Scribd
Upload
480 views166 pages

Office 365 Audited Controls

Uploaded by

Raman Gauta
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
480 views166 pages

Office 365 Audited Controls

Uploaded by

Raman Gauta
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
You are on page 1/ 166

Audited Controls Information

What is in this spreadsheet?

The tabs in this spreadsheet

Columns within each of the other tabs:

Control Id
Control Title
Office 365 Control Ids
Implementation Details

Testing Details

Last Tested
Tested By
Control Family Id

Control Family Name


Control Family Description
s Information
This spreadsheet provides information about Microsoft Office 365 controls, implementation details, and audit test
procedures for the particular regulation(s) or standard(s) that you selected to download. Combining this information with
audit reports, FAQ's and whitepaper available from the same portal where you downloaded this spreadsheet will help you to
perform you own risk assessment or due diligence on Office 365 services.
The first tab of this spreadsheet is the "Introduction" tab - which you are reading right now :-). Each of the rest of the tab(s)
describe one of the regulatory or compliance standards that were selected for download.

he other tabs:

Control identification number as established by the regulation or standard


Title of the control
Control identificaion number(s) of the Microsoft Office 365 controls aligned to the regulation or standard
Detailed information on how Microsoft Office 365 implements controls to comply with the regulation or standard in order
to protect confidentiality, integrity, and availability of your data
Detailed information on the testing of this control that was performed by either independent third party auditors or
Microsoft in order to confirm the effectiveness of the control
Date that the control was last tested
Who tested the control
Control family or control area identification number as established by the regulatory standard or compliance guidance

Control family or control area name based on guidelines from the regulatory standard or compliance guidance
Control family or control area summary including a high level explanation of the underlying controls implemented within
this control area
Name: ISO 27001:2013
Description: Office 365 has been accredited to latest ISO 27001:2013 standards. Information under this standard will help you to understand how Office 365 has implemented Information Security Management System (ISMS) to manage and control information security risks. In addition you will gain deep insights into implementation and testing of

Control Id Control Title Implementation Details Testing Details


A.5.1.1 Policies for information Microsoft develops, documents, and distributes a security policy that addresses purpose, scope, roles, responsibilities, management Examined the Microsoft and Office 365 information security policies and determined that Office 365 developed and documented a security policy that addresses purpose,
security commitment, coordination among organizational entities, and compliance. Microsoft and Office 365 security policies exist in order scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. In addition, viewed a screenshot of the accompanying
to provide Office 365 staff and contractor staff with a current set of clear and concise information security policies. These policies approval signature page and confirmed that the documents were reviewed and approved.
provide direction for the appropriate protection of Office 365. Further an Office 365 information security policy has been created as
a component of an overall Information Security Management System for Office 365. The Office 365 information security policy has A demonstration of the SharePoint document repository provided during interviews with senior program managers confirmed that the policy and procedures documentation
been reviewed, approved, and endorsed by Office 365 management. Each management-endorsed version of the Microsoft and was managed, updated, and made available via SharePoint to Office 365 staff and contractor staff.
Office 365 security policies and subsequent updates are distributed to the relevant stakeholders. These security policies are made
available for review to new and existing Office 365 staff. Office 365 staff represent that they have reviewed, and agree to adhere to, Reviewed and validated that the policies listed below existed and confirmed that the documents address purpose, scope, roles and responsibilities, management commitment,
policies stated within the Microsoft and Office 365 information security policy documents. Office 365 contractor staff also agree to coordination among organizational entities, and compliance. In addition, a review of samples of the associated standard operating procedures confirmed that these
adhere to the relevant policies stated within the Microsoft and Office 365 security policies. Should one of these parties not have documents provided additional granularity, policy clarification (engineering guidance), and articulated the details for what was expected from each Office 365 team.
access to this policy for any reason, the supervising Office 365 agent is responsible for distributing the policy to them. A customer
facing version of the Microsoft security policy is made available for customer review through the Office 365 Security & Compliance Microsoft Security Policy
Center (http://protection.office.com) and the Microsoft Cloud Service Trust Portal (http://aka.ms/STP). Office 365 Information Security Policy
Office 365 Awareness & Training Policy
Office 365 Audit & Logging Policy (Office 365 audit and accountability)
Office 365 Security Assessment and Authorization Policy

A.5.1.2 Review of information Office 365 regularly reviews policies for information security at planned intervals, or if significant changes occur, to ensure their Examined Office 365 policies and associated procedures and confirmed that documentation was tracked using SharePoint document management, and was updated at least
security policies continuing suitability, adequacy, and effectiveness. Furthermore, Office 365 security policies undergo a formal review and update annually. Evidence of this was provided in the form of updated policy and procedures documentation (including review notes and sign-off's provided) and a demonstration of
process at a regularly scheduled interval not to exceed one year. In the event a significant change is required in the security the SharePoint repository used to manage the documents.
requirements, policies may be reviewed and updated outside of the regular schedule. 
Interviewed Office 365 program managers and determined that the information security program documentation, including both policy and procedures, was reviewed and
updated at least annually. Additionally, SharePoint provides subscription mechanisms for personnel to receive automated alerts when changes are made.

A.6.1.1 Information security roles Office 365 identifies individuals with information system security roles and responsibilities. The Office 365 security policies address Examined the Office 365 information security policy and determined that this document addressed purpose, scope, roles and responsibilities, management commitment,
and responsibilities purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft coordination among organizational entities, and compliance.
organizations providing some level of support for the security of Office 365. Office 365 security policies contain rules and
requirements that must be met in the delivery and operation of Office 365. Office 365 employees and contingent staff are
accountable and responsible for complying with these guiding principles in their designated roles.
A.6.1.2 Implementation of Office 365 segregates duties and areas of responsibility to reduce opportunities for unauthorized use, unintentional modification, or Examined account management procedures to confirm that account management entitlement groups were the method used for creating separation of duties via role-based
segregation of duties misuse of the organization’s assets. Office 365 teams have defined roles as part of a comprehensive role-based access control access within Office 365.
mechanism. Additionally, each Office 365 team has identified role pairs that, if assigned to a single person, would allow for malicious
activity without collusion. If such roles pairs exist, no individual is allowed to belong to both roles. As one example, throughout Reviewed a sample of the account management tool used for opening bugs for the creation of a new entitlement to confirm that the account management groups were in
Office 365, individuals in any role with the ability to approve access requests, cannot approve their own access requests. use and were intended to institute separation of duties within the Office 365 environment.

A.6.1.3 Contacts with authorities Office 365 is partnered with the Microsoft Trustworthy Computing Team to maintain contacts with external parties such as Validated that Office 365 has defined the organization(s) that provide information security alerts to the service, and that these alerts were being disseminated to Office 365
regulatory bodies, service providers, and industry organizations, such as the United States Computer Emergency Readiness Team teams on an ongoing basis.
(US-CERT) to ensure appropriate action can be quickly taken and advice obtained when necessary. Office 365 relies on Microsoft's
global criminal compliance and Corporate, External, and Legal Affairs (CELA) teams for contacts with law enforcement. Roles and Confirmed that the Office 365 security team was registered to receive mailing list notifications from the US-CERT, and reviewed the US-CERT Web site for new notifications
responsibilities for managing and maintaining these relationships are defined. daily.

Interviewed an Office 365 Principle Program Manager Lead and Office 365 Program Manager to validate that Office 365 maintained appropriate contacts with regulators and
relevant authorities from the government and other regulated industries through Microsoft's Trustworthy Computing, global criminal compliance, and CELA organizations.

A.6.1.4 Contacts with information Office 365 establishes and institutionalizes contact with selected groups and associations within the security community to facilitate Interviewed an Office 365 Principle Program Manager Lead and Office 365 Program Manager to determine that Office 365 established and institutionalized contact with
security special interest ongoing security education and training for organizational personnel. Office 365 has partnered with the Microsoft Trustworthy selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel. Validated that Office 365
organizations Computing Team to maintain contacts with external parties such as regulatory bodies, service providers, and industry organizations security and compliance teams participated in specialist security forums and professional association events. Example entities were:
to ensure appropriate actions can be quickly taken and advice obtained when necessary.
1. ISACA - Information Systems Audit and Control Association
2. ISC2 - International Information System Security Certification Consortium
3. RSA – Rivest, Shamir, & Adleman Conference
4. SANS – System and Network Security Institute
5. BHC - Black Hat Conference
6. CSA - Cloud Security Alliance
A.6.1.5 Information security Office 365 addresses Information security in project management, regardless of the type of the project. Office 365’s implementation Examined the SDL documentation and validated that a determination of information security requirements was included in the requirements phase of the SDL.
management for Office 365 of lifecycle support is outlined in Microsoft's Security Development Lifecycle (SDL), a process that is followed by Office 365
projects engineering and development projects. A security requirements analysis must be completed for development projects. This analysis Reviewed Office 365 security plans and the SDL, which provided a detailed outline of the processes followed by engineering and development projects. Determined that the
document acts as a framework and includes the identification of possible risks to the finished development project as well as security risk management process was closely integrated with the SDL, and that the SDL was a security development model that includes specific security considerations for
mitigation strategies that can be implemented and tested during the development phases. Critical security review and approval software, services, and devices. The SDL is designed to process code through rigorous security measures to ensure that the code can function in a manner that complies with
checkpoints are included during the development lifecycle. Microsoft's security standards. A security requirements analysis must be completed for Office 365 engineering and system development projects. This analysis document
acted as a framework and included the identification of possible risks to the finished development projects, as well as mitigation strategies that could be implemented and
tested during the development phases. Critical security reviews and approval checkpoints were included during the development lifecycle.

Interviewed a sample of organizational personnel with information security and development lifecycle responsibilities and determined that security is a primary focus of the
SDL process. Changes made to a component's code were subject to the SDL process and updates to the information system needed to proceed through a change
management process. Security measures, such as static and dynamic code analysis, were included within this process to ensure that updated code meets the level of security
required by Office 365. Signoffs were required from Release Managers for each step of the process.

Examined a PowerPoint briefing describing the SDL process and determined that measures were in place to regulate the development and maturity of Office 365 components.

Obtained and inspected evidence for a selection of SDL projects to ascertain that a security review was performed for each project prior to release.

Validated through the examination of capital programming and budgeting documentation, including the security compliance budget, the provision for security line items in
Office 365 budgeting and planning.

A.6.2.1 Policies for mobile devices Microsoft has adopted a policy and supporting security measures to manage the risks introduced by using mobile devices. Validated that Office 365 documentation, including the Office 365 security plan, affirms that mobile devices were not allowed within the information system boundary.
Unauthorized mobile computing devices are not permitted in, or directly attached to, any Office 365 production environment.
Microsoft staff and contingent staff must adopt and follow appropriate security practices when using mobile computing devices to Interviewed an Office 365 Principle Program Manager Lead and an Office 365 Program Manager to determine whether there have been any changes or exceptions to this
protect against the risks of using mobile equipment. Such risks relate to the mobile nature of these devices, and the security policy and confirmed that there have been no changes or exceptions.
practices adopted by Microsoft to mitigate these risks may include, but are not limited to, mobile device physical protection, access
controls, cryptographic requirements, virus protection, and/or controlling locations from which the devices may connect. Mobile Examined the Office 365 security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations (MCIO) team for partial implementation of
computing and data recording devices include PDAs, portable hard drives, laptop computers, flash drives, other recordable media, this control. Please review the ISO and SOC audit reports for MCIO for further details. These reports are available in the Compliance Reports section of Service Assurance
etc. Microsoft monitors for any unauthorized use of mobile devices in the Office 365 environment and performs investigations (http://aka.ms/serviceassurance).
accordingly. Office 365 assets are locked in cages in Microsoft facilities that are access-controlled. While Office 365 technicians have
physical access to the servers within the cages, they do not have the logical access to the servers that would be required to make
use of portable media.

A.6.2.2 Management of teleworking Office 365 employs a policy and supporting security measures to protect information accessed, processed, or stored at teleworking Examined Office 365 access control policy and procedures addressing remote access to the information system for the usage restrictions, configuration and connection
sites. Telecommunicating locations are governed by the Office 365 remote access policy which requires authentication for remote requirements, and implementation guidance for each type of remote access.
access to Office 365’s networks.
Tested the remote access authentication mechanisms (remote access through terminal servers, multi-factor authentication, and just-in-time access) implementing the security
Office 365 uses Terminal Services Groups to control access into the environment. Terminal Services Groups are used to control and measures described in access control documentation and determined that Office 365 employed a policy and supporting security measures to protect information accessed
limit access to the Office 365 environment. Office 365 staff must be a member of the proper security groups and must use multi- and processed remotely.
factor authentication before being authorized to connect.
A.7.1.1 Screening requirements Office 365 screens individuals prior to authorizing access to the information system. Office 365 has implemented personnel Examined the Office 365 system security plan and determined that Microsoft screens individuals prior to authorizing access to the Office 365 information system. Determined
screening controls that include the use of background checks on employees and contingent staff. Office 365 Standards state that that "cloud screening" background checks were required to be completed prior to creating an Office 365 team account. Validated this was enforced technically via account
new employees (full time employees and contingent staff) are subject to a background check as part of the normal Office 365 hiring management tools, which will not allow account creation if the screening check has not been successfully completed.
practices. No candidate or employee can begin work or be placed on an assignment until the required background checks have
been successfully completed. Certain roles supporting cloud offerings may involve additional background checks or authentication Examined the background check requirements for full-time employees and contractors as well as selections of background screens performed and determined that the Office
requirements, such as proof of United States citizenship, or personnel security clearances that may require fingerprinting. 365 requirements for initial background checks, as well as employees transferring teams, and recurring biennially has been completed. These requirements were matched to
Background checks are required when hiring domestic external candidates as well as for current employees and internal transfers, the requirements defined in Office 365 system security plan.
whose jobs include working on customers' worksites and/or access to certain sensitive areas, including potential access to personally
identifiable information as defined in the Office 365 Asset Classification & Data Handling Standard. Any job-related criminal history
or material misrepresentation, falsification, or omission of fact may disqualify a candidate from employment or, if the individual has
commenced employment, may result in termination of employment.

A.7.1.2 Employment terms and Office 365 ensures that individuals requiring access to organizational information and information systems sign the appropriate Examined Microsoft's Employee Handbook and interviewed an Office 365 Principle Program Manager Lead and an Office 365 Senior Program Manager and determined that
conditions access agreements prior to being granted access. Office 365 staff are required to sign confidentiality and non-disclosure the rules of behavior were embedded in the Employee Handbook. The handbook is available to all employees on Microsoft's internal Human Resources portal. Office 365
agreements, as well as the Microsoft Employee Handbook, at the time of hire as a condition for employment. Additionally, the team users are provided with the rules of behavior as part of their annual security awareness training. Also determined that users were asked to provide explicit
Microsoft corporate general use standard describes user responsibilities and establishes expected behavior when using Office 365. acknowledgement during this training and that submission of training completion constitutes agreement that the user understands the handbook.
Users, including employees, vendors, and contractors are required to follow the rules of behavior outlined in the general use
standard. Vendors and contractors are required to have a signed Microsoft Master Vendor Agreement (MMVA) to ensure Examined the MMVA and determined that suppliers needed to comply with the physical and information security policies set out in the statement of work or otherwise
compliance with Microsoft policies on required engagements. The agreements are put in place to protect trade secrets, sensitive or provided to the supplier by Microsoft. Determined that, per the MMVA, the supplier must employ security procedures to prevent disclosure of Microsoft confidential
business confidential information, and assets. Office 365 contingent staff must also sign a non-disclosure agreement at the time of information to unauthorized third parties. Suppliers needed to have controls in place to protect the system access, system and application development and maintenance,
engagement before being given access to Office 365 services. change management, asset classification and control, incident response, physical and environmental security, disaster recovery, and employee training. Security requirements
were detailed in the MMVA that needed to be signed by an employee prior to beginning work at Microsoft. Also interviewed Office 365 Trust team personnel and determined
that vendors/contractors were subjected to the MMVA and to the non-disclosure agreements.

Examined the Office 365 system security plan and determined that vendors and contractors were subjected to the same screening requirements as Microsoft personnel.
Microsoft requires that vendors submit screening outcomes for third-party personnel directly to Microsoft, where they are tracked in a human resources information system.
Also examined the MMVA and determined that it has defined the personnel security requirements for vendors and contractors to gain approval.
A.7.2.1 Management responsibilities Office 365 management requires employees and contractors to apply information security in accordance with Microsoft's Interviewed an Office 365 Principle Program Manager Lead and an Office 365 Senior Program Manager and determined that the rules of behavior were embedded in the
around information security established policies and procedures. Office 365 receives a signed acknowledgement from such individuals indicating that they have Microsoft Employee Handbook and that security objectives were established per Microsoft's information security policy. The security policy and handbook are available to
read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system. employees on Microsoft's internal Human Resources portal.

Additionally confirmed that Office 365 team users are provided with the rules of behavior as part of their annual security awareness training. Determined that users were
asked to provide explicit acknowledgement during this training and that submission of training completion constitutes agreement that the user understands this document.

A.7.2.2 Plan for information security Office 365 provides employees of the organization and, where relevant, contractors with appropriate awareness education and Examined the Office 365 system security plan, the Office 365 information security policy, the Office 365 security training policy, and Office 365 security awareness training
awareness, education, and training and regular updates in organizational policies and procedures, as relevant to their job function. Office 365 provides role- modules, and determined that Office 365 provides security awareness training to information system users (including managers, senior executives, and contractors) as part of
training based security training to personnel with assigned security roles and responsibilities. Appropriate Office 365 staff takes part in a their initial training. All staff are required to take a new employee orientation security awareness and standards of business conduct training course within the first 30 days of
Microsoft Online Services-sponsored security training program, and are recipients of periodic security awareness updates when their employment by or transfer into the organization. Microsoft information technology and corporate security facilitated the training course which encompasses standard
applicable. Security education is an on-going process and is conducted regularly by Microsoft in order to minimize risks. Microsoft business security measures, information security, and user actions to maintain security and to respond to suspected security incidents. Office 365 Risk Management has
Online Services contractor staff are required to take all training determined to be appropriate to the services being provided and the implemented the security training control by requiring employees and contractors to take the security and awareness training annually. Non-operational personnel that is
role they perform. All personnel are required to enroll in New Employee Orientation security awareness and Standards of Business involved in development or quality assurance were required to take the mandatory training, as well as training associated with the operational procedures related to asset
Conduct training within the first 30 days of their employment by or transfer into the organization. Furthermore, the Office 365 Risk handling, incident response, and change control.
Management team has implemented a security training control that requires users (employees and contractors) to take the security
and awareness training on an annual basis. Non-operational personnel that are involved in development or quality assurance are Examined the Office 365 system security plan, the Office 365 information security policy, Office 365 framework controls, and the Office 365 security training policy, and
also required to take the mandatory training offered by Microsoft Online Services, as well as training associated with the operational determined that security training is required when there is a significant change to the system environment.
procedures related to Asset Handling, Incident Response, and Change Control. In addition, training related to system access, along
with the associated procedures, may be required. Security training is also required when there is a significant change to the system Examined a report of training records and screenshots identifying course content and determined that annual security awareness training addressed security awareness and
environment. was conducted in accordance with the annual frequency.

A.7.2.3 Disciplinary process around Microsoft uses a formal sanctions process for personnel that fail to comply with established information security policies and Examined the Office 365 system security plan and determined that Microsoft uses a formal sanctions process for personnel that fail to comply with established information
information security breach procedures. Any Office 365 personnel suspected of committing breaches of security and/or violating Microsoft's security policy are security policies and procedures. Validated that Microsoft's Human Resources team is responsible for ensuring that the sanctions process is conducted properly. Potential
subject to an investigation process and disciplinary action up to and including termination. Contractor staff suspected of committing security breaches involving Office 365 employees or third-party personnel were immediately reported to Human Resources, to the Corporate, External, and Legal Affairs
breaches of security and/or violation of the Microsoft's security policy are subject to formal investigation and action appropriate to (CELA) team, and to the employee's manager at Microsoft.
the associated contract, which may include termination of such contract. Once a determination has been made that an Office 365
staff member has violated policy, Human Resources is informed and is responsible for coordinating the disciplinary response. Interviewed an Office 365 Trust team Lead as well as a Senior Program Manager and determined that sanctions were reported to human resources, CELA, and the person's
manager. Incidents undergo a formal investigation before sanctions/actions are determined against the employee.
A.7.3.1 Responsibilities around Upon termination of individual employment, Microsoft conducts exit interviews that include a discussion of information security Examined the Office 365 system security plan as well as Microsoft's Employee Handbook and determined that Microsoft's Human Resources team is responsible for ensuring
termination topics. Responsibilities of management and employees related to completing terminations including revocation of access, return of that an exit interview, which includes a discussion of information security topics, is conducted upon termination of individual employment.
smartcards, ID cards, equipment and documentation, etc. are formally documented, and communicated by Human Resources.
Interviewed Office 365 Trust team and Office 365 Service team Leads and determined that responsibilities of management and employees related to completing termination
processes include revocation of access, return of smartcards, ID cards, equipment and documentation, etc., are formally documented and communicated by Human
Resources.

Interviewed Office 365 Trust team and Office 365 Service team Leads who have participated in an exit interview process. Confirmed that upon termination, the employees
were required to turn in their badge and all corporate equipment was recovered prior to the end of the business day. In addition, the employees were provided with the
policies and procedures about security and reminded of their non-disclosure and non-compete commitments.

A.8.1.1 Asset inventory Microsoft develops and documents an inventory of information system components that is at the level of granularity deemed Interviewed Office 365 Service team and Office 365 Trust team Leads to understand the end-to-end inventory workflow and the validation that happens via automated scans.
necessary for tracking and reporting. Office 365 has implemented a formal policy that requires assets used to provide Office 365 Determined that Office 365 developed and documented an inventory of information system components that was at the level of granularity deemed necessary for tracking
services to be accounted for and have a designated asset owner. An inventory of hardware assets in the Office 365 environment is and reporting.
maintained in an asset management tool. Asset owners are responsible for maintaining up-to-date information regarding their
assets within the asset inventory tool including owner or any associated agent, location, and security classification. Asset owners are Examined a sample of Office 365 inventory and change records of information system components and confirmed that the information maintained in the central asset
also responsible for classifying and maintaining the protection of their assets in accordance with the Office 365 asset classification reporting database (e.g., hostname, make, model, operating system, patch level, role, datacenter, virtual status, owning Office 365 team, etc.) was current and accurate.
and data handling standards.
A.8.1.2 Asset ownership Microsoft develops and documents an inventory of information system components that accurately reflects the current information Examined a sample of Office 365 inventory and change records of information system components and confirmed that the information maintained in the central asset
system. The Asset Management team uses a centralized ticketing system to track requests from the Office 365 team and the reporting database contains the level of granularity (e.g., hostname, make, model, operating system, patch level, role, datacenter, virtual status, the owning Office 365 team,
movement of assets. Assets have an assigned owner and policies and procedures have been developed and implemented to define etc.) needed to identify the individuals responsible and accountable for administering those components.
owner responsibilities.
A.8.1.3 Assets acceptable use policy Microsoft regularly reviews and updates the rules of acceptable usage standards of the infrastructure and other technology assets. Examined Microsoft's Employee Handbook as well as Interviewed an Office 365 Principal Program Manager Lead and an Office 365 Senior Program Manager. Determined that
The Microsoft Employee Handbook outlines the specific acceptable usage standards of the infrastructure and services technology Microsoft regularly reviews and updates it's rules of acceptable usage standards of the infrastructure and other technology assets. The Employee Handbook is available to
assets. All users, including employees, vendors, and contractors are required to follow the rules of behavior, which are outlined in employees on Microsoft's Human Resources portal. Additionally, Office 365 team members were provided with the rules of behavior as part of their annual security awareness
the Employee Handbook. training. Determined that users were asked to provide explicit acknowledgement during this training and that submission of training completion constitutes agreement that
the user understood this document.
A.8.1.4 Asset collection upon Upon termination of individual employment, Microsoft retrieves security-related organizational information and system-related Reviewed the Office 365 security plan and determined that Human Resources assistants or managers collect employee badges during the exit interview or upon termination.
termination property. Human Resources assistants or managers collect employee badges during the exit interview or upon termination. Business Business administrators and/or managers of terminated employees collect hardware assets at the time of termination. Additionally, when an employee was terminated, the
administrators and/or managers of terminated employees collect hardware assets. Microsoft may also conduct an audit to make employee is removed from the Human Resources Information System, which automatically notifies Microsoft's Accounts and Security Teams of the change, and revokes
sure data is removed in an appropriate manner. access to the system.

Interviewed Office 365 Trust team and Office 365 Service team Leads who have participated in the exit interview process. Confirmed that upon termination, the employees
were required to turn in their badges and corporate equipment was recovered prior to the end of the business day. Based on the procedures noted above, determined that
upon termination of individual employment, Microsoft retrieves security-related organizational information and system-related property.

A.8.2.1 Information classification Microsoft categorizes information and the information system in accordance with applicable federal laws, executive orders, Reviewed Microsoft's Office 365 asset classification and data handling standards and determined that the organization has documented how data (information within the
directives, policies, regulations, standards, and guidance. Classification of Office 365 assets and data handling standards provide system and output from the system) should be handled and retained.
guidance for classifying assets into one of the following security classification categories, based upon the type of data stored:
customer data (the most restricted data), account data, organization identifiable information, and system metadata. Interviews with Office 365 Security, Trust, and Service team Leads confirmed that data handled by Office 365 was subject to the Office 365 asset classification and data
handling standards, and that there are no exceptions to this policy.
A.8.2.2 Standards for information Microsoft policy requires that information assets must be protected based upon their classification. Office 365 asset classification Reviewed Microsoft's asset classification and data handling standards and determined that the organization has documented how data (information within the system and
labelling and data handling standards provide guidance for classifying and labeling assets into one of the following security classification information output from the system) should be handled, labeled, and retained.
categories - customer data (the most restricted data), account data, organization identifiable information, and system metadata. This
standard applies to information assets (data), as well as any information systems, or Microsoft personnel (which include any staff Interviews with Office 365 Security, Trust, and Service team Leads confirmed that data handled in Office 365 is subject to the Office 365 asset classification and data handling
including employees, interns, vendors, contractors, or other personnel) engaged in development, operations or support. Asset standards, and that there are no exceptions to this policy.
owners are required to assign and label their assets as per the asset classification requirements and no assets are exempt from this
requirement. In the datacenter environment, assets refer to servers, network devices, and magnetic tapes. Other digital media such
as USB flash/thumb drives, external/removable hard drives, and CD/DVD’s are not used. Non-digital media is not used in the
datacenter.

A.8.2.3 Data handling Microsoft protects media that contains information against unauthorized access, misuse, or corruption during transportation. Reviewed Microsoft's asset classification and data handling standards and determined that the organization has documented how data (information within the system and
Microsoft restricts access to digital media to organization-defined personnel or roles. Microsoft has implemented media access information output from the system) should be handled/labeled/retained.
through the implementation of the Microsoft Security Policy. Logical access to digital media is controlled via Active Directory Group
Policy and security group membership. Physical access to media is restricted using physical datacenter access controls. Access is Interviews with Office 365 Security, Trust, and Service team Leads confirmed that data handled in Office 365 is subject to Microsoft's asset classification and data handling
restricted to individuals who have a legitimate business purpose for accessing the data. The Asset Protection Standard defines the standards, and that there were no exceptions to this policy.
safeguards required to protect the confidentiality, integrity, and availability of information assets within Microsoft's datacenters.
Examined the Office 365 system security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations (MCIO) group for the partial
implementation of this control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Report section of Service
Assurance.

A.8.3.1 Removable media Microsoft develops, documents, and disseminates to organization-defined personnel or roles, procedures to facilitate the Examined the Office 365 system security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations (MCIO) group for the partial
management implementation of the media protection policy and associated media protection controls. Microsoft does not use removable media implementation of this control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Report section of Service
within the Office 365 production environment. Assurance.
A.8.3.2 Media disposal Microsoft disposes of media securely when no longer required, using formal procedures. Microsoft sanitizes media prior to disposal, Examined the Office 365 system security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations (MCIO) group for the partial
release out of organizational control, or release for reuse in accordance with applicable federal and organizational standards and implementation of this control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Report section of Service
policies. Microsoft maintains accountability for assets leaving the datacenter through the use of NIST SP 800-88 consistent Assurance.
processes for cleansing/purging, asset destruction, encryption, accurate inventorying, tracking, and protection of chain of custody
during transport.
A.8.3.3 Physical media transfer and Microsoft protects media containing information against unauthorized access, misuse or corruption during transportation. Microsoft Examined the Office 365 system security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations (MCIO) group for the partial
handling protects and controls data on storage media during transport outside of controlled areas. In reference to this control, digital media implementation of this control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Report section of Service
at Microsoft datacenters consists of servers, network devices, and magnetic tapes. Microsoft datacenters do not use non-digital Assurance.
media. Microsoft uses three methods to protect media that is being transported outside the datacenter: 1) secure transport, 2)
encryption, and 3) cleanse, purge, or destroy.

All media being transported from Microsoft datacenters requires accurate tracking. Tickets are created to arrange and track the
transportation of media. Microsoft has contracted with several approved vendors to provide secure shipping services. Secure
transport begins with an accurate inventory and chain of custody. Authorized asset managers are required to manage the exchange
of assets. Assets are inventoried at the time of delivery to the transporter. The asset manager must witness the container being
locked with a tamper-proof seal. Secure transport could have additional requirements such as a dedicated transport for Office 365
assets, GPS tracking, and stopping only at Microsoft locations. In cases of longer transport routes, the requirement could be that
there are multiple drivers and trucks with sleeping quarters to provide for non-stop delivery. At the delivery location, the transport
company’s approved personnel must be present to witness the removal of the tamper-proof seal and unlocking of the container.
The receiving personnel will inventory the shipment and send a message confirming the receipt of the assets. This inventory is
validated by the Microsoft asset manager.

Some assets are required by Microsoft to be encrypted during transport. Magnetic tapes are required to be encrypted. Microsoft
uses SafeNet KeySecure to manage cryptographic keys using a FIPS 140-2 Level 3 validated encryption module and HSM to secure
AES 256-bit encrypted data on the magnetic tapes. When magnetic tapes are picked up for off-site storage, an approved asset
manager must deliver the locked container to the off-site storage vendor and enter an account pin before inventorying the tapes
being transported. Upon receipt of by the storage vendor, a message confirming the inventory received is sent to the asset
manager.

Microsoft contracts with a vendor to provide equipment destruction. Depending on asset classification, some equipment is required
to be destroyed on-site. Office 365 assets are required to be cleansed or purged before leaving the datacenter. Office 365 assets are
cleansed or purged with methods consistent with NIST SP 800-88 prior to reuse or disposal. Microsoft uses data erasure units from
Extreme Protocol Solutions (EPS). EPS software supports NIST SP 800-88 requirements for cleansing and purging/secure erasure.
Prior to cleansing or destruction, an inventory is created by the Microsoft asset manager. If a vendor is used for destruction, the
vendor provides a certificate of destruction for each asset destroyed, which is validated by the asset manager.

A.9.1.1 Access control policy The Microsoft Security Policy provides a baseline for Office 365 information security policies. This document addresses the purpose, Reviewed and validated that the Microsoft Security Policy and Office 365 security policies exist and that these policies describe the Office 365 access control policies including
scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Reviewed and confirmed that policies are
providing some level of support for the security of Office 365. Furthermore, Microsoft has developed an Office 365 system security hosted on SharePoint and shared with appropriate personnel.
policy that addresses roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Policies and procedures are distributed to personnel with responsibilities for implementing those policies and procedures via email
links to SharePoint. Office 365 access control policy is a component of Office 365 security policies and undergoes a formal review
and update process.
A.9.1.2 Network and network service Office 365 team personnel are provided with access only to networks and network services that they have been specifically Reviewed the Office 365 system security plan and confirmed that Office 365 teams use the concept of least privilege, allowing only authorized accesses for Office 365 team
management authorized to use. Office 365 employs the concept of least privilege, allowing only authorized accesses for users (and processes users (and processes acting on behalf of Office 365 team users) that were necessary to accomplish assigned tasks in accordance with business functions and organizational
acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business need. Each Office 365 team was responsible for defining least privileged roles within their team. Roles were documented within account management tools. Office 365 team
functions. By default, no one has access to customer content without authorization. When a problem arises or a customer requests a members are required to use the access control tool to escalate rights when needed as part of a just-in-time (JIT) system. The JIT system has the additional benefit of creating
service ticket, an Office 365 on-call engineer (OCE) must use a special tool to request and obtain elevated privileges to enter the a session expiration for the requested privilege escalation, as well as enforcing the requirement for a justification to be provided each time that the privileged access was
system and fix the problem. requested. Privileges were reviewed and approved by an administrator with the access approver role prior to an employee gaining access to systems.

The tool sits between the OCE and the customer’s data, and it checks the scope of their permissions for carrying out certain Interviewed senior security and engineering Leads and members of the Office 365 Trust team with regards to the definition of required user attributes which needed to be
activities. The tool will approve or deny the request and, if approved, grant access only after management approval has also been validated prior to granting system access. Determined that managers needed to review and approve requests, based on their knowledge of an individual's role, prior to access
obtained. In certain situations, the tool may also call on another engineer to assist with situation. Only absolutely necessary actions being granted to that individual. Additionally, individual accounts with any special access requirements needed to complete specialized training and undergo background
are permitted, and access is granted on a time-limited basis. After the permitted entry period has expired, access privileges are checks (such as Public Trust Security Clearance investigation) prior to accounts becoming active.
automatically revoked. Every request for elevated privileges is logged.
Examined samples of account creation, account modification, and account disabling actions within account management logs and confirmed that access is granted based on
a valid access authorization, intended system usage, and other attributes, as required by the organization or associated mission or business functions, and that processes
operated as described within account management procedures.

Viewed a formal presentation describing the configuration, implementation, and use cases for the JIT system. Confirmed that JIT system is in place and required for use prior
to any administrator level accesses being used.

Interviewed multiple Office 365 administrators throughout the course of the engagement and confirmed that lockbox was used for privileged activity in order to enforce the
concept of least privilege.

Examined a sample of account management and JIT system audit logs and interviewed a sample of organizational personnel (e.g., administrators) with responsibilities for
employing the concept of least privilege. Confirmed that the implementation of least privilege was applied as intended.

Tested administrator use of the JIT tool through observation, both with successful login and escalations, as well as with an unsuccessful escalation due to an attempt to
escalate within an environment, where the account management entitlement had not been set for that user.

Interviewed senior security personnel and confirmed that users were required to use read-only accounts until they were approved for elevation through the JIT system.

A.9.2.1 User registration and de- Microsoft implements a formal user registration and deregistration process to enable assignment of access rights. Microsoft Reviewed Office 365 system security plan and account management procedures and confirmed that the Office 365 teams have established conditions for group/role
registration process specifies authorized users of the information system, group and role membership, and access authorizations (e.g., privileges) and membership by defining conditions for each group/role in the appropriate account management tool. The Office 365 team's management identified personnel who should be
other attributes (as required) for each account. Microsoft maintains and updates a record of personnel authorized to access Office given authorization to access the system and specified the type of privilege each Office 365 team member would have based on their role. Microsoft account management
365 systems that contain customer data. tools are configured to automatically enforce the access privileges of each Office 365 team member based on role based access control.

Interviewed Office 365 Trust and Service team members to identify several account types and the respective conditions for group and role membership. Interviewed security
and engineering personnel as well as members of the Trust team and confirmed that account procedures are appropriately applied to the account management architecture
and business logic to include identification of account types, conditions for membership to entitlement groups, and approval requirements.

Interviewed a sample of organizational personnel with account management responsibilities and confirmed that the measures being applied to specify the details of account
types (requisite access authorizations/privileges), establish conditions for group and role membership, and required appropriate approvals for requests to establish account.

Examined sample of account creation, account modification, and account disabling actions within account management logs and confirmed that access granting (which
requires approval by a requestor's manager) operated as described within account management procedures.

A.9.2.2 Provisioning process for user Microsoft implements a formal user registration and deregistration process to assign or revoke access rights for user types to Reviewed the Office 365 system security policy and account management procedures and confirmed that the Office 365 team's management identify the Office 365 team
access systems and services. Microsoft creates, enables, modifies, disables, and removes information system accounts in accordance with personnel to be granted authorization to access the system, and specified the type of privilege each Office 365 team member would have based on their role. Role-based
the Office 365 system security policy. The Office 365 system security policy prohibits the use of guest, anonymous, or temporary access control is used to control the access privileges of each Office 365 team member. Access privileges vary depending on the individual's role.
accounts. All account requests go through a standard account management process. Account changes are managed with
automated workflow management tools that allow Office 365 teams to track the process through account request, approval, Interviewed Office 365 team members with account management responsibilities and confirmed that the measures are being applied to specify the details of account types
creation, modification, and deletion. (requisite access authorizations/privileges), establish conditions for group and role membership, and require appropriate approvals for requests to establish account.

Examined sample of account creation, account modification, and account disabling actions within account management logs and confirmed that access granting and removal
operates as described within the account management procedures.

Interviews with senior security and engineering personnel, and members of the Trust team, with regard to account management responsibilities and their implementation
with the account management tools, confirmed that appropriate measures were in place to enforce the processes established around account establishment, activation,
modification, disabling, and account removal.
A.9.2.3 Privileged access rights Microsoft restricts and controls the allocation and use of privileged access rights in Office 365. Microsoft restricts privileged Interviewed senior security and engineering personnel and members of the Office 365 Trust team with regard to the definition of required user attributes which are validated
management accounts on the system to defined personnel or roles. Office 365 teams require individuals with administrative privileges to use their prior to granting system access. Determined that managers review and approve requests based on their knowledge of the individual's role prior to access being granted.
assigned accounts for performing business and administrative functions in the Office 365 production environment. Office 365 Additionally, verified that individual accounts with any special access requirements must complete specialized training and pass background checks (such as Public Trust
requires that users of information system accounts or roles with access to security functions or security relevant information, use Security Clearance investigation) prior to account activation.
non-privileged accounts or roles when accessing other system functions. Microsoft uses role-based access control to enforce the
separation of privileged and non-privileged roles. Examined sample of account creation, account modification, and account disabling actions within account management logs and confirmed that access was granted based on
a valid access authorization, intended system usage, and other attributes, as required by the organization or associated mission or business functions, and that the processes
operated as described within account management procedures.

