Page 1 of 30
Assessment Report.
Table of contents
Executive Summary (page 3)
Changes in the organization since last assessment (page 4)
NCR summary graphs (page 5)
Your next steps (page 6)
  NCR close out process (page 6)
Assessment objective, scope and criteria (page 7)
Assessment Participants (page 8)
Assessment conclusion (page 9)
Findings from this assessment (page 10)
  The management of the Information Security Management System (ISMS) for Microsoft Office 365 Services development, operations, support, and protection of personally identifiable information (PII) in accordance with the Office 365 ISMS Statement of Applicability dated October 19, 2018, ISO 27018:2014 Statement of Applicability dated October 19, 2018, and ISO 27017:2015 Statement of Applicability dated October 19, 2018. The ISMS Manual and Statements of Applicability were updated in October 2018. This assessment includes reference smo in 2018-8796419 / 8796410 / 8796420 (page 10)
Next visit objectives, scope and criteria (page 21)
Next Visit Plan (page 23)
Appendix: Your certification structure & ongoing assessment programme (page 24)
  Scope of Certification (page 24)
  Assessed location(s) (page 24)
  Certification assessment program (page 27)
  Mandatory requirements – re-certification (page 27)
  Definitions of findings (page 28)
  How to contact BSI (page 29)
  Notes (page 29)
  Regulatory compliance (page 30)
Executive Summary
Microsoft has continued to grow the O365 Integrated ISMS by adding services and by continuing to grow the Trust Team.
No change in relation to the audited organization's activities, products or services covered by the scope of certification was identified.
There was no change to the reference or normative documents related to the scope of certification.
Please refer to the Assessment Conclusion and Recommendation section for the required submission and the defined timeline.
The scope of the assessment is the documented management system in relation to the requirements of ISO 27001:2013, ISO 27018:2014 and ISO 27017:2015, and the defined assessment plan provided in terms of locations and areas of the system and organization to be assessed.
Criteria: Office 365 ISMS Statement of Applicability dated October 18, 2018, ISO 27018:2014 Statement of Applicability dated October 18, 2018, and ISO 27017:2015 Statement of Applicability dated October 18, 2018.
Office 365 ISMS management system documentation.
Assessment Participants
Name               Position                                         Opening Meeting  Closing Meeting  Interviewed (processes)
Greg Roberts       Principal Group Program Manager                  X                X                X
Patricia Anderson  Principal Program Manager Lead, Office 365 GRC   X                X                X
Assessment conclusion
BSI assessment team
Name             Position
Leonard Glover   Team Leader
Saroj Patel      Team Member
The audit objectives have been achieved and the certificate scope remains appropriate. Based on the results of this audit, the audit team concludes that the organization fulfils the standards and audit criteria identified within the audit report, and it is deemed that the management system continues to achieve its intended outcomes.
RECOMMENDED - The audited organization can be recommended for recertification to the above listed standards, and has been found in general compliance with the audit criteria as stated in the above-mentioned audit plan.
The use of the BSI certification documents and mark / logo is effectively controlled.
The 3rd quarter 2018 ISMS management review and executive briefing were comprehensive and demonstrated management commitment. ISMS Champs for the Exchange, Skype for Business, Teams, Yammer and SharePoint areas of the system were interviewed during the audit. The annual Internal Audit for 2018 was reviewed. Monthly meetings with the audit team are held for assurance.
Microservices are features used within the existing services, for example charts, weather, and additional mini features.
4.2 Interested parties are defined as service teams, customers, and trust.
Experiences and Devices (E+D) is the overarching umbrella organization for O365 GRC.
Communication was reviewed for Town Halls, State of Service & Engineering, and Business Conduct.
The ISMS Manual and Statements of Applicability were updated in October 2018.
Office 365 continues to use Microsoft Visual Studio Online for incidents, bugs, fixes and action items from the different groups of the service.
The context of the organization covers all three standards: ISO 27001:2013, ISO 27018:2014 and ISO 27017:2015.
Persons in scope: 35, plus 15 leveraged resources.
Confidential personnel (16) were involved in the audit to provide support from leveraged teams and resources.
Training decks were sampled and found effective.
Management demonstrated a high level of commitment to the ISMS. CISO email communication disseminating the Information Security Policy was verified.
