
Assessment Report

Microsoft - Herzliya R&D

Assessment dates 20/05/2018 to 26/05/2018 (Please refer to Appendix for details)


Assessment Location(s) Herzliya (000)
Report Author Giuseppe Esposito
Assessment Standard(s) ISO/IEC 27001:2013, ISO IEC 27018

Page 1 of 25
Assessment Report.

Table of contents
Executive Summary ..................................................................................................................................................... 3

Changes in the organization since last assessment ..................................................................................................... 4


NCR summary graphs .................................................................................................................................................. 5
Your next steps ............................................................................................................................................................ 7
NCR close out process ............................................................................................................................................. 7

Assessment objective, scope and criteria ................................................................................................................... 8


Assessment Participants .............................................................................................................................................. 9
Assessment conclusion ............................................................................................................................................. 10

Findings from this assessment .................................................................................................................................. 11


Opening meeting: ................................................................................................................................................. 11
Context, Policy, Roles and responsibilities: updates from last visit. 4, 5, A.5, A.6: ............................................... 11
Risk and SOA 6, 8: ................................................................................................................................................. 11

Monitoring, Internal audit, management review, Improvement 9.1, 9.2, 9.3, 10: ............................................... 12
Development A.14: ............................................................................................................................................... 12
Business Continuity A.17: ..................................................................................................................................... 13
Service delivery A.16, 9.1, A.9, A.10, A.12: ........................................................................................................... 13
Suppliers (IT third parties) A.15: ........................................................................................................................... 14
Staff Interviews (on the sample basis) 7, 8, A.7: ................................................................................................... 15
ISO27018 Base part of controls (5-18): ................................................................................................................. 15
ISO27018 Annex A controls (A.1-A.11): ................................................................................................................ 16
Next visit objectives, scope and criteria .................................................................................................................... 18
Next Visit Plan ........................................................................................................................................................... 19

Appendix: Your certification structure & on-going assessment programme ............................................................ 20


Scope of Certification ............................................................................................................................................ 20
Assessed location(s) .............................................................................................................................................. 20
Certification assessment program ........................................................................................................................ 22

Definitions of findings: .......................................................................................................................................... 23


How to contact BSI ................................................................................................................................................ 23
Notes ..................................................................................................................................................................... 24
Regulatory compliance ......................................................................................................................................... 24


Executive Summary
The audit was carried out at the Microsoft Israel headquarters (HQ) in Herzliya. The audit objectives have been achieved and the certificate scope can be confirmed. Based on the results of this audit, the audit team concludes that Microsoft WDATP fulfils the standards and audit criteria identified within the audit report, and it is deemed that the management system continues to achieve its intended outcomes.
The audit team recommends that BSI consider the information found in this assessment report as evidence of the conformity of Microsoft WDATP to the requirements of ISO 27001 and ISO 27018 for continued certification.
There were no outstanding nonconformities from previous assessments.


Changes in the organization since last assessment


There is no significant change of the organization structure and key personnel involved in the audited
management system.

No change in relation to the audited organization’s activities, products or services covered by the scope
of certification was identified.

There was no change to the reference or normative documents related to the scope of certification.


NCR summary graphs


Which standard(s) BSI recorded findings against


Where BSI recorded findings


Your next steps

NCR close out process

There were no outstanding nonconformities to review from previous assessments.


No new nonconformities were identified during the assessment. Enhanced detail relating to the overall
assessment findings is contained within subsequent sections of the report.

Please refer to Assessment Conclusion and Recommendation section for the required submission and
the defined timeline.


Assessment objective, scope and criteria


The objective of the assessment was to conduct a certification assessment to ensure the elements of
the proposed scope of registration and the requirements of the management standard are effectively
addressed by the organisation's management system and to confirm the forward strategic plan.

The scope of the assessment is the documented management system with relation to the requirements
of ISO27001, ISO27018 and the defined assessment plan provided in terms of locations and areas of
the system and organisation to be assessed.