Viewed a formal presentation describing the configuration, implementation, and use cases for the access control system to confirm that it was in place and required for use
prior to any administrator-level accesses being used.

Interviewed multiple Office 365 administrators throughout the course of the engagement and confirmed that a just-in-time (JIT) access control system is used for privileged
activity in order to enforce the concept of least privilege.

Examined a sample of account management and JIT system audit logs and interviewed a sample of organizational personnel (e.g., administrators) with responsibilities for
employing the concept of least privilege. Confirmed that the implementation of least privilege is applied as intended.

Tested administrator use of the JIT system through observation, both with successful login and escalations, as well as with an unsuccessful escalation due to an attempt to
escalate within an environment where the account management entitlement had not been set for that user.

A.9.2.4 User secret authentication Microsoft controls the allocation of secret authentication information through a formal management process. Microsoft manages Reviewed the Office 365 system security plan and determined that Microsoft’s Global Security Account Management (GSAM) team has established and implemented
information management Office 365 information system authenticators by establishing and implementing administrative procedures for initial authenticator procedures for handling initial authenticator (e.g., smart card) distribution, for dealing with lost, compromised, or damaged smart cards, and for revoking smart card
distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators. The employee's manager receives a certificates.
one-time password, which is confidentially communicated to the employee. At initial login, the employee is required to change the
password in compliance with password design criteria. Regular system-enforced password updates are made based on policy. Interviewed Office 365 Security and Trust team members and confirmed that identity verification is done by Microsoft prior to the user receiving a corporate domain account.

Tested login procedures through observation, and verified that at initial login the employee is required to change their password in compliance with password design criteria.

A.9.2.5 User access right reviews Office 365 asset owners review user access rights at least quarterly. Microsoft reviews accounts for compliance with account Examined records within the account management tools and confirmed that system account reviews are performed at least quarterly and that corresponding actions are
management requirements. A ticket is opened for each security group that allows service access and the security group owner initiated based on these reviews.
reviews membership for accuracy. If any discrepancies are found, they are noted in the ticket and a change is initiated in the account
management tool.
A.9.2.6 Process for removal or Microsoft disables information system access upon termination of individual employment. Microsoft's Human Resources team holds Examined samples of account creation, account modification, and account disabling actions within account management logs and confirmed that access granting and
adjustment of access rights the primary responsibility of ensuring that personnel termination is handled appropriately. Account changes are managed through removal operates as described within account management procedures. In addition, an examination of account management termination logs confirmed that the terminated
automated workflow management tools that allow Office 365 teams to track the process through account request, approval, employees in the account management database was synchronized with the Human Resources database. This, along with the cascading termination, ensures that all of the
creation, modification, and deletion. When an employee is terminated from Microsoft, the employee is removed from the system via individual's account(s) are automatically removed, all credentials are revoked, and all access is terminated.
a termination transaction. Once the transaction has been keyed in and approved, appropriate account and security teams are
notified and access to the network and buildings is disabled via the termination transaction process. For involuntary terminations, an Interviews with senior security and engineering personnel and members of the Trust team regarding account management responsibilities and their implementation with the
urgent request for access termination is submitted via email from Human Resources, and access is disabled. account management tools, confirmed that appropriate measures are in place to enforce the processes established around account establishment, activation, modification,
disabling, and account removal.

Interviewed Office 365 Trust team Lead and Senior Program Manager and confirmed that terminated employees are required to turn in their badge and smart card during the
exit interview.

A.9.3.1 Secret authentication Microsoft requires its personnel to follow it's practices with respect to the use of secret authentication information. Microsoft Examined and tested security baselines applied to Office 365 team devices and determined that the devices are configured correctly to protect authenticator content by
information manages information system authenticators by requiring individuals to take devices and implement specific security safeguards to storing passwords in non-reversible encryption.
protect authenticators. For Office 365, Microsoft enforces a minimum password complexity, password minimum and maximum
lifetime restrictions, encrypts passwords in storage and in transmission, and prohibits password reuse. Passwords must not be Examined password configuration settings to determine that Microsoft enforces a minimum password complexity, password minimum, and maximum lifetime restrictions.
shared or revealed to anyone other than the authorized user and must be encrypted when stored. Additionally, passwords must be
promptly changed if they are suspected of being known by unauthorized individuals. Authenticators must not be written down or Examined a sample of Active Directory Group Policy Objects (GPO) exports provided by multiple Office 365 teams and validated that the GPO settings are operative in
stored in readable form batch files, automatic log-in scripts, software macros, terminal function keys, in computers without access enforcing the password complexity requirements for user accounts.
control, or in other locations where unauthorized persons might discover them.
Interviewed senior security and engineering personnel and members of the Trust team about password management responsibilities and confirmed that passwords are not
shared or revealed to anyone other than the authorized user and were encrypted when stored. Additionally, confirmed that passwords are promptly changed if they were
suspected of being known by unauthorized individuals. Also confirmed that authenticators are not written down or stored in readable form batch files, automatic log-in
scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover them.
A.9.4.1 Restriction on information Microsoft restricts access to Office 365 information and application system functions in accordance with an access control policy. Examined samples of entitlement groups as defined in the account management tools used to define logical access. Confirmed that role-based entitlement groups and
access The Office 365 system enforces role-based access control over all subjects and objects specified by the policy. The policy is uniformly associated authorizations were appropriately configured.
enforced across subjects and objects within the boundary of the information system. All Office 365 accounts are considered
privileged. Each Office 365 administrator is assigned a role within their team that corresponds to a security group. Each security Tested, by means of a failed login attempt, the role-based entitlement group, the just-in-time (JIT) system and the access control system. Confirmed enforcement of the
group is assigned permissions to correlating environments with just enough access to properly fulfill their tasks. Office 365 teams restrictions. The user attempted to log in to a system for which they had no associated entitlement group and was presented with an access denied message.
use the concept of least privilege, allowing only pre-authorized accesses for administrators which are necessary to accomplish
assigned tasks in accordance with business functions and organizational needs along with just-in-time access enforcements. Service Reviewed the Office 365 system security plan and confirmed that Office 365 teams use the concept of least privilege, allowing only accesses for authorized Office 365 team
owners employ the concept of least privilege for specific duties and information systems (including specific ports, protocols, and members (and processes acting on their behalf) that were necessary to accomplish assigned tasks in accordance with business functions and organizational needs. Each Office
services) in accordance with risk assessments as necessary to adequately mitigate risk to operational assets, individuals, and/or other 365 team is responsible for defining least privileged roles within their team. Roles are documented within account management tools. Office 365 team members are required
organizations. to use the JIT system via the access control tool in order to escalate rights when needed. The JIT system has the additional benefit of creating a session expiration for the
requested privilege escalation, as well as enforcing the requirement for a justification to be provided each time that privileged access is requested. Privileges are reviewed and
Furthermore, an access control tool sits between the administrator and the customer’s data. The tool checks the scope of the approved by an administrator with the access approver role prior to an employee gaining access to systems.
administrator’s permissions for carrying out certain activities. The tool will approve or deny the request and, if approved, grant
access only after management approval has also been obtained. In certain situations, the tool may also call on another administrator Interviewed senior security and engineering Leads and members of the Office 365 Trust team about the definition of required user attributes which needed to be validated
to assist with situation. Only absolutely necessary actions are permitted, and access is granted on a time-limited basis. After the prior to granting system access. Determined that managers must review and approve requests, based on their knowledge of an individual's role, prior to granting access to
permitted entry period has expired, access privileges are automatically revoked. Every request for elevated privileges is logged. that individual. Additionally, individual accounts with any special access requirements need to complete specialized training and undergo background checks (such as Public
Trust Security Clearance investigation) prior to accounts becoming active.

Examined samples of account creation, account modification, and account disabling actions within account management logs and confirmed that access is granted based on
a valid access authorization, intended system usage, and other attributes, as required by the organization or associated mission or business functions, and that processes
operate as described within account management procedures.

Viewed a formal presentation describing the configuration, implementation, and use cases for the JIT system. Confirmed that the JIT system is in place and required for use
prior to any administrator-level access being available.

Interviewed multiple Office 365 administrators throughout the course of the engagement and confirmed that the access control tool is used for privileged activity in order to
enforce the concept of least privilege.

Examined a sample of account management and JIT system audit logs and interviewed a sample of organizational personnel (e.g., administrators) with responsibilities for
employing the concept of least privilege. Confirmed that the implementation of least privilege is applied as intended.

A.9.4.2 Secure log-on procedures Microsoft, where required by the access control policy, controls access to Office 365 systems and applications by a secure log-on Interviewed Office 365 security personnel and determined that access authorization to the Office 365 environment is managed by account management tools which were a
procedure. Office 365 systems uniquely identify and authenticate Office 365 users using Active Directory. By design, Operations staff scalable means for Microsoft to manage access controls to the Office 365 systems. All user accounts (and processes acting on behalf of users) are associated with a unique
needing to perform administrative functions must access the environment remotely. Operations staff are identified by the Active identifier which is strictly enforced by Active Directory.
Directory username specific to each system’s environment, and authenticate using a strong password and two-factor authentication.
Microsoft implements authenticator obfuscation through the use of the built-in operating system security controls that protect Tested authentication mechanisms within the Office 365 environment by observing the login process for Office 365 team members. Verified that multi-factor authentication is
passwords when authenticating to system components. Passwords are obfuscated during the login process. No feedback is required and that users must use a unique identifier for system access. This confirmed that the identity and authentication methods operate as intended.
provided during the authentication process that could lead to potential exploitation by unauthorized users. Also Microsoft has
implemented policies for Office 365 that enforce session time-out requirements. Examined a sample of server identifiers across the Office 365 environment and confirmed that the organization uniquely identifies servers in the Office 365 environment.
Without a valid universally unique identifier servers could not be joined to or authenticated in the domain and therefore could not interact with other assets in the Office 365
environment.

A.9.4.3 Management of passwords Office 365 password management systems are interactive and ensure quality passwords. For password-based authentication, Reviewed the Office 365 security plan and determined that Office 365 uses Active Directory and Group Policy to enforce the minimum complexity standards. All passwords
Microsoft enforces minimum password complexity of case sensitivity, number of characters, mix of upper-case letters, numbers, and must meet the requirement for minimum number of characters (depending on the workload) and contain a character from three (3) of the following four (4) categories:
special characters, including minimum requirements for each type. Microsoft uses Active Directory to manage enforcement of our lowercase; uppercase; numbers (0-9); special characters. All password configuration settings are enforced by Active Directory and applied to all Office 365 personnel.
password policy. Office 365 systems are configured to force users to use complex passwords. Passwords are assigned a maximum Microsoft requires Office 365 team users to change temporary passwords to a permanent password immediately upon login.
age and a minimum length of characters. Password handling requirements include the changing of contractor supplied default
passwords prior to introducing the associated service or system into any Office 365 owned or operated environment. Each Office Examined documentation describing the current configuration settings for a sample of the automated mechanisms and confirmed that the mechanisms are properly
365 team has a local administrator password manager to securely maintain and store local administrator passwords for service configured to enforce the password complexity requirements.
systems.
Examined a sample of Group Policy Object (GPO) exports provided by multiple Office 365 teams and validated that the GPO settings are operative in enforcing the password
complexity requirements for user accounts.

Examined a sample of GPO exports provided by multiple Office 365 teams and validated that the GPO settings were operational in preventing password reuse for more than
20 password iterations. This setting ensures that at least one character must be changed when a password is updated.

A.9.4.4 Usage of privileged utility Microsoft restricts and tightly controls the use of utility programs that might be capable of overriding system and application Examined Office 365 system security plan as well as configuration of access & identity control mechanisms to determine that Office 365 restricts and tightly controls the use of
programs controls. Microsoft requires that users of information system accounts, or roles, with access to security functions or security-relevant utility programs that might be capable of overriding system and application controls.
information, use non-privileged accounts or roles, when accessing non-security functions. Non-privileged actions (for example, use
of Web browsers, email clients, etc.) are not allowed within the production environment.

A.9.4.5 Source code access controls Microsoft restricts access to program source code. Microsoft enforces access restrictions and supports auditing of the enforcement Examined Office 365 system security plan as well as the configuration of various Active Directory forests to determine that Office 365 restricts access to program source code.
actions. Access to the Office 365 source code libraries is limited to authorized Office 365 staff and contractor staff. Where feasible,
source code libraries maintain separate project workspaces for independent projects. Office 365 staff and contractor staff are Examined by the way of trying to access source code libraries without proper credentials and noticed that access was denied.
granted access only to those workspaces to which they need access to perform their duties. An audit log that details modifications
to the source code library is maintained. Office 365 teams use Active Directory to control access to change functions. All actions
taken (account creation, change, disabling, and removal) are automatically audited.
A.10.1.1 Cryptographic controls policy Microsoft has developed and implemented a policy on the use of cryptographic controls for protection of Office 365 information. Reviewed the Office 365 information security policy and determined that Microsoft has developed and implemented a policy on the use of cryptographic controls for
Encryption mechanisms and techniques used by the Office 365 teams follow the requirements and restrictions outlined in the Office protection of information.
365 information security policy. Service data and information are handled in accordance with the requirements and restrictions
specified in the Asset Classification and Data Handling Standards when cryptography is used. The Asset Classification and Data Interviewed members of the Office 365 Compliance team who confirmed that TLS connections are used.
Handling Standards establish the mandatory minimum requirements for Office 365 asset ownership, classification, and protection.
Cryptographic controls are designed and implemented to protect the confidentiality, integrity, and availability of Office 365 Examined screenshots of enabled use of FIPS-validated algorithms, a screenshot of enabled encryption, a screenshot of server certificate encryption strength, and the contents
information. Microsoft provides digital certificates on public-facing, Web sites. Office 365 support personnel use TLS (FIPS 140-2 of a TechNet article on how cryptographic modules are employed in Microsoft products. Determined that that FIPS-validated algorithms are implemented within the Office
Level 2 validated) encryption for connections that travel outside the boundary of Office 365. TLS employs cryptographic mechanisms 365 environment.
that allow client/server applications to communicate across the network in a way designed to prevent eavesdropping and
tampering. For more information, see FIPS 140 Validation (https://technet.microsoft.com/en-us/library/security/cc750357.aspx).

A.10.1.2 Key management policy Microsoft has developed and implemented a policy on the use, protection, and lifecycle of cryptographic keys. Microsoft establishes Examined the Office 365 secrets management playbook and determined that Microsoft has developed procedural documentation and custom-made tools to address the
and manages cryptographic keys for required cryptography employed within the information system in accordance with defined cryptographic key generation, distribution, storage, access, and destruction of secrets (e.g., private keys, passwords protecting keys, and x.509 certificate information) used in
requirements for key generation, distribution, storage, access, and destruction. In accordance with Microsoft and Office 365 security Office 365.
policies, Office 365 uses the cryptographic capabilities that are built into the Windows operating system for certificates and
authentication mechanisms (e.g., Kerberos). These cryptographic modules have been certified by NIST as being FIPS 140-2 validated. Examined the process and system by which Office 365 endpoint certificates are created and managed and determined that the appropriate key management tools are used to
Relevant NIST certificate numbers for Microsoft can be found at FIPS 140-1 and FIPS 140-2 List generate, get approved, and store x.509 certificates for use in public-facing endpoints.
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm). Any time cryptographic capabilities are employed to
protect the confidentiality, integrity, or availability of data within Office 365, the modules and ciphers used are FIPS 140-2 validated. Interviewed an Office 365 Trust team Principal Lead and Senior Program Managers and determined that key management tool are being used to establish and manage
For more information, see FIPS 140 Validation (http://technet.microsoft.com/en-us/library/cc750357.aspx). cryptographic keys and certificates. Tested the key management tools with the assistance of Senior Program Managers and confirmed that key management mechanisms are
operating as intended through the use of the key management portal. Any time that certificates needed to be generated, they are established through the key management
tool.

A.11.1.1 Physical perimeter security Microsoft defines and uses security perimeters to protect areas that contain either sensitive or critical information and information Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) for the implementation of this control.
processing facilities. Microsoft enforces physical access authorizations at defined entry/exit points to facilities where the information Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
system resides by verifying individual access authorizations before granting access to the facility. The exteriors of the datacenter
buildings are non-descript and do not advertise that they are Microsoft datacenters. Depending on the design of a datacenter,
physical access authorizations at Microsoft datacenters may begin at a controlled perimeter gate or secured facility door that
requires either access badge authorization or security officer authorization. Main access to Microsoft datacenter facilities is restricted
to a single point of entry that is staffed 24x7 by security personnel. Emergency exits are alarmed and under video surveillance.
Electronic access control devices are installed on doors separating the reception area from the facilities’ interior to restrict access to
approved personnel only. Microsoft datacenters have a security operations desk located in the reception area and in line of sight of
the single entry point. The datacenter lobbies have restricted portal devices that require access card and biometric hand geometry
or fingerprint authentication to pass beyond the lobby. Areas within Microsoft datacenters that contain critical systems (e.g., co-
locations, critical environments, MDF rooms, etc.) are further restricted through various security mechanisms such as electronic
access control, biometric devices, and anti-pass back controls. Additionally, doors are alarmed and under video surveillance. In
addition to the physical entry controls that are installed on various doors within the datacenter, Microsoft has implemented
operational procedures to restrict physical access to authorized employees, contractors and visitors:

- Authorization to grant temporary or permanent access to Microsoft datacenters is limited to authorized staff. The requests and
corresponding authorization decisions are tracked using a ticketing and access control system.

- Visitors are required to be escorted at times. The escort’s access within the datacenter is logged and if necessary can be correlated
to the visitor for future review.

- Badges are issued to personnel requiring access after verification of identification. Microsoft performs a quarterly access list
review. As a result of this review, appropriate actions are taken.

A.11.1.2 Physical access controls Microsoft protects secure areas by appropriate entry controls to ensure that only authorized personnel are allowed access. Microsoft Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
around distribution and controls physical access to information system distribution and transmission lines within organizational facilities using security control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
transmission safeguards. Microsoft has implemented access control for transmission medium through the design and building of the Main
Distribution Frame (MDF) rooms and co-locations to protect information system distribution and transmission lines from accidental
damage, disruption, and physical tampering. Access to MDF rooms and co-locations require two-factor authentication (access
badge and biometrics). This ensures that access is restricted to only authorized personnel. Within the MDF, transmission and
distribution lines are protected from accidental damage, disruption, and physical tampering through the use of metal conduits,
locked racks or cages, and cable trays.

A.11.1.3 Security around offices, Microsoft designs and applies physical security for offices, rooms and facilities. Microsoft provides security safeguards to control Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
rooms, and facilities access to areas within the facility officially designated as publicly accessible. Microsoft datacenters use physical access devices such control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
as perimeter gates, electronic access badge readers, biometric readers, mantraps, anti-tailgate devices, and anti-pass back controls,
as well as security officers to control access to the datacenters.
A.11.1.4 External and environment Microsoft designs and applies physical protection against natural disasters, malicious attack, or accidents. Microsoft develops, Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
threat protection documents, and distributes to relevant personnel or roles procedures to facilitate the implementation of the physical and control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
environmental protection policy and associated physical and environmental protection controls. The policy is updated annually.
Microsoft has implemented the location of information system components control through strategic datacenter design approach.
Microsoft’s equipment is placed in locations which have been engineered to be protected from environmental risks such as theft,
fire, explosives, smoke, water, dust, vibration, earthquake, harmful chemicals, electrical interference, power outages, electrical
disturbances (spikes), and radiation. The facility and infrastructure have implemented seismic bracing for protection against
environmental hazards. The co-location and Main Distribution Frame (MDF) rooms are protected by access control, alarms, and
video. The facility is also patrolled by security officers 24x7. Microsoft assets are locked or fastened in place in order to provide
protection against theft or movement damage.
A.11.1.5 Secure area work procedures Microsoft designs and applies procedures for working in secure areas. Microsoft develops, documents, and disseminates to relevant Examined the Office 365 security plan and determined that Office 365 relies on the MCIO team for the implementation of this control. Please review the ISO and SOC audit
personnel or roles a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
management commitment, coordination among organizational entities, and compliance. Microsoft has implemented physical and
environmental security policies and procedures to allow for the secure operation of Office 365 networks and datacenters. The
Microsoft Security Policy, Microsoft's online services physical and environmental security standards, asset classification standards,
and asset protection standards are maintained by Microsoft’s Cloud Infrastructure & Operations (MCIO) team and reviewed and
published annually. These documents address the purpose, scope, roles, responsibilities, compliance requirements, and required
coordination among the various Microsoft organizations that provide physical and environmental support to Microsoft’s online
services. The objective of the physical and environmental security policy in the Microsoft Security Policy is to prevent unauthorized
access, damage or interference to Microsoft production facilities (datacenters). The Microsoft Security Policy applies across the
company to information and processes used in the conduct of Microsoft's business. Microsoft employees and contingent staff are
accountable and responsible for complying with these guiding principles within their designated roles. Specific security groups
(organizations which implement security programs that support this policy) provide standards with specific details for the
satisfaction of the requirements in this policy. These standards are followed within the scope of each security group’s authority. Any
exceptions or changes to the policy must be approved by the policy owner. Exceptions or changes to standards which support this
policy must be approved by the applicable security group. The Microsoft Security Policy has been reviewed, approved, and endorsed
by Microsoft’s senior management. The Microsoft Security Policy is maintained and aligned with supporting corporate policies and
functions including, but not limited to, functions performed by the Human Resources, Corporate, External and Legal Affairs, and
Privacy teams at Microsoft. Microsoft staff is required to strictly adhere to applicable security policies, standards, regulations, and
requirements. 

A.11.1.6 Controls for delivery and Microsoft controls access points such as delivery and loading areas and other points where unauthorized persons could enter the Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
loading areas premises from, and where possible, isolates information processing facilities to avoid unauthorized access. Microsoft enforces control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
physical access authorizations at ingress and egress points to facilities containing information systems by using physical access
control systems, devices, and guards. The exteriors of the datacenter buildings are non-descript and do not advertise that they are
Microsoft datacenters. Depending on the design of a datacenter, physical access authorizations at Microsoft datacenters may begin
at a controlled perimeter gate or secured facility door that requires either access badge authorization or security officer
authorization. Additionally, doors are alarmed and under video surveillance. In addition to the physical entry controls that are
installed on various doors within the datacenter, Microsoft has implemented operational procedures to restrict physical access to
authorized employees, contractors and visitors:

- Authorization to grant temporary or permanent access to Microsoft datacenters is limited to authorized staff. The requests and
corresponding authorization decisions are tracked using a ticketing and access control system.

- Visitors are required to be escorted at times.

A.11.2.1 Controls for equipment siting Microsoft manages sites and protects equipment to reduce the risks of environmental threats and hazards, and opportunities for Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
and protection unauthorized access. Microsoft positions information system components within the facility to minimize potential damage from control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
physical and environmental hazards and to minimize the opportunity for unauthorized access. Microsoft has implemented the
location of information system components control through strategic datacenter design approach. Equipment used by Microsoft's
services is placed in locations which have been engineered to be protected from environmental risks such as theft, fire, explosives,
smoke, water, dust, vibration, earthquake, harmful chemicals, electrical interference, power outages, electrical disturbances (spikes),
and radiation. The facility and infrastructure have implemented seismic bracing for protection against environmental hazards. All of
the co-location and Main Distribution Frame rooms are protected by access control, alarms, and video. The facility is also patrolled
by security officers 24x7. Portable Microsoft assets are locked or fastened in place in order to provide protection against theft or
movement damage.

A.11.2.2 Controls for supporting Microsoft protects equipment from power failures and other disruptions caused by failures in supporting utilities. Microsoft protects Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
utilities power equipment and power cabling for the information system from damage and destruction. Microsoft datacenters have a control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
dedicated 24x7 uninterruptible power supply (UPS) and emergency power support from generators, and regular maintenance and
testing is conducted for both. Microsoft has also made arrangements for emergency fuel delivery. Power systems are redundant;
datacenters use multiple power and utility feeds into the facility and redundant generators and UPS systems. Generator and UPS
system components undergo regular maintenance procedures to ensure they are in proper working order. Cables, electrical lines,
and backup generators—must be placed in environments that have been engineered to be protected from environmental risks such
as theft, fire, explosives, smoke, water, dust, vibration, earthquake, harmful chemicals, electrical interference, power outages,
electrical disturbances (spikes). Each datacenter has a dedicated Facility Operations Center to monitor:

- Power systems, including critical electrical components

- Generators, transfer switch, main switchgear, power management module, and uninterruptible power supply equipment.

- The heating, ventilation and air conditioning (HVAC) system, which controls and monitors space temperature and humidity within
the datacenters, space pressurization and outside air intake.

Fire Detection and Suppression systems exist at datacenters. Additionally, portable fire extinguishers are available at various
locations in the datacenter. Routine maintenance is performed on facility and environmental protection equipment.
A.11.2.3 Controls for cabling security Microsoft protects power and telecommunications cabling carrying data or supporting information services from interception, Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
interference, and damage. Microsoft has implemented access controls for transmission medium through the design and building of control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
the Main Distribution Frame (MDF) rooms and co-locations to protect information system distribution and transmission lines from
accidental damage, disruption, and physical tampering. Access to MDF rooms and co-locations require two-factor authentication
(access badge and biometrics). Microsoft has implemented the protection of power equipment and power cabling by providing
protective spaces and appropriate labeling for cables. Microsoft infrastructure equipment—for example, cables, electrical lines, and
backup generators—must be placed in environments which have been engineered to be protected from environmental risks such as
theft, fire, explosives, smoke, water, dust, vibration, earthquake, harmful chemicals, electrical interference, power outages, electrical
disturbances (spikes), and radiation. Power and information system cables within any Microsoft datacenter environment are labeled
appropriately and protected against interception or damage. Power and information system cables are separated from each other at
points within an environment to avoid interference. All electrical spaces are behind card readers or additional key locks as
appropriate. Access hallways as well as exterior entrances and equipment yards approaching the protective spaces are monitored
using video surveillance. 

A.11.2.4 Controls for equipment Microsoft correctly maintains equipment to ensure its continued availability and integrity. Microsoft schedules, performs, Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
maintenance documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
or vendor specifications and/or organizational requirements. The Critical Environment (CE) team schedules, performs, documents,
and reviews maintenance activities performed on CE components. Microsoft datacenters rely on a computerized maintenance
management system (CMMS) to manage maintenance schedules and work order management. Work orders are generated based
on original equipment manufacturer guidelines and assigned for completion. All maintenance work performed at a Microsoft
datacenter must follow approved instructions that are detailed in a Method of Procedure (MOP) document. A MOP must have
datacenter management approval before work can begin. Completed MOPs are reviewed and receive datacenter management sign-
off to indicate completion. Details of completed MOPs are stored in the CMMS and then the work order closed.

A.11.2.5 Controls for removal of Microsoft ensures that equipment, information, and software shall not be taken off-site without prior authorization. Microsoft Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
assets approves and monitors maintenance activities, whether performed on site or remotely and whether the equipment is serviced on control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
site or removed to another location. Datacenter management generally consists of Microsoft full-time employees who serve in the
following roles:

- Datacenter Manager (DCM)


- Facilities Program Manager (FPM)
- Technical Program Manager (TPM)

The FPM and DCM are responsible for work occurring in the critical environment. Critical environment maintenance is detailed in a
Method of Procedure (MOP) document. A MOP must have datacenter management approval before work can begin. Completed
MOPs are reviewed and receive datacenter management sign-off to indicate completion. Critical environment maintenance is
performed in areas of the datacenter that are controlled and protected by physical security mechanisms (e.g., approved access,
cameras, two-factor authentication that includes access badges and biometrics, and security patrols) and therefore enforces
controls for removal of assets.

A.11.2.6 Controls for security of Microsoft applies security to off-site assets taking into account the different risks of working outside the organization’s premises. Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
equipment and assets off- Microsoft implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
premises during transport outside of controlled areas. The use or storage of Microsoft managed information processing equipment and/or
media containing High Business Impact (HBI) or Medium Business Impact (MBI) data (as defined by the Microsoft Security Policy)
outside a Microsoft Online Services managed facility must be approved by the asset owner(s). Protection afforded to equipment
and/or media located outside a Microsoft Online Services managed facility is commensurate with protection afforded to equipment
and media located in a Microsoft-managed facility.

A.11.2.7 Controls for secure disposal Microsoft verifies items of equipment containing storage media to ensure that any sensitive data and licensed software has been Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
or reuse of equipment removed or securely overwritten prior to disposal or re-use. Microsoft employs sanitization mechanisms with the strength and control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
integrity commensurate with the security category or classification of the information. Microsoft uses data erasure units and
processes to cleanse and purge data in a manner consistent with NIST SP 800-88, and which are commensurate with the Microsoft
asset classification of the asset. For assets requiring destruction, Microsoft uses onsite asset destruction services.

A.11.2.8 Controls for unattended user Microsoft prevents access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a Examined the Active Directory Group Policy Objects configuration for the Terminal Service Gateways to confirm that an automatic 15-minute session inactivity lock is
equipment user. Microsoft has implemented policies that enforce session time-out requirements in Office 365. implemented for systems.

Tested the automatic 15-minute session inactivity lock and requirement to re-authenticate following the lock by means of observing various Office 365 team members'
sessions time-out which required them to present authentication credentials.

Examined through observation that the default lock screen in Windows is displayed when the session lock initiates either as a result of inactivity or through a disconnect or
restart of the Remote Desktop Protocol session.

Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
A.11.2.9 Controls for secure disposal Microsoft physically controls and securely stores digital and non-digital media in controlled areas. Microsoft has implemented a Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
or reuse media protection policy, which describes how important organizational records relating to the Microsoft's information security control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
of equipment program, independent of media type, must be retained, stored, protected, and, if appropriate, destroyed according to the
established information handling procedures for the records. Such records must be retained in controlled facilities for protection
against loss, destruction, and falsification. In addition, measures must be put in place to ensure the ability to recover these records
into a useable format for the duration of the records’ retention period. The Asset Classification Standard and Asset Protection
Standard define appropriate handling and protection mechanisms of assets based on their classification. Furthermore, the Asset
Classification Standard and Asset Protection Standard addresses the purpose, scope, roles, responsibilities, compliance
requirements, and required coordination among the various Microsoft organizations that provide some level of support to
Microsoft’s online services for media protection. Microsoft’s Online Services Asset Classification and Protection Standards
demonstrate a high level of management commitment and are a component of Microsoft' s Cloud Information and Operations
(MCIO) team's Risk Management Program strategy. The document provides online services staff with a current set of clear and
concise information security requirements as they pertain to media protection. The Asset Classification Standard and Asset
Protection Standard are reviewed annually by the management teams of online properties adhering to the Microsoft Security Policy.
This satisfies the media protection policy and procedures through the effective management and monitoring of the risks associated
with this control.

A.12.1.1 Operating procedures Microsoft documents Office 365 operating procedures and makes them available to users who need them. The Office 365 Examined online repositories containing the user documentation for the Office 365 information system. The repository was demonstrated to contain administrative
Information Security Policy contains rules and requirements that must be met in the delivery and operation of Office 365. More documentation pertaining to the proper functioning and operations of the Office 365 information system. These administrative guides and SOPs contained information on
detailed requirements are established within Office 365 security procedures and Office 365 team-specific standard operating security, monitoring and alerts, as well as architecture details.
procedures (SOPs). These standards and procedures act as adjuncts to the security policy and provide implementation level details
to carry out specific operational tasks. Examined the user documentation that describes the operational and security functions of the Office 365 information system and determined that documentation was
maintained electronically and was publicly available.

Examined the Help function available within the Office 365 environment and determined that documentation was readily available to end-users of the Office 365 information
system.

Microsoft had also provided links to several Web sites:

1. Office 365 Trust Center (https://products.office.com/en-us/business/office-365-trust-center-cloud-computing-security)

2. Office 365 Security and Compliance Center - Service Assurance (http://aka.ms/ServiceAssurance)

3. Microsoft Service Trust Portal (http://aka.ms/STPHelp)

that are used to provide end-users with security details regarding Office 365. A plethora of tools and user documents exist to assist the end-user with maintaining the security
of Office 365 and its components.

A.12.1.2 Change management Microsoft controls changes to it's organization, business processes, information processing facilities and systems that affect Examined the Office 365 security plan and determined that Office 365 software developers are required to follow the Office 365 change management plan and the security
procedures information security. Microsoft implements approved controlled changes to the Office 365 information system. An operational development lifecycle (SDL) during information system design, development, implementation, and operation.
change control procedure is in place for Office 365 and related system changes. This procedure includes a process for Office 365
management review and approval. This change control procedure is communicated to parties who perform system maintenance on, Examined records from multiple Office 365 teams of proposed changes and determined that changes to the information system are reviewed, and approved or disapproved
or in, any Office 365 facility. The operational change control procedure considers the following actions: with explicit consideration for security impact analysis. In addition, for changes that may affect more than just the specific Office 365 team implementing the change,
determined that the ticket tracking tool provides additional records of changes showing post-deployment verification steps. Office 365 developers leverage software tools to
- The identification and documentation of the planned change document, manage, and control the integrity of changes in the development environment. These tools provide technical enforcement of the documented change
management processes and the SDL. Among other features, they prevent changes to source code that were not tied to an approved change request. Developers of Office 365
- An assessment process of possible change impact implement only approved changes to the system. The Office 365 teams follow the change management processes when implementing changes. Changes are approved and
tracked through system software tools.
- Change testing in an approved non-production environment
Interviewed Senior Office 365 Foundations team Lead and Risk Program Managers and Office 365 Service team personnel and determined that there is a three-tiered process
- Change communication plan for proposed operational changes, depending on the level of system impact. A description of the risk is inserted into the change request to ensure that the members of
management had clear visibility into what, if any, side effects the requested change may have on the information system. Also determined that, as a part of this process, the
- Change management approval process security team integrates the Microsoft threat modelling tool to assist developers with completing an initial security risk assessment. Confirmed that changes need to be
approved and integrated with the tool used to assign and track work to personnel and for retention and historical review of changes to the system.
- Change abort and recovery plan (when applicable)

A.12.1.3 Capacity planning and Microsoft monitors, tunes, and makes projections of future capacity requirements to ensure the required system performance for Examined the Office 365 security plan and determined that each Office 365 team includes capacity planning as a key feature of their datacenter models. Examined various
management Office 365. Microsoft conducts capacity planning so that necessary capacity for information processing, telecommunications, and capacity planning documents to determine that capacity was reviewed at least monthly.
environmental support exists during contingency operations. Microsoft proactively monitors and continuously measures the
performance of key subsystems of the Office 365 platform against the established boundaries for acceptable service performance Interviewed Senior Security Engineers and Program Managers and confirmed that capacity planning, in conjunction with business continuity planning, is conducted by each
and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that Office 365 team through periodic meetings.
Operations staff can address the threshold or event. System performance and capacity use is proactively planned to optimize the
environment. The proactive capacity management is based on defined thresholds or events, such as hardware and software Examined various meeting minutes and supporting documents to determine that Microsoft monitors, tunes, and makes projections of future capacity requirements to ensure
subsystem monitoring for acceptable service performance and availability, CPU utilization, service utilization, storage utilization and the required system performance.
network latency.
A.12.1.4 Development, testing, and Microsoft separates the development, testing, and production environments for Office 365 to reduce the risks of unauthorized Determined that Office 365 employs separation between development, testing, and production environment via change management as well as network access management
operational environment access or changes to the production environment. Microsoft analyzes changes to the Office 365 information system in a separate controls as tested below.
separation test environment before implementation in a production environment. This includes looking for security issues due to flaws,
weaknesses, incompatibility, or intentional malice. Office 365 systems are partitioned at multiple layers to support system Examined the Office 365 System Security Plan (SSP), and determined that Office 365 teams must test potential software and firmware changes prior to deployment, either in a
confidentiality, integrity and availability. These partitions can be divided into two categories: physical partitions and logical separate test environment, or by removing a server from production, making changes, testing, and returning it to production upon successful completion.
partitions. Office 365 systems are also housed in datacenters that are under strong physical protections. Physical access is restricted
to datacenter personnel only, and governed by least privilege. Additionally, logical partitions provide a layered defense for Office Examined tickets for a change being tested prior to implementation in production and determined that the changes for Office 365 are first tested in the development
365 systems. The preferred method for logically partitioning systems, at the network level, are router access control lists, virtual local environment. The ticket demonstrated that sign-off was required before the changes were deployed in production. These tickets show the changes being pushed first to
area networks, and appropriately placed firewalls. Microsoft operates both types of devices for Office 365 facilities. This partitioning testing and then to production.
strategy is used to separate front-end components (e.g., Web servers) from the back-end components (e.g., databases or
management devices) of each system. Office 365 production environments are logically partitioned from other environments (e.g., Interviewed multiple Office 365 service engineers and confirmed that software implementation must be tested within a development as well as a testing environment and
various development environments) in the same manner. must be approved prior to the implementation on any production server.

Interviewed senior security and engineering Leads and members of the Office 365 Trust team about the definition of required user attributes that must be validated prior to
granting Office 365 development, testing, and production system access. Determined that managers must review and approve requests, based on their knowledge of an
individual's role, prior to access being granted to that individual. Additionally, individual accounts with any special access requirements must complete specialized training and
undergo background checks (such as a Public Trust Security Clearance investigation) prior to accounts becoming active.

A.12.2.1 Malware prevention controls Microsoft implements detection, prevention and recovery controls, combined with appropriate user awareness, to protect Office 365 Examined the Office 365 information security policy and determined that the use of antivirus and anti-malware software is a principal mechanism for protection of Office 365
against malware. The use of antivirus and anti-malware software is a principal mechanism for protection of Office 365 assets from assets from malicious software.
malicious software. The software is designed to detect and prevent the introduction of computer viruses and worms onto the service
systems. The software will also quarantine infected systems, and prevent further damage until remediation steps are taken. Antivirus Examined malicious code detection configurations on a sample of servers and determined that scans run daily at a specified time and that real-time protection is enabled to
software provides both preventive and detective control over malicious software, and it is installed as part of the initial build of scan downloads, monitor file and program activity, and perform heuristic behavior based monitoring.
systems. Once the appropriate antivirus software is installed, the following functions are centrally managed:
Examined a sample of screenshots from anti-malware software services and determined that the anti-malware configurations are set to quarantine malicious code, to be
- Periodic scans of the file system automatically updated as new updates are available, and to check for updates at least daily. Anti-malware software provided both preventive and detective control over
- Automatic scans of the environment malicious software. In addition, Microsoft has configured malicious code protection mechanisms in Office 365 that perform periodic scans of the file systems (at least weekly)
- Testing, identification, and rectification of false positives generated by the tool and run real-time scans of files as they are downloaded, opened, or executed.