Documents reviewed included (but were not limited to):
Microsoft O365 ISMS Manual.
Microsoft O365 ISMS Scope Statement.
Microsoft O365 Statement of Applicability.
Internal Audit Results have been produced for 2018 and used as FedRAMP audit and SOC evidence.
ISO 27018:2014 PII controls were sampled for the Microsoft Office 365 ISMS, which is delivered from a public cloud to multi-tenant customers.
PII rights are exercised through the admin center. Annex 2 is addressed through the MS Online Service Terms.
The GDPR update is in the terms. The out-of-scope services are named.
The O365 TLS and FIPS configurations are defined.
A.2.2 Customer data cannot be used for marketing.
Deletion of temporary files is explained.
A.5.2 Recording of PII disclosure is discussed and is in the Trust Center.
A.7 There is a list of suppliers that have access to customer data in the Trust Center.
The incident management process follows a need-to-know (NTK) process.
Annex 9
The data retention schedule and deletion for MS are documented.
A.9
Hardcopy restrictions are in place.
A.10 Control and logging – Redundancy of O365.
A.10.4 FIPS 140-2 compliant devices. TLS 1.2 and 1.3 are used in transit and AES is used at rest.
A.10.10
There are unique IDs and they are not re-used.
A.10.13 Storage space is deleted after 30 days.
A.11.1 Geo-location of PII - The country and geo-location of your data is viewable from the administrative portal.
ISO 27017:2015 for Cloud Security was included in the Microsoft Office 365 ISMS because the service runs over a public cloud for multi-tenant customers as SaaS (Software as a Service). The service is both infrastructure and PaaS on Azure, depending on the service.
The use and operation of the different parts of the system can be found online with the proper login.
The Office 365 ISMS Statement of Applicability for ISO 27001:2013, ISO 27018:2014 and ISO 27017:2015 has no exclusions.
Some controls are leveraged from the internal Microsoft data center, which is BSI ISO 27001 certified.
The Internal Audit January 2018 report was reviewed during the audit, along with customer contracts and exceptions. Audit findings and results are tracked in Issue Manager and were found compliant.
Certifications held by the site include, but are not limited to:
MS Deutschland MCIO GmbH
ISO 27001:2013.
The Microsoft German Cloud is physically and logically controlled in Germany. The German Cloud has two data centers and two operations centers, and there is a dedicated private network between the data centers. The centers remain the same, but the strategy may change in the near future (2019).
Annex 5
Document Review
Microsoft O365 ISMS Manual dated October 4, 2018
Microsoft O365 ISMS Scope Statement
Microsoft O365 Statement of Applicability
Sovereign Cloud Access Control Standard (Annex 5) including Escort Policy for private cloud, dated August 20, 2018.
The incident management process has breach notification under C5 guidelines, and there have been no incidents in the last year (2017-2018).
The Data Custodian review for 2018 was reviewed during the audit; the entire year showed good SLA performance.
The security reviews were done, and a break-glass scenario was designed as a result of the August 2018 review.
The frequency of internal audits is documented, and corrective actions have been reviewed as completed.
The Internal Audit team is under a separate Executive Vice President. Statements of work (SOWs) are based on the work, stakeholders, service executives, and Board risks. A Project Lead is assigned and teams work with the lead. The MS team can include audit firm members, but they are staff augmentation.
The audit roles and responsibilities are defined for the audit and its stakeholders.
Internal audit activity has increased based on a recommendation from the board. Management action plans are the means of tracking.
Corrective actions – Issue Manager 16201 & 16204 are documented findings. The GRC team does not have write access to ensure that the audit team closes the issue; rather, they work with Internal Audit to submit updates to their findings.
The Assurance program is the risk management program. The Board of Directors is the governing body.
Trust tools are used to track risks.
Office Hours is made up of Trust, Privacy & CELA. An invitation is based on a unique circumstance for a group question or discussion. Trust Office Hours meetings and actions for approval were verified.
Risk and Remediation Status was reviewed in the audit; there are plans and current status items.
The Remediation Management Team is made up of four people responsible for following up on risks.
Just-in-Time and Privileged reporting was reviewed. Internal audit follow-up actions are due January 2019 and are tracked in a secure system: Issue Manager.