Criteria:
ISO27001, ISO27018
Microsoft WDATP management system documentation


Assessment Participants

Name | Position | Opening meeting | Closing meeting | Interviewed (processes)
 | General manager (WDATP) | X | X |
 | Program manager lead (WDATP) | X | X | X
 | Program manager (WDATP) | X | X | X
 | Group software engineering manager (WDATP) | X | X | X
 | Service engineer manager (Operations team manager) | X | X | X
 | Group program manager (Security IR) | X | X | X
 | Architects and security lead (WDATP) | X | X | X
 | Software engineering lead (WDATP) | X | X | X
 | Service engineering lead (WDATP) | X | X | X


Assessment conclusion
BSI assessment team

Name Position
Giuseppe Esposito Team leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team
concludes based on the results of this audit that the organization does fulfil the standards and audit
criteria identified within the audit report and it is deemed that the management system continues to
achieve its intended outcomes.

RECOMMENDED - The audited organization can be recommended for certification (ISO27018) and
continued certification (ISO27001) to the above listed standards, and has been found in general
compliance with the audit criteria as stated in the above-mentioned audit plan.

Use of certification documents, mark / logo or report


The use of the BSI certification documents and mark / logo is effectively controlled.


Findings from this assessment

Opening meeting:
The opening meeting was conducted and arrangements for the assessment were confirmed satisfactorily with the representatives present. The findings were presented for BSI.

In the text below:

SOP: Standard Operating Procedure
JIT: Just-In-Time
WDATP: Windows Defender Advanced Threat Protection

Context, Policy, Roles and responsibilities: updates from last visit. 4, 5, A.5, A.6:
Verified “Windows Defender ATP ISMS Manual” version 2017.1, Jan 2018.
People in scope: 70 in Herzliya, 40 in Haifa.
Privacy Compliance: asset register.
There is a centralized monitoring on the approach that teams
Verified “WDATP ISMS Policy” Version 2017.1.
Scope definition:
The Information Security Management System for development, development environment and
operations of the following Windows Defender ATP online services:
· Endpoint Detection & Response
· Automatic Investigation & Remediation
· Secure Score
In accordance with the Statement of Applicability dated May 10, 2018. The above mentioned
certification scope is applicable exclusively to the locations listed on the second page of this document.
A demo of the service was shown.
Staff composition by role:
80 developers
13 PMs
16 Operational team

Risk and SOA 6, 8:

Verified “WDATP Risk Management SOP” 2017.2 9/1/2018.
Twice a year there are the big releases of the product; the last release was in April, with 7 new features introduced.

Verified a new risk: DaaS (Detonation as a Service) supplier risk assessment; 16 risks were defined for this scenario.
At the moment there are 10 risks for which risk treatment plans are active.
16 mitigation plans are in place in total at the moment.
Verified the “Device health WDATP On-premise properties” risk and the related actions identified for the risk mitigation: 7 actions (6 completed).
A quarterly risk review is operated; verified “WDATP Risk Review Q4-2017”.


The likelihood concept used in the risk model is mostly, but not exclusively, based on history.
SOA: just 1 control excluded: A.14.2.7, because no external development is in place.

Monitoring, Internal audit, management review, Improvement 9.1, 9.2, 9.3, 10:
Verified the list of items monitored.
Verified “KPI Monthly – 10/5/2018” notes from review.
Verified “WDATP audit report” 22/1/2018; findings were issued in these areas:
· supplier management (open source software components): The Windows Defender Advanced Threat Protection (WDATP) team does not fully scan and review third-party code for known vulnerabilities and missing security updates.
· internal suppliers: The Windows Defender Advanced Threat Protection (WDATP) team does not always review and subsequently remove users with privileged access from the JIT admin / approver group.
· user access controls: The Windows Defender Advanced Threat Protection (WDATP) team does not always document internal suppliers in the Information Security Management System (ISMS) program; specifically the WDG SMART & Fire teams.
Verified the treatment action “15946737” corresponding to the finding “user access review management” issued during the internal audit.
The remaining findings were noted and have been discussed / addressed by management. VSO tickets have been created, and appropriate remediation actions have been taken for all audit issues.
Verified “Compliance ISO certification – 16/5/2018”: meeting notes from the management review.
The ISMS review meeting is held on a weekly basis.