Office 365 is an isolated, server-centric environment where mobile code (software code which transfers from one computer to Tested by installing a known virus test file on a server and confirmed that the anti-malware software is able to successfully detect and quarantine the malicious code. The
another computer and then executes automatically and performs a specific function with little or no user interaction) isn’t as software detected and prevented the introduction of computer viruses, malware, rootkits, worms, and other malicious software onto the service systems.
prevalent in a server-based environment as it is in a desktop environment. In addition, mobile code in use in the environment is
developed or reviewed by the Office 365 team. Releases have release-specific implementation guidance and testing to ensure that
only acceptable code is released. Antivirus tools scan mobile code when that code is loaded onto each server. Additional mobile
code protection is a function of the application as well.

A.12.3.1 Backup procedures Microsoft uses datacenter replication solutions for Office 365. Each of the applicable Business Continuity Plans detail the procedures Examined Office 365 replication architecture and standard operating procedures to determine that Office 365 uses datacenter replication solutions.
in place for the replication of Office 365 data.
Obtained and inspected evidence for a selection of backups and replications to ascertain that data backups and replication is occurring according to defined procedures and
Data for applications and support services is replicated for redundancy, high availability, and disaster recovery purposes. Data alternative data instances are available for restoration or activation.
replication occurs within the same datacenter and to one or more geographically-dispersed datacenters. The typical configuration
for replication is one primary server, which is replicated within the same datacenter to a secondary server and replicated across the
geographically-dispersed datacenters. In general, the primary server data is replicated to three other servers with three other copies.
Multiple copies replicate in real-time and other copies have a short, intentional lag. At a given time, data is accessible via (1) the
primary server; (2) a secondary server with real-time replicated data within the same datacenter where the primary server resides; (3)
a secondary server with real-time replicated data in a geographically-dispersed datacenter; or (4) a server with a few minutes lag
replicated to a geographically-dispersed datacenter.

As data is accessible for redundancy, high availability, or disaster recovery purposes for applications and support services through
the data replication process described above, data backup is only performed on specific applications to meet Service Level
Agreement requirements.

A.12.4.1 Event logs Microsoft produces, keeps, and regularly reviews event logs recording Office 365 user activities, exceptions, faults, and information Interviewed Office 365 engineers about Office 365 auditing and logging functions and determined that event logs recording Office 365 user activities, exceptions, faults and
security events. The Office 365 Security Service Engineering team has developed a general set of auditable events, specific to Office information security events are produced, kept, and regularly reviewed.
365 based on ongoing risk assessments of the system, which incorporate identified vulnerabilities, business requirements, and Office
365 security standards. The general event set is reviewed by the appropriate security team when a significant change to the system Interviewed key personnel and administrators from Office 365 teams and determined that Office 365 audit logs are pushed to central storage every five to fifteen minutes,
is made to ensure that any vulnerabilities exposed are being addressed by the set of auditable events. New events may be making these logs then available for the purpose of taking statistical pattern analysis measurements to detect inappropriate or unusual activity.
incorporated when a new service is brought online or when a vulnerability or threat is identified (e.g., through security assessments
or security bulletins). When changes to Office 365 need to be made, they are executed through the Office 365 change management Tested through the review of security team-generated Office 365 Product Studio tickets or associated auto-generated emails sent to various Office 365 teams, based on traffic
process which includes a risk assessment of the change. Office 365 has in-service logs and compliance features that enable or system events and determined that the statistical pattern analysis measurements are used to detect inappropriate or unusual activity.
customers to directly view a subset of logs to verify who has accessed what data and what they did with that data. This includes
viewing mailbox usage in Exchange Online, administrative activities, and activities on SharePoint Online sites. In-service features that Tested by examining Active Directory group policy objects, audit log settings, and centrally collected logs for multiple Office 365 teams to determine that the Office 365 teams
provide this visibility include Exchange Online auditing, SharePoint Online auditing, the Office 365 Security & Compliance Center, implement system auditing in accordance with the guidance provided by the Office 365 Security team and aligned with audit record generation.
and the Office 365 admin center. More information can be found at Office 365 Reports (https://technet.microsoft.com/en-
us/library/office-365-reports.aspx).

A.12.4.2 Log protection Microsoft protects Office 365 facilities and log information against tampering and unauthorized access. Audit records are continually Examined data within audit storage to determine that collected audit events were uploaded to a centralized auditing system using an encrypted format that ensures integrity
analyzed for indications of inappropriate or unusual activity using a formal monitoring process. Findings are reported using a of the data and confidentiality of any sensitive data, as well as provided a means to protect audit records from unauthorized access, modification, or deletion. Additionally,
security incident response process. Microsoft's assumed breach stance involves auditing operator (administrator) access and actions. Office 365 audit logs are pushed to storage every five to fifteen minutes, greatly limiting the effect in which any modification would have resulted.

Reviewed collected audit events uploaded to a centralized auditing storage system and audit log access within Office 365 team systems and determined that only system
administrators have the ability to view local logs.
A.12.4.3 Administrative and Office 365 logs system administrator and system operator activities and the logs are protected and regularly reviewed. Office 365 Examined the Office 365 information security policy and audit and accountability procedures and determined that the Office 365 security team has developed a list of
operational logs protects audit information and audit tools from unauthorized access, modification, and deletion. Microsoft's assumed breach stance auditable events that needed to be audited for all systems. For operating systems, this list includes, at a minimum, successful and unsuccessful account logon events, account
involves auditing operator (administrator) access and actions. The Office 365 Security Service Engineering team has developed a management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications, this list includes, at a minimum,
general set of auditable events specific to Office 365 based on ongoing risk assessments of the system which incorporate identified administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes.
vulnerabilities, business requirements, and Office 365 Security Standards. The general event set is reviewed by the Security Service
Engineering team when a significant change to the system is made to ensure any vulnerabilities exposed are being addressed by the Interviewed Office 365 engineering personnel about auditing and logging functions and determined that a weekly meeting is held to discuss the current state of Office 365
set of auditable events. New events may be incorporated when a new service is brought online or when a vulnerability or threat is system security and security monitoring. The list of auditable events is reviewed as a part of this meeting and guidance for Office 365 teams is updated as needed.
identified (e.g., through security assessments or security bulletins).
Also determined that Office 365 systems generate audit records and that audit events are uploaded to a centralized auditing system for Office 365 security team members to
perform statistical pattern analysis.

Tested by examining Active Directory group policy objects for audit log settings, and centrally collected audit logs for multiple Office 365 teams and determined that the
Office 365 teams implement system auditing in accordance with the guidance provided by the Office 365 security team and are aligned with audit record generation as
defined in security policies.

Examined data within audit storage and determined that collected audit events are uploaded to a centralized auditing system, using an encrypted format that ensures
integrity of the data and confidentiality of any sensitive data, as well as providing a means to protect all audit records from unauthorized access, modification, or deletion.
Additionally, Office 365 audit logs are pushed to storage every five to fifteen minutes, greatly limiting the impact that any modification would have incurred.

A.12.4.4 Clock synchronization Microsoft synchronizes the clocks of relevant information processing systems within an organization or security domain to a single Tested through the examination of the system time configuration data and associated timestamp data within system logs for multiple Office 365 servers and determined that
process reference time source. Microsoft records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or NTP is used to compare the internal system clocks and that systems are configured to synchronize at least hourly and to update their clock if it is off by 1 millisecond or more.
Greenwich Mean Time (GMT). Audit records and events generated by Office 365 servers are logged with timestamps. Servers are The Active Directory domain controllers that serve as time servers either directly reached outside of the Office 365 boundary to pull the authoritative time from Microsoft
configured to synchronize internal clocks with Active Directory domain controllers using the Network Time Protocol NTP). Servers Cloud Infrastructure & Operations (MCIO) systems or pointed to a central domain controller (which pulls the authoritative time from MCIO systems). MCIO systems are
are joined to an Active Directory domain and configured to receive authenticated time updates from a local domain controller using Stratum 1 time servers that sync with Global Positioning System satellites.
NTP at least hourly.
A.12.5.1 Software installation Microsoft implements procedures to control the installation of software on Office 365 production systems. Microsoft develops, Examined the Office 365 information security policy and change management plan and determined that all changes to operational systems must go through the change
documents, and disseminates to relevant personnel or roles, procedures to facilitate the implementation of the change management process and be approved by the appropriate stakeholders prior to being released. The following policies are in place regarding the installation of software,
management policy and associated change management controls. Patches, updates and threat mitigation are covered by the including open source software, within the Office 365 environment:
Microsoft Security Development Lifecycle (https://www.microsoft.com/en-us/sdl/default.aspx) (SDL). Part of the SDL has been built
upon investments in Microsoft Trustworthy Computing (http://www.microsoft.com/en-us/twc/default.aspx). - Software (including tools and utilities) installed within Office 365 must be approved by the appropriate stakeholders prior to being released into production

Microsoft has various patch management release cycles and engagement models that allow it to mitigate new threats as quickly as - Software must be tested in a suitable manner suitable to evaluate its impact on system performance, stability (failure and recovery characteristics) and security state (security
possible within the Office 365 service. The following guidelines have been established by the Microsoft Security Policy regarding the controls work as expected and the product does not contain malicious code) prior to deployment in Office 365
installation of software within the Office 365 environment:
- Software submitted for approval must have a legitimate business purpose
- Software (including tools and utilities) installed within the Office 365 environment must be approved by the appropriate
stakeholders prior to being released into production Interviewed service engineers and confirmed that all software must be tested and approved prior to implementation on any production server. Partners and customers do not
have the ability to install software in the production environment under any circumstances.
- Software must be tested in a suitable manner suitable to evaluate its impact on system performance, stability (failure and recovery
characteristics), and security state (security controls work as expected and the product does not contain malicious code) prior to Examined records of changes from multiple Office 365 teams and determined that changes to the information system are reviewed, and approved or disapproved with explicit
deployment in any Office 365 production environment consideration for security impact analysis. In addition, determined that the ticket tracking tool provides additional records showing post-deployment verification steps for
changes that may affect more than just the specific Office 365 team implementing the change.
- Software submitted for approval must have a legitimate business purpose

Additionally, installation of software in Office 365 environments is governed by access controls.


A.12.6.1 Vulnerabilities management Microsoft obtains information in a timely fashion about technical vulnerabilities of information systems being used through daily Interviewed Office 365 Program Managers and Risk Managers and determined that the Microsoft has effectively implemented daily and weekly vulnerability scanning and
vulnerability scans. Microsoft's exposure to such vulnerabilities is evaluated and appropriate measures are taken to address the prepared standardized reporting for all Office 365 teams based on normalized scan data. Also confirmed that the vulnerability related information is being disseminated to
associated risk. Microsoft identifies, reports, and corrects information system flaws through vulnerability management, incident Office 365 teams on an ongoing basis. This process helps to eliminate similar vulnerabilities and better coordinate corrective and remediation actions across Office 365
response management, and patch and configuration management processes. The Office 365 Security Incident Response team systems.
assists with identifying and reporting information system flaws. Microsoft receives vulnerability-related data from multiple sources of
information which include the Microsoft Security Resource Center (MSRC), vendor Web sites, other third-party services (e.g., Internet Interviewed Office 365 Patch, Antivirus, Vulnerability, Configuration (PAVC) staff and determined that the vulnerability scanning consists of using industry standard
Security Systems), the US Computer Emergency Readiness Team, and internal and external vulnerability scanning of services. The vulnerability assessment tools with available plug-ins activated, privileged accounts used, and IP ranges selected in order to provide maximum coverage and full enumeration
Office 365 Security Service Engineering team determines which updates are applicable within the Office 365 environment. Potential of hosts, software and configurations. This ensures that the scanners are configured to identify and report new vulnerabilities that may affect Office 365 systems. Also
changes are tested in advance. Microsoft works with a variety of different industry bodies and security experts to understand new determined that the scans are securely transported to a database system on Microsoft's corporate network for standard formatting and initial analysis, which includes
threats and evolving trends. Microsoft constantly scans Office 365 systems for vulnerabilities and contracts with external penetration identification of the severity level for each vulnerability.
testers who also constantly scan the systems.
Examined PAVC vulnerability scan data across various Office 365 teams and observed that recent vulnerability signatures are identified and verified that the organization has
implemented vulnerability scanning using all available plug-ins.

Examined vulnerability scan report parsed findings and associated dashboards used by Office 365 personnel with vulnerability management responsibilities and determined
that the vulnerability management measures are effectively applied and are used for performing corrective and remediation actions.

Tested through observation of scanner configurations and PAVC dashboard views (scan data) during interviews with an Office 365 Program Manager Lead and other Office
365 team personnel possessing remediation responsibilities and determined that the scanners use all available plug-ins and perform an update against an Office 365 security
center instance prior to each scan. Scanners all receive the most current set of available plug-ins in order to update scan policy and the associated information was displayed
in the PAVC dashboard views.

Examined alerts generated by security teams that were sent to Office 365 teams and determined that the organization receives external information and disseminates that
information on a regular basis to the service operations and security managers. The Office 365 Security team subscribes to the mailing list for notifications from the US
Computer Emergency Readiness Team (US-CERT), and reviews the US-CERT Web site daily for new notifications.

Examined a sample of emails that were sent to the Office 365 teams and determined that the security alerts and advisories are disseminated to all Office 365 teams via
monthly mailings.

Interviewed senior security personnel and determined that monthly mailings are sent from the PAVC team to Office 365 teams informing them of their progress on
remediating vulnerabilities and notifying them of critical vulnerabilities that should be prioritized.
A.12.6.2 Software installation Microsoft implements procedures to control the installation of software on operational systems in the Office 365 production Examined the Office 365 information security policy and change management plan and determined that all changes to operational systems go through the change
restrictions environment. Partners and customers do not and cannot perform any traditional software installation in the Office 365 production management process and must be approved by the appropriate stakeholders prior to being released. The following policies are in place regarding the installation of software
environment. Microsoft develops, documents, and disseminates to relevant personnel or roles, procedures to facilitate the (including open source software) within the Office 365 environment:
implementation of the change management policy and associated configuration management controls. Patches, updates, and threat
mitigation are covered by the Microsoft Security Development Lifecycle (https://www.microsoft.com/en-us/sdl/default.aspx) (SDL). - Software (including tools and utilities) installed within Office 365 must be approved by the appropriate stakeholders prior to being released into production.
Part of the SDL has been built upon investments in Microsoft Trustworthy Computing (https://www.microsoft.com/en-
us/twc/default.aspx). - Software must be tested in a suitable manner to evaluate its impact on system performance, stability (failure and recovery characteristics) and security state (security controls
work as expected and the product does not contain malicious code) prior to deployment in Office 365.
Microsoft has various patch management release cycles and engagement models that allow it to mitigate new threats as quickly as
possible within the Office 365 service. As established by the Microsoft Security Policy, the following guidelines are in place regarding - Software submitted for approval must have a legitimate business purpose.
the installation of software within the Office 365 environment:
Interviewed service engineers and confirmed that all software implementations must be tested and approved prior to implementation on any production server. Partners and
- Software (including tools and utilities) installed within the Office 365 environment must be approved by the appropriate customers do not have the ability to install software in the production environment under any circumstances.
stakeholders prior to being released into production.
Examined records of changes from multiple Office 365 teams and determined that changes to the information system are reviewed, and approved or disapproved with explicit
- Prior to deployment in any Office 365 environment, software must be tested in a suitable manner to evaluate its impact on system consideration for security impact analysis. In addition, determined that the ticket tracking tool provides additional records showing post-deployment verification steps for
performance, stability (failure and recovery characteristics), and security state (security controls work as expected and the product changes that may affect more than just the specific Office 365 team implementing the change.
does not contain malicious code).

- Software submitted for approval must have a legitimate business purpose. Additionally, installation of software in Office 365
environments is governed by access controls.

A.12.7.1 Information systems audit Microsoft carefully plans and agrees to minimize disruptions to Office 365 and other business processes for audit requirements and Examined the Office 365 security plan, the Office 365 Information Security Policy, Office 365 framework controls, and associated standard operating procedures related to
controls activities involving verification of operational systems. Microsoft regularly reviews and updates the current audit and accountability security assessment and authorization, and determined that Microsoft contracts with third-party external auditors to create an audit assessment plan based on the
policy. A scope and approach is detailed as part of the compliance planning phase for both internal and external independent audits documentation developed by Microsoft. In addition, determined that security controls are assessed annually or whenever a significant system, risk posture or vulnerability
which identify the controls to be tested, the tools and techniques to be used. Coordination with the asset owners and management change occurred.
is done to communicate compliance assessment or audit plans, identify potential project risks, verify available service personnel
support, and identify risks to services and strategies posed by assessments and audits. Plans are agreed to in order to mitigate the Interviewed Office 365 Program Managers and determined that Microsoft was provided a copy of the audit assessment plan, which describes the scope of the assessment, the
risk to services while still enabling compliance assessment objectives to be achieved in a timely manner. security controls to be tested, the assessment procedures to be used, the assessment environment, the assessment team, and assessment roles and responsibilities.

Examined the Office 365 security assessment report, the Office 365 report on controls at the service organization relevant to security and availability, the report on a
description of Office 365, the suitability of the design and operating effectiveness of controls, and a signed copy of the Office 365 accreditation memorandum, and
determined that results of the security control assessments are documented within the reports.

Interviewed Office 365 Trust team Lead and Senior Program Manager and determined that the Office 365 Trust team coordinates annual ongoing audit activities with Office
365 teams in a proactive manner to plan the mitigation of any risk to services while still enabling compliance assessments objectives to be achieved in a timely manner.
A.13.1.1 Controls for network Microsoft manages and controls networks to protect information in systems and applications. Microsoft protects the confidentiality Interviewed security and compliance personnel and determined that Office 365 connects to external networks or information systems only through MCIO’s managed
management and integrity of transmitted information. Multiple techniques are used to control information flows, including but not limited to: networks or secure Terminal Services Gateways. The network interfaces provide boundary protection using tiered ACLs and are arranged in accordance with the security
architecture of deny all, and permit only by exception. MCIO is responsible for implementing and monitoring all networking connectivity to the environment.
- Physical separation: Network segments are physically separated by routers that are configured to prevent specific communication
patterns. Examined multiple samples of the router and firewall ACLs in use on perimeter devices and verified that settings are employed to monitor and control communications at the
external boundary of the information system and at key internal boundaries within the system.
- Logical separation: Virtual LAN (VLAN) technology is used to further separate communications.
Tested the current configuration of the active ACLs by means of attempting a connection on a known open port on a server from beyond the Office 365 team boundary.
- Firewalls: Firewalls and other network security enforcement points are used to limit data exchanges with systems that are exposed Observed that the connection was denied as intended by the ACLs in order to confirm proper implementation.
to the Internet, and to isolate front-end systems from back-end systems managed by Office 365.
Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (MCIO) team for the implementation of this
- Protocol restrictions: traffic to and from customers is transmitted over encrypted connections. Microsoft implements boundary control. Please review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports of the Service Assurance portal.
protection through the use of controlled devices at the network boundary and at key points within the network.

The primary goal of network security is to allow only connections and communications that are necessary for system operation;
blocking other ports, protocols and connections by default. Access Control Lists (ACLs) are the preferred mechanism to restrict
network communications by source and destination networks, ports and protocols. Approved mechanisms to implement
networked-based ACLs include: Tiered ACLs on routers managed by Microsoft's Cloud Infrastructure & Operations (MCIO) team,
IPsec policies applied to hosts to restrict communications (when used in conjunction with tiered ACLs), firewall rules, and host-based
firewall rules.

Microsoft implements information flow control by allowing only connections and communication that are necessary to allow system
operation, blocking other ports, protocols and connections by default, as defined in Microsoft's Online Services security standard.
Microsoft manages ACL approvals through a Request for Change process (that includes review and risk acceptance) and MCIO
implements the approved change.

Office 365 uses FIPS 140-2 Level 2-validated ciphers for customer, third-party, and remote access connections into the accreditation
boundary. Office 365 support personnel use FIPS 140-2-validated TLS encryption for connections that travel outside the boundary of
Office 365. TLS employs cryptographic mechanisms that allow client/server applications to communicate across the network in a way
that is designed to prevent eavesdropping and tampering.

A.13.1.2 Network service agreements Microsoft identifies and includes security mechanisms, service levels, and management requirements of network services in network Examined the MMVA and determined that suppliers must comply with physical and information security policies set out in the SOW or otherwise provided to the supplier by
services agreements, whether these services are provided in-house or outsourced. Office 365 authorizes connections from the Microsoft. Determined that, per the MMVA, the supplier must also use security procedures to prevent disclosure of Microsoft Confidential Information to unauthorized third
information system to other information systems through the use of Interconnection Security Agreements. Microsoft requires third parties and that suppliers must have controls in place for system access, system and application development and maintenance, change management, asset classification and
parties (external information system services) that are engaged with Office 365 to sign a Microsoft Master Vendor Agreement control, incident response, physical & environmental security, disaster recovery, and employee training. Finally, determined that vendors and contractors must sign the MMVA
(MMVA). The MMVA requires the third party to comply with applicable Office 365 security policies and to implement security prior to beginning work at Microsoft. Security requirements are detailed in the MMVA, which must be signed prior to beginning the engagement. Also interviewed Office 365
procedures to prevent disclosure of Office 365 confidential information. Office 365 includes provisions in the MMVA and any Trust team personnel and determined that vendors and contractors are subject to the MMVA and to the disclosure agreements.
associated Statement of Work (SOW) with each vendor addressing the need to use appropriate security controls. Vendors that
handle sensitive data must be in compliance with Office 365 vendor privacy practices and data protection requirements. Examined the Office 365 System Security Plan and determined that vendors and contractors are subject to the same screening requirements as Microsoft personnel. Microsoft
requires that approved screening vendors submit screening outcomes for third-party personnel directly to Microsoft, where they are tracked in a Human Resources
Information System (HRIS). Also examined the MMVA and determined that it defines personnel security requirements for vendors and contractors.

Interviewed Office 365 Program Managers and determined that interconnection service agreements (ISAs) are used to identify system interconnections and data flow
diagrams that are documented detail information flows. ISAs are reviewed annually.

Examined several Office 365 ISAs and associated control matrices and determined that Microsoft authorizes identified connections from the information system to other
information systems through the use of interconnection security agreements.

Examined several Office 365 ISAs and associated control matrices and determined that the ISAs document the interface characteristics, security requirements, and nature of
the information communicated respectively.

A.13.1.3 Network segregation Microsoft segregates groups of information services, users, and information systems on networks. Office 365 separates user Interviewed security and compliance team personnel and determined that Office 365 connects to external networks or information systems only through managed networks
functionality (including user interface services) from information system management functionality. The primary principle of network and secure gateways (TSGs). The network interfaces provided boundary protection using tiered Access Control Lists (ACLs) and were arranged in accordance with the security
security is to allow only connection and communication that is necessary for system operation, blocking other ports, protocols, and architecture. Microsoft's Cloud Infrastructure & Operations (MCIO) team is responsible for implementing and monitoring all networking connectivity to the environment.
connections by default. The networks within Office 365 datacenters are designed to create multiple separate network segments. This
segmentation helps to provide physical separation of critical, back-end servers, and storage devices from the public-facing Examined multiple Office 365 team samples of the router and firewall ACLs in use on the perimeter devices to verify settings are used to monitor and control communications
interfaces. Data storage and processing is logically segregated among customers of the same service through Active Directory at the external boundary of the information system and at key internal boundaries within the system.
structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. The multi-tenant
security architecture ensures that customer data stored in Office 365 datacenters is not accessible by or compromised to any other Tested the current configuration of the active ACLs by means of attempting a connection on a known open port on a server from beyond the Office 365 system boundary.
organization. Active Directory is used to control and prevent the unauthorized and unintended information transfer via shared Observed that the connection was denied as intended by the ACLs in order to confirm proper implementation.
system resources. Tenants are isolated from one another based on custom code and security boundaries, or silos, enforced logically
through Active Directory. Tested multi-tenant separation by having an administrator provide a URL to an Office 365 resource (associated with his account) to an administrator of another tenant. Upon
failure to access the data, it was determined that the second administrator had no access to the data for another tenant.

Tested multi-tenant separation by having an administrator show live tenant resources via PowerShell for Microsoft's own Office 365 groups and determined that each receives
their own Organization ID, Program ID, and GUID.
A.13.2.1 Policies and procedures for Microsoft has formal transfer policies, procedures, and controls in place to protect the transfer of information through the use of Examined samples of Office 365 firewall rules and ACLs in place to implement the exception information flow policy used at Office 365 system boundaries as well as the router
information transfer various types of communication facilities. Microsoft implements boundary protection through the use of controlled devices at the and firewall ACLs in use on the perimeter devices. This confirmed that the approved mechanisms used to control the flow of information within the system and between
network boundary and at key points within the Office 365 network. The primary principle of network security is to allow only interconnected systems are implemented.
connection and communication that is necessary for system operation, blocking other ports, protocols and connections by default.
Access Control Lists (ACLs) are the preferred mechanism through which to restrict network communications by source and Tested the current configuration of the active ACLs by means of attempting a connection to a known open port on a server beyond the Office 365 system boundary, and
destination networks, protocols, and port numbers. Approved mechanisms to implement networked-based ACLs include: observed that the connection was denied as intended by the ACLs.

- Tiered ACLs on routers managed by Microsoft's Cloud Infrastructure & Operations (MCIO) team

- IPsec policies applied to hosts to restrict communications (when used in conjunction with tiered ACLs), firewall rules, and host-
based firewall rules

Office 365 uses FIPS 140-2 Level 2-validated ciphers for customer, third-party, and remote access connections into the Office 365
accreditation boundary. Office 365 support personnel use FIPS 140-2-validated TLS encryption for connections that travel outside
the boundary of Office 365. TLS uses cryptographic mechanisms that allow client/server applications to communicate across the
network in a way designed to prevent eavesdropping and tampering.

A.13.2.2 Information transfer Microsoft's agreements address the secure transfer of business information between Microsoft and external parties. Microsoft Examined the MMVA and determined that suppliers must comply with physical and information security policies set out in the SOW or otherwise provided to the supplier by
agreements documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information Microsoft. Determined that, per the MMVA, the supplier must also use security procedures to prevent the disclosure of Microsoft Confidential Information to unauthorized
communicated. Microsoft requires third parties (external information system services) that are engaged with Office 365 to sign a third parties. Suppliers must have controls in place to protect the system access, system and application development and maintenance, change management, asset
Microsoft Master Vendor Agreement (MMVA) and an Interconnection Security Agreement (ISA). The MMVA requires the third party classification and control, incident response, physical & environmental security, disaster recovery, and employee training. Finally, determined that vendors and contractors
to comply with applicable Office 365 security policies and to implement security procedures to prevent the disclosure of Microsoft must sign the MMVA prior to beginning work at Microsoft. Security requirements are detailed in the MMVA that must be signed prior to beginning the engagement. Also
Confidential Information. Office 365 includes provisions in the MMVA and any associated Statement of Work (SOW) with each interviewed Office 365 Trust team personnel and determined that vendors/contractors are subject to the MMVA and to non-disclosure agreements.
vendor addressing the need to use the appropriate security controls. Vendors that handle sensitive data must be in compliance with
Microsoft's vendor privacy practices and data protection requirements. Examined the Office 365 System Security Plan (SSP) and determined that vendors and contractors are subject to the same screening requirements as Microsoft personnel.
Microsoft requires that approved screening vendors submit screening outcomes for third-party personnel directly to Microsoft, where they are tracked in a Human Resources
Information System (HRIS). Also examined the MMVA and determined that it defines personnel security requirements for vendors and contractors.

Interviewed Office 365 Program Managers and determined that ISAs are used to identify system interconnections and that the data flow diagrams detail these information
flows. ISAs are reviewed annually. Examined several Office 365 ISAs and associated control matrices and determined that Microsoft authorizes identified connections from the
information system to other information systems through the use of interconnection security agreements.

Examined several Office 365 ISAs and associated control matrices and determined that the ISAs document the interface characteristics, security requirements, and nature of
the information communicated respectively.

Examined several Office 365 ISAs and associated control matrices and determined that the terms and conditions of the ISAs are valid for one year after the last date of the
signature lines and are updated, reviewed, and reauthorized annually.

A.13.2.3 Electronics messaging Microsoft appropriately protects information involved in electronic messaging. Microsoft maintains the confidentiality and integrity Interviewed senior service engineers and a program manager and determined that Office 365 used encryption to protect the integrity and confidentiality of transmitted
of information during preparation for transmission and during reception. Procedures for the handling of assets in various forms are information and that Office 365 appropriately protected information involved in electronic messaging. Specifically, Office 365 provided FIPS 140-2 Level 2-validated ciphers
in accordance with the relevant standards and procedures. and TLS protocols for customer connections, interconnected system connections, and remote access connections to Office 365.

Interviewed Office 365 architects and determined that certificates are generated internally by a secure certification generation tool.

Tested by examining the TLS configuration best practices and determined that acceptable cipher suites and protocols are identified to protect the confidentiality and integrity
of transmitted information.

Tested by examining the certificate deployment configuration script, screenshots of certificate path, screenshot of key certificate details, screenshot verifying use of AES 256
and TLS 1.2 and determined that deployment scripts make calls to secrets management and that current settings are configured as required.

Tested by examining screenshots of certificate key usage, screenshots of general certificate information, screenshots of certificate root trust, screenshots of certificate SANS,
screenshot of certificates management system and determined that the system is used to request certificates from the Microsoft Certificate Authority which is configured as
required.

A.13.2.4 Agreements for Microsoft identifies, regularly reviews, and documents requirements for confidentiality or non-disclosure agreements reflecting the Examined the Office 365 System Security Plan and Resource Access Agreement and determined that all Office 365 staff are required to sign confidentiality and non-disclosure
confidentiality / non- organization’s needs for the protection of information. Office 365 ensures that access to classified information requiring special agreements and the Microsoft Employee Handbook at the time of hire as a condition of employment and access to Office 365. In addition, vendors and contractors are
disclosure protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement (NDA). Microsoft's required to sign the Microsoft Master Vendor Agreement (MMVA) to ensure compliance with Microsoft policies on required engagements. The Employee Handbook,
Acceptable Use Policy outlines the specific acceptable usage standards of Microsoft's infrastructure and services technology assets. confidentiality and non-disclosure agreements, and MMVA are reviewed and updated annually to reflect changes to the Microsoft environment.
Additionally, the Office 365 General Use Standard describes user responsibilities and establishes expected behavior when using
Office 365 and its systems. Users, including employees, vendors, and contractors are required to follow the rules of behavior, which Interviewed Office 365 Trust personnel and determined that rules of behavior are embedded in the Microsoft Employee Handbook. The Employee Handbook is available
are outlined in the General Use Standard. The agreements are put in place to protect trade secrets, sensitive, or business confidential online to all employees on the Microsoft Human Resources portal. Additionally, Office 365 team users are provided with the rules of behavior as part of their annual security
information and assets. The NDA, the Microsoft Employee Handbook, and the Microsoft Security Policy include statements awareness training. Determined that users are asked to provide explicit acknowledgement during this training and that submission of training completion constitutes
regarding information and asset protection responsibilities. They also describe the penalties for violation of these responsibilities. agreement that the user understood this document.

Examined the View & Sign agreement for employees and determined that the organization requires that users acknowledge that they have read, understood, and accept all
modifications to the Employee Handbook on an annual basis.

Examined a training report and determined that annual security awareness training is conducted in accordance with the annual frequency, and constitutes the agreement with
the rules of behavior contained in the Employee Handbook.
A.14.1.1 Information security Microsoft includes information security-related requirements in the requirements for new information systems or enhancements to Reviewed the Office 365 security plan and the SDL summary, which provide a detailed outline of the processes followed by engineering and development projects and
requirement analysis and existing information systems. Microsoft has developed an information security architecture for the information system that describes determined that Office 365 includes the information security related requirements in the requirements for new information systems or enhancements to existing information
specification the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and systems. Determined that the SDL is a software development model that includes specific security considerations for all software, services, and devices.
availability of organizational information. Microsoft's implementation of lifecycle support is outlined through the Microsoft Security
Development Lifecycle (https://www.microsoft.com/en-us/sdl/default.aspx) (SDL) process that is followed by engineering and Examined the SDL site and determined that the entire purpose for the SDL is to enforce security engineering principles all throughout the system's lifecycle, including the
development projects. A security requirements analysis must be completed for development projects. This analysis document acts as specification, design, development, implementation, and modification of system code and components.
a framework and includes the identification of possible risks to the finished development project as well as mitigation strategies that
can be implemented and tested during the development phases. Critical security review and approval checkpoints are included Interviewed Office 365 Program Managers and determined that Microsoft effectively implements and documents secure engineering principles within the Office 365
during the development lifecycle. Members of software development teams receive appropriate training to stay informed about environment. Updates to the information system or changes to a component’s code must proceed through a change management process outlined under change
secure development. Microsoft implements acquisitions control through enforcement of the Microsoft Security Policy. The Microsoft management controls. Security measures, such as static and dynamic code analysis, have been included within this process to ensure that updated code meets the level of
Security Policy dictates that where a third party is allowed to (i) access, process, host or manage Office 365’s online services’ security required by Microsoft. Each individual service group maintains their own set of standard operating procedures. Sign-offs are required from Release Managers for each
information assets or information processing facilities, or (ii) add products or services to Office 365’s online services’ information step of the process.
processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security,
confidentiality, integrity and availability of the information assets involved. Appropriate security standards are addressed in the Examined the SDL interface called Quality Essentials. This tracking mechanism allows administrators to have a quick, efficient view of where the development is in the SDL
agreement, to provide a level of protection. process and how long the stage will last. This interface can be filtered on a wide variety of parameters to allow an administrator fast access to any SDL entry.

A.14.1.2 Application security over Microsoft protects information involved in application services passing over public networks from fraudulent activity, contract Interviewed Senior Service Engineers and a Program Manager and determined that Office 365 uses encryption to protect the integrity and confidentiality of transmitted
public networks dispute, and unauthorized disclosure and modification. Microsoft implements cryptographic mechanisms to prevent unauthorized information between Office 365 teams. Specifically, Office 365 provides FIPS 140-2 Level 2-validated cipher support and TLS protocols for customer connections,
disclosure of information and detect changes to information during transmission unless otherwise protected by alternative physical interconnected system connections, and remote access connections to Office 365.
safeguards. Microsoft implements boundary protection through the use of controlled devices at the network boundary and at key
points within the network. The primary principle of network security is to allow only connection and communication that is Examined screenshot of enabled use of FIPS mode, a screenshot of enabled encryption, a screenshot of server certificate encryption strength, and a TechNet article on how
necessary for system operation, blocking other ports, protocols and connections by default. Office 365 teams also implement cryptographic modules are employed in Microsoft products. Determined that the algorithms are implemented within the Office 365 environment.
encryption mechanisms on communications between partners and between customers. Encryption modules are operated in FIPS
mode which has been FIPS 140-2 Level 2-validated. This ensures the confidentiality and integrity of communications between Interviewed Office 365 architects and determined that certificates are generated internally by a secure certification generation tool.
services teams, partners, and customers are protected. Office 365 provides FIPS 140-2 Level 2 cipher support for customer, third-
party, and remote access connections into the accreditation boundary. Office 365 support personnel use FIPS 140-2-validated TLS Tested by examining the certificate deployment configuration script, screenshots of certificate path, screenshot of key certificate details, screenshot verifying use of AES 256
encryption for connections that travel outside the boundary of Office 365. TLS employs cryptographic mechanisms that allow and TLS 1.2 and determined that deployment scripts make calls to secrets management and that current settings were configured as required.
client/server applications to communicate across the network in a way designed to prevent eavesdropping and tampering. The
encryption modules used for transmitted information are certified by NIST and relevant NIST certificate numbers for Microsoft can Tested by examining screenshots of certificate key usage, screenshots of general certificate information, screenshots of certificate root trust, screenshots of certificate SANS,
be found at FIPS 140-1 and FIPS 140-2 List (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm). For more screenshot of certificate management system and determined that the management system is used to request certificates from the Microsoft Certificate Authority, which is
information, see FIPS 140 Validation (https://technet.microsoft.com/en-us/library/cc750357.aspx). configured as required.

A.14.1.3 Application service Microsoft protects information involved in application service transactions to prevent incomplete transmission, mis-routing, Interviewed Senior Service Engineers and a Program Manager and determined that Office 365 uses encryption to protect the integrity and confidentiality of transmitted
transactions protection unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. Microsoft implements information between Office 365 teams. Specifically, Office 365 provides FIPS 140-2 Level 2-validated cipher support and TLS protocols for customer connections,
cryptographic mechanisms to prevent the unauthorized disclosure of information and to detect changes to information during interconnected system connections, and remote access connections to Office 365.
transmission unless otherwise protected by alternative physical safeguards. Office 365 support personnel utilize FIPS 140-2 Level 2-
va;idated TLS encryption for connections that travel outside the boundary of Office 365. TLS employs cryptographic mechanisms Examined screenshot of enabled use of FIPS mode, a screenshot of enabled encryption, a screenshot of server certificate encryption strength, and a TechNet article on how
that allow client/server applications to communicate across the network in a way designed to prevent eavesdropping and cryptographic modules are employed in Microsoft products. Determined that the algorithms are implemented within the Office 365 environment.
tampering. The encryption modules used for transmitted information are certified by NIST and relevant NIST certificate numbers for
Microsoft can be found at FIPS 140-1 and FIPS 140-2 List (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm). Interviewed Office 365 architects and determined that certificates are generated internally by a secure certification generation tool.
For more information, see FIPS 140 Validation (http://technet.microsoft.com/en-us/library/cc750357.aspx).
Tested by examining the certificate deployment configuration script, screenshots of certificate path, screenshot of key certificate details, screenshot verifying use of AES 256
and TLS 1.2 and determined that deployment scripts make calls to secrets management and that current settings were configured as required.

