✓
Virtual WAN | ✓ | ✓ | -
Azure Public IP | ✓ | ✓ | -
Virtual Network NAT | ✓ | ✓ | -
Azure Route Server | ✓ | - | -

Product Category: Security
Key Vault | ✓ | ✓ | ✓
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) | ✓ | ✓ | -
Multi-Factor Authentication | ✓ | ✓ | ✓
Azure Dedicated HSM | ✓ | ✓ | -
Customer Lockbox for Microsoft Azure | ✓ | ✓ | -
Azure Sentinel | ✓ | ✓ | -
Security Center | ✓ | ✓ | -
Azure Sphere | ✓ | - | -
Microsoft Azure Attestation | ✓ | - | -
Trusted Hardware Identity Management | ✓ | - | -
Azure Security Center for IoT | ✓ | - | -
Azure Defender for IoT | ✓ | - | -

Product Category: Storage
Storage (Blobs (including Azure Data Lake Storage Gen 2), Disks, Files, Queues, Tables, Ultra Disks) including Cool and Premium | ✓ | ✓ | ✓
Archive Storage | ✓ | ✓ | ✓
Azure Import/Export | ✓ | ✓ | -
Azure Data Box | ✓ | ✓ | -
Azure HPC Cache | ✓ | ✓ | -
Site Recovery | ✓ | ✓ | ✓
StorSimple | ✓ | ✓ | -
Backup | ✓ | ✓ | ✓
Azure File Sync | ✓ | ✓ | -
Azure NetApp Files | ✓ | ✓ | -
Lustre as a Service | ✓ | ✓ | -
Azure Data Lake Storage Gen 1 | ✓ | - | -

Product Category: Web
Azure Search | ✓ | ✓ | -
Azure SignalR Service | ✓ | ✓ | -

Product Category: Windows Virtual Desktop
Windows Virtual Desktop | ✓ | ✓ | -

Supporting Infrastructure and Platform Services | ✓ | ✓ | ✓

Microsoft Online Services

Columns: Service / Offering Name | Public | US Government | Germany

Intune | ✓ | ✓ | -
Microsoft Cloud App Security | ✓ | ✓ | -
Microsoft Graph | ✓ | ✓ | ✓
Microsoft Managed Desktop | ✓ | - | -
Microsoft Stream | ✓ | ✓ | -
Power Apps | ✓ | ✓ | -
Power Automate (Formerly Microsoft Flow) | ✓ | ✓ | -
Power BI | ✓ | ✓ | ✓
Power BI Embedded | ✓ | ✓ | ✓
Power Virtual Agents | ✓ | - | -
Microsoft Threat Experts | ✓ | - | -
Microsoft 365 Defender | ✓ | - | -
Microsoft Defender for Endpoint | ✓ | ✓ | -
Azure Health Bot | ✓ | - | -
Microsoft Bing for Commerce | ✓ | - | -
Universal Print | ✓ | - | -

Microsoft Dynamics 365

Columns: Service / Offering Name | Public | US Government | Germany

Dynamics 365 Customer Engagement | ✓ | ✓ | ✓
Dynamics 365 Customer Service | ✓ | ✓ | -
Dynamics 365 Customer Insights engagement insights | ✓ | - | -
Dynamics 365 Field Service | ✓ | ✓ | -
Dynamics 365 Sales | ✓ | ✓ | ✓
Dynamics 365 Sales Professional | ✓ | - | -
Dynamics 365 Sales Insights | ✓ | - | -
Dynamics 365 AI Customer Insights | ✓ | ✓ | -
Dynamics 365 Business Central | ✓ | - | -
Dynamics 365 Finance | ✓ | - | -
Dynamics 365 Fraud Protection | ✓ | - | -
Dynamics 365 Marketing | ✓ | - | -
Power Apps Portals (formerly Dynamics 365 Portals) | ✓ | ✓ | ✓
Dynamics 365 Project Service Automation | ✓ | - | -
Dynamics 365 Project Operations | ✓ | - | -
Dynamics 365 Retail | ✓ | - | -
Dynamics 365 Supply Chain Management | ✓ | - | -
Dynamics 365 Commerce | ✓ | - | -
Dynamics 365 Human Resources | ✓ | - | -
Chat for Dynamics 365 | ✓ | ✓ | -
Dynamics 365 Athena - CDS to Azure Data Lake | ✓ | ✓ | -
Dynamics 365 Guides | ✓ | ✓ | -
Dynamics 365 Business Q&A | ✓ | - | -
Dynamics 365 Talent Attract & Onboard | ✓ | - | -
Dynamics 365 Customer Service Insights | ✓ | - | -
Dynamics 365 Customer Voice | ✓ | ✓ | -
Dynamics 365 Remote Assist | ✓ | ✓ | -
Business 360 AI Platform | ✓ | - | -
Dataverse (formerly Common Data Service) | ✓ | ✓ | -