Development A.14:
Verified “WDATP development SDL SOP” ver 2018.1 15/5/2018.
A major release is issued every half year; security, privacy and compliance are the main criteria used in development activities.
The logical phases are:
· Training: verified “standard of business conduct” and “Privacy 101 for 2018” online annual training report.
· Requirements phase: verified xTrack, a means to perform assessment of requirements.
· Design phase: VSO (Visual Studio Online) is the environment (PM and tracking system) containing the list of tasks generated by the previous step. Verified the “complete and upload a threat model” task.
· Implementation phase: verified the classification of data to collect from client Windows systems: “WDATP RS4 Data Classification.xlsx (15/5/2018)” containing 769 rows in the “ETW” tab (ETW is the Windows log mechanism). In total there are 997 rows in the file, corresponding to fields of data to collect from client systems.
· Validate phase (assurance team in a different VSO environment): verified the report from J.T. for the penetration test on the product. Verified “WDG Serpent quick review report defender ATP April 2018”; verified the outcome of automatic testing performed by means of the “Microsoft Encryption-in-Transit Status” tool.
· Release phase: verified “VSO/Dashboard/RS4 Quality” containing the summary of security items related to the product release.


The “WDATP Compliance calendar” contains all the tasks to be performed, and when, to comply with security, privacy and compliance requirements.
The data for the staging environment are created by the team itself and by means of team machines.
The Security Assurance Team (Serpent) is external and general for all Windows development teams.
C# is the programming language used.

Business Continuity A.17:

The RPO is 4 hours. The RTO changed from 30 minutes (last visit) to 40.
The BCP did not change from the last visit.
Verified “Validation steps for disaster recovery if Inline detection IoC SOP”, a procedure performed twice a year; the procedure contains the steps related to the different systems used to support the service. The last one was performed on 20/11/2017. This is for the “Technology” scenario (the failover took 15 minutes). 16 subsystems are tested twice a year.
Verified “Teleworking Fire Drill May 6, 2018”; the report contains the responses of people working from home.
For the “people” scenario, 16 SOPs for the operational team are in place and these procedures are shared by all operational team members.
The plan to test 16 subsystems twice a year is confirmed and inserted in the compliance calendar.
Verified “Compliance calendar” at page n.15 of 17.
Verified “14741031 Improvement items BCP drill” in the VSO database.

Service delivery A.16, 9.1, A.9, A.10, A.12:

Change management: confirmed the procedure seen during the last visit. The only change is the tool used (from TFS to VSO).
The change process takes place twice a month with a specific list of changes for each step. Verified “17521115 Cloud.TiPartners_master_2018_05_14.01” page.

Logging and monitoring: confirmed the procedure seen during the last visit.
· Log collection (Geneva platform to collect logs): security, system and application events, kept for 90 days.
· Event alerting and monitoring: Azure IcM is the ticketing platform collecting alerts and incidents.
· Protection of log information: the teams have only read access to logs.
https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx#OST
is the link to the general contract pages, which also contain the “Online Services Terms (OST)”; the latter text contains a specific statement on compliance with specific laws.
The access logs for the production environments are kept for 6 months. Access is read-only and only the administrator of the Azure environment can modify them. Although the six-month period is respected (necessary e.g. for Italian personal data regulation) and the logs are accessible in read-only mode, there are no controls in place to assure that the logs cannot be modified (controls against tampering).

Capacity: no changes from the last visit. Azure, MCO and Cosmos are the environments for which it is necessary to monitor capacity. A review takes place each quarter.
Verified “2018-04-WDATP COGs Model”, the capacity plan issued April 2018.