Tested by examining screenshots of certificate key usage, screenshots of general certificate information, screenshots of certificate root trust, screenshots of certificate SANS,
screenshot of the certificate management system and determined that the certificate management system is used to request certificates from the Microsoft Certificate
Authority, which is configured as required.
A.14.2.1 Policy for secure Microsoft has established and applied rules for the development of software and systems to developments within the organization. Determined through examination of development changes and on-site testing of secure development processes that each Office 365 development team has implemented the
development Office 365 manages the information system using a Security Development Lifecycle (SDL) that incorporates information security Microsoft SDL to ensure that all code releases are vetted prior to release and to ensure that proper security engineering principles were being applied to the design of the
considerations. Microsoft applies information system security engineering principles in the specification, design, development, information system. The SDL process is in place to enforce security engineering principles throughout the system's lifecycle, including the specification, design, development,
implementation, and modification of the information system. The Microsoft Security Development Lifecycle implementation, and modification of system code and components.
(https://www.microsoft.com/en-us/sdl/default.aspx) (SDL) process is followed for engineering and development projects. The SDL
process includes the following phases which implement standard security engineering principles across Office 365 systems: Examined the Microsoft Security Development Lifecycle (https://www.microsoft.com/en-us/sdl/default.aspx) site and determined that the entire purpose for the SDL is to
enforce security engineering principles all throughout the system's lifecycle, including the specification, design, development, implementation, and modification of system
- Phase 1: Requirements - This includes the project inception (when the organization considers security and privacy at a code and components.
foundational level) and a cost analysis (when determining if development and support costs for improving security and privacy are
consistent with business need. Interviewed Office 365 Program Managers and determined that the organization effectively implemented and documented secure engineering principles within the Office 365
environment. Updates to the information system or changes to a component’s code must proceed through a change management process outlined under change
- Phase 2: Design - This is when the organization builds the plan for how to take the project through the rest of the SDL process, management controls. Security measures, such as static and dynamic code analysis, have been included within this process to ensure that updated code meets the level of
from implementation, to verification, to release. During the design phase the organization establishes best practices to follow for security required by Microsoft. Each individual service group maintains their own set of standard operating procedures. Sign-offs are required from Release Managers for each
this phase by way of functional and design specifications, and by performing risk analysis to identify threats and vulnerabilities in the step of the process.
software.
Examined the SDL interface called Quality Essentials. This tracking mechanism allows administrators to have a quick, efficient view of where the development is in the SDL
- Phase 3: Implementation - This is when the organization creates the documentation and tools the customer uses to make process and how long the stage will last. This interface can be filtered using a wide variety of parameters to allow an administrator fast access to any SDL entry.
informed decisions about how to deploy the software securely. The implementation phase is when the organization establishes
development best practices to detect and remove security and privacy issues early in the development cycle.

- Phase 4: Verification - During this phase, the organization ensures that the code meets the security and privacy tenets established
in the previous phases. This is done through security and privacy testing, and a security push, which is a team-wide focus on threat
model updates, code review, testing, and thorough documentation review and edit. A publicly released privacy review is also
completed during the verification phase.

- Phase 5: Release - This is when the organization prepares the software for consumption and prepares for what happens once the
software is released. One of the core concepts in the release phase is response planning (mapping out a plan of action, should any
security or privacy vulnerabilities be discovered in the release). This carries over to post-release as well, in terms of response
execution.

Final security and privacy reviews are required prior to release. As established by the Office 365 Information Security Policy,
A.14.2.2 Change control process Microsoft controls changes to systems within the development lifecycle by using a formal change control process. Microsoft Reviewed Office 365 active framework controls and associated standard operating procedures and confirmed that roles have been identified for involved entities who had
determines the types of changes to the information system that are configuration controlled. A formal change control procedure is change management responsibilities in the Office 365 environment. These documents provide additional granularity and policy clarification (engineering guidance) for
followed when making changes to any production Office 365 system. This procedure includes a review and approval process. This organization-wide configuration management procedures and details for what is expected from each Office 365 team. The documentation is made available via a SharePoint
change control procedure is communicated to the Office 365 staff with the need to know and Office 365 contractor staff with the site.
need to know and third parties who perform system maintenance on, or in, any Office 365 facility. At a minimum, the procedure
includes the following actions: Examined records of proposed changes from multiple Office 365 teams and determined that changes to the information system are reviewed and approved or disapproved
with explicit consideration for security impact analysis. In addition, determined that the ticket tracking tool provides additional records of changes showing post-deployment
- The identification and documentation of the planned change verification steps for changes that may affect more than just the specific Office 365 team implementing the change.

- Assessment of the change impact

- Change testing in an appropriate non-production environment

- Change communication plan

- Change management approval process

- Change abort and recovery plan

A centralized change management tool is used to document evidence of approval and to track changes.

A.14.2.3 Application change reviews Microsoft reviews and tests business critical applications to ensure that there is no adverse effects on organizational operations or Examined multiple artifacts relating to the change control process from multiple Office 365 teams and determined that the measures to review current baselines and evaluate
security when operating platforms are changed. Microsoft tests, validates, and documents changes to the Office 365 information potential security effects prior to change implementation are being effectively applied.
system before implementing the changes on the operational system. The Office 365 team follows the Security Development
Lifecycle (SDL) process, which involves testing within a segregated environment, code review, and documentation of changes within Interviewed senior Foundation team and Risk Management team Program Managers and Office 365 team personnel and determined that there is a three-tiered process for
a change management tool. Technical reviews of significant Office 365 system changes are performed and approved by change proposed changes, depending on the level of system impact. A description of the risk is inserted into the change request to ensure that the members of management have
advisory boards. clear visibility into what side effects, if any, the requested change may have on the information system. Also determined that, as a part of this process, the compliance team
has integrated the Microsoft threat modelling tool to assist developers with completing an initial security risk assessment. Confirmed that changes must be approved and
integrated with the ticket tracking assignment tool which is used to assign and track work to personnel, as well as for retention and historical review of changes to the system.

A.14.2.4 Software change restrictions Microsoft discourages modifications, limits changes to those deemed necessary, and strictly controls changes to software packages. Examined multiple artifacts relating to the change control process from multiple Office 365 teams and determined that the measures to review current baselines and evaluate
Microsoft has implemented change management policies and procedures. Changes to production systems, other than security potential security effects prior to change implementation are being effectively applied.
patches, can be made only when there is a valid business reason to do so, such as a planned upgrade to the system. Changes
implemented within the production environment are categorized into request for change types to appropriately schedule, align Interviewed senior Foundation team and Risk Management team Program Managers and Office 365 team personnel and determined that there is a three-tiered process for
resources, and provide change metrics back into the change process for continuous improvement. Security impact analysis proposed changes, depending on the level of system impact. A description of the risk is inserted into the change request to ensure that the members of management have
considers the configurable security-related parameters of Office 365 such as registry settings, account, file, and directory settings clear visibility into what side effects, if any, the requested change may have on the information system. Also determined that, as a part of this process, the compliance team
and permissions, and settings for services, ports, protocols, and remote connections. Security impact analysis is performed for new has integrated the Microsoft threat modelling tool to assist developers with completing an initial security risk assessment. Confirmed that changes must be approved and
features and code changes. Modifications to software packages are not made unless explicitly approved by Office 365 management integrated with the ticket tracking assignment tool which is used to assign and track work to personnel, as well as for retention and historical review of changes to the system.
and version and change control procedures have occurred.
A.14.2.5 Principals for engineering Microsoft has established and applied rules for the development of software and systems to developments within the organization. Determined through examination of development changes and on-site testing of secure development processes that each Office 365 development team has implemented the
secure systems Office 365 manages the information system using a Security Development Lifecycle (SDL) that incorporates information security Microsoft SDL to ensure that all code releases are vetted prior to release and to ensure that proper security engineering principles were being applied to the design of the
considerations. Microsoft applies information system security engineering principles in the specification, design, development, information system. The SDL process is in place to enforce security engineering principles throughout the system's lifecycle, including the specification, design, development,
implementation, and modification of the information system. The Microsoft Security Development Lifecycle implementation, and modification of system code and components.
(https://www.microsoft.com/en-us/sdl/default.aspx) (SDL) process is followed for engineering and development projects. The SDL
process includes the following phases which implement standard security engineering principles across Office 365 systems: Examined the Microsoft Security Development Lifecycle (https://www.microsoft.com/en-us/sdl/default.aspx) site and determined that the entire purpose for the SDL is to
enforce security engineering principles all throughout the system's lifecycle, including the specification, design, development, implementation, and modification of system
- Phase 1: Requirements - This includes the project inception (when the organization considers security and privacy at a code and components.
foundational level) and a cost analysis (when determining if development and support costs for improving security and privacy are
consistent with business need. Interviewed Office 365 Program Managers and determined that the organization effectively implemented and documented secure engineering principles within the Office 365
environment. Updates to the information system or changes to a component’s code must proceed through a change management process outlined under change
- Phase 2: Design - This is when the organization builds the plan for how to take the project through the rest of the SDL process, management controls. Security measures, such as static and dynamic code analysis, have been included within this process to ensure that updated code meets the level of
from implementation, to verification, to release. During the design phase the organization establishes best practices to follow for security required by Microsoft. Each individual service group maintains their own set of standard operating procedures. Sign-offs are required from Release Managers for each
this phase by way of functional and design specifications, and by performing risk analysis to identify threats and vulnerabilities in the step of the process.
software.
Examined the SDL interface called Quality Essentials. This tracking mechanism allows administrators to have a quick, efficient view of where the development is in the SDL
- Phase 3: Implementation - This is when the organization creates the documentation and tools the customer uses to make process and how long the stage will last. This interface can be filtered using a wide variety of parameters to allow an administrator fast access to any SDL entry.
informed decisions about how to deploy the software securely. The implementation phase is when the organization establishes
development best practices to detect and remove security and privacy issues early in the development cycle.

- Phase 4: Verification - During this phase, the organization ensures that the code meets the security and privacy tenets established
in the previous phases. This is done through security and privacy testing, and a security push, which is a team-wide focus on threat
model updates, code review, testing, and thorough documentation review and edit. A publicly released privacy review is also
completed during the verification phase.

- Phase 5: Release - This is when the organization prepares the software for consumption and prepares for what happens once the
software is released. One of the core concepts in the release phase is response planning (mapping out a plan of action, should any
security or privacy vulnerabilities be discovered in the release). This carries over to post-release as well, in terms of response
execution.

Final security and privacy reviews are required prior to release. As established by the Office 365 Information Security Policy,
A.14.2.6 Secure development Microsoft establishes and appropriately protects secure development environments for system development and integration efforts Examined the Office 365 system security plan and determined that Office 365 teams test potential software and firmware changes prior to deployment, either in a separate
that cover the entire development lifecycle. Microsoft integrates the organizational information security risk management process test environment, or by removing a server from production, making changes, testing, and returning it to production upon successful completion.
into Security Development Lifecycle (SDL) activities. Office 365’s implementation of lifecycle support is outlined in the Microsoft
Security Development Lifecycle (https://www.microsoft.com/en-us/sdl/default.aspx). This process is followed by engineering and Examined tickets for changes being tested prior to implementation in the production environment and determined that the changes are first tested in the development
development projects. A security requirements analysis must be completed for system development projects. This analysis environment. The ticket states that sign-off was obtained before the changes were deployed in production. Tickets also show how the changes were pushed to testing and
document acts as a framework and includes the identification of possible risks to the finished development project as well as then to production environment.
mitigation strategies that can be implemented and tested during the development phases. Critical security review and approval
checkpoints are included during the development lifecycle. Members of software development teams receive appropriate training to Interviewed Office 365 security personnel and determined that all changes are tested in development and test environments prior to implementation in the production
stay informed about security practices. environment. Each step of the process requires appropriate approval before moving to the next step.

A.14.2.7 Outsourced development Microsoft does not rely on outsourced development. Thus this control is not applicable to Office 365. Microsoft does not rely on outsourced development. Thus this control is not applicable to Office 365.

A.14.2.8 Testing for system security Microsoft's testing of security functionality is carried out during development. Microsoft requires the developer of a production Examined the SDL site and determined that the entire purpose for the SDL is to ensure that system development included information security considerations.
Office 365 system component, or a production service to perform testing and evaluation during development. The development
team is responsible for ensuring that system development and maintenance activities are performed in accordance with the Interviewed Office 365 Program Managers and determined that security is the primary focus of the SDL process. Updates to the information system proceed through the
Microsoft Security Development Lifecycle (https://www.microsoft.com/en-us/sdl/default.aspx) (SDL) process. A formal review process change management (CM) process outlined under CM controls. Changes made to a component's code are subject to the change control process. Security measures, such as
is implemented to ensure that new or modified source code authored by Office 365 staff is developed in a secure fashion, no static and dynamic code analysis, have been included within this process to ensure that updated code meets the level of security required by Microsoft. Sign-offs are required
malicious code has been introduced into the system, and that proper coding practices are followed. The reviewers’ names, review from Release Managers for each step of the process.
dates, and review results are documented and maintained for audit purposes. A formal security quality assurance process is
implemented to test for vulnerabilities to known security exposures and exploits. The process includes the use of automated security Examined an SDL interface called Quality Essentials. This tracking mechanism provides administrators with a quick, efficient view of where the development is in the SDL
testing tools and requires that vulnerabilities are remediated before the system is released to production. process and how long the stage will last. This interface can be filtered on a wide variety of parameters to allow an administrator fast access to any SDL entry.

Examined the Office 365 security plan and determined that assessment plans are developed through the use of the SDL, specifically, the final three phases: Implementation,
Verification, and Release.

Interviewed Office 365 Program Managers and determined that the SDL process is in place to ensure that developers and/or integrators work, develop and implement code
and/or additional system components in a secure manner.

Examined artifacts showing static and dynamic code analysis tools were performed once code was checked into its repository.

Examined the Office 365 security plan and determined that Office 365 teams enable either Windows resources protection or Windows file protection on all servers. These
services verify the correct operation of core Windows server security functions at boot. Office 365 teams also run system file checker. The tools run on startup and restart. All
servers are rebooted at least monthly to support patching. This reboot also ensures that system verification is performed at least monthly. For more information about these
tools, see About Windows Resource Protection (https://msdn.microsoft.com/en-us/library/windows/desktop/aa382503(v=vs.85).aspx).
A.14.2.9 System acceptance testing Microsoft has established acceptance testing programs and related criteria for new information systems, upgrades, and new Interviewed Office 365 Program Managers and determined that the SDL process ensures that developers and integrators work, develop and implement code or additional
versions. Microsoft requires the developer of the production, system component, or production service to perform testing and system components in a secure manner. Many of the security vulnerabilities that are identified when dealing with code are detected by file fuzzing or static code analysis
evaluation during development. The Office 365 team is responsible for ensuring that system development and maintenance tools. These tools are run automatically when code is checked in. Administrators receive a report that outlines any discovered vulnerabilities and how to remediate them.
activities are performed in accordance with the Microsoft Security Development Lifecycle (https://www.microsoft.com/en- Using this data, the developer remediates the vulnerabilities and resubmits the code. Once it passes the security checks and is signed-off, it can move to the next step of the
us/sdl/default.aspx) (SDL) process. A formal review process is implemented to ensure that new or modified source code authored by process. Changes to the information system are performed in a test environment before they are pushed to production servers.
Office 365 staff is developed in a secure fashion, no malicious code has been introduced into the system, and that proper coding
practices are followed. The reviewers’ names, review dates, and review results are documented and maintained for audit purposes. A Examined an SDL interface called Quality Essentials. This tracking mechanism provides administrators with a quick, efficient view of where the development is in the SDL
formal security quality assurance process is implemented to test for vulnerabilities to known security exposures and exploits. The process and how long the stage will last. This interface can be filtered on a wide variety of parameters to allow an administrator fast access to any SDL entry.
process includes the use of automated security testing tools and requires that vulnerabilities are remediated before the system is
released to production. Patches, updates, and threat mitigation are covered by the SDL, a detailed, robust practice that Microsoft Examined artifacts showing that static and dynamic code analysis were performed once code is checked in.
has developed over many years. Part of the SDL has been built upon investments in Trustworthy Computing. Microsoft has various
patch management release cycles and engagement models that allow Microsoft to mitigate new threats as quickly as possible within
the service. The SDL conforms to ISO/IEC 27034-1:2011.

A.14.3.1 Test data security Microsoft carefully selects, protects and controls test data. Microsoft requires the developer of an Office 365 information system, Examined the SDL site and determined that the SDL is purposefully designed to ensure that system development includes information security considerations.
system component, or information system service to create and implement a security assessment plan. In accordance with the
Microsoft Security Development Lifecycle (SDL), security testing occurs in several phases throughout the SDL process. Specifically, Interviewed Office 365 Program Managers and determined that security is a primary focus in the development of the SDL process. Updates to the information system proceed
security testing occurs during the following phases of the SDL: Implementation, Verification, and Release. through the change management (CM) process outlined under CM controls. Changes made to a component's code are subject to the change control process. Security
measures, such as static and dynamic code analysis, are included within this process to ensure that updated code meets the level of security required by Microsoft. Sign-offs
are required from Release Managers for each step of the process.

Examined an SDL interface called Quality Essentials. This tracking mechanism provided administrators with a quick, efficient view of where the development is in the SDL
process and how long the stage will last. This interface can be filtered on a wide variety of parameters to allow an administrator fast access to any SDL entry.

Examined the Office 365 security plan and determined that assessment plans are developed through the use of the SDL, specifically, the final three phases: Implementation,
Verification, and Release.

Interviewed Office 365 Program Managers and determined that the SDL process is in place to ensure that developers or integrators work, develop, and implement code or
additional system components in a secure manner.

Examined artifacts showing static and dynamic code analysis tools are performed once code is checked in.

Examined the Office 365 security plan and determined that Office 365 teams enable either Windows resources protection or Windows file protection on all servers. These
services verify the correct operation of core Windows server security functions at boot. Microsoft also runs system file checker. The tools run on startup and restart. All servers
are rebooted at least monthly to support patching. This reboot also ensures that system verification is performed at least monthly. For more information about these tools,
see About Windows Resource Protection (https://msdn.microsoft.com/en-us/library/windows/desktop/aa382503(v=vs.85).aspx).

A.15.1.1 Information security Microsoft enters into agreements with suppliers and documents information security requirements for mitigating the risks Interviewed Office 365 Program Managers and determined that ISAs are reviewed annually and that the data flow diagram has detailed information flows to identify system
requirements for Office 365 associated with supplier’s access to the organization’s assets. Microsoft establishes personnel security requirements including interconnections.
suppliers security roles and responsibilities for third-party providers. Policies and guidelines for temporary workers and vendors can be found
on internal company Web sites. In contracts, Microsoft includes provisions to ensure that third-party providers meet or exceed the Examined several Office 365 ISAs and associated control matrices and determined that Microsoft authorizes identified connections from the Microsoft corporate information
personnel security requirements mandated by Microsoft. This includes the ability to successfully pass the Microsoft Cloud system to other information systems through the use of ISAs. Examined several Office 365 ISAs and associated control matrices and determined that the ISAs document the
Background Check, or the equivalent, as well as to obtain and maintain a clearance if the specific project requires it. Third-party interface characteristics, security requirements, and nature of the information communicated respectively.
providers are subject to the same personnel screening requirements as Microsoft employees working on the Office 365 system for
federal customers. Third-party providers are required to sign a non-disclosure agreement prior to accessing Office 365 information Examined several Office 365 ISAs and associated control matrices and determined that the terms and conditions of the ISAs are valid for one year after the last date of the
systems or resident information. Microsoft agrees upon and enforces information security requirements for Office 365 suppliers signature lines and are updated, reviewed, and reauthorized annually.
through the Interconnection Security Agreements (ISAs).

A.15.1.2 Supplier information security Microsoft establishes and agrees to relevant information security requirements with each supplier that may access, process, store, Interviewed Office 365 Trust team personnel and determined that suppliers are subject to the MMVA and to non-disclosure agreements. Examined the MMVA and
agreements communicate, or provide IT infrastructure components for Office 365. Microsoft requires that providers of external information determined that it defines the personnel security requirements for the suppliers. Examined the MMVA and determined that vendors and contractors must comply with the
system services comply with organizational information security requirements and employ security controls in accordance with physical and information security policies set out in the SOW or otherwise provided to the suppliers by Microsoft.
applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance. Microsoft requires third parties
(external information system services) that are engaged with Microsoft to sign a Microsoft Master Vendor Agreement (MMVA) and Determined that, per the MMVA, suppliers must also employ security procedures to prevent disclosure of Microsoft Confidential Information to unauthorized third parties.
Interconnection Security Agreements (ISAs). The MMVA and ISAs requires the third party to comply with applicable Office 365 Suppliers must have controls in place to protect system access, system and application development and maintenance, change management, asset classification and control,
security policies and implement security procedures to prevent disclosure of Microsoft Confidential Information. Microsoft includes incident response, physical and environmental security, disaster recovery, and employee training. Finally, determined that vendors and contractors must sign the MMVA prior
provisions in the MMVA and any associated Statement of Work (SOW) with each vendor addressing the need to employ appropriate to beginning work at Microsoft. Security requirements are detailed in the MMVA that must be signed prior to beginning the engagement.
security controls. Vendors that handle sensitive data must be in compliance with Office 365 vendor privacy practices and data
protection requirements. Examined the Office 365 System Security Plan and determined that vendors and contractors are subject to the same screening requirements as Microsoft personnel. Microsoft
requires that approved screening vendors submit screening outcomes for third-party personnel directly to Microsoft, where they are tracked in a Human Resources
Information System.
A.15.1.3 Technology supply chain Microsoft includes in agreements with suppliers requirements to address the information security risks associated with information Examined the MMVA and determined that suppliers must comply with physical and information security policies set out in the SOW or otherwise provided to the supplier by
supporting online services and communications technology services and product supply chain. Microsoft requires third parties (external information system Microsoft. Determined that, per the MMVA, the supplier must also use security procedures to prevent the disclosure of Microsoft Confidential Information to unauthorized
services) to sign a Microsoft Master Vendor Agreement (MMVA) and Interconnection Security Agreements (ISAs). The MMVA and third parties. Suppliers must have controls in place to protect the system access, system and application development and maintenance, change management, asset
ISAs requires the third party to comply with applicable Office 365 security policies and implement security procedures to prevent classification and control, incident response, physical & environmental security, disaster recovery, and employee training. In addition, determined that vendors and contractors
disclosure of Microsoft Confidential Information. Microsoft includes provisions in the MMVA and any associated Statement of Work must sign the MMVA prior to beginning work at Microsoft. Security requirements were detailed in the MMVA that must be signed prior to beginning the engagement. Also
(SOW) with each vendor addressing the need to use appropriate security controls. Vendors that handle sensitive data must be in interviewed Office 365 Trust team personnel and determined that vendors and contractors are subject to the MMVA and to the non-disclosure agreements.
compliance with Microsoft's vendor privacy practices and data protection requirements.
Examined the Office 365 system security plan and determined that vendors and contractors are subject to the same screening requirements as Microsoft personnel. Microsoft
requires that approved screening vendors submit screening outcomes for third-party personnel directly to Microsoft, where they are tracked in a human resources
information system. Also examined the MMVA and determined that it defines the personnel security requirements for vendors and contractors.

Examined several Office 365 ISAs and associated control matrices and determined that Microsoft authorizes identified connections from the information system to other
information systems through the use of ISAs. Examined several Office 365 ISAs and associated control matrices and determined that the ISAs document the interface
characteristics, security requirements, and nature of the information communicated respectively.

A.15.2.1 Supplier services monitoring Microsoft regularly monitors, reviews and audits supplier service delivery. Microsoft uses processes, methods, and techniques to Interviewed Office 365 Program Managers and determined that ISAs are reviewed annually and the data flow diagram contains detailed information flows to identify system
and review monitor security control compliance by external service providers on an ongoing basis. Microsoft signs Interconnection Security interconnections.
Agreements (ISAs) with external information systems suppliers as necessary; ISAs define Office 365 oversight. Microsoft includes
provisions in the Microsoft Master Vendor Agreement (MMVA) and any associated Statement of Work (SOW) with each vendor Examined several Office 365 ISAs and associated control matrices and determined that Microsoft authorizes identified connections from its corporate information system to
addressing the need to use appropriate security controls. Vendors that handle sensitive data must be in compliance with Microsoft's other information systems through the use of ISAs. Examined several Office 365 ISAs and associated control matrices and determined that the ISAs document the interface
vendor privacy practices and data protection requirements. characteristics, security requirements, and nature of the information communicated respectively.

Examined several Office 365 ISAs and associated control matrices and determined that the terms and conditions of the ISAs are valid for one year after the last date of the
signature lines and are updated, reviewed, and reauthorized annually.

A.15.2.2 Managing changes to Office Microsoft manages changes to the provision of services by suppliers, including maintaining and improving existing information Examined the MMVA and determined that suppliers must comply with physical and information security policies set out in the SOW or otherwise provided to the supplier by
365 supplier services security policies, procedures and controls, taking account of the criticality of business information, systems and processes involved Microsoft. Determined that, per the MMVA, the supplier must also use security procedures to prevent the disclosure of Microsoft Confidential Information to unauthorized
and re-assessment of risks. Microsoft conducts an organizational assessment of risk prior to the acquisition or outsourcing of third parties. Suppliers must have controls in place to protect the system access, system and application development and maintenance, change management, asset
dedicated information security services. A risk assessment of third-party service providers is performed as part of acquisitions classification and control, incident response, physical and environmental security, disaster recovery, and employee training. In addition, determined that vendors and
activities. Third-party vendors are required to sign the Microsoft Master Vendor Agreement (MMVA) which includes basic risk contractors must sign the MMVA prior to beginning work at Microsoft. Security requirements are detailed in the MMVA that must be signed prior to beginning the
assessment of the vendor as a business. For any party with whom Microsoft signs an Interconnection Security Agreement (ISA), engagement. Also interviewed Office 365 Trust team personnel and determined that vendors and contractors are subject to the MMVA and to the non-disclosure agreements.
Microsoft meets with them regularly and monitors the agreement and any changes within the agreement.
Examined the Office 365 system security plan (SSP) and determined that vendors and contractors are be subject to the same screening requirements as Microsoft personnel.
Microsoft requires that approved screening vendors submit screening outcomes for third-party personnel directly to Microsoft, where they are tracked in Human Resources
Information System. Also examined the MMVA and determined that it defines the personnel security requirements for vendors and contractors.

Examined several Office 365 ISAs and associated control matrices and determined that Microsoft authorizes identified connections from the information system to other
information systems through the use of ISAs. Examined several Office 365 ISAs and associated control matrices and determined that the ISAs document the interface
characteristics, security requirements, and nature of the information communicated respectively.

A.16.1.1 Incident management Microsoft responds to information security incidents in accordance with the documented procedures. Microsoft develops, Examined the Microsoft Office 365 information security policy, Office 365 framework controls and Office 365 security incident response procedures and determined that the
responsibilities and documents, and disseminates to all relevant personnel or roles; the procedures to facilitate the implementation of the incident information security policy formally documents an incident response policy that addresses the purpose, scope, roles and responsibilities, management commitment,
procedures response policy and associated incident response controls. Microsoft has developed robust processes to facilitate a coordinated coordination among organizational entities, and compliance. Policies and procedures are distributed to personnel with responsibilities for implementing those policies via
response to incidents if one was to occur. A security incident may include, but are not limited to: e-mail viruses, malware, worms, links to SharePoint. The personnel roles identified within the standard operating procedures (SOPs) include members of the Security Investigation and Response team, the
denial of service attacks, unauthorized access, and any other type of unauthorized, or unlawful activity involving Office 365 Audit and Monitoring team, Office 365 team members, and subject matter experts (as needed).
computer networks or data processing equipment.
Examined the Office 365 information security policy, Office 365 framework controls and Office 365 security incident response procedures and determined that the incident
The Office 365 Security Incident Response process follows the following phases: response SOP was developed and documented to facilitate the implementation of the incident response policy and associated incident response controls related to Office
365.
- Identification: System and security alerts may be harvested, correlated, and analyzed. Events are investigated by Office 365
operations and security organizations. If an event indicates a security issue, the incident is assigned a severity classification and Interviewed Office 365 Program Managers and determined that procedures are stored in SharePoint to enable Office 365 personnel to access them at any time. The document
appropriately escalated. This escalation will include product, security, and engineering specialists. tracking history is also stored in SharePoint. Examined an email that was digitally signed by leadership for annual acceptance of incident response policies and procedures.

- Containment: The escalation team evaluates the scope and impact of an incident. The immediate priority of the escalation team is Obtained and inspected evidence for a selection of incidents to ascertain that security incidents are documented within an incident tracking system and are resolved.
to ensure the incident is contained and data is safe. The escalation team forms the response, performs appropriate testing, and
implements changes. In the case where in-depth investigation is required, content is collected from the subject systems using best- Obtained and inspected evidence for a selection of incidents to ascertain that adverse security incidents are escalated and reviewed by the appropriate team and required
of-breed forensic software and industry best practices. action is taken.

- Eradication: After the situation is contained, the escalation team moves toward eradicating any damage caused by the security Tested by examining Office 365 team penetration test reports which were identified as containing Red Team post-mortem reports and a sample of incident handling records
breach, and identifies the root cause for why the security issue occurred. If vulnerability is determined, the escalation team reports and determined that the on-call engineer (OCE) is responsible for containing and resolving the incidents, and they work with the Office 365 team to resolve incidents. Records
the issue to product engineering. of incident investigation and eradication (post-mortems) are maintained. Office 365 engineers use the Office Service Pulse portal to help alert, detect, analyze and prepare
them for incidents.
- Recovery: During recovery, software or configuration updates are applied to the system and services are returned to a full working
capacity.

- Lessons Learned: Each security incident is analyzed to ensure that the appropriate mitigations are applied to protect against any
future reoccurrence.
A.16.1.2 Incident reporting Microsoft reports Office 365 information security events through appropriate management channels as quickly as possible. Incidents Examined the standard operating procedures (SOPs) for Office 365 breach response, Office 365 security incident response SOPs, and incident response plans and determined
are identified through internal monitoring systems, external customer communication, or internal identification. Upon identification, that Office 365 teams and personnel are required to report suspected security incidents to the Office 365 Investigation and Response team in near real-time upon discovering
incidents are immediately brought to the attention of the Office 365 Investigation and Response team. Tickets for the incidents are a suspected security incident.
entered into the tracking system, and escalated as necessary. Contractual obligations in the Data Processing Terms of the Microsoft
Online Services Terms ((http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)) require Interviewed incident response manager and Office 365 Program Manager and determined that the incident response plan defines who manages the Incident Communications
Office 365 to notify customers promptly in the event of an incident affecting their data. Security notifications are, by nature, Team. They are responsible for notifying all parties. The reporting timelines are defined by the customer.
extremely rare, sensitive, and unique. Therefore, a formal process has been developed to tailor notifications to the specific incident
on a case-by-case basis. Notifications can occur via email, phone, broad communication, or by direct engagement, depending on
the issue and impact.

A.16.1.3 Security vulnerability Microsoft requires employees and contractors using the organization’s Office 365 information systems and services to note and Examined the standard operating procedures (SOPs) for Office 365 breach response, Office 365 security incident response SOPs, and incident response plans and determined
reporting report any observed or suspected information security weaknesses in systems or services. Microsoft employees and contractors are that Office 365 teams and personnel are required to report suspected security incidents to the Office 365 Investigation and Response team in near real-time upon discovering
required to note and report any observed or suspected information security weaknesses in systems or services. Office 365 security a suspected security incident.
incidents, weaknesses, and malfunctions are required to be reported by Microsoft and contractor staff immediately. The reporting
and handling of these events follow prescribed procedures pursuant to a defined and implemented incident response policy. Interviewed incident response manager and Office 365 Program Manager and determined that the incident response plan defines who manages the Incident Communications
Team. They are responsible for notifying all parties. The reporting timelines are defined by the customer.
A.16.1.4 Security event assessment Microsoft responds to Office 365 information security incidents in accordance with the documented procedures. Microsoft develops, Examined the standard operating procedures (SOPs) for Office 365 breach response, Office 365 security incident response SOPs, and incident response plans and determined
documents, and disseminates to all relevant personnel or roles procedures to facilitate the implementation of the incident response that Office 365 has implemented incident response procedures, which consist of technical mechanisms, organization infrastructures, and other procedures to detect, respond,
policy and associated incident response controls. Microsoft has developed robust processes for Office 365 to facilitate a coordinated and deter security incidents. Incidents are assessed for their severity and escalated to the Office 365 investigation and response team for response and mitigation.
response to incidents if one was to occur. A security incident may include, but are not limited to, email viruses, malware, worms,
denial of service attacks, unauthorized access, and any other type of unauthorized, or unlawful activity involving Office 365 Interviewed Incident Response Manager and an Office 365 Program Manager and determined that the incident response plan defines who manages the incident
computer networks or data processing equipment. communications team. They are responsible for notifying all parties. The reporting timelines were defined by the customer.

Microsoft's Security Incident Response process for Office 365 is broken down into the following phases: Obtained and inspected evidence from a selection of incidents to ascertain that security incidents are assessed and documented within an incident tracking system and are
resolved.
- Identification: System and security alerts may be harvested, correlated, and analyzed. Events are investigated by Office 365
operations and security organizations. If an event indicates a security issue, the incident is assigned a severity classification and Obtained and inspected evidence from a selection of incidents to ascertain that adverse security incidents are escalated and reviewed by the appropriate team and that
appropriately escalated. This escalation will include product, security, and engineering specialists. required action is taken.

- Containment: The escalation team evaluates the scope and impact of an incident. The immediate priority of the escalation team is
to ensure the incident is contained and data is safe. The escalation team forms the response, performs appropriate testing, and
implements changes. In the case where in-depth investigation is required, content is collected from the subject systems using best-
of-breed forensic software and industry best practices.

- Eradication: After the situation is contained, the escalation team moves toward eradicating any damage caused by the security
breach, and identifies the root cause for why the security issue occurred. If a vulnerability is determined, the escalation team reports
the issue to product engineering.

- Recovery: During recovery, software or configuration updates are applied to the system and services are returned to a full working
capacity.

- Lessons Learned: Each security incident is analyzed to ensure the appropriate mitigations are applied to protect against any future
reoccurrence.

A.16.1.5 Incident response Microsoft responds to Office 365 information security incidents in accordance with the documented procedures. Microsoft develops, Examined the standard operating procedures (SOPs) for Office 365 breach response, Office 365 security incident response SOPs, and incident response plans and determined
documents, and disseminates to all relevant personnel or roles procedures to facilitate the implementation of the incident response that Office 365 has implemented incident response procedures, which consist of technical mechanisms, organization infrastructures, and other procedures to detect, respond,
policy and associated incident response controls. Microsoft has developed robust processes for Office 365 to facilitate a coordinated and deter security incidents. Incidents are assessed for their severity and escalated to the Office 365 investigation and response team for response and mitigation.
response to incidents if one was to occur. A security incident may include, but are not limited to, email viruses, malware, worms,
denial of service attacks, unauthorized access, and any other type of unauthorized, or unlawful activity involving Office 365 Interviewed Incident Response Manager and an Office 365 Program Manager and determined that the incident response plan defines who manages the incident
computer networks or data processing equipment. communications team. They are responsible for notifying all parties. The reporting timelines were defined by the customer.

Microsoft's Security Incident Response process for Office 365 is broken down into the following phases: Obtained and inspected evidence from a selection of incidents to ascertain that security incidents are assessed and documented within an incident tracking system and are
resolved.
- Identification: System and security alerts may be harvested, correlated, and analyzed. Events are investigated by Office 365
operations and security organizations. If an event indicates a security issue, the incident is assigned a severity classification and Obtained and inspected evidence from a selection of incidents to ascertain that adverse security incidents are escalated and reviewed by the appropriate team and that
appropriately escalated. This escalation will include product, security, and engineering specialists. required action is taken.

- Containment: The escalation team evaluates the scope and impact of an incident. The immediate priority of the escalation team is Examined Office 365 team penetration test reports which are identified as containing Red Team post-mortem reports and a sample of incident handling records and
to ensure the incident is contained and data is safe. The escalation team forms the response, performs appropriate testing, and determined that the on-call engineer is responsible for containing and resolving incidents and works with the Office 365 team to resolve and eradicate incidents. Records of
implements changes. In the case where in-depth investigation is required, content is collected from the subject systems using best- incident investigation and eradication (post-mortems) are maintained. Office 365 engineers use the Office Service Pulse portal to help alert, detect, analyze, and prepare them
of-breed forensic software and industry best practices. for incidents.

- Eradication: After the situation is contained, the escalation team moves toward eradicating any damage caused by the security
breach, and identifies the root cause for why the security issue occurred. If a vulnerability is determined, the escalation team reports
the issue to product engineering.

- Recovery: During recovery, software or configuration updates are applied to the system and services are returned to a full working
capacity.

- Lessons Learned: Each security incident is analyzed to ensure the appropriate mitigations are applied to protect against any future
reoccurrence.
A.16.1.6 Information security incident Microsoft uses knowledge gained from analyzing and resolving information security incidents to reduce the likelihood or impact of Examined the standard operating procedures (SOPs) for Office 365 breach response, Office 365 security incident response SOPs, and incident response plans and determined
learnings future incidents. Microsoft correlates incident information and individual incident responses to achieve an organization-wide that Office 365 has implemented incident response procedures, which consist of technical mechanisms, organization infrastructures, and other procedures to detect, respond,
perspective on incident awareness and response. The Office 365 service and platform teams, security team, and Office 365 Security and deter security incidents. Incidents are assessed for their severity and escalated to the Office 365 investigation and response team for response and mitigation.
Incident Response (SIR) team are responsible for managing the investigation and resolution of security incidents within Office 365.
The Office 365 security team and Office 365 SIR team work with other teams to ensure that security incidents are contained, Interviewed Incident Response Manager and an Office 365 Program Manager and determined that the incident response plan defines who manages the incident
eradicated, and that recovery is completed. The Product Marketing Group works with other teams to notify customers of security communications team. They are responsible for notifying all parties. The reporting timelines were defined by the customer.
incidents, where appropriate, and to initiate the privacy incident response framework process if there is a concern that a privacy
breach may have occurred. While the specific activities to be performed will depend on the security incident itself, there are several Obtained and inspected evidence from a selection of incidents to ascertain that security incidents are assessed and documented within an incident tracking system and are
critical activities that must be performed as part of the process of managing the security incident response. These activities can resolved.
include preparation, detection and analysis, containment, eradication, and recovery and are detailed in the Office 365 security
incident response standard operating procedures (SOPs). A log of the security incident response effort is a useful tool for quality Obtained and inspected evidence from a selection of incidents to ascertain that adverse security incidents are escalated and reviewed by the appropriate team and that
assurance and continuous improvement. The Office 365 SIR team lead and investigator will include any significant details of the required action is taken.
security incident response resulting from their investigation and ensures that these are reflected appropriately record tools.
Examined Office 365 team penetration test reports which are identified as containing Red Team post-mortem reports and a sample of incident handling records and
determined that the on-call engineer is responsible for containing and resolving incidents and works with the Office 365 team to resolve and eradicate incidents. Records of
incident investigation and eradication (post-mortems) are maintained. Office 365 engineers use the Office Service Pulse portal to help alert, detect, analyze, and prepare them
for incidents.