The Internal Audit Sovereign Cloud KPI review was completed in January 2018.
Services Trust Platform - Trust Tools is the internal platform that provides certification control mapping. GDPR was used as the sample, as it is the most recent addition.
There is a process to request a copy of your personal data, and the turnaround time meets GDPR requirements. This data is the captured data of what happened in the system (i.e. when an email was accessed).
Teams is evaluating combining Compliance Score with Secure Score going forward for consistency. Tools for assessing the level of compliance are available to the customer.
HR owns the tool used for screening. IDM is updated with screening approvals. The process is well documented for vendor contacts that require systems access and background checks.
Access is automated for annual Privacy Training.
ISMS controls and clauses sampled during this visit were from Annex A.5 to A.18:
(1) Risk assessment and risk treatment process; process and plan verified for 2018 risk rankings.
(2) Information Security Policy; verified, reviewed and found effective.
(3) Management and organization of information security.
(4) Asset Management; verified CMDB process and change management process for the list of assets.
(5) Operations Security; the SLAM process (security logging, analysis and monitoring) is still in use.
(6) Physical and environmental security; Microsoft MCIO (Infrastructure as a Service) controls (BSI certified).
(7) Communications and Operations management; the Security team interviews risk owners (champs): October 2017 communication from the O365 CISO.
(8) ISMS Framework including ISO 27018:2014 for PII controls.
(9) Information security incident management; Principal Group Program Manager, Office 365 GRC.
(10) Service level agreements on incident handling, 24x7.
(11) ISMS Framework including ISO 27017:2015 for Cloud.
The Encryption in O365 document dated January 2, 2018 explains how TLS and BitLocker are used in the environment. There are also guidelines on how customers can use cryptography. The TLS Configuration Standard Policy is dated March 2017. The transition up to TLS 1.2 is designed and customers have options, but upgrading is the preferred route. The approach is to have best-in-class encryption. The time frames for rolling out a service change are designed and understood for an emergency situation. The official notice that 3DES would no longer be supported from October 2018 was communicated.
The tool also shows overlapping controls for other standards (e.g. FFIEC, GDPR).
The Yammer team was reviewed during the 2018 audit. Annex Controls 9, 12, 13, 17.
Yammer has additional access controls to cover the usage of LDAP. The sync process for AD is continuous to assure credentials. Requests for access are made in the Yammer tool. The Dapper tool is used to assure authentication of the employee. JIT is the Homie3 tool, similar to Torus, for access.
Yammer is moving away from traditional backups to a replication- and versioning-based strategy as part of the service move to Azure. The Azure platform helps with consistency across containers.
BCT June 2018 test results with after actions are recorded in Yammer Visual Studio.
IcM and OSP are where the log of incidents is kept.
The Privacy role in incidents is to advise and give guidance on how to handle incidents, along with CELA.
Data Classification and Handling is done across the service as part of the Office Hours process: the type of data collected, the deletion time and why it is being collected are logged. Sampled Bing@work and SPO Video; times are defined. There are multiple Office Hours sessions weekly to support the review load.
Guidance is the goal of the review.
OXO (Office Experience Organization) is responsible for the Word, Excel, Visio and PowerPoint online versions. Microservices increase capability in the service; PowerPoint Designer, Translation and Image are good examples. Configuration of services and compliance is under OXO governance. OXO SOC audits included 41 services. O365 Trust is the guide for how services get through the trust process. Top-tier services are defined. The strategy is to move everything to the JIT solution.
The changes that need to be understood are communicated in notifications in the O365 portal.
The change process for Yammer is peer reviewed, and automated checks are done prior to implementation of the change. Changes are done per service, and rules are set up in the system for change types.
Operational Security
O365 has an activity API to view how the environment is being used.
13.1.3 Segregation
Tenant network segmentation has a White Paper which details tenant isolation at the logical level.
ISO 27001
18.1.1 Identification of Applicable Legislation and Contractual Requirements
Applicable legislation and contractual requirements are addressed with reports to the customer in the O365 portal.
NIST 800-53, NIST 800-61 (framework), FedRAMP validated September 19, 2017, SOC1 report validated.