Verified security incident 18-0672 (BI platform): occurred 9/4/2018; closed on 11/5/2018.


Verified “Windows & Devices group security operations (WDGFire): Security incident handling (IR) SOP” ver 1.5.1 17/4/2018.

A.10 Cryptography
Verified “WDATP Cryptographic control SOP” 20/5/2018.
Internal and external certificates are used (SHA-2, 2048-bit keys). Key lengths: encryption in transit TLS 1.2 at minimum, and encryption at rest 256-bit AES at minimum.
Azure Vault is the service used to store and manage certificates. Verified “SOP supporting tools assets – access review” 2018.1 20/4/2018. At the moment 3,165 certificates are managed.

A.9 Access control

Verified “Microsoft WCD Access Management SOP” 2018.1 10/5/2018.
A quarterly review of the JIT group was established in response to the finding issued during the internal audit. Developers can access the production environment for a limited period of time and with two-factor authentication.
Verified “SOP Production assets – access review” 20/4/2018. The results show some situations to be fixed (already fixed).
Two-factor authentication is always used to access the production environment as administrator.

Finding Reference: 1637166-201805-I1
Certificate Reference: IS 663486
Certificate Standard: ISO/IEC 27001:2013
Clause: A12.4.3
Category: Opportunity for Improvement
Area/Process: Service delivery A.16, 9.1, A.9, A.10, A.12
Details: The organization can consider the opportunity to extend the monitoring and logging policy to face the risks associated with client personal data incidents, taking into account specific local regulations other than main regulations like GDPR (eg: Italian “Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator”).

Suppliers (IT third parties) A.15:

Verified “WDATP supplier evaluation operating procedure” ver 2018.1 10/5/2018. Supplier categories:
1. Internal technologies or service providers (e.g. cloud hosting platform)
2. Internal administrative (e.g. physical security)
3. 3rd parties.

Suppliers per category:
1. 7 internal suppliers;
2. 6 internal suppliers;
3. none.
For each supplier there is an SLA; verified the risk assessment performed for “WDG Information security as a supplier”; verified an e-mail from Naama to Moti Gindi and Chase Carpenter stating that the results of the risk assessment on the specific supplier, the compensating controls adopted, the in-scope services, the supplier assessment results and the mitigation plans were signed on 20 April 2018.
15.1.3: The organization does not consider it necessary to insert specific agreements for some services (e.g. security incident management).


Monitoring: verified “security training” January 2018, online training for the “WDATP compliance vteam”.
In general, the monitoring of internal supplier services is shared with the suppliers themselves (e.g. security incident management, performance for Azure, Azure audit reports, etc.).
Changes are managed by means of the refresh of agreements.

Staff Interviews (on a sample basis) 7, 8, A.7:

R. M. – Software Engineer
Online session on security: standard of business conduct attended last March; verified communication of completion of online training: “SBC FY18” and “FY18 Privacy101”.
Security development lifecycle used.

Y. K. – Software developer
Security and privacy online training completed; no personal data kept in test environments.
PT used; the security development policy is followed; code review is adopted as a following control. The changes are implemented by means of controlled workflows.

A. C. – Service engineer
Learning activity every year; three courses attended in the last year.
Verified the dashboard monitoring the service; staging environment with no customer data.

ISO27018 Base part of controls (5-18):

The organization performed a new context analysis. The risk analysis approach was confirmed. All the controls in place adopted for ISO27001 were confirmed.
In this section, the controls not mentioned as extended controls from 27002 contain extension categories not applicable to the service in scope.