A.16.1.7 Incident evidence Microsoft defines and applies procedures for the identification, collection, acquisition and preservation of information, which can Examined Office 365 team penetration test reports which are identified as containing Red Team post-mortem reports and a sample of incident handling records and
management serve as evidence. Microsoft implements an incident handling capability for security incidents that includes preparation, detection determined that the on-call engineer is responsible for containing and resolving incidents and works with the Office 365 team to resolve and eradicate incidents. Records of
and analysis, containment, eradication, and recovery. Microsoft takes every security incident very seriously. Upon becoming aware of incident investigation and eradication (post-mortems) are maintained. Office 365 engineers use the Office Service Pulse portal to help alert, detect, analyze, and prepare them
a security incident, Microsoft uses a defined security incident response process, including forensic investigation, to track exactly for incidents.
what happened, which data was accessed, and by whom. The Security Incident Response team lead and investigator include any
significant details resulting from the investigation to the record system. Examined data within audit storage to determine that collected audit events are sent up to the centralized auditing system, using an encrypted format that ensures the
integrity and confidentiality of any sensitive data, and provides protection of audit records from unauthorized access, modification, or deletion. Additionally, Office 365 audit
logs are pushed to storage every five to fifteen minutes, greatly limiting the impact that any modification would incur.

Examined collected audit events in the centralized Cosmos auditing system and determined that systems are configured, and automated mechanisms are working, as required
to ensure that audit log data remains available for at least 90 days.

Examined Cosmos data stores for multiple Office 365 teams in order to determine that Cosmos retains audit data for at least 90 days.

A.17.1.1 Information security Microsoft determines its requirements for information security and the continuity of information security management in adverse Examined test documentation and related evidence to determine that Office 365 has implemented information security continuity aligned with its overall BCM program.
continuity management situations, e.g., during a crisis or disaster. Microsoft develops a contingency plan for the information system that identifies essential
missions and business functions and associated contingency requirements. Microsoft incorporates resilient and redundant features Examined the information system documentation and determined that each Office 365 team coordinates with the BCM team to develop and document a contingency plan
for information security continuity management. The information security systems in Office 365 are designed to quickly recover that identifies the essential mission and business functions associated within their respective environments.
from unexpected events such as hardware or application failure, data corruption, or other incidents. Microsoft has a dedicated
Business Continuity Management (BCM) team that provides support to assist Office 365 teams in analyzing continuity and disaster Interviewed Senior Security Engineers and Program Managers confirmed that the contingency planning process is coordinated with incident response to ensure proper
recovery requirements, documenting procedures, and conducting testing of established procedures. reactions to continuity impacting events.

A.17.1.2 Information security Microsoft establishes, documents, implements and maintains processes, procedures and controls to ensure the required level of Examined test documentation and related evidence to determine that Office 365 has implemented information security continuity aligned with its overall Business Continuity
continuity implementation continuity for information security during an adverse situation. Microsoft develops a contingency plan for the information system Management (BCM) program.
that provides recovery objectives, restoration priorities, and metrics. Plans are developed and maintained per Industry best practices
to be reflective of the current production environment. For more information, see Service Continuity Examined the information system documentation and determined that each Office 365 team coordinates with the BCM team to develop and document a contingency plan
(https://technet.microsoft.com/en-us/library/office-365-service-continuity.aspx). Microsoft maintains a framework that is consistent that identifies the essential mission and business functions associated within their respective environments.
with industry best practices that drives the continuity program at levels. The framework includes:
Interviewed Senior Security Engineers and Program Managers and confirmed that the contingency planning process is coordinated with incident response to ensure proper
- Assignment of key resource responsibilities reactions to continuity impacting events.
- Notification, escalation and declaration processes
- Recovery Time Objectives and Recovery Point Objectives
- Continuity plans with documented procedures
- Training program for preparing appropriate parties to execute the Continuity Plan
- A testing, maintenance, and revision process

A.17.1.3 Verification, and evaluation Microsoft regularly reviews established and implemented information security continuity controls in order to ensure that they are Examined historical copies of the Office 365 baseline configurations using a combination of artifacts and determined that configuration settings and history are maintained
of information security valid and effective during adverse situations. Microsoft regularly tests contingency plans for the Office 365 information system using under configuration control and must be reviewed at least annually or when significant changes are required.
continuity exercises to determine the effectiveness of the plan and the organizational readiness to execute the plan. Recovery plans are
validated on a regular basis per industry best practices to ensure that solutions are viable at time of event. Office 365 teams Examined the Office 365 security plan and determined that Office 365 teams test their contingency plans on an annual basis to ensure that controls are in place and
coordinate and perform regular failover exercises. After a failover exercise is completed for contingency planning, any findings are functioning properly.
documented as part of the post-mortem. This post-mortem contingency plan document is then updated to include the lessons
learned and any necessary procedural changes and enhancements to the plan. Interviewed business continuity process owners across multiple Office 365 teams to ascertain that failover tests for Office 365 information security systems occur on a regular
basis.

Obtained and inspected evidence for a selection of failover tests, and determined that the tests were completed as designed, and that any issues identified were addressed in
a timely manner.

Confirmed that the Office 365 systems are configured to use multiple sites in an active/active configuration. If a failure occurs in one site, the other site will automatically
become the primary site.
A.17.2.1 Information processing Microsoft implements information processing facilities with redundancy sufficient to meet availability requirements. Microsoft Examined each Office 365 team's contingency plans, and determined that alternate sites exist for every component of Office 365. Alternate sites are configured as both
facilities availability develops a contingency plan for the Office 365 information system that addresses maintaining essential missions and business storage and processing sites and designed to work using an active/active hot site methodology.
functions despite an information system disruption, compromise, or failure. Microsoft has redesigned the Office 365 software,
service, and controls to expect, plan for, and address failures at the hardware, network, and datacenter levels. By building in the Examined each Office 365 team's dependency analysis and determined each Office 365 team has established recovery time objectives. Through an assessment of the
intelligence to handle failures at the application layer (within our own software) instead of at the datacenter layer (relying on third- information system, it has been determined that these recovery time objectives are plausible due to the fact that the entire Office 365 information system operates in an
party hardware), Microsoft is able to deliver significantly high availability and reliability for Office 365. While in practice the active/active state. The components making up Office 365 replicate to the multiple datacenters and can be switched over at will.
datacenters are operating somewhere between Tier 3 and Tier 4 as defined in Telecommunications Industry Association standard
no. 942, the applications are delivering against the financially-backed service level agreement of 99.9%. Interviewed data backup and restoration process owners and determined that processes are established for data backups and restorations.

Office 365 is built with reliability as a pillar. The core reliability design principles include: Obtained and inspected evidence for a selection of backups and replicated data and determined that data backups and replication occur according to defined procedures and
alternative data instances are available for restoration, failover, and activation.
- Redundancy built into every layer—physical redundancy (via multiple disk/cards, servers, geographical sites, and datacenters); data
redundancy (constant replication across datacenters); and functional redundancy (the ability for customers to work offline when Interviewed business continuity process owners across multiple Office 365 teams and determined that failover tests occur on a regular basis for Office 365 information security
there is no network connectivity). systems.

- Resiliency, via active load balancing and dynamic prioritization of tasks based on current loads; constant recovery testing across Obtained and inspected evidence for a selection of failover tests, and determined that the test was functioning as designed, and that any issues identified are addressed in a
failure domains; and both automated failover and manual switchover to healthy resources. timely manner.

- Distributed functionality of component services, to help limit the scope and impact of a failure in one area and to simplify all
aspects of maintenance and deployment, diagnostics, repair and recovery.

- Continuous monitoring, with extensive recovery and diagnostic tools to drive automated and manual recovery of the service.

- Simplification to drive predictability, including the use of standardized components and processes, wherever possible; loose
coupling among the software components for less complex deployment and maintenance; and a change management process that
goes through progressive stages from scope to validation before being deployed worldwide.

- Human backup, with 24/7 on-call support to provide rapid response and information collection towards problem resolution.

A.18.1.1 Applicable legislation and Microsoft explicitly identifies, documents, and keeps up to date relevant legislative statutory, regulatory, contractual requirements, Examined the Office 365 system security plan, Office 365 control framework, Office 365 risk management Standard Operating Procedures (SOPs), and determined that
contractual requirements and Microsoft's approach to meet these requirements for each information system and the organization. Microsoft develops, Microsoft explicitly identifies, documents, and keeps up-to-date all relevant legislative statutory, regulatory, contractual requirements, and the organization’s approach to
documents, and disseminates to relevant personnel or roles a security assessment and authorization policy that addresses purpose, meet these requirements for each information system and the organization. The control framework is designed to provide a common compliance baseline for all Office 365
scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. As a service teams to follow; the SOPs create a mapping between the NIST assessment procedures and the framework policy identifiers in order to provide an engineering specific starting
provider, Microsoft focuses on how using our services can help our customers manage or meet their own compliance obligations. point for Office 365 teams to identify exactly what must be done in order to achieve compliance.
Microsoft is continuing to mature and enhance it's risk management features to address a wider array of regulatory requirements
across a broad set of industry verticals. Microsoft uses a hybrid controls framework approach for Office 365 to address the myriad of Examined implementation of the Office 365 control framework across Office 365 teams and determined that Microsoft uses a hybrid control framework which includes NIST
regulatory requirements that govern the services and data that Office 365 manages for our customers. In this manner, Microsoft standard 800-53 for baseline control procedures and added additional controls as required for keeping up-to-date with relevant legislative statutory, regulatory, contractual
identifies and uses commonality to build an integrated set of specific control objectives, and drives those control objectives into a requirements.
consolidated framework, enhancing efficiency, and improving compliance management. In this way Microsoft enhances the risk
management posture of it's services, as well as addresses any requirements relevant to external compliance obligations by Office Office 365 framework covered the following control areas:
365 or the underlying infrastructure. In some instances, non-common controls may be added conditionally where business need
justifies the additional cost and complexity. 1. Access Control
2. Accountability, Audit, and Risk
3. Authority and Purpose
4. Configuration Management
5. Contingency Planning
6. Continuity
7. Data Minimization and Retention
8. Data Portability
9. Data Quality and Integrity
10. Geographic Boundaries
11. Identification and Authentication
12. Incident Response
13. Maintenance
14. Media Protection
15. Personnel Security
16. Physical Access
17. Program Management
18. Risk Assessment
19. Security
A.18.1.2 Intellectual property rights Microsoft implements appropriate procedures to ensure compliance with legislative, regulatory, and contractual requirements Examined the Office 365 Information Security Policy, the associated configuration management standard operating procedures, and the Office 365 configuration
management related to intellectual property rights and the use of proprietary software products. Microsoft uses software and associated management plan and determined that licensing, for both Microsoft and third-party software is managed by the Office 365 teams with help and guidelines provided by
documentation in accordance with contract agreements and copyright laws. Risk associated with intellectual property rights Microsoft's Corporate, External, and Legal Affairs (CELA) team.
violations are factored into the technical and procedural controls that govern Microsoft's service offerings. However, the vast
majority of software used to deliver services is Microsoft's Office 365 suite. Examined CELA documentation and determined that it provides clear guidelines around how to ensure compliance with legislative, regulatory, and contractual requirements
related to intellectual property rights and the use of proprietary software products.
A.18.1.3 Records protection Microsoft protects records from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with Reviewed the Office 365 data handling standard and determined that Microsoft documents how all data (information within the system and information output from the
legislative, regulatory, contractual and business requirements. Microsoft enforces mandatory access control policies over subjects system) should be handled and retained.
and objects where the policy specifies that a subject that has been granted access to information is constrained from passing the
information to unauthorized subjects or objects. Microsoft-owned Office 365 assets are retained as appropriate based on the Interviewed Office 365 security personnel and confirmed that all data handled by Office 365 is subject to the Office 365 data handling standard and that there are no
retention requirements set by Microsoft's Corporate Records Management team and an asset’s classification, or based on exceptions to this policy.
contractual requirements.
Examined data within audit storage to determine that collected audit events are sent to the centralized auditing system, using an encrypted format that ensures the integrity
and confidentiality of any sensitive data, as well as provides protection to audit records from unauthorized access, modification, or deletion. Additionally, Office 365 audit logs
are pushed to storage every five to fifteen minutes, greatly limiting the impact that any modification would incur.

Reviewed audit log access within Office 365 systems and determined that only authorized system administrators have the ability to view or alter local logs.

Reviewed collected audit events sent to the centralized auditing storage system and real-time review of audit log access within Office 365 systems and determined that
system logs limit the ability to view or alter logs to only authorized system administrators.

Examined collected audit events in the centralized Cosmos auditing system and determined that systems are configured and automated mechanisms are working as required
to ensure that audit log data remains available for at least 90 days.

Examined Cosmos data stores for multiple Office 365 teams and determined that Cosmos retains audit data for at least 90 days.

Interviewed Office 365 engineers, key personnel and administrators of Office 365 systems about auditing and logging functions and determined that collected audit events
are sent to the centralized Cosmos auditing system and stored there for at least 90 days.

A.18.1.4 Privacy and protection of Microsoft ensures the protection and privacy of personally identifiable information as required in relevant legislation and regulation Interviewed Office 365 team leads and Office 365 Trust team leads and confirmed that Office 365 does not process PII under a data processing contract for any purpose
personally identifiable where applicable. Microsoft determines and documents the legal authority that permits the collection, use, maintenance, and independent of the instructions of the customer.
information sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.
Office 365 owned assets are retained as appropriate based on retention requirements set by Microsoft's Corporate Records Examined controls to appropriately restrict PII per defined and agreed upon purposes. Validated that Office 365 does not process PII under a data processing contract for any
Management team and an asset’s classification, or based on contractual requirements. The classification of assets is included in the purpose independent of the instructions of the customer. Controls examined and validated included:
Office 365 asset inventory. Microsoft uses a comprehensive framework to comply with FISMA, SSAE 16, HIPAA, ISO 27011, and other
regulations as necessary. As part of this framework, Microsoft maintains ongoing continuous monitoring programs to assure Office - Access controls to strictly restrict access to customer data
365 compliance in post-production deployments.
- Access controls that eliminated "standing" access to Office 365 service environment

- Access controls that enable only just-in-time and role-based access to customer data, and expire within few hours

- Operational controls that log any access attempt to the Office 365 production environment or customer data

- Secure development lifecycle to ensure that Office 365 features are developed in compliance with security, and privacy requirement as established by Microsoft's security
policies and Information Security Management System for Office 365

For more information, see the detailed test plans for ISO 27001 for the above controls.

A.18.1.5 Cryptographic controls Microsoft uses cryptographic controls in compliance with relevant agreements, legislation and regulations. Microsoft implements Examined the Office 365 secrets management playbook and determined that Office 365 has developed procedural documentation and custom-made tools to address the
regulations mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, executive orders, cryptographic key generation, distribution, storage, access, and destruction of secrets (private keys, passwords protecting keys, and x.509 certificate information).
directives, policies, regulations, standards, and guidance for such authentication. Office 365 uses the cryptographic capabilities that
are built into the Windows operating system for certificates, and authentication (e.g., Kerberos). These cryptographic modules have Examined the process by which Office 365 endpoint certificates are created and managed and determined that the appropriate key management tools are utilized to
been certified by NIST as being FIPS 140-2 Level 2-validated. Any time cryptographic capabilities are used to protect the generate, get approved, and store x.509 certificates for use in public-facing endpoints.
confidentiality, integrity, or availability of data within Office 365, the modules and ciphers are FIPS 140-2-validated. For more
information about FIPS 140 validation, see FIPS 140 Validation (http://technet.microsoft.com/en-us/library/cc750357.aspx). Interviewed Senior Program Managers and determined that key management tools are being used to establish and manage cryptographic keys and certificates. Tested the
Microsoft provides digital certificates on public-facing, external Web sites. These certificates allow users to authenticate the key management tools with the assistance of Senior Program Managers and confirmed that key management mechanisms are operating as intended through the use of the
legitimacy of Office 365 sites before establishing an encrypted connection and transferring data. key management portal. Any time that certificates must be generated, they are established through the key management tool.

Interviewed members of the Office 365 Compliance team who confirmed that TLS connections are used.

Examined screenshot of enabled use of FIPS algorithm, a screenshot of enabled encryption, a screenshot of server certificate encryption strength, and the content of a
TechNet article on how cryptographic modules are used in Microsoft products. Determined that that FIPS-validated are were implemented within the Office 365 environment.

Interviewed Office 365 architects and determined that certificates are generated internally by a secure certification generation tool.

Examined the certificate deployment configuration script, screenshots of certificate path, screenshot of key certificate details, screenshot verifying use of AES 256 and TLS 1.2
and determined that deployment scripts make calls to secrets management and that current settings are configured as required.

Examined screenshots of certificate key usage, screenshots of general certificate information, screenshots of certificate root trust, screenshots of certificate SANS, screenshot
of certificates management system and determined that it is used to request certificates from the Microsoft Certificate Authority which is configured as required.

A.18.2.1 Independent review Microsoft's approach to managing information security and its implementation (e.g., control objectives, controls, policies, processes Examined output of various independent Office 365 audits performed by third-party independent examiners, Microsoft internal audits, and interviewed Microsoft corporate
and procedures for information security) is reviewed independently at planned intervals or when significant changes occur. risk management teams, and determined that Microsoft's approach to information security management and implementation (e.g., control objectives, controls, policies,
Microsoft develops a security assessment plan that describes the scope of the assessment including the assessment environment, processes and procedures for information security) is reviewed independently at planned intervals, multiple times throughout year and when significant changes occur.
assessment team, and assessment roles and responsibilities. Microsoft takes a risk-based approach to managing it's cloud services.
As part of the periodic independent assessments of Office 365, controls are tested continuously and are tested multiple times a year.
Microsoft provides evidence of these tests through independent ISO and SOC audits that are conducted annually. This evidence can
be downloaded from the Compliance Reports area of Service Assurance.
A.18.2.2 Compliance The Office 365 management team regularly reviews the compliance of information processing and procedures within their area of Interviewed Office 365 Trust team members and determined that plan of action and milestone progress tracking is conducted, and monthly meetings are held with executives
responsibility and with the appropriate security policies, standards, and any other security requirements. Office 365 regularly reviews to show progress.
and updates current audit and accountability procedures. The Microsoft Security Policy contains rules and requirements that must
be met in the delivery and operation of Office 365. More detailed requirements are established within Office 365 security procedures Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards and determined that Office 365 teams create key performance
and Office 365 team-owned standard operating procedures (SOPs). These standards and procedures act as adjuncts to the Microsoft indicators (KPIs) that reflect the relevant security metrics for the service, and that Office 365 teams monitor and report on those KPIs monthly by publishing the measurable
Security Policy and provide implementation-level details to carry out specific operational tasks. As such, Office 365 teams regularly data to dashboards for consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.
review their compliance with the appropriate security policies, standards, and any other security standards. Appropriate actions are
taken if any noncompliance is found as a result of the review.

A.18.2.3 Technical compliance Microsoft regularly reviews Office 365 information systems for compliance with Microsoft's information security policies and Examined the Office 365 security plan, the Office 365 information security policy and Office 365 framework controls and associated specific standard operating procedures
standards. Office 365 regularly assesses the security controls in the information system and the production environment to (SOPs) relevant to security assessment and compliance and determined that security controls are assessed annually or whenever a significant system, risk posture or
determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome vulnerability change occurs.
with respect to meeting established security requirements. A subset of controls is assessed periodically to determine the extent to
which the controls are implemented and operating as intended. Examined an Office 365 assessment report, an Office 365 report on controls relevant to security and availability, a report on a description of the suitability of the design and
operating effectiveness of controls, an Office 365 security assessment report, and the Office 365 security assessment plan, and determined that security controls are assessed
in accordance with the required annual frequency.

Interviewed Office 365 trust team members and determined that plan of actions and milestone progress tracking is conducted and monthly meetings are held with executives
to show progress.

Examined monthly service review documentation such as meeting agendas, meeting minutes and dashboards and determined that Office 365 teams created key performance
indicators (KPIs) that reflect the relevant security metrics for the service and that Office 365 teams monitor and report those KPIs monthly by publishing the measurable data
to dashboards for consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.

Examined output of various independent Office 365 audits performed by third-party independent auditors, Microsoft internal audit, Microsoft corporate risk management
team and determined that Microsoft's approach to managing Office 365 information security and its implementation (e.g., control objectives, controls, policies, processes and
procedures for information security) is reviewed independently at planned intervals, multiple times throughout year and when significant changes occur.

C.4.1 Intended outcomes of Microsoft determines external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended Examined Office 365 information security policies and standard operating procedures (SOPs) and determined that Microsoft's information security program is built around the
information security outcome(s) of its Office 365 Information Security Management System. Microsoft's risk and remediation team categorizes and purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems and data.
management system manages strategic and tactical risks to the service. This team reports to senior management on their findings at least annually. The
Office 365 Risk and Remediation team works with Office 365 stakeholders to develop management or remediation strategies for Interviewed Office 365 Security and Trust team leads and determined that Office 365 has developed a control framework to achieve the intended outcome of its Information
identified organizational risks. Security Management System.

Examined the implementation of the Office 365 control framework across Office 365 teams and determined that Microsoft uses a hybrid control framework which uses NIST
800-53 for baseline control procedures and adds additional controls as required to keep up to date with relevant legislative statutory, regulatory and contractual
requirements.

Office 365 framework covers the following control areas:

1. Access Control
2. Accountability, Audit, and Risk
3. Authority and Purpose
4. Configuration Management
5. Contingency Planning
6. Continuity
7. Data Minimization and Retention
8. Data Portability
9. Data Quality and Integrity
10. Geographic Boundaries
11. Identification and Authentication
12. Incident Response
13. Maintenance
14. Media Protection
15. Personnel Security
16. Physical Access
17. Program Management
18. Risk Assessment
19. Security
C.4.2.a Relevant parties Various Microsoft and Office 365 teams continuously engage with interested parties such as regulators, industry forums (including Examined various meeting minutes, agenda documents, presentations, and other supporting documents and determined that various Microsoft and Office 365 teams
information security), customers, partners and other stakeholders. These engagements help Microsoft to identify requirements from continuously engage with interested parties such as regulators, industry forums (including information security), customers, partners and other stakeholders, and that these
these interested parties. Microsoft identifies and documents relevant legislative statutory, regulatory, and contractual requirements engagements help Microsoft to identify requirements from these interested parties.
as well as Microsoft's approach to meeting those requirements. Certifications and regulations such as FedRAMP, ISO 27001, or
HIPAA are mapped to subsets of internal controls, which are reviewed annually for accuracy. Microsoft develops, documents, and Examined Office 365 information security policies and standard operating procedures (SOPs) and determined that Microsoft's information security program is built around the
disseminates to relevant personnel or roles a security assessment and authorization policy that addresses purpose, scope, roles, purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems and data.
responsibilities, management commitment, coordination among organizational entities, and compliance. As a service provider
Microsoft focuses on how using Office 365 can help their customers manage or meet their own compliance obligations. Office 365 is Interviewed Office 365 Security and Trust team leads and determined that Office 365 has developed a control framework to achieve intended outcome of its Information
continuing to mature and enhance its risk management features to address a wider array of regulatory requirements across a broad Security Management System.
set of industry verticals. Microsoft uses a hybrid controls framework approach to address the myriad of regulatory requirements that
govern the services and data managed by Office 365. In this manner, Microsoft identifies and uses commonality to build an Examined implementation of the Office 365 control framework across Office 365 teams and determined that Office 365 uses a hybrid control framework which uses NIST 800-
integrated set of specific control objectives, and drives those control objectives into a consolidated framework, enhancing efficiency, 53 as baseline control procedures and added additional controls as required to keep up to date with relevant legislative statutory, regulatory and contractual requirements.
and improving compliance management. In this way Microsoft enhances the risk management posture of it's cloud services, as well
as addresses any requirements relevant to external compliance obligations by Office 365 or the underlying infrastructure. In some
instances, non-common controls may be added conditionally where business need justifies the additional cost and complexity.

C.4.2.b Information security Microsoft determines the requirements of interested parties relevant to the Information Security Management System. Microsoft Examined various meeting minutes, agenda documents, presentations and other supporting documents and determined that various Microsoft and Office 365 teams
requirements identifies and documents relevant legislative statutory, regulatory, and contractual requirements as well as Microsoft's approach to continuously engage with interested parties such as regulators, industry forums (including information security), customers, partners and other stakeholders and that these
meeting those requirements. Certifications and regulations such as FedRAMP, ISO 27001, or HIPAA are mapped to subsets of engagements help Microsoft to identify requirements from these interested parties.
internal controls, which are reviewed annually for accuracy.
Examined Office 365 information security policies and standard operating procedures (SOPs) and determined that Microsoft's information security program is built around the
purpose of protecting confidentiality, integrity, availability, and reliability of Office 365 information systems and data.

Interviewed Office 365 Security and Trust team leads and determined that Office 365 has developed a control framework to achieve the intended outcome of its Information
Security Management System.

Examined the implementation of the Office 365 control framework across Office 365 teams and determined that Microsoft uses a hybrid control framework which includes
NIST 800-53 for baseline control procedures and adds additional controls as required to keep up to date with relevant legislative statutory, regulatory, contractual
requirements.

Office 365 framework covers following control areas:

1. Access Control
2. Accountability, Audit, and Risk
3. Authority and Purpose
4. Configuration Management
5. Contingency Planning
6. Continuity
7. Data Minimization and Retention
8. Data Portability
9. Data Quality and Integrity
10. Geographic Boundaries
11. Identification and Authentication
12. Incident Response
13. Maintenance
14. Media Protection
15. Personnel Security
C.4.3.a Information security Microsoft determines the boundaries and applicability of the Office 365 Information Security Management System (ISMS) to Examined the Office 365 security plan and determined that this document serves as the system security plan and defines the boundary, operational context, operational
management system scope establish its scope. When determining this scope, Microsoft considers the external and internal issues referred to in the ISMS. environment, security categorization, interconnections, overlays, security requirements, and applicable security controls, and is consistent with the enterprise architecture.
Microsoft's Office 365 Information Security Policy provides an overview of the security requirements for Office 365 and the systems
and applications within. Additionally, the Office 365 control framework contains a description of the security controls that are in Examined Microsoft and Office 365 information security policies and standard operating procedures and determined that Microsoft's information security program is built
place to meet those requirements. The Office 365 security plan is created in accordance with industry standards, which contain around the purpose of protecting confidentiality, integrity, availability, and reliability of Office 365 information systems and data.
guidance on security planning. This includes accurately defining the Office 365 accreditation boundary and describing the
operational environment, the security controls that are applicable to the system, and the system interconnections.

C.4.3.b Information security Microsoft determines the boundaries and applicability of the Office 365 Information Security Management System (ISMS) to Examined the Office 365 security plan and determined that this document serves as the system security plan and defines the boundary, operational context, operational
requirements relating to establish its scope. When determining this scope, Microsoft considers the requirements referred to in the ISMS. Microsoft's Office environment, security categorization, interconnections, overlays, security requirements, and applicable security controls, and is consistent with the enterprise architecture.
ISMS scope 365 Information Security Policy provides an overview of the security requirements for Office 365 and the systems and applications
within. Additionally, the Office 365 security plan contains a description of the security controls that are in place to meet those Examined Microsoft and Office 365 information security policies and standard operating procedures and determined that Microsoft determines the boundaries and
requirements. The Office 365 Information Security Policy is created in accordance with industry standards, and it contains guidance applicability of the ISMS to establish its scope. When determining this scope, Microsoft considers the requirements referred to in the ISMS.
on security planning. This includes accurately defining the Office 365 accreditation boundary and describing the operational
environment, the security controls that are applicable to the system, and the system interconnections. The Office 365 Information
Security Policy documents the security categorization of the system based on the typical information being stored, processed or
transmitted in Office 365.
C.4.3.c ISMS boundaries and Microsoft determines the boundaries and applicability of the Office 365 Information Security Management System (ISMS) to Examined the Office 365 security plan and determined that this document serves as the system security plan and defines the boundary, operational context, operational
interfaces establish its scope. When determining this scope, Microsoft considers interfaces and dependencies between activities performed by environment, security categorization, interconnections, overlays, security requirements, and applicable security controls, and was consistent with the enterprise architecture.
Office 365 teams and those that are performed by other teams. Office 365 requires that any systems on-boarded to Office 365 be in
compliance with Microsoft's privacy requirements before inclusion within Microsoft's security boundary. This is enforced through the Examined Microsoft and Office 365 information security policies and standard operating procedures and determined that Microsoft determines the boundaries and
Office 365 onboarding process, which managed by the Office 365 Compliance team. applicability of the Office 365 Information Security Management System (ISMS) to establish its scope. When determining this scope, Microsoft considered the requirements
referred to in ISMS.
Microsoft identifies and includes security mechanisms, service levels and management requirements of network services in network
services agreements, whether these services are provided in-house or outsourced. Microsoft authorizes connections from the Office Examined the MMVA and determined that suppliers must comply with the physical and information security policies set out in the SOW or otherwise provided to the supplier
365 information system to other information systems through the use of Interconnection Security Agreements (ISAs). Office 365 by Microsoft. Determined that, per the MMVA, the supplier must also use security procedures to prevent the disclosure of Microsoft Confidential Information to unauthorized
requires third parties (external information system services) that are engaged with Office 365 to sign a Microsoft Master Vendor third parties. Suppliers must have controls in place to protect the system access, system and application development and maintenance, change management, asset
Agreement (MMVA). The MMVA requires the third party to comply with applicable security policies and implement security classification and control, incident response, physical and environmental security, disaster recovery, and employee training. Determined that vendors and contractors must
procedures to prevent disclosure of Microsoft Confidential Information. Office 365 includes provisions in the MMVA and any sign the MMVA prior to beginning work at Microsoft. Security requirements are detailed in the MMVA which must be signed prior to beginning the engagement. Also
associated Statement of Work (SOW) with each vendor addressing the need to employ appropriate security controls. Vendors that interviewed Office 365 Trust team personnel and determined that vendors/contractors are subject to the MMVA and to non-disclosure agreements.
handle sensitive data must be in compliance with Office 365 vendor privacy practices and data protection requirements.
Examined the Office 365 system security plan and determined that vendors and contractors are subject to the same screening requirements as Microsoft personnel. Microsoft
requires that approved screening vendors submit screening outcomes for third-party personnel directly to Microsoft, where they are tracked in a Human Resources
Information System. Also examined the MMVA and determined that it defines personnel security requirements for vendors and contractors.

Interviewed Office 365 Program Managers and determined that ISAs are used to identify system interconnections with Office 365 suppliers and that data flow diagrams have
detailed information flows. ISAs are reviewed annually.

Examined several Office 365 ISAs and associated control matrices and determined that Microsoft authorizes identified connections from the Office 365 information system to
other information systems through the use of ISAs. Examined several Office 365 ISAs and associated control matrices and determined that the ISAs document the interface
characteristics, security requirements and nature of the information communicated respectively.

C.4.4 Information security Microsoft establishes, implements, maintains and continually improves an Office 365 Information Security Management System Examined Office 365 information security policies and standard operating procedures (SOPs) and determined that Microsoft's information security program is built around the
management system (ISMS) in accordance with the requirements of international standards. Microsoft defines and documents Office security 365 policies. purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems and data.
These documents address the purpose, scope, roles, responsibilities, compliance requirements and required coordination among
the various Office 365 teams providing some level of support for the security of services. These policies contain the rules and Interviewed Office 365 Security and Trust team leads and determined that Microsoft has developed a control framework to achieve the intended outcome of its Office 365
requirements that must be met in the delivery and operation of Office 365. The Microsoft Security Policy applies across the company Information Security Management System.
to information and processes used in the conduct of Microsoft's business. Microsoft and Office 365 security policies undergo a
formal review and update process at a regularly scheduled interval not to exceed one year. In the event a significant change is Examined implementation of Office 365 control framework across Office 365 teams and determined that Microsoft uses a hybrid control framework based on NIST 800-53 for
required in the security requirements, they may be reviewed and updated outside of the regular schedule. baseline control procedures and adds additional controls as required to keep up-to-date with relevant legislative statutory, regulatory, and contractual requirements.

Office 365 framework covers the following control areas:

1. Access Control
2. Accountability, Audit, and Risk
3. Authority and Purpose
4. Configuration Management
5. Contingency Planning
6. Continuity
7. Data Minimization and Retention
8. Data Portability
9. Data Quality and Integrity
10. Geographic Boundaries
11. Identification and Authentication
12. Incident Response
13. Maintenance
14. Media Protection
15. Personnel Security
16. Physical Access
17. Program Management
18. Risk Assessment
19. Security
20. Security Assessment
C.5.1.a Leadership commitment to Microsoft management demonstrates leadership and commitment with respect to the Office 365 Information Security Management Reviewed and validated that the following policies exist and confirmed that the documents demonstrate leadership and commitment with respect to the Office 365 ISMS by
information security policy System (ISMS) by ensuring that information security policies and objectives are established and are compatible with the strategic ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of Microsoft. Examined
and objectives direction of Microsoft. Microsoft establishes, implements, maintains, and continually improves its ISMS, in accordance with the Office 365 information security policies and standard operating procedures (SOPs), and determined that Microsoft's information security program is built around the purpose
requirements of international standards. Microsoft develops, documents, and disseminates a security policy that addresses purpose, of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems and data.
scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Microsoft and
Office 365 security policies exist in order to provide Office 365 staff and contractor staff with a current set of clear and concise Interviewed Office 365 Security and Trust team leads, and determined that Office 365 has developed a control framework to achieve intended outcome of its ISMS.
information security policies. These policies provide direction for the appropriate protection of Office 365. Further an Office 365
Information Security Policy has been created as a component of an overall ISMS for Office 365. The Office 365 Information Security In addition, reviewed samples of the associated policies and confirmed that these documents provide additional granularity and policy clarification (engineering guidance)
Policy has been reviewed, approved, and is endorsed by Office 365 management. Each management-endorsed version of the and articulate details for what is expected from each product team. The policies identify roles for involved entities to which the policies will be made available and have
Microsoft and Office 365 Information Security Policy and subsequent updates are distributed to relevant stakeholders. responsibilities (outputs) defined.

- Microsoft Information Security Policy


- Office 365 Information Security Policy
- Office 365 Awareness and Training Policy
- Office 365 Audit and Logging Policy
- Office 365 Security Assessment and Authorization Policy
C.5.1.b Leadership commitment to Microsoft management demonstrates leadership and commitment with respect to the Office 365 Information Security Management Reviewed and validated that the information security policies exist and confirmed that the documents demonstrate leadership and commitment with respect to the ISMS by
integration of processes System (ISMS) by ensuring the integration of the ISMS requirements into the organization’s processes. Microsoft develops, ensuring the integration of the ISMS requirements into the organization’s processes. Examined Office 365 information security policies, and SOPs, and determined that
documents, and disseminates an information security policy that addresses purpose, scope, roles, responsibilities, management Microsoft's information security program is built around the purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems
commitment, coordination among organizational entities, and compliance. The Office 365 Information Security Policy exists in order and data.
to provide Office 365 staff and contractor staff with a current set of clear and concise information security policies. These policies
provide direction for the appropriate protection of Office 365. The Office 365 Information Security Policy has been created as a In addition, a review of samples of the associated policies confirmed that these documents provide additional granularity and policy clarification (engineering guidance) and
component of an overall ISMS for Office 365. articulate details for what is expected from each Office 365 team. The policies identify roles for involved entities to which the policies will be made available and have
responsibilities (outputs) defined.
Furthermore, to integrate the ISMS requirements into Microsoft's processes, Microsoft documents standard operating procedures
(SOPs) and makes them available to users who need them. The Office 365 Information Security Policy contains rules and - Microsoft Information Security Policy
requirements that must be met in the delivery and operation of Office 365. More detailed requirements are established within Office - Office 365 Information Security Policy
365 security procedures and Office 365 team-specific SOPs. These standards and procedures act as adjuncts to the security policy - Office 365 Awareness and Training Policy
and provide implementation-level details to carry out specific operational tasks. - Office 365 Audit and Logging Policy
- Office 365 Security Assessment and Authorization Policy

Examined online repositories containing the user documentation for the Office 365 information system. The repository was demonstrated to contain administrative
documentation pertaining to the proper functioning and operations of the information system. These administrative guides and SOPs contain security information,
monitoring and alerts, as well as architecture details.

Microsoft also provides:

- The Office 365 Trust Center (https://products.office.com/en-us/business/office-365-trust-center-cloud-computing-security)

- The Office 365 Security & Compliance Center - Service Assurance (http://aka.ms/serviceassurance)

- The Microsoft Cloud Service Trust Portal (http://aka.ms/stphelp)

Examined the above sites provided to end-users with security details regarding the Office 365 service. Reviewed the plethora of tools and user documents that exist to assist
the end-user in interacting and maintaining the security of Office 365 and its components.

Interviewed Office 365 Security and Trust team leads and determined that Office 365 has developed a control framework to achieve the intended outcome of its ISMS.
C.5.1.c Leadership commitment to Microsoft management demonstrates leadership and commitment with respect to the Office 365 Information Security Management Examined the capital programming and budgeting documentation, including the security compliance budget, and validated the provision for security line items in corporate
resource management System (ISMS) by ensuring that the resources needed for the ISMS are available. Office 365 executive management is responsible for budgeting endeavors.
ensuring proper security resourcing and support. Resourcing allocations are reviewed by management annually.
Examined SDL documentation, and validated that Office 365 developmental and operational activities are resourced appropriately to support information security objectives.
Microsoft management ensures that Office 365 teams have resources and prioritization to support implementing Microsoft's
Security Development Lifecycle (SDL) to ensure that development and operational activities are appropriately resourced for Reviewed the Office 365 security plan and the SDL summary, which provides a detailed outline of the processes followed by engineering and development projects.
implementing information security objectives. Determined that the security risk management process is closely integrated with system development lifecycle projects. The SDL is a software development model that
includes specific security considerations for software, services, and devices. The SDL is designed to process code through rigorous security measures to ensure that it can
function in a manner that complies with Microsoft's security standards. A security requirements analysis must be completed for Office 365 engineering and system
development projects. This analysis document acts as a framework and includes the identification of possible risks to the finished development projects as well as mitigation
strategies that can be implemented and tested during the development phases. Critical security review and approval checkpoints are included during the system development
lifecycle.