Physical Environment

Microsoft: Azure, Dynamics, and other Online Services are hosted in datacenters located throughout the world,
which are managed by Azure's Physical Infrastructure team. The Physical Infrastructure team provides the physical
and logical infrastructure for Microsoft's cloud and hosted applications, and serves as the underlying platform that
supports Microsoft's software plus services strategy. The physical infrastructure includes the datacenter facilities,
as well as the hardware and software components that support the services and networks. At Microsoft, the logical
infrastructure consists of operating system instances, routed networks, and unstructured data storage, whether
running on virtual or physical assets. Platform services include compute runtimes, identity and directory stores
(such as Active Directory® and Microsoft account), and other advanced functions consumed by Microsoft properties.

Locations Covered by this Report

Azure production infrastructure is located in globally distributed datacenters. These datacenters deliver the core
physical infrastructure, which includes physical hardware asset management, security, data protection, and
networking services. These datacenters are managed, monitored, and operated by Microsoft operations staff
delivering online services with 24x7 continuity. The purpose-built facilities are part of a network of datacenters that
provide mission-critical services to Azure and other Online Services. The datacenters within the scope of the IMS
are:

Main Location of the ISMS

One Microsoft Way
Redmond, Washington 98052
United States

Microsoft Azure Domestic Datacenters (region: site locations and datacenter codes)

West US: Santa Clara, CA (BY3/4/5/21/22/24/30); San Jose, CA (SJC20/21/22/31)
West US 2: Quincy, WA (CO1/2/6, MWH01/02/03/04/05)
West Central US: Cheyenne, WY (CYS01/04/05)
Central US: Des Moines, IA (DM1/2/3/4, DSM05/06/07/08/09)
North Central US: Chicago, IL (CH1/2/3/4, CHI20/21)
South Central US: San Antonio, TX (SN1/2/3/4/6/7, SAT09/10/11/20)
East US: Bristow, VA (BLU); Reston, VA (BL4); Sterling, VA (BL20); Ashburn, VA (BL2/3/5/6/7/21/22/23/30); Manassas, VA (MNZ20)
East US 2: Boydton, VA (BN1/3/4/6/7/8/9/10/13/14)
US GOV Iowa: Des Moines, IA (DM2)
US GOV Arizona: Phoenix, AZ (PHX20/21)
US GOV Texas: San Antonio, TX (SN5)
US GOV Virginia: Boydton, VA (BN1/11/12)

Microsoft Azure International Datacenters

Canada East: Quebec, Canada (YQB20)
Canada Central: Toronto, Canada (YTO20/21/22/23)
Brazil South: Campinas, Brazil (CPQ01/02/20/21/22/23/24); Sao Paulo, Brazil (GRU)
Brazil Southeast: Rio de Janeiro, Brazil (RIO01/20)
West Europe: Amsterdam, Netherlands (AM1/3, AMS04/05/06/07/08/09/20/21/22/23)
North Europe: Dublin, Ireland (DB3/4/5, DUB06/07/08/09/12/20/21/24/31)
UK South: London, United Kingdom (LON21/22/23/24)
UK West: Cardiff, United Kingdom (CWL20)
France Central: Paris, France (PAR20/21/22/23/24)
France South: Marseille, France (MRS20/21)
Germany North: Berlin, Germany (BER20)
Germany Northeast: Leipzig-Halle, Germany (LEJ20)
Germany West Central: Frankfurt, Germany (FRA21/22/23)
Germany Central: Frankfurt (FRA20)
Switzerland West: Geneva, Switzerland (GVA20)
Switzerland North: Zurich, Switzerland (ZRH20)
East Asia: Hong Kong (HK2, HKG20/21)
Southeast Asia: Singapore (SG2/3, SIN20/21/22)
West India: Mumbai, India (BOM01)
Central India: Dighi, India (PNQ01/20/21)
South India: Ambattur, India (MAA01)
Japan West: Osaka, Japan (OSA01/02/20/21/22)
Japan East: Tokyo, Japan (TYO01/20/21/22/31)
Korea South: Busan, South Korea (PUS04/20)
Korea Central: Seoul, South Korea (SEL20/21)
UAE Central: Abu Dhabi (AUH20)
UAE North: Dubai (DXB20/21)
Australia East: Macquarie Park, Australia (SYD03); Sydney, Australia (SYD21/22/23/25/26/27)
Australia Southeast: Melbourne, Australia (MEL01/20/21/23)
Australia Central: Canberra, Australia (CBR20/22)
Australia Central 2: Canberra, Australia (CBR21)
South Africa North: Johannesburg, South Africa (JNB20/21/22)
South Africa West: Cape Town, South Africa (CPT20)
Norway East: Oslo, Norway (OSL20/23)
Norway West: Stavanger, Norway (SVG20)