Extensions from 27002:

5.1.1: Part of the contract is the statement “…However, Microsoft is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to information technology service providers”, contained in the Online Service Terms May 1, 2018 document.
6.1.1: The section “how to contact Microsoft” is in the Online Service Terms May 1, 2018.
7.2.2: Contract and training are in the “standard of business conduct” general document.
9.2.1: Azure Active Directory implements the policies to control access rights and to deal with possibly compromised credentials.
10.1.1: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection
11.2.7: All managed data are encrypted.
12.3.1: The data are duplicated in two different data centers.
12.4.2: There is a specific procedure applied to the data of customers who leave the service. Ref: “data retention and deletion” from Online Service Terms May 1, 2018.
16.1.1: A specific process is in place: “Data breach Incident response plan – WDATP” 0.1 23/5/18. The control is inserted in the SOA.
18.2.1: https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001


ISO27018 Annex A controls (A.1-A.11):

A.1.1 Obligation to cooperate. Ref: “Data Subject Rights; Assistance with Requests” subsection of the Online Service Terms May 1, 2018 document.

A.2.1 The Online Service Terms May 1, 2018 document is the basic part of the contract and contains at “Processing of Customer Data: Ownership” the agreement regarding the control. Moreover, annexes to the basic part of the contract are possible, but only once was a contract escalated to the team (which performs the third level of escalation).

A.2.2 “Processing of Customer Data: Ownership” section from Online Service Terms May 1, 2018.

A.4.1 The timing depends on the specific subsystem; the documents are technical documents like functional specifications and task descriptions. The monitoring of the resources used and consumed gives feedback on any resources not deleted by the internal supplier.

A.5.1 “Disclosure of Customer Data” section from Online Service Terms May 1, 2018.

A.5.2 https://www.microsoft.com/en-us/trustcenter/Privacy/govt-requests-for-data
The page contains the commitment to respond to Government disclosure requests.
https://www.microsoft.com/en-us/about/corporate-responsibility/lerr
The page contains the last report issued (Jul-Dec 2017) showing the statistics on disclosures.

A.7.1 “Notice and Controls on use of Subprocessors” section in Online Service Terms May 1, 2018 and
https://www.microsoft.com/en-us/trustcenter/privacy/who-can-access-your-data-and-on-what-terms#subcontractors

A.9.1 “Data breach Incident response plan – WDATP” 0.1 23/5/18

A.9.2 Security policies are recorded in a specific SharePoint; a 6-year retention policy is applied; verified “Documentation Management SOP – Club Safety” 2017.3 16/1/2018.

A.9.3 “Data Transfers and Location” and “Data Retention and Deletion” from Online Service Terms May 1, 2018.

A.10.1 The individual contract signed by all employees contains specific clauses in appendix B to the contract: “Letter of commitment to safeguarding secrecy avoiding unfair competition, intellectual property and reputation”.

A.10.2 Verified “DM-03 Information and media handling standard” (site EGRC Enterprise Government Risk and Compliance) containing the REQ-579 (printing) requirement.
The classification of PII as confidential or highly confidential is contained in the “Microsoft classification wizard”. PII can be confidential or highly confidential data.

A.10.3 Verified “SOP for Investigations disaster recovery” 2017.2 22/1/2018.
The “Kusto” database contains the PII; the policy adopted when starting a new site is to replace the old one, because all data are duplicated on two different data centers.

A.10.4 The corresponding control from the Azure SOA is adopted
(https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide?command=Download&downloadType=Document&downloadId=47d89200-b24b-491d-b657-7c523ddfb6f9&docTab=4ce99610-c9c0-11e7-8c2c-f908a777fa4d_ISO_Reports).
The data are encrypted as a compensating control.

A.10.5 Personal devices are not allowed by policy; the laptops are equipped with Windows 10 and BitLocker. Intune is used to manage mobile phones.

A.10.6 All communications are encrypted, Exchange communications too (https).

A.10.7 Verified “DM-03 Information and media handling standard” general policy. Hardcopy material is destroyed by means of shredders present on every floor of the building.

A.10.8 Identity management is supported by Active Directory; verified “SOP Production assets – access review” 20/4/2018; the report shows that there are no shared accounts.

A.10.9 Verified “SOP Production assets – access review” 20/4/2018

A.10.10 The Microsoft general policy “AC-02 Account Management and access authorization standard” is valid for laptops, the development environment and general services; for production the owner is the “Operation team”; deactivated accounts cannot be allocated to other users because the Operational team has to ask IT for new accounts.