Interviewed a sample of organizational personnel with information security and system development lifecycle responsibilities and determined that security is a primary focus
of the SDL process. Updates to the information system need to proceed through the change management process. Changes made to a component's code are subject to the
SDL process. Security measures, such as static and dynamic code analysis, are included within this process to ensure that updated code meets the level of security required by
Office 365. Sign-offs are required from Release Managers for each step of the process.

Examined a PowerPoint briefing describing SDL processes and determined that measures are in place to regulate the development and maturity of Office 365 components.

Obtained and inspected evidence for a selection of SDL projects to ascertain that a security review is performed prior to release for each project.

C.5.1.d Leadership commitment to Microsoft management demonstrates leadership and commitment with respect to the Office 365 Information Security Management Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards to determine that Office 365 management conducts monthly
communications System (ISMS) by communicating the importance of effective information security management and of conforming to the ISMS service reviews which are focused on the security, availability, and reliability of Office 365.
requirements.
Reviewed annual security and risk management training to determine that via annual security and risk management training, Microsoft senior management continuously
Microsoft management conducts monthly service reviews that are focused on the security, availability, and reliability of Office 365. communicates the criticality of protecting the confidentiality, integrity, availability, and reliability of Office 365 systems and data.
Furthermore, via annual security and risk management training, Microsoft senior management continuously communicates the
criticality of protecting the confidentiality, integrity, availability, and reliability of Office 365 systems and data. Office 365 security Obtained and inspected evidence including memorandums and planning meeting records, to ascertain that commitments and requirements for security, availability,
management ensures that during business planning and capacity management planning sessions, security remains an integral part confidentiality, and processing integrity are considered and approved by senior management and that these commitments and requirements are communicated to relevant
of planning activities and decisions. personnel as part of the major system release planning process.

C.5.1.e Leadership commitment for Microsoft management demonstrates leadership and commitment with respect to the Office 365 Information Security Management Examined monthly service review documentation such as meeting agendas, meeting minutes, and dashboards and determined that Office 365 teams has created KPIs that
support and review System (ISMS) by ensuring that the ISMS achieves its intended outcome(s). Office 365 teams have created key performance reflect the relevant security metrics for the service and that Office 365 teams monitor and report on those KPIs monthly by publishing the measurable data to dashboards for
indicators (KPIs) that reflect the relevant security metrics for the service. The Office 365 teams monitor and report on those KPIs consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.
monthly by publishing the measurable data to dashboards for consumption by relevant stakeholders, as well as by reviewing the
security data with management in a monthly security review.
C.5.1.f Leadership commitment for Microsoft management demonstrate leadership and commitment with respect to the Office 365 Information Security Management Examined SDL documentation, and validated that Office 365 developmental and operational activities are resourced appropriately to support information security objectives.
contribution to ISMS System (ISMS) by directing and supporting persons to contribute to the effectiveness of the ISMS.
effectiveness Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards and determined that Office 365 teams have created KPIs that
Microsoft management ensures that Office 365 teams have resources and prioritization to support the implementation of reflect the relevant security metrics for the service and that Office 365 teams monitor and report on those KPIs monthly by publishing the measurable data to dashboards for
Microsoft's Security Development Lifecycle (SDL) to ensure that the development and operational activities are appropriately consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.
resourced for implementing information security objectives.
Examined trending of KPIs around security over the year and determined that Office 365 management reviews and prioritizes resources to be allocated during these monthly
Office 365 teams have created key performance indicators (KPIs) that reflect the relevant security metrics for the service. Office 365 service reviews.
teams monitor and report on those KPIs monthly by publishing the measurable data to dashboards for consumption by relevant
stakeholders, as well as by reviewing the security data with management in a monthly security review. Microsoft management Obtained and inspected evidence including memorandums and planning meeting records, and ascertained that commitments and requirements for security, availability,
reviews and prioritizes resources to be allocated during these reviews. confidentiality, and processing integrity are considered and approved by Senior Management and that these commitments and requirements were communicated to the
relevant personnel as part of the major system release planning process.
Microsoft's security management team for Office 365 ensures that during business planning and capacity management planning
sessions, security remains an integral part of planning activities and decisions.

C.5.1.g Leadership commitment to Microsoft management demonstrates leadership and commitment with respect to the Office 365 Information Security Management Examined trending of KPIs around security over the year as well as decisions documented within meeting minutes, and determined that Office 365 management monitors,
continual improvement System (ISMS) by promoting continual improvement. Office 365 teams have created key performance indicators (KPIs) that reflect demands, and supports continual improvement in the security KPIs.
the relevant security metrics for the service. The Office 365 teams monitor and report on those KPIs monthly by publishing the
measurable data to dashboards for consumption by relevant stakeholders, as well as by reviewing the security data with Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards and determined that Office 365 teams have created KPIs that
management in a monthly security review. Office 365 management monitors, demands, and supports continual improvement of the reflect the relevant security metrics for the service and that Office 365 teams monitor and report on those KPIs monthly by publishing the measurable data to dashboards for
KPIs. consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.
C.5.1.h Leadership commitment to Microsoft management demonstrates leadership and commitment with respect to the Office 365 Information Security Management Examined the Office 365 Information Security Policy, aligned security standard operating procedures, meeting minutes, decision logs, and audit reports, and determined that
other relevant management System (ISMS) by supporting other relevant management roles to demonstrate their leadership as it applies to their areas of Microsoft management demonstrates leadership and commitment with respect to the Office 365 ISMS by supporting other relevant management roles to demonstrate their
roles responsibility. leadership as it applies to their areas of responsibility.

Microsoft management supports the following roles for information security: Interviewed management leads across Office 365 teams that have a supporting role in information security and determined that following teams are supported by Microsoft
management:
- Access Security
- Change Management - Access Security: personnel that maintain Active Directory services, authentication rules, and user access
- Backup and Replication - Change Management: development, testing, and project management teams tasked with developing and maintaining the Office 365 applications and support services
- Security and Availability Monitoring - Backup and Replication: personnel for configuring and monitoring the replication and backup of specified internal and customer data
- Business Continuity Management - Security and Availability Monitoring: personnel that monitor the incidents that affect the security and availability of Office 365 and support services
- Overall Office 365 Security - Business Continuity Management: a single resource to assist Office 365 teams in analyzing continuity and disaster recovery requirements, documenting procedures, and
- Governance, Risk, and Compliance (Trust) conducting testing of established procedures
- Overall Office 365 Security: manages cross-platform security functions, such as security incident response, security monitoring, and vulnerability scanning
- Governance, Risk, and Compliance (Trust): identifies, documents, and advises teams in implementing controls to maintain Microsoft's availability and security commitments
to its customers.

C.5.2.a Information security policy's Microsoft management establishes an information security policy that is appropriate to the purpose of the organization. Microsoft Examined Office 365 information security policies and standard operating procedures, and determined that Microsoft's information security policies and program are built
appropriateness to purpose develops, documents, and disseminates information security policies that addresses purpose, scope, roles, responsibilities, around the purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems and data.
of organization management commitment, coordination among organizational entities, and compliance. These policies provide direction for the
appropriate protection of Office 365 and are aligned with Microsoft's key strategies of protecting the confidentiality, integrity, Reviewed and validated that the information security policies exist and determined that Microsoft management established an information security policy that includes
availability, and reliability of Office 365 information systems and data. information security objectives and provides the framework for setting information security objectives.
C.5.2.b Information security policy Microsoft management establishes an information security policy that includes information security objectives and provides the Reviewed and validated that the information security policies exist and determined that Office 365 management established an information security policy that includes
framework framework for setting information security objectives. Microsoft develops, documents, and disseminates an information security information security objectives and provides a framework for setting information security objectives.
policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities,
and compliance. The Office 365 Information Security Policy exists in order to provide Office 365 staff and contractor staff with a Examined Office 365 information security policies and standard operating procedures, and determined that Microsoft's information security program is built around the
current set of clear and concise Information security policies. These policies provide direction for the appropriate protection of purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems and data.
Office 365. The Office 365 Information Security Policy has been created as a component of an overall Information Security
Management System (ISMS) for Office 365. In addition, reviewed samples of the associated policies and confirmed that these documents provide additional granularity and policy clarification (engineering guidance)
and articulate details for what is expected from each Office 365 team. The policies identify roles for involved entities to which the policies will be made available and have
Furthermore, to integrate the ISMS requirements into Microsoft's processes, Microsoft documents operating procedures and makes responsibilities (outputs) defined.
them available to users who need them. The Office 365 Information Security Policy contains the rules and requirements that must be
met in the delivery and operation of Office 365. More detailed requirements are established within Office 365 security procedures - Microsoft Information Security Policy
and Office 365 team-specific standard operating procedures (SOPs). These standards and procedures act as adjuncts to the security - Office 365 Information Security Policy
policy and provide implementation level details to carry out specific operational tasks. - Office 365 Awareness and Training Policy
- Office 365 Audit and Logging Policy
- Office 365 Security Assessment and Authorization Policy

Examined online repositories containing user documentation for the Office 365 information system. The repository was demonstrated to contain administrative and user
documentation pertaining to the proper functioning and operations of the information system. These administrative guides and SOPs contain security information,
monitoring and alerts, as well as architecture details.

Microsoft also provided:

- The Office 365 Trust Center (https://products.office.com/en-us/business/office-365-trust-center-cloud-computing-security)

- The Office 365 Security & Compliance Center - Service Assurance (http://aka.ms/serviceassurance)

The Microsoft Cloud Service Trust Portal (http://aka.ms/stphelp)

The above sites are used to provide end-users with security details regarding the Office 365 service. Reviewed the plethora of tools and user documents that exist to assist the
end-user in interacting and maintaining the security of Office 365 and its components.
C.5.2.c Information security policy - Microsoft management establishes an information security policy that includes a commitment to satisfy applicable requirements Reviewed and validated that the information security policies exist and determined that Office 365 management establishes an information security policy that includes a
commitment to satisfy related to information security. Microsoft develops, documents, and disseminates an information security policy that addresses commitment to satisfy applicable requirements related to information security. Examined Office 365 information security policies and SOPs, and determined that Microsoft's
applicable requirements purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. information security program is built around the purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems and data.

Microsoft's management commitment is demonstrated by Microsoft's ability to: In addition, a review of samples of the associated policies confirmed that these documents provide additional granularity and policy clarification (engineering guidance) and
articulate details for what is expected from each Office 365 team. The policies identified roles for involved entities to which the policies are made available and have
- Prioritize the protection of the confidentiality, integrity, availability, and reliability of Office 365 information systems, and data as responsibilities (outputs) defined.
main strategic objective
- Microsoft Information Security Policy
- Design, develop, support and continually improve the Office 365 Information Security Management System (ISMS) in support of - Office 365 Information Security Policy
the above mentioned strategic objective - Office 365 Awareness and Training Policy
- Office 365 Audit and Logging Policy
- Communicate ISMS requirements to each Office 365 team, through various policies and standard operating procedures (SOPs) - Office 365 Security Assessment and Authorization Policy

- Enforce these information security requirements through the implementation, testing, and continual improvement of the Office Examined online repositories containing the user documentation for the Office 365 information system. The repository was demonstrated to contain administrative
365 control framework documentation pertaining to the proper functioning and operations of the information system. These administrative guides and SOPs contained security information,
monitoring and alerts, as well as architecture details.
- Continuously review, monitor, and support information security key performance indicators (KPIs)
Interviewed Office 365 Security and Trust team leads and determined that Office 365 has developed a control framework to achieve the intended outcome of its ISMS.

Examined the Office 365 Information Security Policy, aligned security SOPs, meeting minutes, decision logs, and audit reports, and determined that Office 365 management
enforces information security requirements through the implementation, testing, and continual improvement of the Office 365 control framework.

Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards to determine that Office 365 teams have created KPIs that reflect
the relevant security metrics for the service and that Office 365 teams monitor and report on those KPIs monthly by publishing the measurable data to dashboards for
consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.

C.5.2.d Information security policy Microsoft management establishes an information security policy that includes a commitment to satisfy applicable requirements Reviewed and validated that the information security policies exist and determined that Office 365 management establishes an information security policy that includes a
commitment to continual related to information security. Microsoft develops, documents, and disseminates an information security policy that addresses commitment to satisfy applicable requirements related to information security. Examined Office 365 information security policies and SOPs, and determined that Microsoft's
improvement purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. information security program is built around the purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365 information systems and data.

Microsoft's management commitment is demonstrated by Microsoft's ability to: In addition, a review of samples of the associated policies confirmed that these documents provide additional granularity and policy clarification (engineering guidance) and
articulate details for what is expected from each Office 365 team. The policies identified roles for involved entities to which the policies are made available and have
- Prioritize the protection of the confidentiality, integrity, availability, and reliability of Office 365 information systems, and data as responsibilities (outputs) defined.
main strategic objective
- Microsoft Information Security Policy
- Design, develop, support and continually improve the Office 365 Information Security Management System (ISMS) in support of - Office 365 Information Security Policy
the above mentioned strategic objective - Office 365 Awareness and Training Policy
- Office 365 Audit and Logging Policy
- Communicate ISMS requirements to each Office 365 team, through various policies and standard operating procedures (SOPs) - Office 365 Security Assessment and Authorization Policy

- Enforce these information security requirements through the implementation, testing, and continual improvement of the Office Examined online repositories containing the user documentation for the Office 365 information system. The repository was demonstrated to contain administrative
365 control framework documentation pertaining to the proper functioning and operations of the information system. These administrative guides and SOPs contained security information,
monitoring and alerts, as well as architecture details.
- Continuously review, monitor, and support information security key performance indicators (KPIs)
Interviewed Office 365 Security and Trust team leads and determined that Office 365 has developed a control framework to achieve the intended outcome of its ISMS.

Examined the Office 365 Information Security Policy, aligned security SOPs, meeting minutes, decision logs, and audit reports, and determined that Office 365 management
enforces information security requirements through the implementation, testing, and continual improvement of the Office 365 control framework.

Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards to determine that Office 365 teams have created KPIs that reflect
the relevant security metrics for the service and that Office 365 teams monitor and report on those KPIs monthly by publishing the measurable data to dashboards for
consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.

C.5.2.e Information security policy Microsoft management establishes an information security policy that includes information security objectives and provides the Reviewed and validated that the information security policies exist and determined that Microsoft management established an information security policy that includes
documented information framework for setting information security objectives. Microsoft develops, documents, and disseminates an information security information security objectives and provides the framework for setting information security objectives. Examined Office 365 information security policies and SOPs, and
policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, determined that Microsoft's information security program is built around the purpose of protecting the confidentiality, integrity, availability, and reliability of Office 365
and compliance. The Office 365 Information Security Policy exists in order to provide Office 365 staff and contractor staff with a information systems and data.
current set of clear and concise information security policies. These policies provide direction for the appropriate protection of
Office 365. The Office 365 Information Security Policy has been created as a component of an overall Information Security Reviewed samples of the associated policies and confirmed that these documents provide additional granularity and policy clarification (engineering guidance) and articulate
Management System (ISMS) for Office 365. details for what is expected from each Office 365 team. The policies identified roles for involved entities to which the policies will be made available and have responsibilities
(outputs) defined.
Furthermore, to integrate the ISMS requirements into Microsoft's processes, Microsoft documents operating procedures and makes
them available to users who need them. The Office 365 Information Security Policy contains the rules and requirements that must be - Microsoft Information Security Policy
met in the delivery and operation of Office 365. More detailed requirements are established within Office 365 security procedures - Office 365 Information Security Policy
and Office 365 team-specific standard operating procedures (SOPs). These standards and procedures act as adjuncts to the security - Office 365 Awareness and Training Policy
policy and provide implementation level details to carry out specific operational tasks. - Office 365 Audit and Logging Policy
- Office 365 Security Assessment and Authorization Policy
C.5.2.f Information security policy Microsoft management establishes and communicates an information security policy that includes information security objectives Reviewed and validated that the information security policies exist and determined that Office 365 management established and communicated an information security policy
communication within Office and provides the framework for setting information security objectives. Microsoft develops, documents, and disseminates an that includes information security objectives and provides the framework for setting information security objectives. Examined Office 365 information security policies and
365 information security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among standard operating procedures, and determined that Microsoft's information security program is built around the purpose of protecting the confidentiality, integrity,
organizational entities, and compliance. The Office 365 Information Security Policy exists in order to provide Office 365 staff and availability, and reliability of Office 365 information systems and data.
contractor staff with a current set of clear and concise information security policies. These policies provide direction for the
appropriate protection of Office 365. The Office 365 Information Security Policy has been created as a component of an overall Examined online repositories containing the user documentation for the Office 365 information system. The repository was demonstrated to contain administrative
Information Security Management System (ISMS) for Office 365. documentation pertaining to the proper and secure functioning and operations of the information system. These administrative guides and SOPs contain security information,
monitoring and alerts, as well as architecture details.
Furthermore, to integrate the ISMS requirements into Microsoft's processes, Microsoft documents operating procedures and makes
them available to users who need them. The Office 365 Information Security Policy contains rules and requirements that must be Examined the user documentation that describes the operational and security functions of the Office 365 information system and determined that documentation is
met in the delivery and operation of Office 365. More detailed requirements are established within Office 365 security procedures maintained electronically and is publicly available.
and Office 365 team-specific standard operating procedures (SOPs). These standards and procedures act as adjuncts to the security
policy and provide implementation level details to carry out specific operational tasks. Examined the Help function available within the Office 365 environment and determined that documentation is readily available to end-users of the Office 365 information
system.

Microsoft also provided:

- The Office 365 Trust Center (https://products.office.com/en-us/business/office-365-trust-center-cloud-computing-security)

- The Office 365 Security & Compliance Center - Service Assurance (http://aka.ms/serviceassurance)

The Microsoft Cloud Service Trust Portal (http://aka.ms/stphelp)

The above sites are used to provide end-users with security details regarding the Office 365 service. Reviewed the plethora of tools and user documents that exist to assist the
end-user in interacting and maintaining the security of Office 365 and its components.

C.5.2.g Information security policy Microsoft's information security policy is available to interested parties, as appropriate. Microsoft develops, documents, and Examined information security policies and interviewed an Office 365 Trust team lead as well as a Senior Program Manager to determine that the Microsoft information
shall be available to disseminates an information security policy that addresses purpose, scope, roles, responsibilities, management commitment, security policy is available to interested parties, as appropriate.
interested parties, as coordination among organizational entities, and compliance. The Microsoft security policy defines Office 365 policies and exists in
appropriate. order to provide Office 365 staff and contractor staff with a current set of clear and concise information security policies. These Examined the user documentation that describes the operational and security functions of the Office 365 information system and determined that documentation is
policies provide direction for the appropriate protection of Office 365. maintained electronically and is publicly available.

Office 365 makes Microsoft security policy available to interested parties through the Microsoft Cloud Service Trust Portal Examined the Help function available within the Office 365 environment and determined that documentation is readily available to end-users of the Office 365 information
(http://aka.ms/stphelp) and the Office 365 Security & Compliance Center (http://aka.ms/serviceassurance). system.

Microsoft also provided:

- The Office 365 Trust Center (https://products.office.com/en-us/business/office-365-trust-center-cloud-computing-security)

- The Office 365 Security & Compliance Center - Service Assurance (http://aka.ms/serviceassurance)

The Microsoft Cloud Service Trust Portal (http://aka.ms/stphelp)

The above sites are used to provide end-users with security details regarding the Office 365 service. Reviewed the plethora of tools and user documents that exist to assist the
end-user in interacting and maintaining the security of Office 365 and its components.

C.5.3.a Office 365 top management Microsoft management assigns the responsibility and authority for ensuring that the Information Security Management System Examined the Office 365 Information Security Policy, aligned security standard operating procedures, meeting minutes, decision logs, and audit reports, and determined that
supporting information conforms to the requirements of this International Standard. Microsoft develops, documents, and disseminates an information Microsoft assigns the responsibility and authority for ensuring that the ISMS conforms to the requirements of international standards by supporting other relevant
security management system security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational management roles to demonstrate their leadership as it applies to their areas of responsibility.
conformation entities, and compliance.
Interviewed management leads across Office 365 teams and identified that Microsoft has a Governance, Risk, and Compliance team supporting information security activities.
Microsoft management supports the following roles in support of Information Security Management System (ISMS) conformation to
ISO 27001 and 27018 standards. Interviewed Governance, Risk, and Compliance team members and reviewed their job responsibilities, and verified that they were involved in implementing security controls
to maintain Microsoft's availability and security commitments to its customers.
The Governance, Risk, and Compliance team identifies, documents, and advises Office 365 teams in implementing controls to
maintain Microsoft's availability and security commitments to its customers. The Office 365 Trust team is responsible to ensure that
the Office 365 ISMS continually conforms to the requirements of ISO 27001 and ISO 27018.

C.5.3.b Top management reporting Microsoft management assigns the responsibility and authority for reporting on the performance of the Office 365 Information Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards to determine that Microsoft management assigns the
on the performance of the Security Management System (ISMS) to senior management. Office 365 teams have created key performance indicators (KPIs) that responsibility and authority for reporting on the performance of the Information Security Management System to top management. Determined that Office 365 teams have
information security reflect the relevant security metrics for the service. Office 365 teams monitor and report on those KPIs monthly by publishing the created KPIs that reflect the relevant security metrics for the service. Office 365 teams monitor and report on those KPIs monthly by publishing the measurable data to
management system measurable data to dashboards for consumption by relevant stakeholders, as well as reviewing the security data with management dashboards for consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.
in a monthly security review.
C.6.1.1.a Actions to determine the When planning for the Office 365 Information Security Management System (ISMS), Microsoft considers the issues referred to in the Examined Office 365 risk management SOPs and multiple risk assessments conducted by Microsoft to determine that when planning for the ISMS, Microsoft considers the
risks and opportunities ISMS and the requirements referred to in the ISMS and determines the risks and opportunities that need to be addressed to ensure issues referred to in the ISMS and the requirements referred to in the ISMS and determines the risks and opportunities that need to be addressed to ensure that the ISMS can
the ISMS can achieve its intended outcome(s). Led by the Office 365 Risk and Remediation management team, Microsoft follows an achieve its intended outcome(s).
established approach to risk management and conducts an annual global risk assessment each fiscal year at minimum. The purpose
of risk assessments is to identify and prioritize each division's specific strategic and operational risks based on impact, likelihood, Examined Office 365 risk assessment documents, risk register, risk remediation reports (plan of actions and milestones), presentations, and multiple meeting minutes, and
and management control and to ensure that the ISMS can achieve its intended outcome(s). Risk assessments also focus on determined that Office 365 follows an established approach to risk management and conducts an annual global risk assessment each fiscal year at minimum. Risk assessment
identifying and executing proactive actions to prevent, or reduce, undesired effects and achieving continual improvement. documents demonstrate that the purpose of risk assessment is to ensure that the ISMS can achieve its intended outcome(s) and to identify and execute proactive actions to
prevent, or reduce, undesired effects and achieving continual improvement.
C.6.1.1.b Actions to prevent, or When planning for the Office 365 Information Security Management System (ISMS), Microsoft considers the issues referred to in the Examined Office 365 risk management standard operating procedures and multiple risk assessments conducted by Microsoft to determine that when planning for the ISMS,
reduce, undesired effects ISMS and the requirements referred to in ISMS and determines the risks and opportunities that need to be addressed to ensure the Microsoft considers the issues referred to in the ISMS and the requirements referred to in the ISMS and determines the risks and opportunities that need to be addressed to
ISMS can achieve its intended outcome(s). Led by the Office 365 Risk and Remediation management team, Microsoft follows an ensure the ISMS can achieve its intended outcome(s).
established approach to risk management and conducts an annual global risk assessment each fiscal year at minimum. The purpose
of the risk assessments is to identify and prioritize each division's specific strategic and operational risks based on impact, likelihood, Examined Office 365 risk assessment documents, risk register, risk remediation reports (plan of actions and milestones), presentations, and multiple meeting minutes, and
and management control and to ensure that that ISMS can achieve its intended outcome(s). Risk assessments also focus on determined that Microsoft follows an established approach to risk management and conducts an annual global risk assessment each fiscal year at minimum. Examined risk
identifying and executing proactive actions to prevent or reduce undesired effects and achieving continual improvement. assessment documents demonstrating that the purpose of the risk assessment is to ensure that the ISMS can achieve its intended outcome(s) and that of identifying and
executing proactive actions to prevent or reduce undesired effects and achieving continual improvement.

C.6.1.1.c Actions to achieve continual When planning for the Office 365 Information Security Management System (ISMS), Microsoft considers the issues referred to in the Examined Office 365 risk management standard operating procedures and multiple risk assessments conducted by Microsoft to determine that when planning for the ISMS,
improvement ISMS and the requirements referred to in ISMS and determines the risks and opportunities that need to be addressed to ensure the Microsoft considers the issues referred to in the ISMS and the requirements referred to in the ISMS and determines the risks and opportunities that need to be addressed to
ISMS can achieve its intended outcome(s). Led by the Office 365 Risk and Remediation management team, Microsoft follows an ensure the ISMS can achieve its intended outcome(s).
established approach to risk management and conducts an annual global risk assessment each fiscal year at minimum. The purpose
of the risk assessments is to identify and prioritize each division's specific strategic and operational risks based on impact, likelihood, Examined Office 365 risk assessment documents, risk register, risk remediation reports (plan of actions and milestones), presentations, and multiple meeting minutes, and
and management control and to ensure that that ISMS can achieve its intended outcome(s). Risk assessments also focus on determined that Microsoft follows an established approach to risk management and conducts an annual global risk assessment each fiscal year at minimum. Examined risk
identifying and executing proactive actions to prevent or reduce undesired effects and achieving continual improvement. assessment documents demonstrating that the purpose of the risk assessment is to ensure that the ISMS can achieve its intended outcome(s) and that of identifying and
executing proactive actions to prevent or reduce undesired effects and achieving continual improvement.

C.6.1.1.d Actions to address risks and Microsoft develops plans of action and milestones (POAMs) in accordance risk assessments performed. The POAMs are developed Examined the Office 365 security plan, the Office 365 information security policy, the Office 365 framework controls, associated SOPs related to risk assessment, and POAMs,
opportunities and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each POAM. and determined that Microsoft develops POAMs to address risks and opportunity identified through risk assessments. POAMs are developed and maintained by the Office
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk 365 Risk and Remediation team. They are recorded in engineering tools such as Product Studio and the Office 365 Trust Metadata Record tool site that ensures an auditable
mitigation, risk avoidance, and risk transference). record of each POAM. POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance,
and risk transference).
C.6.1.1.e.1 Actions for Integration, Plans of actions and milestones (POAMs) are developed and maintained by the Office 365 Risk and Remediation team. They are Examined the Office 365 security plan, the Office 365 information security policy, the Office 365 controls framework and associated SOPs related to risk assessment and
implementation recorded to ensure an auditable record of each POAM. POAMs describe how the information system owner intends to address the POAMs and determined that Microsoft integrates and implements the actions into its Information Security Management System (ISMS) processes. Also determined that Office
vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference). 365 develops POAMs in accordance with the risk assessments performed.

POAMs are recorded within an engineering tool so that risk remediation actions are integrated and implemented into Office 365 Examined the Office 365 security plan, the Office 365 information security policy, and the Office 365 controls framework and associated SOPs related to security assessment
team processes and gets executed. and authorization and determined that Microsoft develops POAMs in accordance with risk management requirements. POAMs are developed and maintained by Office 365
Risk and Remediation team. They are recorded in Product Studio and the Office 365 Trust Metadata Record tool site to ensure an auditable record of each POAM. POAMs
Office 365 teams along with the Office 365 Risk and Remediation team continually evaluate effectiveness of these actions during describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference).
monthly service and POAM reviews.
Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards to determine that Microsoft management assigned the
responsibility and authority for reporting on the performance of the ISMS to senior management. Determined that Office 365 teams have created key performance indicators
(KPIs) that reflect the relevant security metrics for the service and that Office 365 teams monitor and report on those KPIs monthly by publishing the measurable data to
dashboards for consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly security review.

C.6.1.1.e.2 Effectiveness of actions Plans of actions and milestones (POAMs) are developed and maintained by the Office 365 Risk and Remediation team. They are Examined the Office 365 security plan, the Office 365 information security policy, the Office 365 controls framework and associated SOPs related to risk assessment as well as
recorded to ensure an auditable record of each POAM. POAMs describe how the information system owner intends to address the POAMs, and determined that Office 365 evaluates effectiveness of risk and remediation actions. Also determined that Office 365 develops POAMs in accordance risk
vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference). assessments performed.

POAMs are recorded within an engineering tool so that risk remediation actions are integrated and implemented into Office 365 Examined the Office 365 security plan, the Office 365 information security policy, and the Office 365 controls framework and associated SOPs related to security assessment
team processes and are executed. and authorization and determined that Microsoft develops POAMs in accordance with risk management requirements. POAMs are developed and maintained by the Office
365 Risk and Remediation team. They are recorded in Product Studio and the Office 365 Trust Metadata Record tool to ensure an auditable record of each POAM. POAMs
Office 365 teams along with the Office 365 Risk and Remediation team continually evaluate the effectiveness of these actions during describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference).
monthly service and POAM reviews.
Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards to determine that Microsoft management assigns the
responsibility and authority for reporting on the performance of the Information Security Management System to top management as well as determined that Office 365
teams have created key performance indicators (KPIs) that reflect the relevant security metrics for the service and that Office 365 teams monitor and report on those KPIs
monthly by publishing the measurable data to dashboards for consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly
security review.
C.6.1.2.a.1 Information security risk The Office 365 Risk Management Program facilitates risk management (information security, compliance, and privacy) for Examined the Office 365 information security policy, Office 365 framework controls, and associated SOPs, and confirmed that risk assessment procedures clearly establish and
assessment process Microsoft’s Office 365 service teams. These risks occur primarily in the Office 365 business unit, but the approach and methodology maintain information security risk criteria that include the risk acceptance criteria and criteria for performing information security risk assessments.
can be applied to any business unit within Microsoft. Particular risk management activities may include other covered services, such
as acquired companies or selectively-scoped business units. Detailed activities that will take place as part of the risk review process Examined Office 365 risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and multiple meeting minutes, and
include: determined that Microsoft has defined and applied an information security risk assessment process that has establish and maintain information security risk criteria. Also
- Risk Identification: A threat and vulnerability assessment is conducted on all key control areas to identify internal and external determined that the established information security risk criteria includes the risk acceptance criteria.
threats and associated vulnerabilities in the Office 365 environment. Information is continuously gathered from numerous data
sources within Microsoft, including the Office of Enterprise Risk Management (OERM), Service Risk Management (SRM), the Office
365 Trust team, and representatives of other Office 365 services.

- Risk Assessment: The Office 365 Trust team engages in risk assessment within the Office 365 environment. Additionally, severe and
high risks are reviewed as needed, for ongoing risks or as new threats are identified. As part of this assessment, risks are evaluated
for likelihood and effect to determine the inherent risk impact level. Then, key controls within each of the control areas are assessed
for design and effectiveness to determine residual risk level.

- Risk Remediation Response: Once assessed, risks are assigned to the affected service team for remediation. The Office 365 Trust
team and other service teams then develop plans to address these risks. The risk severity assigned as part of the risk assessment
determines the appropriate level of review and approval of these plans. At a high level the following steps are performed as part of
the risk management:

- Respond to the risk (e.g., avoid, mitigate, accept or transfer). This step is based on risk severity assigned to the risk identified.

- Monitor the risk (e.g., continuous testing/monitoring, periodic reviews, audits, bug evaluations, etc.).

- Report on the risk (e.g., Dashboarding, metrics, etc.).

The risk management process can be iterative for risk assessment and/or risk treatment activities. An iterative approach to
conducting risk assessment increases the depth and detail of the assessment and provides a good balance by minimizing the time
and effort spent while still ensuring that high impact and high probability risks are appropriately assessed.

C.6.1.2.a.2 Information security risk The Office 365 Risk Management Program facilitates risk management (information security, compliance, and privacy) for Examined the Office 365 information security policy, Office 365 framework controls, and associated SOPs, and confirmed that risk assessment procedures clearly establish and
criteria Microsoft’s Office 365 service teams. These risks occur primarily in the Office 365 business unit, but the approach and methodology maintain information security risk criteria that include the risk acceptance criteria and criteria for performing information security risk assessments.
can be applied to any business unit within Microsoft. Particular risk management activities may include other covered services, such
as acquired companies or selectively-scoped business units. Detailed activities that will take place as part of the risk review process Examined Office 365 risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and multiple meeting minutes, and
include: determined that Microsoft has defined and applied an information security risk assessment process that has establish and maintain information security risk criteria. Also
- Risk Identification: A threat and vulnerability assessment is conducted on all key control areas to identify internal and external determined that the established information security risk criteria includes the risk acceptance criteria.
threats and associated vulnerabilities in the Office 365 environment. Information is continuously gathered from numerous data
sources within Microsoft, including the Office of Enterprise Risk Management (OERM), Service Risk Management (SRM), the Office
365 Trust team, and representatives of other Office 365 services.

- Risk Assessment: The Office 365 Trust team engages in risk assessment within the Office 365 environment. Additionally, severe and
high risks are reviewed as needed, for ongoing risks or as new threats are identified. As part of this assessment, risks are evaluated
for likelihood and effect to determine the inherent risk impact level. Then, key controls within each of the control areas are assessed
for design and effectiveness to determine residual risk level.

- Risk Remediation Response: Once assessed, risks are assigned to the affected service team for remediation. The Office 365 Trust
team and other service teams then develop plans to address these risks. The risk severity assigned as part of the risk assessment
determines the appropriate level of review and approval of these plans. At a high level the following steps are performed as part of
the risk management:

- Respond to the risk (e.g., avoid, mitigate, accept or transfer). This step is based on risk severity assigned to the risk identified.

- Monitor the risk (e.g., continuous testing/monitoring, periodic reviews, audits, bug evaluations, etc.).

- Report on the risk (e.g., Dashboarding, metrics, etc.).

The risk management process can be iterative for risk assessment and/or risk treatment activities. An iterative approach to
conducting risk assessment increases the depth and detail of the assessment and provides a good balance by minimizing the time
and effort spent while still ensuring that high impact and high probability risks are appropriately assessed.
C.6.1.2.b Information security risk Microsoft defines and applies an information security risk assessment process that ensures that repeated information security risk Examined the Office 365 information security policy, Office 365 framework controls, and associated standard operating procedures, and confirmed that risk assessment
assessments focus on assessments produce consistent, valid, and comparable results. procedures are clearly defined and are used to assess risks to Office 365.
consistent, valid and
comparable results The following factors help Microsoft ensure that repeated information security risk assessments produce consistent, valid, and Examined Office 365 risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and multiple meeting minutes, and
comparable results: determined that Microsoft defines and applies an information security risk assessment process that ensures that repeated information security risk assessments produce
consistent, valid, and comparable results.
- Direct support from Microsoft senior management
Interviewed various risk assessment stake holders such as Office 365 team leads, Risk and Remediation team leads, Office of Enterprise Risk Management (OERM) team leads,
- Alignment with Microsoft's strategic business objectives (security of Office 365 systems and data) and examined risk assessment and reporting documentation defined above to determine that the following factors help Microsoft to ensure that repeated information
security risk assessments produced consistent, valid, and comparable results:
- Reporting and visibility to Microsoft's board via close coordination with Microsoft's Office of Enterprise Risk Management (OERM)
- Direct support from Microsoft senior management as evidenced by senior management's monthly review of risk and remediation work
- Following a documented risk management lifecycle to assess any risks identified
- Alignment with Microsoft's strategic business objectives (security of Office 365 systems and data) as evidenced by budgetary support and senior management
communication

- Reporting and visibility to Microsoft's board via close coordination with OERM as evidenced by meeting minutes from Microsoft board and OERM meetings

- Following a documented risk management lifecycle to assess any risks identified as evidenced by risk assessment reports

C.6.1.2.c.1 Identification of the Microsoft applies the information security risk assessment process to identify risks associated with the loss of confidentiality, Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures, and confirmed that risk assessment
information security risks integrity, and availability for information within the scope of the Office 365 Information Security Management System (ISMS). As procedures are included as a part of the program documentation and that these procedures clearly articulate the process to identify information security risks.
part of establishing an ISMS for Office 365, a risk assessment methodology was developed to provide a structured approach to risk
management and to prioritize and direct Office 365 risk management activities. This methodology has been designed in compliance Examined Office 365 risk assessment documents, risk register, risk remediation reports, plan of actions and milestones, presentations, and multiple meeting minutes, and
with NIST SPs 800-30 and 800-37, based on the following four phases, to accomplish a successful risk management process: determined that Microsoft has applied the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability for
information within the scope of the Office 365 ISMS.
- Identify: Threat, vulnerability, and risk identification provides the list of risks which exists in the environment and provides a basis
for other risk management activities.

- Assess: The risk assessment considers the potential effect of an information security risk to the business and its likelihood of
occurrence, and determines the appropriate risk treatment plan to reduce risk to a desirable level.

- Report: Risk reports provide managers with the data they need to make effective business decisions and to comply with internal
policies and industry regulations.

- Monitor: Risk groups perform testing and monitoring activities to evaluate whether processes, initiatives, functions, or activities are
mitigating the risk as designed. The risk assessment phase begins with identifying risks, establishing a risk level by determining the
likelihood of occurrence and impact, and identifying the controls and safeguards that reduce the effect of the risk to an acceptable
level.