ISMS controls and clauses sampled during this visit were from ISO 27018 as evidence:
The entire ISMS team presented evidence for compliance to ISO 27018. The controls below were reviewed and evidence was sampled during the audit for adherence:
A.1 Consent and choice – Reviewed administrator portal user interface.
A.2 Purpose legitimacy and specification – Reviewed Terms and Conditions.
A.2.1 Cloud PII processor's purpose; A.2.2 Cloud PII processor's commercial use - Reviewed Terms and Conditions and confirmed that Microsoft does not allow the use of customer data for marketing purposes.
A.4.1 Secure erasure of temporary files - Reviewed Terms for deleting temp files and time frames for O365.
A.5.2 Recording of PII disclosures - Reviewed disclosures to notify and redirect requests to the tenant.
A.9.1 Notification of a data breach involving PII - Reviewed breach disclosure workflow and process involving legal and executives.
A.9.2 Retention period for administrative security policies and guidelines – Retention for policies 30/60/90/180 days.
A.9.3 PII return, transfer, and disposal – Reviewed Terms and disclosure of access to and deletion of customer data, 90-180 day grace period, etc.
A.10.1 Confidentiality or non-disclosure agreements reviewed - All employees must sign the agreement annually as part of the employee handbook.
A.10.3 Control and logging of data restoration reviewed - Controls CP103 and CP 9501 in the Trust Center.
Contingency plan FY17 – SPO, EXO, SfB, Teams, OXO and Yammer was reviewed during the 2018 audit.
A.10.6 Encryption of PII transmitted over public data-transmission networks - Reviewed terms for FIPS 140-2 and encryption between data centers.
A.10.8 Unique use of user IDs - Reviewed terms for Active Directory and 2-factor authentication.
A.10.9 Records of authorized users reviewed - IDM for controls, monthly reviews for access.
A.10.10 User ID management reviewed - IDM for controls; users must reapply for access at expiration.
A.11 Privacy compliance: changed terms for SSL/TLS encryption between data centers. SSL and TLS 1.0 have been deprecated and TLS 1.2 is the new strategy.
The company has an authorized personnel SDL process with a drop-down for applicable selections.
The WIKI feature inside Dev Ops is used for process and procedure.
The build process into Azure has security features built in that will create bugs if necessary in TSA (Trust Services Automation). VS holds the records of build approvals for audit and compliance purposes.
The Skype process was reviewed for Privacy.
The My Access tool is used to create security groups for the teams.
Annex 14
SAT testing is done by rings (user groups) from small to large, across the firm.
The separation of production and development is done in the networks by location and tenant.
A.11.1 Geographical location of PII - regional selection of service by contract. Global presence.
A.11.2 Intended destination of PII - Reviewed terms for TLS 1.2 / encryption between data centers.
Annex 12.1
Capacity has an auto-scale feature built in per service. Monitoring graphs are available, with alerts for any thresholds.
Annex 16
Incident management - ICM is the monitoring system for logging. The security incident team on-call is the first point of contact. Preventive practices and tooling are part of the 10-person team. SMEs are brought into issues for
clarity in the service affected. SIR owns the incident until closure. Visual Studio tracks bugs. The volume has shown a slow increase across the year. Daily standup meetings are held for case monitoring. Visual Studio is the tracking tool for preventive measures.
Reviewed ticketing system and found no aging tickets.
ISO 27018
Privacy and Protection of PII & Cryptography
The MS Cryptographic Board meets annually and publishes the controls, validated by MS Risk.
Legal publishes the regulatory requirements, which are available in the Trust Center; TLS versions 1.0-1.2 were verified for 2018.
ISMS controls and clauses sampled during this visit were from ISO 27017 as evidence:
The entire ISMS team presented evidence for compliance to ISO 27017. The controls below were reviewed and evidence was sampled during the audit.
6.1.1 Information security roles and responsibilities
The cloud service provider has roles and JIT responsibilities defined. Customer roles are also documented.
6.1.4 Information security awareness, education, and training.
8.1.1 Inventory of assets - No customer assets are obtained; the data deletion process is followed.
8.2.2 Labeling of information - Control and the associated data are handled by customers; guidelines to consider are published.