A.10.11 Verified “Processing of Customer Data; Ownership” and “Security Practices and Policies”
sections from Online Service Terms May 1, 2018.

A.10.12 Verified the online policy https://www.microsoft.com/en-us/trustcenter/privacy/who-can-access-your-data-and-on-what-terms#subcontractors
This is a general policy and the organization cannot read the specific contracts.

A.10.13 The Azure services do not give the possibility to reuse a dismissed environment. In addition, there are logical controls on user accounts and separation of environments. It is not possible to define a specific physical space for client environments.

A.11.1 The customers choose the location where to store data. The page
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection#do-i-have-the-flexibility-to-select-where-to-store-my-data
describes these possibilities (US, EU, UK).
In the onboarding settings phase the customer can then choose the location where to store data.

A.11.2 The control relies on the secure protocol used to transmit data: the endpoints are authenticated.


Next visit objectives, scope and criteria


The objective of the assessment is to conduct a surveillance assessment and look for positive evidence to ensure that the elements of the scope of certification and the requirements of the management standard are effectively addressed by the organisation's management system, that the system is demonstrating the ability to support the achievement of statutory, regulatory and contractual requirements and the organisation's specified objectives, as applicable with regard to the scope of the management standard, and to confirm the on-going achievement and applicability of the forward strategic plan.

The scope of the assessment is the documented management system with relation to the requirements
of ISO27001, ISO27018 and the defined assessment plan provided in terms of locations and areas of
the system and organisation to be assessed.

Criteria:
ISO27001, ISO27018
Microsoft WDATP management system documentation

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation
of the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration
that a deputy management representative be nominated. It is expected that the deputy would stand in
should the management representative find themselves unavailable to attend an agreed visit within 30
days of its conduct.


Next Visit Plan

Date Auditor Time Area/Process Clause


Context of the organization
Leadership
Planning
Support
Operations Herzliya
Operations Haifa
Development
Service delivery
Performance evaluation
Improvement
Program Management


Appendix: Your certification structure & on-going assessment programme

Scope of Certification

IS 663486 (ISO/IEC 27001:2013)


The Information Security Management System for development, development environment and
operations of the following Windows Defender ATP online services:
· Endpoint Detection & Response
· Automatic Investigation & Remediation
· Secure Score
In accordance with the Statement of Applicability dated May 10, 2018. The above mentioned
certification scope is applicable exclusively to the locations listed on the second page of this document.

PII 694593 (ISO IEC 27018)


The Information Security Management System for development, development environment and
operations of the following Windows Defender ATP online services:
· Endpoint Detection & Response
· Automatic Investigation & Remediation
· Secure Score
In accordance with the Statement of Applicability dated May 10, 2018. The above mentioned
certification scope is applicable exclusively to the locations listed on the second page of this document.

Assessed location(s)

The audit has been performed at Central Office.

Herzliya / IS 663486 (ISO/IEC 27001:2013)


Location reference 0047620344-000
Address Microsoft - Herzliya R&D
Center 13 Shenkar St. Gav-Yam
Building N.5
Herzliya
4672513
Israel
Visit type Continuing assessment (surveillance)
Assessment reference 8791148
Assessment dates 21/05/2018
Deviation from Audit Plan No
Total number of Employees 70
Effective number of Employees 70
Scope of activities at the site The Information Security Management System for development, development environment and operations of the following Windows Defender ATP online services: · Endpoint Detection & Response · Automatic Investigation & Remediation · Secure Score In accordance with the Statement of Applicability dated May 10, 2018. The above mentioned certification scope is applicable exclusively to the locations listed on the second page of this document.
Assessment duration 2.5 day(s)

Herzliya / PII 694593 (ISO IEC 27018)