C.6.1.2.c.2 Identify the risk owners Microsoft applies the information security risk assessment process to identify risks associated with the loss of confidentiality, Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures, and confirmed that risk assessment
integrity, and availability for information within the scope of the Office 365 Information Security Management System (ISMS). As procedures are included as a part of the program documentation and that these procedures clearly articulate the process to identify information security risks.
part of establishing an ISMS for Office 365, a risk assessment methodology was developed to provide a structured approach to risk
management and to prioritize and direct Office 365 risk management activities. This methodology has been designed in compliance Examined Office 365 risk assessment documents, risk register, risk remediation reports, plan of actions and milestones, presentations, and multiple meeting minutes, and
with NIST SPs 800-30 and 800-37, based on the following four phases, to accomplish a successful risk management process: determined that Microsoft has applied the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability for
information within the scope of the Office 365 ISMS.
- Identify: Threat, vulnerability, and risk identification provides the list of risks which exists in the environment and provides a basis
for other risk management activities.

- Assess: The risk assessment considers the potential effect of an information security risk to the business and its likelihood of
occurrence, and determines the appropriate risk treatment plan to reduce risk to a desirable level.

- Report: Risk reports provide managers with the data they need to make effective business decisions and to comply with internal
policies and industry regulations.

- Monitor: Risk groups perform testing and monitoring activities to evaluate whether processes, initiatives, functions, or activities are
mitigating the risk as designed. The risk assessment phase begins with identifying risks, establishing a risk level by determining the
likelihood of occurrence and impact, and identifying the controls and safeguards that reduce the effect of the risk to an acceptable
level.
C.6.1.2.d.1 Office 365's assessment of Microsoft applies the information security risk assessment process to identify risks associated with the loss of confidentiality, Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures, and confirmed that risk assessment
the potential consequences integrity, and availability for information within the scope of the Office 365 Information Security Management System (ISMS). As procedures are included as a part of the program documentation and that these procedures clearly articulate the process to identify information security risks.
of information security risks part of establishing an ISMS for Office 365, a risk assessment methodology was developed to provide a structured approach to risk
management and to prioritize and direct Office 365 risk management activities. This methodology has been designed in compliance Examined Office 365 risk assessment documents, risk register, risk remediation reports, plan of actions and milestones, presentations, and multiple meeting minutes, and
with NIST SPs 800-30 and 800-37, based on the following four phases, to accomplish a successful risk management process: determined that Microsoft has applied the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability for
information within the scope of the Office 365 ISMS.
- Identify: Threat, vulnerability, and risk identification provides the list of risks which exists in the environment and provides a basis
for other risk management activities.

- Assess: The risk assessment considers the potential effect of an information security risk to the business and its likelihood of
occurrence, and determines the appropriate risk treatment plan to reduce risk to a desirable level.

- Report: Risk reports provide managers with the data they need to make effective business decisions and to comply with internal
policies and industry regulations.

- Monitor: Risk groups perform testing and monitoring activities to evaluate whether processes, initiatives, functions, or activities are
mitigating the risk as designed. The risk assessment phase begins with identifying risks, establishing a risk level by determining the
likelihood of occurrence and impact, and identifying the controls and safeguards that reduce the effect of the risk to an acceptable
level.

C.6.1.2.d.2 Assessment and the realistic Microsoft defines and applies an information security risk assessment process that identifies the information security risks and Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures, and confirmed that risk assessment
likelihood of the occurrence assesses the realistic likelihood of occurrence of each identified risk. As part of establishing an Information Security Management procedures are included as a part of the program documentation and that these procedures clearly articulate processes to assess the realistic likelihood of occurrence of the
of the risks identified System (ISMS) for Office 365, a risk assessment methodology was developed to provide a structured approach to risk management identified risks.
and to prioritize and direct risk management activities. This methodology has been designed in compliance with NIST SPs 800-30
and 800-37, based on the following four phases, to accomplish a successful risk management process: Examined Office 365 risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and multiple meeting minutes, and
determined that Microsoft has assessed the realistic likelihood of the occurrence of the identified risks.
- Identify: Threat, vulnerability, and risk identification provides the list of risks which exist in the environment and provides a basis for
other risk management activities.

- Assess: The risk assessment considers the potential effect of an information security risk to the business and its likelihood of
occurrence, and determines the appropriate risk treatment plan to reduce the risk to a desirable level.

- Report: Risk reports provide managers with the data they need to make effective business decisions and to comply with internal
policies and industry regulations.

- Monitor: Risk groups perform testing and monitoring activities to evaluate whether processes, initiatives, functions, or activities are
mitigating the risk as designed. The risk assessment phase begins with identifying risks, establishing a risk level by determining the
likelihood of occurrence and effect, and identifying the controls and safeguards that reduce the effect of the risk to an acceptable
level.

C.6.1.2.d.3 Determination of the levels Microsoft defines and applies an information security risk assessment process that identifies the information security risks and Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures, and confirmed that risk assessment
of risk assesses the realistic likelihood of occurrence of each identified risk. As part of establishing an Information Security Management procedures are included as a part of the program documentation and that these procedures clearly articulate processes to assess the realistic likelihood of occurrence of the
System (ISMS) for Office 365, a risk assessment methodology was developed to provide a structured approach to risk management identified risks.
and to prioritize and direct risk management activities. This methodology has been designed in compliance with NIST SPs 800-30
and 800-37, based on the following four phases, to accomplish a successful risk management process: Examined Office 365 risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and multiple meeting minutes, and
determined that Microsoft has assessed the realistic likelihood of the occurrence of the identified risks.
- Identify: Threat, vulnerability, and risk identification provides the list of risks which exist in the environment and provides a basis for
other risk management activities.

- Assess: The risk assessment considers the potential effect of an information security risk to the business and its likelihood of
occurrence, and determines the appropriate risk treatment plan to reduce the risk to a desirable level.

- Report: Risk reports provide managers with the data they need to make effective business decisions and to comply with internal
policies and industry regulations.

- Monitor: Risk groups perform testing and monitoring activities to evaluate whether processes, initiatives, functions, or activities are
mitigating the risk as designed. The risk assessment phase begins with identifying risks, establishing a risk level by determining the
likelihood of occurrence and effect, and identifying the controls and safeguards that reduce the effect of the risk to an acceptable
level.

C.6.1.2.e.1 Comparison of the results of Microsoft defines and applies an information security risk assessment process that identifies the information security risks: Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures (SOPs) and confirmed that risk assessment
risk analysis with the risk determine the levels of risk. As part of establishing an Information Security Management System (ISMS) for Office 365, a risk procedures were included as a part of the program documentation and that these procedures clearly articulate processes to evaluate the information security risks by
criteria established assessment methodology was developed to provide a structured approach to risk management and to prioritize and direct Office comparing the results of risk analysis with the risk criteria established.
365 Risk Management activities. This methodology has been designed in compliance with NIST SPs 800-30 and 800-37, based on
the following four phases, to accomplish a successful risk management process. 1. Identify – Threat, Vulnerability, and Risk Examined Office 365 risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and multiple meeting minutes, and
identification provides the list of risks which exist in the environment and provides a basis for other risk management activities. 2. determined that Office 365 has evaluated the information security risks by comparing the results of risk analysis with the risk criteria established.
Assess – The risk assessment considers the potential impact of an information security risk to the business and its likelihood of
occurrence; determines appropriate risk treatment plan to reduce risk to a desirable level. 3. Report – Risk reports provide
managers with the data they need to make effective business decisions and to comply with internal policies and industry
regulations. 4. Monitor – Risk groups perform testing and monitoring activities to evaluate whether processes, initiatives, functions,
and/or activities are mitigating the risk as designed. The Risk Assessment Assess phase begins with identifying risks, establishing a
risk level by determining the likelihood of occurrence and impact, and finally, identifying controls and safeguards that reduce the
impact of the risk to an acceptable level.
C.6.1.2.e.2 Prioritization of the analyzed Microsoft defines and applies an information security risk assessment process that identifies the information security risks and Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures, and confirmed that risk assessment
risks for risk treatment assesses the realistic likelihood of occurrence of each identified risk. As part of establishing an Information Security Management procedures are included as a part of the program documentation and that these procedures clearly articulate processes to assess the realistic likelihood of occurrence of the
System (ISMS) for Office 365, a risk assessment methodology was developed to provide a structured approach to risk management identified risks.
and to prioritize and direct risk management activities. This methodology has been designed in compliance with NIST SPs 800-30
and 800-37, based on the following four phases, to accomplish a successful risk management process: Examined Office 365 risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and multiple meeting minutes, and
determined that Microsoft has assessed the realistic likelihood of the occurrence of the identified risks.
- Identify: Threat, vulnerability, and risk identification provides the list of risks which exist in the environment and provides a basis for
other risk management activities.

- Assess: The risk assessment considers the potential effect of an information security risk to the business and its likelihood of
occurrence, and determines the appropriate risk treatment plan to reduce the risk to a desirable level.

- Report: Risk reports provide managers with the data they need to make effective business decisions and to comply with internal
policies and industry regulations.

- Monitor: Risk groups perform testing and monitoring activities to evaluate whether processes, initiatives, functions, or activities are
mitigating the risk as designed. The risk assessment phase begins with identifying risks, establishing a risk level by determining the
likelihood of occurrence and effect, and identifying the controls and safeguards that reduce the effect of the risk to an acceptable
level.

C.6.1.3.a Selection of appropriate Microsoft defines and applies an information security risk treatment process to select the appropriate information security risk Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures (SOPs), and confirmed that risk assessment
information security risk treatment options, taking into account the risk assessment results. Microsoft plans how to integrate and implement the actions into procedures are included as a part of the program documentation and that these procedures clearly articulate processes to define and apply an information security risk
treatment options its Office 365 Information Security Management System (ISMS) processes. Microsoft develops plans of action and milestones treatment process to select the appropriate information security risk treatment options, taking into account the risk assessment results.
(POAMs) in accordance risk assessments performed. POAMs are developed and maintained by the Office 365 Risk and Remediation
team. They are recorded to ensure an auditable record of each POAM. POAMs describe how the information system owner intends Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations, and multiple meeting minutes, and determined that Microsoft
to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference). has defined and applied an information security risk treatment process for Office 365 to select the appropriate information security risk treatment options, taking into account
of risk assessment results.

Examined the Office 365 system security plan, the Office 365 information security policy, and Office 365 framework controls and associated SOPs related to security
assessment and authorization and determined that Microsoft develops POAMs in accordance with risk management requirements. POAMs are developed and maintained by
the Office 365 Risk and Remediation team. They are recorded in Product Studio and the Office 365 Trust Metadata Record tool to ensure an auditable record of each POAM.
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference).

C.6.1.3.b Determination of controls Microsoft defines and applies an information security risk treatment process to determine the controls that are necessary to Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures (SOPs), and confirmed that risk assessment
that are necessary to implement the selected information security risk treatment option(s). Microsoft plans how to integrate and implement the actions procedures are included as a part of the program documentation and that these procedures clearly articulate and apply an information security risk treatment process to
implement the information into its Office 365 Information Security Management System (ISMS) processes. Microsoft develops plans of action and milestones determine the controls that are necessary to implement the selected information security risk treatment option(s).
security risk treatment (POAMs) in accordance with the risk assessments that are performed. POAMs are developed and maintained by the Office 365 Risk
option(s) chosen and Remediation team. They are recorded to ensure an auditable record of each POAM. POAMs describe how the information Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations, and multiple meeting minutes, and determined that Microsoft
system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk has defined and applied an information security risk treatment process to determine the controls that are necessary to implement the selected information security risk
transference). treatment option(s).

Examined the Office 365 system security plan, the Office 365 information security policy, and the Office 365 controls framework and associated SOPs related to security
assessment and authorization, and determined that Microsoft develops POAMs in accordance with risk management requirements. POAMs are developed and maintained by
Office 365 Risk and Remediation team. They are recorded in Product Studio and the Office 365 Trust Metadata Record tool site to ensure an auditable record of each POAM.
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference).

C.6.1.3.c Office 365's definition and Microsoft defines and applies an information security risk treatment process to compare the controls determined as part of Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures (SOPs), and confirmed that risk assessment
application of an information implementing risk treatment plans to that of controls documented within ISO 27001 Annex A, and verifies that no necessary controls procedures are included as a part of the program documentation and that these procedures clearly articulate and apply an information security risk treatment process to
security risk treatment are omitted. Microsoft plans how to integrate and implement the actions into its Office 365 Information Security Management compare the controls determined as part of implementing risk treatment plans to that of controls documented within ISO 27001 Annex A and verifies that no necessary
process System (ISMS) processes. Microsoft develops plans of action and milestones (POAMs) in accordance with the risk assessments controls were omitted.
performed. POAMs are developed and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an
auditable record of each POAM. POAMs describe how the information system owner intends to address the vulnerabilities and risks Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations, and multiple meeting minutes, and determined that Microsoft
(e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference). has defined and applied an information security risk treatment process to compare the controls that are determined as part of implementing risk treatment plans to that of
controls documented within ISO 27001 Annex A and verified that no necessary controls were omitted.

Examined the Office 365 system security plan, the Office 365 information security policy, and the Office 365 controls framework and associated SOPs related to security
assessment and authorization and determined that Microsoft develops POAMs in accordance with risk management requirements. POAMs are developed and maintained by
the Office 365 Risk and Remediation team. They are recorded in Product Studio and in the Office 365 Trust Metadata Record tool site to ensure an auditable record of each
POAM. POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk
transference).

C.6.1.3.d Office 365's production of a Microsoft defines and applies an information security risk treatment process to produce a statement of applicability that contains Examined the Office 365 Information Security Policy, the Office 365 System Security Plan, the Office 365 Statement of Applicability, Office 365 framework controls, and
Statement of Applicability the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of associated standard operating procedures (SOPs), and confirmed that risk assessment procedures are included as a part of the program documentation and that these
that contains the necessary controls from ISO 27001 Annex A. The Office 365 System Security Plan provides an overview of the security requirements for Office procedures clearly articulate and apply an information security risk treatment process to produce a statement of applicability that contains the necessary controls and
controlN160s 365 and the systems and applications within. Additionally, the Office 365 Information Security Policy contains a description of the justification for inclusions, whether they were implemented or not, and the justification for exclusions of controls from ISO 27001 Annex A.
security controls that are in place to meet those requirements. The Office 365 Information Security Policy is created in accordance
with industry standards, which contain guidance on security planning. This includes accurately defining the Office 365 accreditation Examined Office 365 risk assessment documents, risk register, risk remediation reports, plan of actions and milestones, presentations, and multiple meeting minutes, and
boundary, as well as describing the operational environment, the security controls that are applicable to the system, and the system determined that Microsoft has defined and applied an information security risk treatment process to produce a statement of applicability that contained the necessary
interconnections. controls and justification for inclusions, whether they were implemented or not, and the justification for exclusions of controls from ISO 27001 Annex A.
C.6.1.3.e Information security risk Microsoft defines and applies an information security risk treatment process to formulate an information security risk treatment Examined the Office 365 System Security Plan, the Office 365 Information Security Policy, the Office 365 framework controls, and associated standard operating procedures
treatment process to plan. Microsoft plans how to integrate and implement the actions into its Information Security Management System (ISMS) (SOPs) related to security assessment and authorization, and determined that Microsoft defines and applies an information security risk treatment process to formulate an
formulate an information processes. Microsoft develops plans of action and milestones (POAMs) in accordance risk assessments performed. POAMs are information security risk treatment plan.
security risk treatment plan developed and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each
POAM. POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations, and multiple meeting minutes, and determined that Microsoft
mitigation, risk avoidance, and risk transference). defines and applies an information security risk treatment process to formulate an information security risk treatment plan. POAMs are developed and maintained by the
Office 365 Risk and Remediation team. They are recorded in Product Studio and in the Office 365 Trust Metadata Record tool to ensure an auditable record of each POAM.
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference).

C.6.1.3.f Approval of the information Microsoft defines and applies an information security risk treatment process to obtain risk owners’ approval of the information Examined the Office 365 system security plan, the Office 365 information security policy, and the Office 365 controls framework and associated standard operating procedures
security risk treatment plan security risk treatment plan and acceptance of the residual information security risks. Microsoft plans how to integrate and (SOPs) related to security assessment and authorization and determined that Office 365 defined and applied an information security risk treatment process to obtain risk
and acceptance of the implement the actions into its Information Security Management System (ISMS) processes. Microsoft develops plans of action and owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
residual information security milestones (POAMs) in accordance risk assessments performed. POAMs are developed and maintained by the Office 365 Risk and
risks Remediation team. They are recorded to ensure an auditable record of each POAM. POAMs describe how the information system Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAM (plan of actions and milestones), presentations, and multiple meeting minutes,
owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference). and determined that Microsoft has defined and applied an information security risk treatment process to obtain risk owners’ approval of the information security risk
treatment plan and acceptance of the residual information security risks. POAMs are developed and maintained by the Office 365 Risk and Remediation team. They are
recorded in Product Studio and in the Office 365 Trust Metadata Record tool to ensure an auditable record of each POAM. POAMs describe how the information system
owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference).

C.6.2.a Information security Microsoft establishes information security objectives at relevant functions and levels. The information security objectives are Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
objectives consistent with the consistent with Microsoft's information security policies. Microsoft and Office 365 security policies form the baseline for information framework, and determined that Microsoft's information security objectives for Office 365 are consistent with it's information security policy and management's strategic
information security policy security objectives across Office 365 teams. These security policies translate management's strategic priority to protect the priority to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data.
confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable information security objectives.
These objectives are then defined in a more specific and granular level through the Office 365 System Security Plan as well as Office Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and
365 team-specific standard operating procedures (SOPs). Finally, the Office 365 control framework gathers the information security multiple meeting minutes, and determined that Microsoft has implemented controls that have been documented through the Office 365 System Security Plan and the Office
requirements as defined by the Office 365 Information Security Management System, as well as the required global compliance 365 control framework, and that these controls are consistent with Microsoft's information security objectives.
requirements, and provides actionable controls for Office 365 teams so that information security objectives are consistent with the
information security policy and management direction.

C.6.2.b Measurable information Microsoft establishes information security objectives at relevant functions and levels and ensures that these objectives are Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
security objectives measurable. The information security objectives are consistent with Microsoft's information security policies. Microsoft and Office framework, and determined that Microsoft's information security objectives for Office 365 are measurable.
365 security policies form the baseline for information security objectives across Office 365 teams. These security policies translate
management's strategic priority to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and
into actionable information security objectives. These objectives are then defined in a more specific and granular level through the multiple meeting minutes, and determined that Office 365 has implemented controls that have been documented through the Office 365 System Security Plan and the Office
Office 365 System Security Plan, as well as Office 365 team-specific standard operating procedures (SOPs). Finally, the Office 365 365 control framework, and that these controls are measurable.
control framework gathers the information security requirements that are defined by the Office 365 Information Security
Management System, as well as the required global compliance requirements, and provides measurable controls for Office 365
teams so that information security objectives are consistent with the information security policy and management direction.

C.6.2.c Applicable information Microsoft establishes information security objectives at relevant functions and levels and ensures that these objectives take into Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
security requirements, and account the applicable information security requirements and results from risk assessments and risk treatment. The information framework, and determined that Microsoft ensures that information security objectives take into account applicable information security requirements, and the results from
results from risk assessment security objectives are consistent with Microsoft's information security policies. Microsoft and Office 365 security policies form the risk assessments and risk treatment.
and risk treatment baseline for information security objectives across Office 365 teams. These security policies translate management's strategic priority
to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable information security Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and
objectives. These objectives are then defined in a more specific and granular level through the Office 365 System Security Plan as multiple meeting minutes, and determined that Microsoft has implemented controls that have been documented through the Office 365 System Security Plan and the Office
well as Office 365 team-specific standard operating procedures (SOPs). Finally, the Office 365 control framework gathers the 365 control framework, and that these controls ensure that Office 365 information security objectives take into account applicable information security requirements, and
information security requirements that are defined by the Office 365 Information Security Management System, as well as the results from risk assessments and risk treatment.
required global compliance requirements, and provides measurable controls for Office 365 teams so that information security
objectives take into account applicable information security requirements, and the results from risk assessments and risk treatment.

C.6.2.d Communication of Microsoft establishes information security objectives at relevant functions and levels and ensures that these objectives are Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
information security communicated. The information security objectives are consistent with Microsoft's information security policies. Microsoft and Office framework, and determined that Office 365 ensures that information security objectives are communicated.
objectives 365 security policies form the baseline for information security objectives across Office 365 teams. These security policies translate
management's strategic priority to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and
into actionable information security objectives. These objectives are then defined in a more specific and granular level through the multiple meeting minutes, and determined that Office 365 has implemented controls that have been documented through the Office 365 System Security Plan and the Office
Office 365 System Security Plan as well as Office 365 team-specific standard operating procedures (SOPs). Finally, the Office 365 365 control framework and that communication of these documents ensures that information security objectives are communicated.
control framework gathers the information security requirements that are defined by the Office 365 Information Security
Management System, as well as required global compliance requirements, and provides measurable controls for Office 365 teams so Examined internal SharePoint site containing documents about Office 365 security and risk management, and awareness training documentation, and determined that
that information security objectives are consistent with the information security policy and management direction. The information security objectives are communicated to Office 365 teams.
aforementioned documents are available to Office 365 teams on a SharePoint site. Also, information security objectives are
communicated to Office 365 teams through the Office 365 Information Security Policy, the Office 365 System Security Plan, the
Office 365 control framework, and annual Office 365 security, risk management, and awareness training.
C.6.2.e Updates to e information Microsoft establishes information security objectives at relevant functions and levels and ensures that these objectives are updated Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
security objectives as appropriate. The information security objectives are consistent with Microsoft's information security policies. Microsoft and Office framework, and determined that Microsoft ensures that information security objectives are updated as appropriate based on audits, risk assessments, and new security and
365 security policies form the baseline for information security objectives across Office 365 teams. These security policies translate compliance requirements that are assessed.
management's strategic priority to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data
into actionable information security objectives. These objectives are then defined in a more specific and granular level through the Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and
Office 365 System Security Plan as well as Office 365 team-specific standard operating procedures (SOPs). Finally, the Office 365 multiple meeting minutes, and determined that Office 365 has implemented controls that ensure that information security objectives are updated as appropriate based on
control framework gathers the information security requirements that are defined by the Office 365 Information Security audits, risk assessments, and new security and compliance requirements that are assessed.
Management System, as well as required global compliance requirements, and provides measurable controls for Office 365 teams so
that information security objectives are consistent with the information security policy and management direction. Furthermore,
these information security objectives are updated as appropriate based on audits, risk assessments, and new security and
compliance requirements that are assessed.

C.6.2.f Planning for achieving its Microsoft retains documented information on information security objectives. When planning how to achieve its information Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
information security security objectives for Office 365, Microsoft determines what will be done. Microsoft and Office 365 security policies form the framework and validated that when planning how to achieve its Office 365 information security objectives, Microsoft determines what will be done.
objectives baseline for information security objectives across Office 365 teams. These security policies translate management's strategic priority
to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable information security Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, POAMs, presentations, and multiple meeting minutes, and
objectives. These objectives are then defined in a more specific and granular level through the Office 365 System Security Plan as determined that Office 365 has implemented controls that ensure that when planning how to achieve its Office 365 information security objectives, Microsoft determines what
well as Office 365 team-specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers will be done.
information security requirements that are defined by the Office 365 Information Security Management System, as well as required
global compliance requirements, and provides measurable controls for Office 365 teams so that they clearly understand what needs
to be done. Finally, for each plan of actions and milestones (POAM), Microsoft defines what will be done, what resources will be
required, who will be responsible, when it will be completed, and how the results will be evaluated.

C.6.2.g Resource management to Microsoft retains documented information on information security objectives. When planning how to achieve its Office 365 Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
achieve its information information security objectives, Microsoft determines what resources will be required. Microsoft and Office 365 security policies framework and validated that when planning how to achieve its Office 365 information security objectives, Microsoft determines what resources will be required.
security objectives form the baseline for information security objectives across Office 365 teams. These security policies translate management's
strategic priority to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, POAMs, presentations, and multiple meeting minutes, and
information security objectives. These objectives are then defined in a more specific and granular level through the Office 365 determined that Microsoft has implemented controls that ensure that when planning how to achieve its Office 365 information security objectives, Microsoft determines what
System Security Plan as well as Office 365 team-specific standard operating procedures (SOPs). Furthermore, the Office 365 control resources are required.
framework gathers information security requirements that are defined by the Office 365 Information Security Management System,
as well as required global compliance requirements, and provides measurable controls for Office 365 teams so that they clearly
understand what needs to be done. Finally, for each plan of actions and milestones (POAM), Microsoft defines what will be done,
what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.

C.6.2.h Responsibilities for Microsoft retains documented information on information security objectives. When planning how to achieve its Office 365 Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
information security information security objectives, Microsoft determines who will be responsible. Microsoft and Office 365 security policies form the framework and validated that when planning how to achieve its Office 365 information security objectives, Microsoft determines who is responsible.
objectives baseline for information security objectives across Office 365 teams. These security policies translate management's strategic priority
to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable information security Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, POAMs, presentations, and multiple meeting minutes, and
objectives. These objectives are then defined in a more specific and granular level through the Office 365 System Security Plan as determined that Microsoft has implemented controls that ensure that when planning how to achieve its Office 365 information security objectives, Microsoft determines who
well as Office 365 team-specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers is responsible.
information security requirements that are defined by the Office 365 Information Security Management System, as well as required
global compliance requirements, and provides measurable controls for Office 365 teams so that they clearly understand what needs
to be done. Finally, for each plan of actions and milestones (POAM), Microsoft defines what will be done, what resources will be
required, who will be responsible, when it will be completed, and how the results will be evaluated.

C.6.2.i Completion timelines for Microsoft retains documented information on information security objectives. When planning how to achieve its Office 365 Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
information security information security objectives, Microsoft determines when it will be completed. Microsoft and Office 365 security policies form the framework and validated that when planning how to achieve its Office 365 information security objectives, Microsoft determines when it will be completed.
objectives baseline for information security objectives across Office 365 teams. These security policies translate management's strategic priority
to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable information security Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and
objectives. These objectives are then defined in a more specific and granular level through the Office 365 System Security Plan as multiple meeting minutes, and determined that Microsoft has implemented controls that ensure that when planning how to achieve its Office 365 information security
well as Office 365 team-specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers objectives, Microsoft determines when it should be completed.
information security requirements that are defined by the Office 365 Information Security Management System, as well as required
global compliance requirements, and provides measurable controls for Office 365 teams so that they clearly understand what needs
to be done. Finally, for each plan of actions and milestones (POAM), Microsoft defines what will be done, what resources will be
required, who will be responsible, when it will be completed, and how the results will be evaluated.

C.6.2.j Evaluation of results for Microsoft retains documented information on information security objectives. When planning how to achieve its Office 365 Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
information security information security objectives, Microsoft determines how the results are evaluated. Microsoft and Office 365 security policies form framework and validated that when planning how to achieve its Office 365 information security objectives, Microsoft determines how the results are evaluated.
objectives the baseline for information security objectives across Office 365 teams. These security policies translate management's strategic
priority to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable information Examined Office 365 audit test plans and results, risk assessment documents, risk register, risk remediation reports, plans of actions and milestones, presentations, and
security objectives. These objectives are then defined in a more specific and granular level through the Office 365 System Security multiple meeting minutes, and determined that Microsoft has implemented controls that ensure that when planning how to achieve its Office 365 information security
Plan as well as Office 365 team-specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework objectives, Microsoft determines how the results are evaluated.
gathers information security requirements that are defined by the Office 365 Information Security Management System, as well as
required global compliance requirements, and provides measurable controls for Office 365 teams so that they clearly understand
what needs to be done. Finally, for each plan of actions and milestones (POAM), Microsoft defines what will be done, what
resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.
C.7.1 Resources needed for the Microsoft determines and provides the resources needed for the establishment, implementation, maintenance and continual Examined the Office 365 information security policy, aligned security standard operating procedures, meeting minutes, decision logs, and audit reports, and determined that
establishment, improvement of the Office 365 Information Security Management System (ISMS). The Office 365 Security and Trust teams are Microsoft determines and provides the resources needed for the establishment, implementation, maintenance and continual improvement of the Office 365 ISMS and that
implementation, responsible for ensuring proper security resourcing and support. Resourcing allocations are reviewed by management annually. resourcing allocations are reviewed by management annually.
maintenance and continual
improvement of the Microsoft management includes the following roles that support information security: Interviewed management leads across Office 365 teams with supporting roles of information security and determined that following teams are supported by Microsoft
information security management:
management system - Access Security
- Change Management - Access Security (includes personnel that maintain Active Directory and identity services, authentication rules, and user access)
- Backup and Replication
- Security and Availability Monitoring - Change Management (includes development, testing, and project management teams tasked with developing and maintaining Office 365 applications and supporting
- Business Continuity Management services)
- Overall Office 365 Security
- Governance, Risk, and Compliance - Backup and Replication (includes personnel for configuring and monitoring the replication and backup of specified internal and customer data)

- Security and Availability Monitoring (includes personnel that monitor the incidents that affect the security and availability of Office 365 and supporting services)

- Business Continuity Management (provides a single resource to assist Office 365 teams in analyzing continuity and disaster recovery requirements, documenting procedures,
and conducting testing of established procedures)

- Overall Office 365 Security (manages cross-platform security functions, such as security incident response, security monitoring, and vulnerability scanning)

- Governance, Risk, and Compliance (identifies, documents, and advises teams in implementing controls to maintain Microsoft's availability and security commitments to its
customers)

C.7.2.a Competence of personnel Microsoft determines the necessary competence of person(s) doing work under its control that affects its information security Examined selection of job descriptions (including information security job descriptions), sample accountabilities (including information security accountabilities), and human
doing work under Office performance. Microsoft (including Office 365) hiring managers define job requirements prior to recruiting, interviewing, and hiring. resource procedures and determined that Microsoft determines the necessary competence of person(s) doing work under its control that affects its information security
365s control that affects its Job requirements include the primary responsibilities (including information security responsibilities) and tasks involved in the job, performance.
information security background characteristics needed to perform the job, and required personal characteristics. Once the requirements are
performance determined, managers create a job description, which is a profile of the job that is used to identify potential candidates. When viable
candidates are identified, the interview process begins to evaluate candidates and to make appropriate hiring decisions.

Microsoft employees create individual accountabilities (including information security accountabilities) that align with those of their
managers, organizations, and Microsoft, and are supported by customer-centric actions and metrics so that everyone is working
toward the same overarching vision. Accountabilities are established when an employee is hired and then updated throughout the
year according to business circumstances.

Managers work with their employees to analyze progress against accountabilities and to adjust accountabilities, if needed, several
times throughout the year. Managers evaluate individual contributions to teams, the business, or customer impact, taking into
consideration contributions aimed at creating a high-performing team and the demonstration of competencies relevant to the role
and to the information security performance.

C.7.2.b Competencies on the basis Microsoft ensures that these persons are competent on the basis of appropriate education, training, or experience. Office 365 Examined the Office 365 security plan, the Office 365 Information security policy, and the Office 365 security training policy, and determined that Office 365 provides security
of appropriate education, provides employees of the organization and, where relevant, contractors, appropriate awareness education and training and regular awareness training to information system users (including managers, senior executives, and contractors) as part of the initial training for new users.
training, or experience updates to organizational policies and procedures, as relevant for their job function. Microsoft provides role-based security training
to personnel with assigned security roles and responsibilities. Appropriate Office 365 staff take part in a Microsoft Online Services- Examined training records to determine that Microsoft accomplishes necessary competence by requiring staff to take a NEO security awareness training course and Standards
sponsored security training program, and are recipients of periodic security awareness updates when applicable. Security education of Business Conduct training within the first 30 days of their employment or transfer into the organization. This training course is facilitated by Microsoft's Information
is an on-going process and is conducted regularly in order to minimize risks. The Microsoft Online Services contractor staff is Technology (MSIT) department and Microsoft Corporate Security, and encompasses standard business security measures, information security, and user actions to maintain
required to take any training determined to be appropriate to the services being provided and the role they perform. Staff is security and to respond to suspected security incidents.
required to enroll in a New Employee Orientation (NEO) security awareness training course and Standards of Business Conduct
training within the first 30 days of their employment or transfer into the organization. The Office 365 Risk Management team has Examined training records to determine that the Office 365 Risk Management team has implemented the security training control by requiring new employees and
implemented the security training control by requiring employees and contractors to take the security and awareness training on an contractors to take the security and awareness training annually. Non-operational personnel, which refers to anyone that is involved in development and quality assurance,
annual basis. Non-operational personnel, which refers to anyone that is involved in development and quality assurance, are also are also required to take the mandatory training offered by Microsoft Online Services Security, as well as the training associated with the operational procedures relating to
required to take the mandatory training offered by Microsoft Online Services Security, as well as training associated with the Asset Handling, Incident Response, and Change Control.
operational procedures related to Asset Handling, Incident Response, and Change Control. In addition, training related to the
system being accessed, along with associated procedures, may be required. Security training is also required when there is a Examined the Office 365 security plan, the Office 365 Information Security Policy, Office 365 framework controls, and the Office 365 security training policy and determined
significant change to the system environment. that security training is required when there is a significant change to the system environment.

Examined a report of training records and screenshots identifying course content as well as completion records, and determined that annual security awareness training is
conducted annually, and that Microsoft determines the necessary competence of person(s) doing work under its control that affect its information security performance.

Examined a report of training records and screenshots identifying course content and course transcripts, and determined that annual security awareness training and role-
based security-related training is conducted and required for Office 365 teams annually.
C.7.2.c Actions to acquire the Microsoft determines the necessary competence of person(s) doing work under its control that affect its information security Examined a selection of sample accountabilities (including information security accountabilities), new hire fulfillment, organizational charts, and human resources procedures,
necessary competence, and performance. Microsoft (including Office 365) hiring managers define job requirements prior to recruiting, interviewing, and hiring. and determined that Microsoft where applicable, takes actions to acquire the necessary competence, and to evaluate the effectiveness of the actions taken.
evaluate the effectiveness of Job requirements include the primary responsibilities (including information security responsibilities) and tasks involved in the job,
the actions taken background characteristics needed to perform the job, and the required personal characteristics. Once the requirements are
determined, managers create a job description, which is a profile of the job that is used to identify potential candidates. When viable
candidates are identified, the interview process begins to evaluate candidates and to make appropriate hiring decisions.

Microsoft employees create individual accountabilities (including information security accountabilities) that align with those of their
managers, organizations, and Microsoft, and are supported by customer-centric actions and measures so that everyone is working
toward the same overarching vision. Accountabilities are established when an employee is hired and then updated throughout the
year according to business circumstances.

Managers work with their employees to analyze progress against accountabilities and to adjust accountabilities, if needed, several
times throughout the year. Managers evaluate individual contributions to teams, the business, or customer impact, taking into
consideration contributions aimed at creating a high-performing team and the demonstration of competencies relevant to the role
and to information security performance.

C.7.2.d Documented information as Microsoft retains appropriate documented information as evidence of competence. Microsoft provides employees of the Examined the Office 365 security plan, the Office 365 Information Security Policy, Office 365 framework controls, and the Office 365 Security Training Policy, and determined
evidence of competence organization and, where relevant, contractors, appropriate awareness education and training and regular updates to organizational that the Office 365 Risk Management uses the Learning Central system to retain employee training records for security awareness and specific information system security
policies and procedures, as relevant for their job function. Microsoft retains employee training records for security awareness and training for at least 3 years.
specific information system security training for at least 3 years.
Examined historical training records and determined that employee training records for security awareness and specific information system security training are retained for at
least 3-years.
C.7.3.a Information security policy Persons doing work under Office 365 control shall be aware of the information security policy. Microsoft provides role-based Examined the Office 365 security plan, the Office 365 Information Security Policy, and the Office 365 Security Training Policy, and determined that Microsoft provides role-
awareness security training to personnel with assigned security roles and responsibilities. Appropriate staff members take part in a Microsoft based and security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users and
Online Services-sponsored security training program, and are recipients of periodic security awareness updates when applicable. therefore persons doing work under Office 365 are aware of the information security policy.
Security education is an on-going process and is conducted regularly in order to minimize risks. Microsoft Online Services contractor
staff is required to take any training determined to be appropriate to the services being provided and the role they perform. Staff is Examined training records to determine that Microsoft accomplished necessary the competence by requiring staff to take a NEO security awareness training course and
required to enroll in a New Employee Orientation (NEO) security awareness training course, and Standards of Business Conduct Standards of Business Conduct training within the first 30 days of their employment or transfer into the organization. This training course is facilitated by Microsoft's
training, within the first 30 days of their employment or transfer into the organization. The Office 365 Risk Management team has Information Technology (MSIT) department and Microsoft Corporate Security, and encompasses standard business security measures, information security, and user actions
implemented the security training control by requiring employees and contractors to take the security and awareness training on an to maintain security and to respond to suspected security incidents.
annual basis. Non-operational personnel, which refers to anyone that is involved in development and quality assurance, are also
required to take the mandatory training offered by Microsoft Online Services Security, as well as training associated with the Examined training records to determine that the Office 365 Risk Management team has implemented the security training control by requiring new employees and
operational procedures related to Asset Handling, Incident Response, and Change Control. In addition, training related to the contractors to take the security and awareness training annually. Non-operational personnel, which refers to anyone that is involved in development and quality assurance,
system being accessed, along with the associated procedures, may be required. Security training is also required when there is a are also required to take the mandatory training offered by Microsoft Online Services Security, as well as training associated with the operational procedures relating to Asset
significant change to the system environment. Handling, Incident Response, and Change Control.

Examined a report of training records and screenshots that identify course content as well as completion records, and determined that annual security awareness training is
conducted annually and that Microsoft determines the necessary competence of person(s) doing work under its control that affect its information security performance.

Examined a report of training records and screenshot that identify course content and course transcripts, and determined that annual security awareness training and role-
based security-related training is conducted and required for Office 365 teams annually.

Examined the Office 365 security plan, the Office 365 Information Security Policy, Office 365 framework controls, and the Office 365 Security Training Policy, and determined
that security training is required when there is a significant change to the system environment.