Additional Microsoft Online Services Datacenters

Southeast Asia 2: Cyberjaya, Malaysia (KUL01)
Korea South 2: Busan, South Korea (PUS01)
Brazil Northeast: Fortaleza, Brazil (FOR01)
Chile Central: Santiago, Chile (SCL01)
East Europe: Vienna, Austria (VIE)
North Europe 2: Vantaa, Finland (HEL01)

Edge Sites

Ashburn, VA (ASH)
Athens, Greece (ATH01)
Atlanta, GA (ATA)
Auckland, New Zealand (AKL01/30)
Bangkok, Thailand (BKK30)
Barcelona, Spain (BCN30)
Berlin, Germany (BER30)
Bogota, Colombia (BOG30)
Boston, MA (BOS01/31)
Brisbane, Australia (BNE01)
Brussels, Belgium (BRU30)
Bucharest, Romania (BUH01)
Budapest, Hungary (BUD01)
Buenos Aires, Argentina (BUE30)
Busan, South Korea (PUS03)
Cape Town, South Africa (CPT02)
Cairo, Egypt (CAI30)
Chennai, India (MAA02)
Chicago, IL (CHG)
Copenhagen, Denmark (CPH30)
Dallas, TX (DAL, DFW30)
Denver, CO (DEN02, DNA)
Detroit, MI (DTT30)
Dubai, United Arab Emirates (DXB30)
Frankfurt, Germany (FRA/FRA31)
Geneva, Switzerland (GVA30)
Helsinki, Finland (HEL03)
Ho Chi Minh, Vietnam (SGN30)
Hong Kong (HKB, HKG30)
Honolulu, HI (HNL01)
Houston, TX (HOU01)
Hyderabad, India (HYD30)
Istanbul, Turkey (IST30)
Jakarta, Indonesia (JKT30)
Johannesburg, South Africa (JNB02)
Kuala Lumpur, Malaysia (KUL02/30)
Las Vegas, NV (LAS01)
Lisbon, Portugal (LIS01)
Los Angeles, CA (LAX, LAX31)
Lagos, Nigeria (LOS30)
London, United Kingdom (LTS)
Madrid, Spain (MAD30)
Manchester, United Kingdom (MAN30)
Dusseldorf, Germany (DUS30)
Rio De Janeiro, Brazil (RIO03/02)
San Diego, California (SAN30)
Manila, Philippines (MNL30)
Marseille, France (MRS01)
Minneapolis, MN (MSP30)
Miami, FL (MIA)
Milan, Italy (MIL30)
Montreal, Canada (YMQ01)
Moscow, Russia (MOW30)
Mumbai, India (BOM02)
Munich, Germany (MUC30)
Nairobi, Kenya (NBO30)
New Delhi, India (DEL01)
New York City, NY (NYC)
Newark, NJ (EWR30)
Osaka, Japan (OSA30/31)
Oslo, Norway (OSL30)
Palo Alto, CA (PAO)
Paris, France (PAR02/PRA)
Perth, Australia (PER01/30)
Phoenix, AZ (PHX01/31)
Portland, OR (PDX31)
Prague, Czech Republic (PRG01)
Queretaro, Mexico (MEX30)
Rome, Italy (ROM30)
Sao Paulo, Brazil (SAO03)
San Jose, CA (SJC)
Santiago, Chile (SCL30)
Seattle, WA (STB)
Seoul, South Korea (SLA)
Singapore (SGE, SG1, SIN30)
Sofia, Bulgaria (SOF01)
Stockholm, Sweden (STO)
Taipei, Taiwan (TPE30/31)
Tel Aviv, Israel (TLV30)
Tokyo, Japan (TYA/TYB)
Toronto, Canada (YTO01)
Vancouver, Canada (YVR01/30)
Warsaw, Poland (WAW01)
Zagreb, Croatia (ZAG30)
Zurich, Switzerland (ZRH)

In addition to datacenter, network, and personnel security practices, Azure also incorporates security practices at
the application and platform layers to strengthen security for application development and service administration.