
Assessment Report

Microsoft Office 365

Assessment dates 11/05/2018 to 11/10/2018 (Please refer to Appendix for details)


Assessment Location(s) Redmond (001)
Report Author Leonard Glover
Assessment Standard(s) ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO IEC 27018

Page 1 of 30
Assessment Report.

Table of contents
Executive Summary ............................................................................................................................................................ 3
Changes in the organization since last assessment ........................................................................................................... 4
NCR summary graphs ......................................................................................................................................................... 5
Your next steps ................................................................................................................................................................... 6
NCR close out process.................................................................................................................................................... 6
Assessment objective, scope and criteria .......................................................................................................................... 7
Assessment Participants .................................................................................................................................................... 8
Assessment conclusion ...................................................................................................................................................... 9
Findings from this assessment ......................................................................................................................................... 10
The management of Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance with
the Office 365 ISMS Statement of Applicability dated October 19, 2018, ISO 27018:2014 Statement of Applicability
dated October 19, 2018, and ISO 27017:2015 Statement of Applicability dated October 19, 2018. ISMS Manual and
Statements of Applicability have been updated October 2018. This Assessment includes reference smo in 2018-
8796419 / 8796410 / 8796420: .................................................................................................................................... 10
Next visit objectives, scope and criteria........................................................................................................................... 21
Next Visit Plan .................................................................................................................................................................. 23
Appendix: Your certification structure & ongoing assessment programme.................................................................... 24
Scope of Certification................................................................................................................................................... 24
Assessed location(s) ..................................................................................................................................................... 24
Certification assessment program ............................................................................................................................... 27
Mandatory requirements – re-certification................................................................................................................. 27
Definitions of findings: ................................................................................................................................................. 28
How to contact BSI....................................................................................................................................................... 29
Notes ............................................................................................................................................................................ 29
Regulatory compliance ................................................................................................................................................ 30

Executive Summary
Microsoft has continued to grow the O365 Integrated ISMS by adding services and continuing to grow the
Trust Team.

Changes in the organization since last assessment


There has been no significant change to the organization structure or to the key personnel involved in the
audited management system.

No change in relation to the audited organization’s activities, products or services covered by the scope of
certification was identified.

There was no change to the reference or normative documents related to the scope of certification.

NCR summary graphs


There have been no NCRs raised.

Your next steps

NCR close out process

There were no outstanding nonconformities to review from previous assessments.


No new nonconformities were identified during the assessment. Enhanced detail relating to the overall
assessment findings is contained within subsequent sections of the report.

Please refer to Assessment Conclusion and Recommendation section for the required submission and the
defined timeline.

Assessment objective, scope and criteria


The objective of the assessment was to conduct a re-assessment of the existing certification to ensure the
elements of the scope of registration and the requirements of the management standard are effectively
addressed by the organization's management system.

The scope of the assessment is the documented management system with relation to the requirements of
ISO 27001:2013, ISO 27018:2014 and ISO 27017:2015 and the defined assessment plan provided in terms
of locations and areas of the system and organization to be assessed.

The visit was conducted as an integrated assessment.

The assessment criteria were the Office 365 ISMS Statement of Applicability dated October 18, 2018, the ISO
27018:2014 Statement of Applicability dated October 18, 2018, the ISO 27017:2015 Statement of Applicability
dated October 18, 2018, and the Office 365 ISMS management system documentation.

Assessment Participants

Name                 Position                                          Opening Meeting   Closing Meeting   Interviewed (processes)
Greg Roberts         Principal Group Program Manager                   X                 X                 X
Patricia Anderson    Principal Program Manager Lead, Office 365 GRC    X                 X                 X

Assessment conclusion
BSI assessment team

Name Position
Leonard Glover Team Leader
Saroj Patel Team Member

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. Based on the results of
this audit, the audit team concludes that the organization fulfils the standards and audit criteria identified
within the audit report, and it is deemed that the management system continues to achieve its intended
outcomes.

RECOMMENDED - The audited organization can be recommended for recertification to the above listed
standards, and has been found in general compliance with the audit criteria as stated in the above-mentioned
audit plan.

Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.

Findings from this assessment

The management of the Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance
with the Office 365 ISMS Statement of Applicability dated October 19, 2018, ISO 27018:2014 Statement of
Applicability dated October 19, 2018, and ISO 27017:2015 Statement of Applicability dated October 19, 2018.
The ISMS Manual and Statements of Applicability have been updated October 2018.

This Assessment includes reference smo in 2018-8796419 / 8796410 / 8796420:

Leadership & Management Responsibility and Review
Management is dedicated to ensuring continued improvement of its ISMS. Management has reviewed the
entire Microsoft O365 ISMS for adequacy, metrics, suitability and improvement.

The 3rd quarter 2018 review of the ISMS and the Executive briefing were comprehensive and demonstrated
management commitment. ISMS Champs for the Exchange, Skype for Business, Teams, Yammer and SharePoint
areas of the system were interviewed during the audit. The annual Internal Audit for 2018 was reviewed.
Monthly meetings with the audit team are held for assurance.

Microservices are features used within the existing services, for example charts, weather and additional mini
features.

4.1 Context of the Organization – regulatory PII protection etc., dependencies for services, Risk Appetite
(November 2018).

4.2 Interested parties are defined as service teams, customers, and trust.

Experiences and Devices E+D is the overarching umbrella organization for O365 GRC.

Communication was reviewed for Town Halls, State of Service & Engineering, Business Conduct.

Services were reviewed and approved in Visual Studio in 2018.

FY 19 Standards of Business Conduct training was completed for the entire organization.

The ISMS Manual and Statements of Applicability have been updated October 2018.
Office 365 continues to use Microsoft Visual Studio Online for incidents, bugs, fixes and action items from
different groups of the service.
The context of the organization covers all three standards: ISO 27001:2013, ISO 27018:2014 and ISO 27017:2015.
Persons under scope: 35, plus 15 leveraged resources.
Confidential personnel (16) were involved in the audit to provide support from leveraged teams and resources.
Training decks were sampled and found effective.

Management demonstrated their high level of commitment to the ISMS. Verified CISO email communication
to disseminate the Information Security Policy.
Documents reviewed included (but not limited to):
Microsoft O365 ISMS Manual reviewed.
Microsoft O365 ISMS Scope Statement.
Microsoft O365 Statement of Applicability.

Internal Audit results have been produced for 2018 and used as FedRAMP audit and SOC evidence.

ISO 27018:2014 PII controls in the Microsoft Office 365 ISMS were sampled, as the service runs from a public
cloud for multi-tenant customers.
PII rights are exercised through the admin center. A.2 is addressed through the MS Online Service Terms, which
include the GDPR update. The out-of-scope services are named.
The O365 TLS and FIPS configurations are defined.
A.2.2 Data cannot be used for marketing.
Deletion of temporary files is explained.
A.5.2 Recording of PII disclosure is discussed and is in the Trust Center.
A.7 A list of suppliers that have access to customer data is in the Trust Center.
The Incident Management process follows the NTK (Need to Know) process.
A.9 Data retention schedule and deletion for MS are documented.
A.9 Hardcopy restrictions are in place.
A.10 Control and logging; redundancy of O365.
A.10.4 FIPS 140-2 compliant devices. TLS 1.2 and 1.3 are used in transit and AES is used at rest.
A.10.10 There are unique IDs and they are not re-used.
A.10.13 Storage space is deleted after 30 days.
A.11.1 Geographical location of PII - the country and geo location of your data is viewable from the
administrative portal.

ISO 27017:2015 for cloud security was included in the Microsoft Office 365 ISMS because the service is run
over a public cloud for multi-tenant customers as SaaS (Software as a Service). Depending on the service, it
runs on both Azure infrastructure and Azure PaaS.

The use and operation of different parts of the system can be found online with proper login.

The Office 365 ISMS Statement of Applicability for ISO 27001:2013, ISO 27018:2014, & ISO 27017:2015
has no exclusions.
Some controls are leveraged from the internal Microsoft Data Center, which is BSI ISO 27001 certified.

Continual Improvement occurs across the product line.


The process was improved in 2018 by adding additional GDPR controls for ISO 27018. This was reviewed and
approved by Microsoft management.

The Internal Audit report of January 2018 was reviewed during the audit along with customer contracts and
exceptions. Audit findings and results were found compliant in Issue Manager.

Certifications held by the site include, but are not limited to:
MS Deutschland MCIO GmbH
ISO 27001:2013.

The Microsoft German Cloud is physically and logically controlled in Germany. The German Cloud has two data
centers and two operations centers, with a dedicated private network between the data centers.
The centers remain the same, but the strategy may change in 2019.

Annex 5
Document Review
Microsoft O365 ISMS Manual dated October 4, 2018
Microsoft O365 ISMS Scope Statement
Microsoft O365 Statement of Applicability
Sovereign Cloud Access Control Standard (Annex 5 ) including Escort Policy for private cloud, dated August
20, 2018.

The incident management process includes breach notification under C5 guidelines, and there have been no
incidents in the last year (2017-2018).

The Data Custodian review for 2018 was reviewed during the audit for the entire year, with good SLA performance.

The security reviews were done, and a break glass scenario was designed as a result of the August review
for 2018.

The frequency of internal audits is documented, and corrective actions have been reviewed as completed. The
Internal Audit team reports to a separate Executive Vice President. Statements of work (SOWs) are based on the
work, stakeholders, service executives, and Board risks. A Project Lead is assigned and teams work with the
lead. The MS team can include audit-firm members, but they are staff augmentation.
The audit roles and responsibilities are defined for auditors and stakeholders.

Internal audit activity has increased based on a recommendation from the board. Management action plans are
the means of tracking.

Corrective actions - Issue Manager 16201 and 16204 are documented findings. The GRC team does not have write
access, which assures that the audit team closes the issue; instead, GRC works with Internal Audit to submit
updates to their findings.
The Assurance program is the risk management program. The Board of Directors is the governing body.
Trust tools are used to track risks.

Office Hours is made up of Trust, Privacy and CELA. An invitation is based on a unique circumstance needing a
group question or discussion. Verified Trust Office Hours meetings and actions for approval.

Risk and Remediation Status was reviewed in audit and there are plans and current status items.
Remediation Management Team is made up of four people responsible for follow up on risks.

Risk Management Process


Risk Assessment is done quarterly with risk owners and rolls up to the MS Enterprise Risk process.
The CISO leads the quarterly meeting; 2018 risk items were verified. GDPR was the focus last year.

Just in Time (JIT) and privileged access report. Internal audit follow-up actions are due January 2019 and are
tracked in a secure system: Issue Manager.

Internal Audit for Sovereign Cloud KPI review was completed Jan. 2018.

Services Trust Platform - Trust Tools is the internal platform that maintains the certification control mapping.
GDPR was used as the sample as it is the most recent addition.
There is a process to request a copy of your personal data, and the turnaround time meets GDPR
requirements. This data is the captured record of what happened in the system (i.e. when email was accessed).

Teams is evaluating combining Compliance Score with Secure Score going forward for consistency. Tools for
assessing the level of compliance are available to the customer.

Human Resources Security and Training / 7.3 Awareness


O365 designated training - the O365 Security Foundations training record was reviewed for sampled employees
during the audit and found effective. The security training program is an on-going process and is conducted at
annual intervals in order to communicate security updates. The Monthly Service report was reviewed for 100%
completion of the last annual Standards of Business Conduct training and found effective.

HR owns the tool used for screening. IDM is updated with screening approvals. The process is well documented
for vendor contacts that require systems access and background checks.
Access to the annual Privacy Training is automated.

ISMS controls and clauses sampled during this visit were from Annex A.5 to A.18:
(1) Risk Assessment and risk treatment process; process and plan verified for 2018 risk rankings
(2) Information Security Policy; verified, reviewed and found effective.
(3) Management and organization of Information security;
(4) Asset Management; verified CMDB process and change management process for list of assets.
(5) Operations Security; - SLAM process (security logging analysis and monitoring) is still in use.

(6) Physical and environmental security; - Microsoft MCIO (Infrastructure as a Service) controls (BSI
certified)
(7) Communications and Operations management; Security team interviews risk owners (champs): October
2017 communication from the O365 CISO.
(8) ISMS Framework including ISO 27018:2014 for PII controls
(9) Information security incident management; - Principal Group Program Manager Office 365 GRC
(10) Service level agreements on incident handling 24x7
(11) ISMS Framework including ISO 27017:2015 for Cloud.

ISO 27001 Sect 6 Planning


The O365 team has maintained annually updated information security plans and reports that include applicable
actions, are reported to top management, and are documented in customer agreements.

ISO 27001 Sect 7 Support


The information security management system has documented information required for Yammer,
SharePoint (SPO), Skype for Business (SfB), Teams, OXO, Exchange (EXO) and other O365 services.

ISO 27001 Sect 8 Operation

Risk Assessment Report for 2018
• Sensitivity of information that is handled in performing the business process
• Impact of loss of data integrity
• Impact of loss of data or process tools availability
Treatments and action plans were found effective. No impacting risks currently, but improvements are
underway to further enhance existing controls.

ISO 27001 Sect 9 Performance Evaluation


A.9.4 System and application access control is handled using the IDM (identity management) system. Multiple
layers of approval are required for access, by workgroup and by system.
• Information Security Awareness
• Incident Response
• Security Reviews
• Risk Management
• Compliance

A.10.1 Cryptographic controls


The organization operates a centralized cryptographic policy. All encryption adheres to specific TLS
requirements and specific hashing criteria that are FIPS 140-2 driven. Additionally, all encryption is
managed by a strict lifecycle in which keys are rotated and adhere to expiration and rollover processes. The
controls were verified by the director of O365 for 2018.
The Service Trust tool has the questionnaire for controls around cryptography, what should be understood,
and a scoring.

The Encryption in O365 document dated January 2, 2018 explains how TLS and BitLocker are used in the
environment. There are also guidelines on how customers can use cryptography. The TLS Configuration
Standard Policy is dated March 2017. The transition up to TLS 1.2 is designed and customers have options,
but upgrading is the preferred route. The approach is to have best-in-class encryption. The time frames for
rolling out the service are designed and understood in case of an emergency situation. The official notice
that 3DES would no longer be supported as of October 2018 was communicated.
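The TLS policy described above (TLS 1.2 as the floor, SSL/TLS 1.0 deprecated, 3DES withdrawn in October 2018, FIPS 140-2 driven cipher choices) can be checked mechanically. The following is an added example written for this report, not Microsoft's or BSI's code; the policy constants, the `Finding` type and the sample configurations are assumptions constructed for illustration, and the check looks only at protocol floor and cipher names, not at FIPS validation of the underlying module.

```python
"""Added example (not from the BSI report): audit a TLS server configuration
against the O365 encryption policy the report describes. The audit works on a
minimum protocol version plus a list of OpenSSL cipher names, so it runs
offline; audit_context() pulls those two things from a live ssl.SSLContext."""
import ssl
from dataclasses import dataclass

# Policy floor from the report: anything below TLS 1.2 is a finding.
MIN_PROTOCOL = ssl.TLSVersion.TLSv1_2

# Cipher-name fragments that violate the policy. "DES-CBC3" is OpenSSL's name
# for the 3DES suites withdrawn in October 2018; the other entries are
# primitives that are not FIPS 140-2 approved for TLS or are broken outright.
BANNED_CIPHER_MARKERS = ("DES-CBC", "3DES", "RC4", "MD5", "NULL", "EXPORT")


@dataclass(frozen=True)
class Finding:
    control: str   # clause the finding maps to in the report (A.10.1 Cryptographic controls)
    detail: str


def audit_tls_policy(minimum_version, cipher_names):
    """Return a list of Findings; an empty list means the configuration conforms."""
    findings = []
    version = ssl.TLSVersion(minimum_version)
    if version < MIN_PROTOCOL:
        findings.append(Finding("A.10.1", f"minimum protocol {version.name} is below TLSv1_2"))
    for name in cipher_names:
        upper = name.upper()
        for marker in BANNED_CIPHER_MARKERS:
            if marker in upper:
                findings.append(Finding("A.10.1", f"cipher {name} uses banned primitive {marker}"))
                break   # one finding per cipher is enough
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext (what a server process would actually negotiate with)."""
    return audit_tls_policy(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def hardened_context():
    """Server context matching the report's policy: TLS 1.2 floor, ECDHE + AES-GCM only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!3DES:!RC4")
    return ctx


def weak_config_example():
    """Constructed pre-transition configuration: TLS 1.0 floor with 3DES and RC4 still enabled."""
    return ssl.TLSVersion.TLSv1, ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"]


def conformant_config_example():
    """Constructed configuration that meets the policy as written."""
    return ssl.TLSVersion.TLSv1_2, ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256"]


if __name__ == "__main__":
    for label, (version, ciphers) in (("weak", weak_config_example()),
                                       ("conformant", conformant_config_example())):
        print(f"{label}: {[f.detail for f in audit_tls_policy(version, ciphers)]}")
    print("hardened context:", [f.detail for f in audit_context(hardened_context())])
```

Running the script prints three findings for the weak configuration and none for the conformant list or the hardened context.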

The tool also shows overlapping controls for other standards (e.g., FFIEC, GDPR).

The Yammer team was reviewed during the 2018 audit. Annex controls 9, 12, 13 and 17.
Yammer has additional access controls to cover the usage of LDAP. The AD sync process is continuous to
assure credentials. Requests for access are made in the Yammer tool. The Dapper tool is used to assure
authentication of the employee. JIT is the Homie3 tool, similar to Torus, for access.

Yammer is moving away from traditional backups to a replication and versioning based strategy as part of
the service move to Azure. The Azure platform helps with consistency across containers.

The BCT June 2018 test results, with after-actions, are recorded in Yammer Visual Studio.

Managed controls by MS are implemented with details.


MS has completed the managed part of the service for every standard!

IcM and OSP are where the log of incidents is kept.
The Privacy role in incidents is to advise and give guidance on how to handle incidents, along with CELA.

Data classification and handling is done across the service as part of the Office Hours process: the type of
data collected, the deletion time and why it is being collected are logged. Bing@work and SPO Video were
sampled; times are defined. There are multiple Office Hours sessions weekly to support the review load.
Guidance is the goal of the review.

OXO (Office Experience Organization) is responsible for the online versions of Word, Excel, Visio and
PowerPoint. Microservices increase capability in the service; PowerPoint Designer, Translation and Image are
good examples. Configuration of services and compliance is under OXO governance. OXO SOC audits
included 41 services. O365 Trust is the guide for how services get through the trust process. Top-tier
services are defined. The strategy is to move everything to the JIT solution.

A.11 Physical and environmental security


The organization operates physical, administrative, and technical information security controls per the
government requirements ensuring the preservation of confidentiality, integrity, and accessibility of
information assets. The infrastructure is covered by Microsoft MCIO and campus proximity cards.

A.12.1.2 Change management


The Change policy defines the criteria by which changes are handled. A documented definition of each type
of change item was available for review. The organization manages changes based on the customer's
direction, and the already established flow was reviewed for 2018.

Changes that customers need to understand are published as notifications in the O365 portal.

For Yammer, the process is peer reviewed and automated checks are done prior to implementation of the
change. Changes are done per service, and rules are set up in the system for change types.

Operational Security

O365 has an activity API to view how the environment is being used.

13.1.3. Segregation
Tenant network segmentation has a White Paper which details tenant isolation at the logical level.

Annex 9 Access Management


The IDM process was reviewed in the audit using the Torus tool. Access is granted with managerial and
workload approval. Expiration is based on the initial approval date. An inactivity timeout is set in order to
assure the need is still there, consistently across all workloads. There are consistent incremental syncs of
the systems and a daily full sync. The strategy will remain the same in 2019 as the system works well.
Lockbox is the tool that provides elevated access. The customer approval process is a service offering.
The portal for seeing clearances, along with eligibility, is OSP.

Lockbox participates in monthly security review and service review.

A.12.1.3 Capacity management


The organization has identified and agreed capacity and performance requirements with the customer.
SLAs for services and applications have been maintained.

A.13.1 Network security management


The organization has agreements with customers for the services to be delivered. The organization provides
monthly MSR on-time reporting and all SLAs required for 2018.
The patch tool Spacewalk is used to coordinate patches that the security team approves.

A.16 Information security incident management


The incident reporting process was found to be effectively maintained. There is evidence of a very good
security incident management process, with an escalation and notification process intact. The Severity 0 and
Severity 1 process for 2018 was sampled and found effective.
The Security Team is responsible for coordination of defined events. There is also a Cyber Op Center. The
process is based on NIST SP 800-61.

18.1.1 Identification of Applicable Legislation and Contractual Requirements


Applicable legislation and contractual requirements are addressed with reports to the customer in 2018.
NIST 800-53, FedRAMP and SOC were sampled for contractual commitments.
An information security policy document has been reviewed by management for 2018.
The LERR legal report is published.

ISO 27001
18.1.1 Identification of Applicable Legislation and Contractual Requirements
Applicable legislation and contractual requirements are addressed with reports to the customer in the O365 portal.
NIST 800-53, NIST 800-61 (framework), FedRAMP validated September 19, 2017, SOC1 report validated

ISMS controls and clauses sampled during this visit were from ISO 27018 as evidence:
The entire ISMS team presented evidence for compliance to ISO 27018. The controls below were reviewed and
evidence was sampled during the audit for adherence:
A.1 Consent and choice – Reviewed administrator portal user interface
A.2 Purpose legitimacy and specification – Reviewed Terms and Conditions

A.2.1 Cloud PII processor's purpose
A.2.2 Cloud PII processor's commercial use - Reviewed Terms and Conditions and confirmed that Microsoft does
not allow the use of customer data for marketing purposes
A.4.1 Secure erasure of temporary files - Reviewed Terms for deleting temp files and time frames for O365
A.5.2 Recording of PII disclosures - Reviewed disclosures to notify and redirect requests to the tenant
A.9.1 Notification of a data breach involving PII - Reviewed breach disclosure workflow and process
involving legal and executives
A.9.2 Retention period for administrative security policies and guidelines - Retention for policies
30/60/90/180 days
A.9.3 PII return, transfer, and disposal - Reviewed Terms and disclosure of access to and deletion of
customer data, 90-180 days grace period etc.
A.10.1 Confidentiality or non-disclosure agreements reviewed - All employees must sign the agreement
annually as part of the employee handbook
A.10.3 Control and logging of data restoration reviewed - Controls CP103 and CP 9501 in the Trust Center
Contingency plan FY 17 for SPO, EXO, SfB, Teams, OXO and Yammer was reviewed during the 2018 audit.
A.10.6 Encryption of PII transmitted over public data-transmission networks - Reviewed terms for FIPS
140-2 and encryption between data centers
A.10.8 Unique use of user IDs - Reviewed terms for Active Directory and two-factor authentication
A.10.9 Records of authorized users reviewed - IDM for controls, monthly reviews for access
A.10.10 User ID management reviewed - IDM for controls; users must reapply for access at expiration
A.11 Privacy compliance changed terms for SSL/TLS encryption between data centers.
SSL and TLS 1.0 have been deprecated and TLS 1.2 is the new strategy.
The company has an authorized-personnel SDL process with a drop-down for applicable selections.
The WIKI feature inside Dev Ops is used for process and procedure.

The build process into Azure has security features built in that create bugs if necessary in TSA (Trust
Services Automation). VS holds the records of build approvals for audit and compliance purposes.
The Skype process was reviewed for privacy.
The My Access tool is used to create security groups for the teams.

Annex 14
SAT testing is done by rings (user groups) from small to large, across the firm.

The separation of production and development is done in networks by location and tenant.

A.11.1 Geographical location of PII - regional selection of service by contract. Global presence.
A.11.2 Intended destination of PII - reviewed terms for TLS 1.2 / encryption between data centers.

Annex 12.1
Capacity has an auto-scale feature built in per service. Monitoring graphs are available, with alerts
configured for thresholds.

The geo-redundant storage strategy is implemented with Azure replication.

Annex 16
Incident management - the ICM monitoring system is used for logging. The on-call security incident team is the
first point of contact. Preventive practices and tooling are part of a 10-person team. SMEs are brought into issues for
clarity in the service affected. SIR owns the incident until closure. Visual Studio tracks bugs. The volume
has shown a slow increase across the year. Daily standup meetings are held for case monitoring. Visual
Studio is also used to track preventive measures.
The ticketing system was reviewed and no aging tickets were found.

COSMOS logs and access to them are very tightly controlled.

ISO 27018
Privacy and Protection of PII & Cryptography
The MS Cryptographic Board meets annually and publishes the controls, validated by MS Risk.
Regulatory requirements published by Legal are available in the Trust Center; TLS versions 1.0-1.2 were
verified for 2018.

ISMS controls and clauses sampled during this visit were from ISO 27017 as evidence:

The entire ISMS team presented evidence for compliance to ISO 27017. The controls below were reviewed and
evidence was sampled during the audit.
6.1.1 Information security roles and responsibilities
Cloud service provider has roles and JIT responsibilities defined. Customer roles are also documented.
6.1.4 Information security awareness, education, and training.

8.1.1 Inventory of assets - No customer assets are obtained; the data deletion process is followed.
8.2.2 Labeling of information - The control and the associated data are handled by customers; guidelines to
consider are published.
9.1.2 Access to networks and network services
9.2.2 User access provisioning - Reviewed process during audit. Also has two-factor authentication.
9.2.4 Management of secret authentication information of users

Security and Compliance – Jan 2018


9.4.1 Information access restriction
9.4.4 Use of privileged utility programs
Microsoft uses a promotion program that allows access for narrowly scoped work.
Tenant Isolation
Active Directory, subscription storage, and location of data prevent intermingling of data. An ACL list is available.
O365 Secrets Management Policy
Yammer settings are built to check access every 5 minutes, and authorizer reviews are done monthly.
Code is executed through templates, and any change to a template causes an alert and review.

10.1 Cryptographic controls


Encryption policy and type is documented and followed according to policy.

12.1.2 Change management & 12 Operations security & 12.1 Operational procedures and responsibilities
The Trust center has how the controls are operated as well as tested.
12.1.3 Capacity management

The capacity is reviewed in reports monthly.


12.3.1 Information backup
30 data centers with over 100 co-locations
Yammer is moving to Azure to simplify its architecture and integrate closer with Office 365 standard
processes.

12.4.1 Event logging
Logging is published for the admin to view the environment.
12.4.4 Clock synchronization
12.6.1 Management of technical vulnerabilities
Technical Vulnerability Audit report
Security Report 2018, published annually
Follow-up from the finding was verified as still working in Oct. 2018
Reviewed Yammer logs for requests and privileged accounts
Yammer employs a comprehensive management dashboard, which was reviewed.

13.1.3 Segregation in networks
Network segregation is implemented as part of tenant isolation.
14.1.1 Information security requirements analysis and specification
Post-mortems are performed for impacting incidents.
The team blends technical ability with varied credentials.
The incident response process is based on NIST SP 800-61.
XR case management is performed within the secured Cyber Defense Operations Center (CDOC). There
is a daily briefing call.
Incident types and categories are defined consistently across teams.

14.2.1 Secure development policy – The Security Development Lifecycle (SDL) is followed, using agile methods.


15.1.1 Information security policy for supplier relationships – General Counsel assures the relationships.
15.1.2 Addressing security within supplier agreements – General Counsel assures the relationships.
15.1.3 Information and communication technology supply chain – General Counsel assures the relationships.
Reporting information security events.
Supplier Security and Privacy Assurance (SSPA)
The sampled supplier record showed a verified SSPA green status in the system.
The Power BI tool was sampled for the status of suppliers and of blocked suppliers.

18.1.1 Identification of applicable legislation and contractual requirements & 18.1.2 Intellectual property rights
Legal publishes the regulatory requirements, which are available in the Trust Center. Appropriate controls have been
implemented to handle infringement (e.g. copyright).

CLD.6.3 Relationship between cloud service customer and cloud service provider
The shared roles and responsibilities between the cloud service customer and Microsoft Office 365 for
information security management are set out in the agreements.

CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment – The service clearly defines
the tools used for management by administrators and support.


CLD.8.1.5 & Annex 8.1.8 Removal of cloud service customer assets – There is a documented process for end of
service and removal of customer data (Acceptable Use of Information and Data Handling Standard, 2018).
Customer data (email) and end-user (EUID) data are scoped throughout their lifecycle. MCIO owns the
physical devices and O365 owns the logical controls.

Asset management: the CMDB process for MCIO (the MS Asset database) was verified. The individual services
manage their service assets and billing, with monthly reporting of system assets. O365 budgets per service,
with consolidated reporting of the items.

Central Admin and OSP are the primary internal operations and administration tools used to manage the
service.

CLD.9.5 Access control of cloud service customer data in shared virtual environment
To mitigate information security risks when using the shared virtual environment of cloud computing, the
environments are separated by design.

CLD.9.5.1 Segregation in virtual computing environments – Segregation is used to mitigate information security
risks in the shared virtual environment of cloud computing; the environments are separated by design.

CLD.12.1.5 Administrator's operational security
Control procedures for administrative operations of a cloud computing environment are defined,
documented and monitored.

CLD.13.1.4 Alignment of security management for virtual and physical networks
The configuration of virtual networks, and the consistency of configuration between virtual and physical
networks, are verified against the cloud service provider's network security policy before being put into
production.

Next visit objectives, scope and criteria

The objective of the assessment is to conduct a surveillance assessment and look for positive evidence that
the elements of the scope of certification and the requirements of the management standard are
effectively addressed by the organization's management system; that the system demonstrates the
ability to support the achievement of statutory, regulatory and contractual requirements and the
organization's specified objectives, as applicable to the scope of the management standard; and
to confirm the ongoing achievement and applicability of the forward strategic plan.

Date      Assessor         Time    Area/Process                                          Clause

Day 1     Leonard Glover   9:00    Audit plan and documentation review                   ISO 27001
                                   Changes to the ISMS
                                   Audit interview planning and coverage
                           1:00    Lunch
                           2:00    Management review                                     9
                                   Internal audit
                           5:00    Debrief

Day 2                      8:30    Cloud ISO 27017/27001 opening meeting                 ISO 27017/27001
                                   Cloud framework presentation
                                   Statement of Applicability for cloud controls
                           1:00    Lunch (working)
                           2:00    Risk assessment for cloud controls                    ISO 27017/27001
                           3:30    Sampling of evidence for cloud controls               ISO 27017/27001
                           5:00    Daily debrief meeting

Day 3                              Internal audit / German
                                   Security & incident management
                           12:00   Lunch (working)
                           1:00    Asset management
                           3:00    Compliance
                           4:00    Human resources security
                           5:00    Debrief, findings report

Day 4     Leonard Glover   9:00    Statement of Applicability sampling                   ISO 27001:2013
                                   Documentation & records / Access management
                           1:00    Lunch
                           2:00    Reporting (Eastern)
                           5:00    Daily debrief

Day 5                      8:30    PII Cloud ISO 27018 follow-up meeting                 ISO 27018/27001
                                   PII Cloud ISO 27018 framework presentation
                                   Statement of Applicability for PII cloud controls
                           12:30   Sampling of evidence for PII cloud controls           ISO 27018/27001
                           1:00    Closing meeting

Day 6     Leonard Glover   9:00    Management review
(November 2018)                    Internal audit
                                   Security & incident management
                           12:00   Lunch (working)
                           1:00    Germany: Asset management
                           3:00    Compliance
                           4:00    Human resources security
                           5:00    Debrief, findings report

The scope of the assessment is the documented management system with relation to the requirements of
ISO 27001:2013, ISO 27018:2014 and ISO 27017:2015 and the defined assessment plan provided in terms
of locations and areas of the system and organization to be assessed.

Office 365 ISMS Statement of Applicability dated October 18, 2018, ISO 27018:2014 Statement of
Applicability dated October 18, 2018, and ISO 27017:2015 Statement of Applicability dated October 18,
2018.
Office 365 ISMS management system documentation

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of
the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration that a
deputy management representative be nominated. It is expected that the deputy would stand in should
the management representative find themselves unavailable to attend an agreed visit within 30 days of its
conduct.


Next Visit Plan

Date Auditor Time Area/Process Clause

Appendix: Your certification structure & ongoing assessment programme

Scope of Certification

IS 552878 (ISO/IEC 27001:2013)


The management of Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance
with the Statement of Applicability dated October 18, 2018.

PII 663484 (ISO IEC 27018)


The management of Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance
with the Statement of Applicability dated October 18, 2018. (ref. ISO 27001:2013 certificate number IS
552878).

CLOUD 663485 (ISO/IEC 27017:2015)


The management of Information Security Management System (ISMS) for Microsoft Office 365 Services
development, operations, support, and protection of personally identifiable information (PII) in accordance
with the Statement of Applicability dated October 18, 2018. (ref. ISO 27001:2013 certificate number IS
552878).

Assessed location(s)

The audit has been performed at Permanent Locations.

Redmond / IS 552878 (ISO/IEC 27001:2013)


Location reference 0047358928-001
Address Microsoft Office 365
1 Microsoft Way
Redmond
Washington
98052-8300
USA
Visit type Re-certification Audit (RA Opt 2)
Assessment reference 8614496
Assessment dates 11/05/2018
Deviation from Audit Plan No
Total number of Employees 35
Total persons doing work at this site 35
Scope of activities at the site The management of Information Security Management System
(ISMS) for Microsoft Office 365 Services development,
operations, support, and protection of personally identifiable
information (PII) in accordance with the Statement of
Applicability dated October 18, 2018.
Assessment duration 5 Day(s)

Redmond / CLOUD 663485 (ISO/IEC 27017:2015)


Location reference 0047358928-001
Address Microsoft Office 365
1 Microsoft Way
Redmond
Washington
98052-8300
USA
Visit type Re-certification Audit (RA Opt 2)
Assessment reference 8796336
Assessment dates 11/09/2018
Deviation from Audit Plan No
Total number of Employees 35
Effective number of Employees 35
Scope of activities at the site The management of Information Security Management System
(ISMS) for Microsoft Office 365 Services development,
operations, support, and protection of personally identifiable
information (PII) in accordance with the Statement of
Applicability dated October 18, 2018.
Assessment duration 1 Day(s)

Redmond / PII 663484 (ISO IEC 27018)


Location reference 0047358928-001
Address Microsoft Office 365
1 Microsoft Way
Redmond
Washington
98052-8300
USA
Visit type Re-certification Audit (RA Opt 2)
Assessment reference 8796335
Assessment dates 11/08/2018
Deviation from Audit Plan No
Total number of Employees 35
Effective number of Employees 35
Scope of activities at the site The management of Information Security Management System
(ISMS) for Microsoft Office 365 Services development,
operations, support, and protection of personally identifiable
information (PII) in accordance with the Statement of
Applicability dated October 18, 2018.
Assessment duration 1 Day(s)


Certification assessment program

Certificate Number - IS 552878


Location reference - 0047358928-001

Business area/Location                Audit1   Audit2   Audit3   Audit4   Audit5   Audit6
Date (mm/yy):                         11/19    11/20    11/21
Duration (days):                      2.5      4        5        0.0      0.0      0.0
Improvement Process                   X        X        X
Internal audits                       X        X        X
ISMS Framework                        X        X        X
Management Reviews / Responsibility   X        X        X
SAMPLING Annex A Controls (*)         X        X
Risk assessment and treatment         X        X
SAMPLING 27018 Controls               X        X        X
SAMPLING 27001 Controls               X        X        X

(*) Annex A controls listed for sampling: 5.1.1 Policies for information security; 5.1.2 Review of policies for
information security; 6.1.1 Allocation of information security roles and responsibilities; 6.1.2 Segregation of
duties; 6.1.3 Contact with authorities; 6.1.4 Contact with special interest groups; 6.1.5 Information security in
project management; 6.2.1 Mobile device policy; 6.2.2 Teleworking; 7.1.1 Screening; 7.1.2 Terms and
conditions of employment; 7.2.1 Management responsibilities during employment; 7.2.2 Inf

Mandatory requirements – re-certification.


Review of assessment findings regarding conformity, effectiveness and relevance of the management
system:

Over the assessment cycle the organization has had few findings, and all have been resolved across its
multiple certificates. Management upgraded the ISMS during the last visit cycle.

Management system strategy and objectives:

Management has communicated its intention to continue using and improving the ISMS.

Review of progress in relation to the organization's objectives:

Management has communicated its intention to continue using the ISMS and to show consistency across
the organization.

Review of assessment progress and the re-certification plan:

The entire ISMS has been audited in the last visit cycle; the clauses and controls have been evidenced,
along with corrective actions and top management support. The management team for the scope of
activities remains in place, as does the audit duration.

BSI Client Management Impartiality and Surveillance Strategy:

Client manager remains qualified with necessary codes, impartiality, and BSI processes and procedures.

Continue with the current Total assessment days / Cycle.

Definitions of findings:

Nonconformity:
Non-fulfilment of a requirement.

Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services will
meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could demonstrate a
systemic failure and thus constitute a major nonconformity.


Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.

Opportunity for improvement:


It is a statement of fact made by an assessor during an assessment, and substantiated by objective
evidence, referring to a weakness or potential deficiency in a management system which if not improved
may lead to nonconformity in the future. We may provide generic information about industrial best
practices but no specific solution shall be provided as a part of an opportunity for improvement.

Observation:
It is ONLY applicable for those schemes which prohibit the certification body to issue an opportunity for
improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a
management system which, if not improved, may lead to a nonconformity in the future.

How to contact BSI

'Just for Customers' is the website that we are pleased to offer our clients following successful registration,
designed to support you in maximizing the benefits of your BSI registration - please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number

Should you wish to speak with BSI in relation to your registration, please contact our Operations Support
Team:

BSI Management Systems


12950 Worldgate Drive
Suite 800
Herndon
VA
20170
Tel: +1 (800) 862 4977 Fax: +1 (703) 437 9001

Notes

This report and related documents are prepared for and only for BSI’s client and for no other purpose. As
such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in
connection with any other purpose for which the Report may be used, or to any other person to whom the
Report is shown or into whose hands it may come, and no other persons shall be entitled to rely on the
Report. If you wish to distribute copies of this report external to your organization, then all pages must be
included.

BSI, its staff and agents shall keep confidential all information relating to your organization and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities. The
audit method used was based on sampling the organization’s activities and it was aimed to evaluate the
fulfilment of the audited requirements of the relevant management system standard or other normative
document and confirm the conformity and effectiveness of the management system and its continued
relevance and applicability for the scope of certification.

As this audit was based on a sample of the organization’s activities, the findings reported do not imply to
include all issues within the system.

Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report by
the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.