Location reference 0047620344-000
Address Microsoft - Herzliya R&D
Center 13 Shenkar St. Gav-Yam
Building N.5
Herzliya
4672513
Israel
Visit type Stage 2 Audit
Assessment reference 8953715
Assessment dates 24/05/2018
Deviation from Audit Plan No
Total number of Employees 70
Effective number of Employees 70
Scope of activities at the site The Information Security Management System for development, development environment and operations of the following Windows Defender ATP online services: · Endpoint Detection & Response · Automatic Investigation & Remediation · Secure Score In accordance with the Statement of Applicability dated May 10, 2018. The above mentioned certification scope is applicable exclusively to the locations listed on the second page of this document.
Assessment duration 1 day(s)

The following sites/projects were also incorporated into the assessment:


Microsoft - Haifa R&D Center
Building No. 25, Matam
Haifa
3190501
Israel


Certification assessment program

Certificate Number - IS 663486


Location reference - 0047620344-000

Business area/Location      Audit1   Audit2    Audit3    Audit4   Audit5   Audit6
Date (dd/mm/yy):            7/2/17   26/4/17   26/6/17   1/5/18   1/4/19   1/4/20
Duration (days):            1.5      0.5       6         3        3.5      7
Context of the organization X X X X
Leadership X X X X
Planning X X X X X
Support X X X X
Operations Herzliya X X X X X
Operations Haifa X X X
Development X X X X X X
Service delivery X X X X X X
Performance evaluation X X X X
Improvement X X X X
Program Management X X X X

Certificate Number - PII 694593


Location reference - 0047620344-000

Business area/Location      Audit1   Audit2
Date (mm/yy):               05/18    04/19
Duration (days):            1        1
Scope and Policy X X
Organisational context X X
Leadership and Commitment X X
Management System Support X X
Planning and Resources X X
Human Resource Management X X
Control of Documents and Records X X
Objectives / Performance Monitoring & Measurement X X
Management Review X X


Supply Chain X X
Internal Audits X X
Actions / Non-Conformity / Incidents / Complaints X X
Risk Management / Prevention X X
Legal and Other Requirements X X
Improvement X X
Haifa operations X X

Definitions of findings:

Nonconformity:
Non-fulfilment of a requirement.

Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services
will meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could
demonstrate a systemic failure and thus constitute a major nonconformity.

Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.

Opportunity for improvement:


It is a statement of fact made by an assessor during an assessment, and substantiated by objective
evidence, referring to a weakness or potential deficiency in a management system which if not improved
may lead to nonconformity in the future. We may provide generic information about industrial best
practices but no specific solution shall be provided as a part of an opportunity for improvement.

Observation:
It is ONLY applicable for those schemes which prohibit the certification body from issuing an
opportunity for improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a
management system which, if not improved, may lead to a nonconformity in the future.

How to contact BSI


'Just for Customers' is the website that we are pleased to offer our clients following successful
registration, designed to support you in maximising the benefits of your BSI registration - please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number (47654212/IS 663486).

Should you wish to speak with BSI in relation to your registration, please contact our Customer
Engagement and Planning:

BSI Group Italia S.r.l.


Via G. Fara, 35
20124 Milano (MI)
Italy
Tel: +39 02 6679091
Fax: +39 02 66981396
E-mail (for the corrective action plan): Caps.Italy@bsigroup.com

Notes

This report and related documents are prepared for and only for BSI’s client and for no other purpose.
As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for
or in connection with any other purpose for which the Report may be used, or to any other person to
whom the Report is shown or in to whose hands it may come, and no other persons shall be entitled to
rely on the Report. If you wish to distribute copies of this report external to your organisation, then all
pages must be included.

BSI, its staff and agents shall keep confidential all information relating to your organisation and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities.
The audit method used was based on sampling the organization’s activities and it was aimed to evaluate
the fulfilment of the audited requirements of the relevant management system standard or other
normative document and confirm the conformity and effectiveness of the management system and its
continued relevance and applicability for the scope of certification.

As this audit was based on a sample of the organization's activities, the findings reported do not
claim to cover all issues within the system.

Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report by
the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.