9.1.2 Access to networks and network services
9.2.2 User access provisioning – Reviewed process during audit. Also has 2-factor authentication.
9.2.4 Management of secret authentication information of users
12.1.2 Change management & 12 Operations security & 12.1 Operational procedures and responsibilities
The Trust Center describes how the controls are operated as well as tested.
12.1.3 Capacity management
CLD.6.3 Relationship between cloud service customer and cloud service provider
The relationship regarding shared roles and responsibilities between the cloud service customer and MS O365 is set out in agreements for information security management.
CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment - The service is clear on the tools used for management by administrators and support.
CLD.8.1.5 & Annex 8.1.8 Removal of cloud service customer assets – There is a documented process for service end and removal of customer data: Acceptable Use of Information and Data Handling Standard 2018. Customer data (email) and EUID (end user) data are all scoped out in their lifecycle. MCIO has the physical devices and O365 has the logical controls.
Asset Management; verified the CMDB process for MCIO (MS Asset database). The individual services manage the service assets and billing. There is monthly reporting of system assets. O365 does budgeting by service, with larger reporting of the items.
Central Admin and OSP are the primary internal operations and administration tools used to manage the service.
CLD.9.5 Access control of cloud service customer data in shared virtual environment
To mitigate information security risks when using the shared virtual environment of cloud computing, the environments are separated in design.
CLD.9.5.1 Segregation in virtual computing environments - Segregation is used to mitigate information security risks when using the shared virtual environment of cloud computing; the environments are separated in design.
Internal Audit
5 pm debrief
Day 2
8:30 Cloud ISO 27017/27001 Opening Meeting
Cloud framework presentation
Day 3
Internal Audit / German
Internal Audit
Day 5
8:30 PII Cloud ISO 27018 Follow up Meeting
PII Cloud ISO 27018 framework presentation
The scope of the assessment is the documented management system in relation to the requirements of ISO 27001:2013, ISO 27018:2014 and ISO 27017:2015, and the defined assessment plan provided in terms of locations and areas of the system and organization to be assessed.
Criteria: Office 365 ISMS Statement of Applicability dated October 18, 2018, ISO 27018:2014 Statement of Applicability dated October 18, 2018, and ISO 27017:2015 Statement of Applicability dated October 18, 2018.
Office 365 ISMS management system documentation.
Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of
the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration that a
deputy management representative be nominated. It is expected that the deputy would stand in should
the management representative find themselves unavailable to attend an agreed visit within 30 days of its
conduct.
Scope of Certification
Assessed location(s)
Review of assessment findings regarding conformity, effectiveness and relevance of the management system:
Review of the assessment cycle: the organization has had few findings and all have been resolved across their multiple certificates. Management has upgraded their ISMS in this last visit cycle.
The client manager remains qualified with the necessary codes, impartiality, and BSI processes and procedures.
Definitions of findings:
Nonconformity:
Non-fulfilment of a requirement.
Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services will
meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could demonstrate a
systemic failure and thus constitute a major nonconformity.
Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.
Observation:
It is ONLY applicable for those schemes which prohibit the certification body from issuing an opportunity for improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a
management system which, if not improved, may lead to a nonconformity in the future.
'Just for Customers' is the website that we are pleased to offer our clients following successful registration, designed to support you in maximizing the benefits of your BSI registration. Please go to www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference number and your certificate number.
Should you wish to speak with BSI in relation to your registration, please contact our Operations Support Team:
Notes
This report and related documents are prepared for and only for BSI's client and for no other purpose. As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in connection with any other purpose for which the Report may be used, or to any other person to whom the Report is shown or into whose hands it may come, and no other persons shall be entitled to rely on the Report. If you wish to distribute copies of this report external to your organization, then all pages must be included.
BSI, its staff and agents shall keep confidential all information relating to your organization and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.
This audit was conducted on-site through document reviews, interviews and observation of activities. The
audit method used was based on sampling the organization’s activities and it was aimed to evaluate the
fulfilment of the audited requirements of the relevant management system standard or other normative
document and confirm the conformity and effectiveness of the management system and its continued
relevance and applicability for the scope of certification.
As this audit was based on a sample of the organization's activities, the findings reported do not purport to include all issues within the system.
Regulatory compliance
BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report by
the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.