C.7.3.b Office 365 personnel Persons doing work under Microsoft's control are aware of their contribution to the effectiveness of the Office 365 Information Examined the Office 365 security plan, the Office 365 Information Security Policy, and the Office 365 Security Training Policy, and determined that Microsoft provides role-
awareness around Security Management System (ISMS), including the benefits of improved information security performance. Microsoft provides role- based and security awareness training to information system users (including managers, senior executives, and contractors) as part of the initial training for new users and
contribution to the based security training to personnel with assigned security roles and responsibilities. Appropriate personnel take part in a Microsoft therefore persons doing work under Microsoft's control are aware of their contribution to the effectiveness of the ISMS, including the benefits of improved information
effectiveness of the Online Services-sponsored security training program, and are recipients of periodic security awareness updates when applicable. security performance.
information security Security education is an on-going process and is conducted regularly in order to minimize risks. All Microsoft Online Services
management system contractor staff are required to take any training determined to be appropriate to the services being provided and the role they Examined a report of training records and screenshots identifying course content as well as completion records, and determined that annual security awareness training is
perform. All staff are required to enroll in a New Employee Orientation (NEO) security awareness training course and Standards of conducted annually and that Microsoft determines the necessary competence of person(s) doing work under its control that can affect its information security performance.
Business Conduct training within the first 30 days of their employment or transfer into the organization. The Office 365 Risk
Management team has implemented the security training control by requiring employees and contractors to take the security and Examined training records to determine that Office 365 accomplished necessary competence by requiring staff to take a NEO security awareness training course and
awareness training on an annual basis. Non-operational personnel, which refers to anyone that is involved in development and Standards of Business Conduct training within the first 30 days of their employment or transfer into the organization. This training course is facilitated by Microsoft's
quality assurance, are also required to take the mandatory training offered by Microsoft Online Services Security, as well as training Information Technology (MSIT) department and Microsoft Corporate Security, and encompasses standard business security measures, information security, and user actions
associated with the operational procedures related to Asset Handling, Incident Response, and Change Control. In addition, training to maintain security and to response to suspected security incidents.
related to the system being accessed, along with associated procedures, may be required. Security training is also required when
there is a significant change to the system environment. Examined training records to determine that the Office 365 Risk Management team has implemented security training controls by requiring new employees and contractors
to take the security and awareness training annually. Non-operational personnel, which refers to anyone that is involved in development and quality assurance, are also
required to take the mandatory training offered by Microsoft Online Services Security, as well as training associated with the operational procedures related to Asset Handling,
Incident Response, and Change Control.

Examined a report of training records and screenshots that identify course content and course transcripts and determined that annual security awareness training and role-
based security related training is conducted and required for Office 365 teams annually.

Examined the Office 365 security plan, the Office 365 Information Security Policy, Office 365 framework controls, and the Office 365 Security Training Policy and determined
that security training is required when there is a significant change to the system environment.
C.7.3.c Personnel awareness of the Persons doing work under Microsoft's control are aware of the implications of not conforming with the Office 365 Information Interviewed Office 365 Trust team Lead and a Senior Program Manager and determined that through various security awareness training programs. persons doing work under
implications of non- Security Management System (ISMS) requirements. Microsoft uses a formal sanctions process for personnel failing to comply with Microsoft's control are aware of the implications of not conforming with the ISMS requirements.
conformance established information security policies and procedures. Any Microsoft Online Services staff suspected of committing breaches of
security or violating the Microsoft Security Policy equivalent to a Microsoft Code of Conduct violation are subject to an investigation Examined the Office 365 system security plan and determined that the Microsoft Human Resources team is responsible for ensuring that the sanctions process is conducted
and appropriate disciplinary action up to and including termination. Contractor staff suspected of committing breaches of security properly. Potential security breaches involving employees or third-party personnel are immediately reported to Microsoft Human Resources, to the Corporate, External, and
or violation of the Microsoft Security Policy are subject to formal investigation and action appropriate to the associated contract, Legal Affairs (CELA) team, and to the employee's manager.
which may include termination of such contract. Once a determination has been made that a staff member of Microsoft has violated
policy, Microsoft Human Resources is informed, and is responsible for coordinating the disciplinary response. Interviewed Office 365 Trust team Lead and a Senior Program Manager and determined that sanctions are automatically reported to Microsoft Human Resources, the CELA
team, and the employee's manager. The incident undergoes a formal investigation before sanctions and actions against the employee are determined.

C.7.4.a Internal and external Microsoft determines the need for internal and external communications relevant to the Office 365 Information Security Examined a selection of communications, which included presentations, meeting minutes, blogs, and roadmaps from the following sources:
communications relevant to Management System (ISMS) including what to communicate.
the information security - Office 365 Trust Team Office Hours
management system Office 365 internal communications include: - Office 365 Monthly Service Reviews
- Office 365 Security and Availability Incident Communications
- Office 365 Trust Office Hours: where Office 365 Security, Trust, and Compliance, External and Legal Affairs teams review proposed - Office 365 Service Infrastructure and Support Systems Change Management Communications
Office 365 features and feature changes, and provide feedback on the information security, compliance, and privacy requirements.
Validated that Microsoft determines the need for internal and external communications relevant to the ISMS, as well as what to communicate.
- Office 365 Monthly Service Reviews: where Office 365 senior management reviews trends of key security performance indicators
and provides feedback on how these align with Microsoft's strategic objective of protecting Office 365 systems and data.

Office 365 external communications include:

- Office 365 Security and Availability Incident Communications: how Microsoft notifies Office 365 customers of security and
availability incidents as per Microsoft's agreement with customers. See the incident response controls for additional details.

- Office 365 Service Infrastructure and Support Systems Change Management Communications: how Microsoft makes it possible for
customers to view upcoming service infrastructure and support changes.

C.7.4.b Determination for the need Microsoft determines the need for internal and external communications relevant to the Office 365 Information Security Examined a selection of communications, which included presentations, meeting minutes, blogs, and roadmaps from the following sources:
for internal and external Management System (ISMS) including when to communicate.
communications (when to - Office 365 Trust Team Office Hours
communication) Office 365 internal communications include: - Office 365 Monthly Service Reviews
- Office 365 Security and Availability Incident Communications
- Office 365 Trust Office Hours: where Office 365 Security, Trust, and Compliance, External and Legal Affairs teams review proposed - Office 365 Service Infrastructure and Support Systems Change Management Communications
Office 365 features and feature changes, and provide feedback on the information security, compliance, and privacy requirements.
Validated that Microsoft determines the need for internal and external communications relevant to the ISMS, as well as when to communicate.
- Office 365 Monthly Service Reviews: where Office 365 senior management reviews trends of key security performance indicators
and provides feedback on how these align with Microsoft's strategic objective of protecting Office 365 systems and data.

Office 365 external communications include:

- Office 365 Security and Availability Incident Communications: how Microsoft notifies Office 365 customers of security and
availability incidents as per Microsoft's agreement with customers. See the incident response controls for additional details.

- Office 365 Service Infrastructure and Support Systems Change Management Communications: how Microsoft makes it possible for
customers to view upcoming service infrastructure and support changes.

C.7.4.c Information security Microsoft determines the need for internal and external communications relevant to the Office 365 Information Security Examined a selection of communications, which included presentations, meeting minutes, blogs, and roadmaps from the following sources:
communications (whom to Management System (ISMS) including with whom to communicate.
communicate) - Office 365 Trust Team Office Hours
Office 365 internal communications include: - Office 365 Monthly Service Reviews
- Office 365 Security and Availability Incident Communications
- Office 365 Trust Office Hours: where Office 365 Security, Trust, and Compliance, External and Legal Affairs teams review proposed - Office 365 Service Infrastructure and Support Systems Change Management Communications
Office 365 features and feature changes, and provide feedback on the information security, compliance, and privacy requirements.
Validated that Microsoft determines the need for internal and external communications relevant to the ISMS, as well as with whom to communicate.
- Office 365 Monthly Service Reviews: where Office 365 senior management reviews trends of key security performance indicators
and provides feedback on how these align with Microsoft's strategic objective of protecting Office 365 systems and data.

Office 365 external communications include:

- Office 365 Security and Availability Incident Communications: how Microsoft notifies Office 365 customers of security and
availability incidents as per Microsoft's agreement with customers. See the incident response controls for additional details.

- Office 365 Service Infrastructure and Support Systems Change Management Communications: how Microsoft makes it possible for
customers to view upcoming service infrastructure and support changes.
C.7.4.d Determination for the need Microsoft determines the need for internal and external communications relevant to the Office 365 Information Security Examined a selection of communications, which included presentations, meeting minutes, blogs, and roadmaps from the following sources:
for internal and external Management System (ISMS) including who shall communicate.
communications (who shall - Office 365 Trust Team Office Hours
communicate) Office 365 internal communications include: - Office 365 Monthly Service Reviews
- Office 365 Security and Availability Incident Communications
- Office 365 Trust Office Hours: where Office 365 Security, Trust, and Compliance, External and Legal Affairs teams review proposed - Office 365 Service Infrastructure and Support Systems Change Management Communications
Office 365 features and feature changes, and provide feedback on the information security, compliance, and privacy requirements.
Validated that Microsoft determines the need for internal and external communications relevant to the ISMS, as well as who shall communicate.
- Office 365 Monthly Service Reviews: where Office 365 senior management reviews trends of key security performance indicators
and provides feedback on how these align with Microsoft's strategic objective of protecting Office 365 systems and data.

Office 365 external communications include:

- Office 365 Security and Availability Incident Communications: how Microsoft notifies Office 365 customers of security and
availability incidents as per Microsoft's agreement with customers. See the incident response controls for additional details.

- Office 365 Service Infrastructure and Support Systems Change Management Communications: how Microsoft makes it possible for
customers to view upcoming service infrastructure and support changes.

C.7.4.e Internal and external Microsoft determines the need for internal and external communications relevant to the Office 365 Information Security Examined a selection of communications, which included presentations, meeting minutes, blogs, and roadmaps from the following sources:
information security Management System (ISMS) including the process through which communication occur.
communications process - Office 365 Trust Team Office Hours
Office 365 internal communications include: - Office 365 Monthly Service Reviews
- Office 365 Security and Availability Incident Communications
- Office 365 Trust Office Hours: where Office 365 Security, Trust, and Compliance, External and Legal Affairs teams review proposed - Office 365 Service Infrastructure and Support Systems Change Management Communications
Office 365 features and feature changes, and provide feedback on the information security, compliance, and privacy requirements.
Validated that Microsoft determines the need for internal and external communications relevant to the ISMS, as well as the process through which communication will occur.
- Office 365 Monthly Service Reviews: where Office 365 senior management reviews trends of key security performance indicators
and provides feedback on how these align with Microsoft's strategic objective of protecting Office 365 systems and data.

Office 365 external communications include:

- Office 365 Security and Availability Incident Communications: how Microsoft notifies Office 365 customers of security and
availability incidents as per Microsoft's agreement with customers. See the incident response controls for additional details.

- Office 365 Service Infrastructure and Support Systems Change Management Communications: how Microsoft makes it possible for
customers to view upcoming service infrastructure and support changes.

C.7.5.1.a Information security The Office 365 Information Security Management System (ISMS) includes documented information required by this international Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
management system shall standard. Microsoft and Office 365 security policies form the baseline for information security objectives across Office 365 teams. framework, and determined that the Office 365 ISMS includes documented information required by this international standard.
include documented These security policies translate management's strategic priority to protect the confidentiality, integrity, availability, and reliability of
information required by this Office 365 systems and data into actionable information security objectives. These objectives are then defined in a more specific
International Standard and granular level through the Office 365 System Security Plan as well as Office 365 team-specific standard operating procedures
(SOPs). Furthermore, the Office 365 control framework gathers information security requirements that are defined by the Office 365
ISMS, as well as required global compliance requirements, and provides measurable controls for Office 365 teams.

C.7.5.1.b Documentation evidencing The Office 365 Information Security Management System (ISMS) includes documented information determined by Microsoft as Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
the effectiveness of the being necessary for the effectiveness of the ISMS. Microsoft and Office 365 security policies form the baseline for information framework, and determined that the Office 365 ISMS includes documented information determined by Microsoft as being necessary for the effectiveness of the ISMS.
information security security objectives across Office 365 teams. These security policies translate management's strategic priority to protect the
management system confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable information security objectives.
These objectives are then defined in a more specific and granular level through the Office 365 System Security Plan as well as Office
365 team-specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers information
security requirements that are defined by the Office 365 ISMS, as well as required global compliance requirements, and provides
measurable controls for Office 365 teams.

C.7.5.2.a Office 365 documentation When creating and updating documented information, Microsoft ensures that appropriate identification and descriptions (e.g., title, Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
for appropriate identification date, author, or reference number) are included. Microsoft and Office 365 security policies form the baseline for information security framework, and determined that the Office 365 ISMS includes documented information that properly describes the details and effectiveness of the ISMS, and that each of
and description objectives across Office 365 teams. These security policies translate management's strategic priority to protect the confidentiality, these documents includes a title, data, author, or reference number.
integrity, availability, and reliability of Office 365 systems and data into actionable information security objectives. These objectives
are then defined in a more specific and granular level through the Office 365 System Security Plan as well as Office 365 team-
specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers information security
requirements that are defined by the Office 365 ISMS, as well as required global compliance requirements, and provides measurable
controls for Office 365 teams.
C.7.5.2.b Documentation in When creating and updating documented information, Microsoft ensures that appropriate identification and descriptions (e.g., title, Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
appropriate format and date, author, or reference number) are included. Microsoft and Office 365 security policies form the baseline for information security framework, and determined that the Office 365 ISMS includes documented information that properly describes the details and effectiveness of the ISMS, and that each of
media objectives across Office 365 teams. These security policies translate management's strategic priority to protect the confidentiality, these documents has a title, data, author, or reference number.
integrity, availability, and reliability of Office 365 systems and data into actionable information security objectives. These objectives
are then defined in a more specific and granular level through the Office 365 System Security Plan as well as Office 365 team-
specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers information security
requirements that are defined by the Office 365 ISMS, as well as required global compliance requirements, and provides measurable
controls for Office 365 teams.

C.7.5.2.c Documentation under When creating and updating documented information, Microsoft ensures that appropriate reviews occur and that documents are Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
appropriate review and approved for suitability and adequacy. Microsoft and Office 365 security policies form the baseline for information security framework, and determined that the Office 365 ISMS includes documented information determined by the Office 365 as being necessary for the effectiveness of the ISMS, and
approval objectives across Office 365 teams. These security policies translate management's strategic priority to protect the confidentiality, that each of these documents are reviewed and approved for suitability and adequacy.
integrity, availability, and reliability of Office 365 systems and data into actionable information security objectives. These objectives
are then defined in a more specific and granular level through the Office 365 System Security Plan as well as Office 365 team-
specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers information security
requirements that are defined by the Office 365 Information Security Management System (ISMS), as well as required global
compliance requirements, and provides measurable controls for Office 365 teams.

C.7.5.3.Part1. Appropriate control of Documented information required by the Office 365 Information Security Management System (ISMS) and by this international Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, the Office 365 control framework,
a documentation standard is controlled to ensure that it is available and suitable for use, where and when it is needed. These documents are available Trust team documents available on an internal SharePoint site, and the Office 365 TMR tool site, and determined that documented information required by the ISMS and by
to Office 365 teams via an internal SharePoint site as well as through the Office 365 Trust Metadata Record (TMR) tool site. this international standard is controlled to ensure that it is available and suitable for use, where and when it is needed.
Microsoft and Office 365 security policies form the baseline for information security objectives across Office 365 teams. These
security policies translate management's strategic priority to protect the confidentiality, integrity, availability, and reliability of Office
365 systems and data into actionable information security objectives. These objectives are then defined in a more specific and
granular level through the Office 365 System Security Plan as well as Office 365 team-specific standard operating procedures (SOPs).
Furthermore, the Office 365 control framework gathers information security requirements that are defined by the Office 365 ISMS,
as well as required global compliance requirements, and provides measurable controls for Office 365 teams.

C.7.5.3.Part1. Adequate protection of Documented information required by the Office 365 Information Security Management System (ISMS) and by this international Examined access controls and integrity protections of the internal SharePoint site and the Office 365 TMR tool site by means of reviewing logs of access attempts with and
b documentation standard is controlled to ensure that it is adequately protected from loss of confidentiality, improper use, or loss of integrity. These without the appropriate user credentials, and determined that documented information required by the ISMS and by this international standard is controlled to ensure that it
documents are available to Office 365 teams via an internal SharePoint site as well as through the Office 365 Trust Metadata Record is adequately protected from loss of confidentiality, improper use, or loss of integrity.
(TMR) tool site. Documents stored within the internal SharePoint site are protected using SharePoint’s built-in confidentiality and
data integrity protection mechanisms. Documents stored on Office 365 TMR tool site are protected by access controls implemented
on this site to restrict access to only appropriate Office 365 team members and to protect the integrity of the data. Microsoft and
Office 365 security policies form the baseline for information security objectives across Office 365 teams. These security policies
translate management's strategic priority to protect the confidentiality, integrity, availability, and reliability of Office 365 systems and
data into actionable information security objectives. These objectives are then defined in a more specific and granular level through
the Office 365 System Security Plan as well as Office 365 team-specific standard operating procedures (SOPs). Furthermore, the
Office 365 control framework gathers information security requirements that are defined by the Office 365 ISMS, as well as required
global compliance requirements, and provides measurable controls for Office 365 teams.

C.7.5.3.Part2. Document distribution, For the control of documented information, Microsoft addresses the following activities, as applicable: distribution, access, retrieval Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, and the Office 365 control
c access, retrieval and use and use. Documented information is available to Office 365 teams via an internal SharePoint site as well as through the Office 365 framework, and Trust team documents available on the internal SharePoint site as well as on the Office 365 TMR tool site and determined that for the control of documented
Trust Metadata Record (TMR) tool site. Microsoft and Office 365 security policies form the baseline for information security information, Microsoft addresses distribution, access, retrieval, and usage.
objectives across Office 365 teams. These security policies translate management's strategic priority to protect the confidentiality,
integrity, availability, and reliability of Office 365 systems and data into actionable information security objectives. These objectives
are then defined in a more specific and granular level through the Office 365 System Security Plan as well as Office 365 team-
specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers information security
requirements that are defined by the Office 365 Information Security Management System (ISMS), as well as required global
compliance requirements, and provides measurable controls for Office 365 teams.

C.7.5.3.Part2. Document storage and For the control of documented information, Microsoft addresses the following activities, as applicable: storage and preservation, Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, the Office 365 control framework,
d preservation including the preservation of legibility. Documented information is available to Office 365 teams via an internal SharePoint site as and Trust team documents available on the internal SharePoint site as well as on the Office 365 TMR tool site, and determined that for the control of documented
well as through the Office 365 Trust Metadata Record (TMR) tool site. Documents stored on the Office 365 TMR tool site are information, Microsoft addresses the following activities, as applicable: storage and preservation, including the preservation of legibility.
protected by access controls that restrict access to the appropriate Office 365 team members and protect the integrity of data.
Microsoft and Office 365 security policies form the baseline for information security objectives across Office 365 teams. These Examined access controls and integrity protections of the internal SharePoint site and the Office 365 TMR tool site by means of reviewing logs of access attempts with and
security policies translate management's strategic priority to protect the confidentiality, integrity, availability, and reliability of Office without the appropriate user credentials, and determined that documented information required by the ISMS and by this international standard is controlled to ensure that it
365 systems and data into actionable information security objectives. These objectives are then defined in a more specific and is adequately protected from loss of confidentiality, improper use, or loss of integrity.
granular level through the Office 365 System Security Plan as well as Office 365 team-specific standard operating procedures (SOPs).
Furthermore, the Office 365 control framework gathers information security requirements that are defined by the Office 365
Information Security Management System (ISMS), as well as required global compliance requirements, and provides measurable
controls for Office 365 teams.
C.7.5.3.Part2. Document control of For the control of documented information, Microsoft addresses the following activities, as applicable: control of changes (e.g., Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information security SOPs, the Office 365 control framework,
e changes version control). Documented information is available to Office 365 teams via an internal SharePoint site as well as through the and Trust team documents available on the internal SharePoint site as well as on the Office 365 TMR tool site and determined that for the control of documented information,
Office 365 Trust Metadata Record (TMR) tool site. Microsoft addresses control of changes (e.g., version control) across all of these Microsoft addresses the control of changes (e.g., version control) across all of these documents by ensuring that the documents contain version change metadata, such as
documents by ensuring that the documents contain version change metadata such as who made change, and summary of the who made the change, and a summary of changes.
change. Documents stored on the Office 365 TMR tool site is protected by access controls that restrict access to the appropriate
Office 365 team members and protect the integrity of data. Microsoft and Office 365 security policies form the baseline for Examined access controls and integrity protections of the internal SharePoint site and the Office 365 TMR tool site by means of reviewing logs of access attempts with and
information security objectives across Office 365 teams. These security policies translate management's strategic priority to protect without the appropriate user credentials, and determined that documented information required by the ISMS and by this international standard is controlled to ensure that it
the confidentiality, integrity, availability, and reliability of Office 365 systems and data into actionable information security objectives. is adequately protected from loss of confidentiality, improper use, or loss of integrity.
These objectives are then defined in a more specific and granular level through the Office 365 System Security Plan as well as Office
365 team-specific standard operating procedures (SOPs). Furthermore, the Office 365 control framework gathers information
security requirements that are defined by the Office 365 Information Security Management System, as well as required global
compliance requirements, and provides measurable controls for Office 365 teams.

C.7.5.3.Part2. Document retention and For the control of documented information, Microsoft addresses the following activities, as applicable: retention and disposition. Examined access controls and integrity protections of the internal SharePoint site and the Office 365 TMR tool site by means of reviewing logs of access attempts with and
f disposition Office 365 owned assets, including security documents, are retained as appropriate based on retention requirements set by the without the appropriate user credentials, and determined that for the control of documented information, Microsoft addresses retention and disposition of these documents
Office 365 Information Security Policy. as set by the Office 365 Information Security Policy.
C.8.1.Part1 Plans to achieve information Microsoft plans, implements and controls the processes needed to meet information security requirements, and to implement the Examined the Office 365 system security plan, the Office 365 Information Security Policy, the Office 365 controls framework and associated standard operating procedures
security objectives actions determined in the Office 365 Information Security Management System (ISMS). Microsoft also implements plans to achieve (SOPs) related to security assessment, and POAMs, and determined that Office 365 plans, implements and integrates control over the process and actions needed to achieve
determined in ISMS the determined information security objectives. Microsoft plans how to integrate and implement the actions into its ISMS the information security objectives detailed within the ISMS. POAMs are developed and maintained by the Office 365 Risk and Remediation team. They are recorded in
processes. Microsoft develops plans of action and milestones (POAMs) in accordance risk assessments that are performed. POAMs Product Studio and the Office 365 Trust Metadata Record (TMR) tool site to ensure an auditable record of each POAM. POAMs describe how the information system owner
are developed and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transference).
each POAM. POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk
acceptance, risk mitigation, risk avoidance, and risk transference). Examined monthly service review documentation, such as meeting agendas, meeting minutes, and dashboards and determined that the appropriate individuals are assigned
the responsibility and authority for reporting on the performance of the ISMS to top management. In addition, determined that Office 365 teams have created key
POAMs are recorded in an engineering tool so that risk remediation actions are integrated and implemented into Office 365 team performance Indicators (KPIs) that reflect the relevant security metrics for the service and that Office 365 teams monitor and report those KPIs monthly by publishing the
processes and are executed. measurable data to dashboards for consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly service review.

Office 365 teams, along with the Office 365 Risk and Remediation team, continually evaluate the effectiveness of these actions via
POAMs and monthly service reviews.

C.8.1.Part2 Documented information for Microsoft keeps documented information to the extent necessary to have confidence that processes have been carried out as Examined the Office 365 system security plan, the Office 365 information security policy, the Office 365 controls framework and associated standard operating procedures
processes have been carried planned. Microsoft plans how to integrate and implement the actions into its Office 365 Information Security Management System (SOPs) related to risk assessment, and POAMs, and determined that Microsoft keeps documented information to the extent necessary to have confidence that processes have
out as part of information (ISMS). Microsoft develops plans of action and milestones (POAMs) in accordance risk assessments performed. POAMs are been carried out as planned.
security plan developed and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each
POAM. POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk Examined the Office 365 security plan, the Office 365 Information Security Policy, and the Office 365 controls framework and associated SOPs related to security assessment,
mitigation, risk avoidance, and risk transference). and POAMs, and determined that Microsoft implemented plans to achieve the information security objectives detailed in the ISMS. POAMs are developed and maintained by
the Office 365 Risk and Remediation team. They are recorded in Product Studio and in the Office 365 Trust Metadata Record tool site tool to ensure an auditable record of
POAMs are recorded in an engineering tool so that risk remediation actions are integrated and implemented into Office 365 team each POAM. POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk
processes and are executed. transference).

Office 365 teams along with the Office 365 Risk and Remediation team continually evaluate the effectiveness of these actions via Examined monthly service review documentation, such as meeting agendas, meeting minutes, and dashboards, and determined that Microsoft management assigns the
POAMs and monthly service reviews. responsibility and authority for reporting on the performance of the ISMS to senior management. In addition, determined that Office 365 teams have created key
performance Indicators (KPIs) that reflect the relevant security metrics for the service and that Office 365 teams monitor and report on those KPIs monthly by publishing the
measurable data to dashboards for consumption by relevant stakeholders, as well as by reviewing security data with management in a monthly service review.

C.8.1.Part3 Office 365's actions to Microsoft has change management programs in place to evaluate proposed changes to security and privacy requirements before a Examined the Office 365 system security plan and determined that all Office 365 software developers are required to follow the Office 365 configuration management process
mitigate any adverse effects change is implemented. These programs provide technical enforcement of documented change management processes. Among and the Microsoft Security Development Lifecycle (SDL) during information system design, development, implementation, and operation.
other features, they prevent changes to source code that are not tied to an approved change request.
Examined tools supporting Office 365 configuration management and the SDL as well as a selection of changes documented within these tools, and determined that Office
365 developers use software tools to document, manage, and control the integrity of changes to the development environment. These tools provide technical enforcement of
the documented change management processes and the SDL. Among other features, they prevent changes to source code that are not tied to an approved change request.
Developers of Office 365 implement only approved changes to the system. Office 365 teams follow the change management processes when implementing changes. Changes
are approved and tracked through system software tools.

C.8.1.Part4 Outsourced processes Microsoft ensures that outsourced processes are determined and controlled. Microsoft requires third parties (external information Examined the MMVA and determined that suppliers complied with the physical and information security policies set out in the SOW or otherwise provided to the supplier by
system services) that are engaged with Office 365 to sign a Microsoft Master Vendor Agreement (MMVA). The MMVA requires the Microsoft. Determined that, per the MMVA, the supplier also must use security procedures to prevent the disclosure of Microsoft Confidential Information to unauthorized
third party to comply with applicable Office 365 security policies and to implement security procedures to prevent the disclosure of third parties. All suppliers must have controls in place to protect the system access, system and application development and maintenance, change management, asset
Microsoft Confidential Information. Office 365 includes provisions in the MMVA and any associated Statement of Work (SOW) with classification and control, incident response, physical and environmental security, disaster recovery, and employee training. Finally, determined that vendors and contractors
each vendor addressing the need to use the appropriate security controls. Vendors that handle sensitive data must be in compliance must sign the MMVA prior to beginning work at Microsoft. Security requirements are detailed in the MMVA that must be signed prior to beginning the engagement. Also
with Microsoft's vendor privacy practices and data protection requirements. interviewed Office 365 Trust team personnel and determined that vendors and contractors are subject to the MMVA and to non-disclosure agreements.
C.8.2 Information security risk Microsoft implements an information security risk treatment plan. Microsoft retains documented information of the results of the Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures, and confirmed that risk assessment
assessments at planned information security risk assessments. The Office 365 Risk Management Program facilitates trust-based risk management procedures clearly establish guidelines for implementing an information security risk treatment plan and for retaining documented information of the results of the
intervals (information security, compliance and privacy) for Office 365 teams. These trust risks occur primarily in the Office 365 business unit, information security risk assessments.
but the approach and methodology can be applied to any business unit within Microsoft. Particular risk management activities may
include other covered services, such as acquired companies or selectively-scoped business units. Examined Office 365 risk assessment documents, risk register, risk remediation reports, plan of actions and milestones, presentations, and multiple meeting minutes, and
determined that Microsoft implements information security risk assessments and retains documented information of the results of the information security risk assessments.
Detailed activities that will take place as part of the risk review process include:

- Risk Identification: A threat and vulnerability assessment is conducted on all key control areas to identify internal and external
threats and associated vulnerabilities in the Office 365 environment. Information is continuously gathered from numerous data
sources within Microsoft, including Microsoft's Office of Enterprise Risk Management (OERM), Service Risk Management (SRM), the
Office 365 Trust team, and representatives of other Office 365 services.

- Risk Assessment: The Office 365 Trust team engages in a risk assessment of the Office 365 environment. As part of this assessment,
risks are evaluated for likelihood and effect to determine the inherent risk impact level. Then, key controls within each of the control
areas are assessed for design and effectiveness to determine residual risk level. Additionally, severe and high risks are reviewed as
needed, for ongoing risks, or as new threats are identified.

- Risk Remediation Response: Once assessed, risks are assigned to the affected service team for remediation. The Office 365 Trust
team and other service teams then develop plans to address these risks. The risk severity assigned as part of the risk assessment
determines the appropriate level of review and approval of these plans. At a high level the following steps are performed as part of
the risk management:

- Respond to the risk (e.g., avoid, mitigate, accept or transfer). This step is based on risk severity assigned to the risk identified.

- Monitor the risk (e.g., continuous testing/monitoring, periodic reviews, audits, bug evaluations, etc.).

- Report on the risk (e.g., Dashboarding, metrics, etc.).

The risk management process can be iterative for risk assessment and risk treatment activities. An iterative approach to conducting
risk assessment increases the depth and detail of the assessment and provides a good balance by minimizing the time and effort
C.8.3 Information security risk Microsoft implements an information security risk treatment plan. Microsoft retains documented information of the results of the Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedures, and confirmed that risk assessment
treatment plan. information security risk treatment. The Office 365 Risk Management Program facilitates trust-based risk management (information procedures clearly establish guidelines for retaining documented information of the results of the information security risk treatments.
security, compliance and privacy) for Office 365 teams. These trust risks occur primarily in the Office 365 business unit, but the
approach and methodology can be applied to any business unit within Microsoft. Particular risk management activities may include Examined Office 365 risk assessment documents, risk register, risk remediation reports, plan of actions and milestones, presentations, and multiple meeting minutes, and
other covered services, such as acquired companies or selectively-scoped business units. determined that Microsoft retains documented information of the results of the information security risk treatments.

Detailed activities that will take place as part of the risk review process include:

- Risk Identification: A threat and vulnerability assessment is conducted on all key control areas to identify internal and external
threats and associated vulnerabilities in the Office 365 environment. Information is continuously gathered from numerous data
sources within Microsoft, including Microsoft's Office of Enterprise Risk Management (OERM), Service Risk Management (SRM), the
Office 365 Trust team, and representatives of other Office 365 services.

- Risk Assessment: The Office 365 Trust team engages in a risk assessment of the Office 365 environment. As part of this assessment,
risks are evaluated for likelihood and effect to determine the inherent risk impact level. Then, key controls within each of the control
areas are assessed for design and effectiveness to determine residual risk level. Additionally, severe and high risks are reviewed as
needed, for ongoing risks, or as new threats are identified.

- Risk Remediation Response: Once assessed, risks are assigned to the affected service team for remediation. The Office 365 Trust
team and other service teams then develop plans to address these risks. The risk severity assigned as part of the risk assessment
determines the appropriate level of review and approval of these plans. At a high level the following steps are performed as part of
the risk management:

- Respond to the risk (e.g., avoid, mitigate, accept or transfer). This step is based on risk severity assigned to the risk identified.

- Monitor the risk (e.g., continuous testing/monitoring, periodic reviews, audits, bug evaluations, etc.).

- Report on the risk (e.g., Dashboarding, metrics, etc.).

The risk management process can be iterative for risk assessment or risk treatment activities. An iterative approach to conducting
risk assessment increases the depth and detail of the assessment and provides a good balance by minimizing the time and effort
C.9.1.a Effectiveness of the Microsoft evaluates the information security performance and the effectiveness of the Office 365 Information Security Management Examined the Office 365 system security plan, the Office 365 information security policy, and the Office 365 controls framework and associated standard operating procedures
information security System (ISMS). Microsoft determines what needs to be monitored and measured, including information security processes and related to security assessment and authorization, and determined that Microsoft has determined what needs to be monitored and measured, including information security
management system. controls. Microsoft has a continuous monitoring program for Office 365 to evaluate the information security and privacy processes and controls.
performance and to evaluate the effectiveness of the ISMS. Microsoft continually monitors changes to the information system to
determine potential security impacts and as necessary those changes made prior to change implementation. Furthermore, Office Examined Office 365 audit reports, scope documents, continuous monitoring reports, which detail the scope of controls to be tested and measured to determine that
365 is under frequent and periodic audits from third-party independent auditors to perform FedRAMP, ISO, SOC and other audits. Microsoft has determined what needs to be monitored and measured, including information security processes and controls.
Microsoft along with these third-party independent auditors has determined what needs to be monitored and measured, including
information security processes and controls.

C.9.1.b Methods for monitoring, Microsoft evaluates the information security performance and the effectiveness of the Office 365 Information Security Management Examined the Office 365 system security plan, the Office 365 information security policy, and the Office 365 controls framework and associated standard operating procedures
measurement, analysis and System (ISMS). Microsoft determines the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure related to security assessment and authorization and determined that Microsoft has determined the methods for monitoring, measurement, analysis and evaluation, as
evaluation valid results. Microsoft has a continuous monitoring program for Office 365 to evaluate information security and privacy applicable, to ensure valid results.
performance and to evaluate the effectiveness of the ISMS. Microsoft continually monitors changes to the information system to
determine potential security impacts and as necessary those changes made prior to change implementation. Furthermore, Office Examined Office 365 audit reports, scope documents, continuous monitoring reports, which detail the process of controls to be tested and measured to determine that
365 is under frequent and periodic audits from third-party independent auditors to perform FedRAMP, ISO, SOC, and other audits. Microsoft has determined the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results.
Microsoft along with these third-party independent auditors has determined the methods for monitoring, measurement, analysis
and evaluation, as applicable, to ensure valid results.
C.9.1.c Determination of monitoring Microsoft evaluates the information security performance and the effectiveness of the Office 365 Information Security Management Examined the Office 365 system security plan, the Office 365 Information Security Policy, and the Office 365 controls framework and associated standard operating
and measuring period System (ISMS). Microsoft determines when monitoring and measuring shall be performed. Microsoft has a continuous monitoring procedures related to security assessment and authorization and determined that Microsoft has determined when monitoring and measuring shall be performed.
program for Office 365 to evaluate the information security and privacy performance and to evaluate the effectiveness of the ISMS.
Microsoft continually monitors changes to the information system to determine potential security impacts and as necessary those Examined Office 365 audit reports, scope documents, continuous monitoring reports, which detail the process of controls to be tested and measured to determine that
changes made prior to change implementation. Furthermore, Office 365 is under frequent and periodic audits from third-party Microsoft has determined when monitoring and measuring shall be performed. Based on the examination it was noted that Continuous Monitoring tests are performed on a
independent auditors to perform FedRAMP, ISO, SOC, and other audits. Microsoft along with these third-party independent monthly basis and that FedRAMP, ISO, and SOC audits are performed on an annual basis. It was also noted that since FedRAMP, ISO, and SOC audits are staggered across a
auditors has determined when monitoring and measuring shall be performed. 12-month period, effectively, Office 365 controls are audited on an almost quarterly basis.

C.9.1.d Responsibilities for Microsoft evaluates the information security performance and the effectiveness of the Office 365 Information Security Management Examined the Office 365 system security plan, the Office 365 Information Security Policy, and the Office 365 controls framework and associated standard operating
monitoring and measuring System (ISMS). Microsoft determines who will monitor and measure. Microsoft has a continuous monitoring program to evaluate procedures related to security assessment and authorization and determined that Microsoft determines who will perform monitoring and measuring.
the information security and privacy performance and to evaluate the effectiveness of the ISMS. Microsoft continually monitors
changes to the information system to determine potential security impacts and as necessary those changes made prior to change Examined Office 365 audit reports, scope documents, and continuous monitoring reports, which detail the ownership of tests performed to determine that Microsoft
implementation. Continuous monitoring is conducted by the Office 365 Trust team in collaboration with Office 365 teams. determines who will perform monitoring and measuring. Based on the examination it was noted that continuous monitoring tests are performed by the Office 365 Trust team
Furthermore, Office 365 is under frequent and periodic audits from third-party independent auditors to perform FedRAMP, ISO, in collaboration with other Office 365 teams and that audits are performed by third-party independent auditors.
SOC, and other audits. Microsoft along with these third-party independent auditors determines who will perform monitoring and
measuring.

C.9.1.e Analysis of results from Microsoft evaluates the information security performance and the effectiveness of the Office 365 Information Security Management Examined the Office 365 system security plan, the Office 365 Information Security Policy, and the Office 365 controls framework and associated standard operating
monitoring and System (ISMS). Microsoft determines when the results from monitoring and measurement are analyzed and evaluated. Continuous procedures related to security assessment and authorization and determined that Microsoft determines when the results from monitoring and measurement are analyzed and
measurements monitoring results are analyzed and evaluated on a monthly basis. FedRAMP, ISO, and SOC audit results are analyzed and evaluated evaluated.
immediately upon audit. FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC
audits are staggered across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party Examined Office 365 audit reports, scope documents, continuous monitoring reports, which detail the process of controls to be tested and measured to determine that
independent auditors almost quarterly. Microsoft determines when the results from monitoring and measurement are analyzed and evaluated. Based on the examination it was noted that continuous monitoring
tests are analyzed and evaluated on a monthly basis and that FedRAMP, ISO, and SOC audits are analyzed and evaluated on an annual basis. It was also noted that since
FedRAMP, ISO, and SOC audits are staggered across a 12-month period, effectively Office 365 controls are analyzed and measured almost quarterly.

C.9.1.f Responsibilities to analyze Microsoft evaluates the information security performance and the effectiveness of the Office 365 Information Security Management Examined the Office 365 system security plan, the Office 365 Information Security Policy, and the Office 365 controls framework and associated standard operating
and evaluate results System (ISMS). Microsoft determines who will analyze and evaluate these results. Continuous monitoring results are analyzed and procedures related to security assessment and authorization and determined that Microsoft determines when the results from monitoring and measurement are analyzed and
evaluated on monthly basis by the Office 365 Trust team and participating Office 365 teams. FedRAMP, ISO, and SOC audit results evaluated.
are analyzed and evaluated immediately upon audit. Furthermore, these results are then analyzed and evaluated by the Office 365
Risk and Remediation team who summarize these results for Office 365 management reviews. Examined the audit reports, scope documents, continuous monitoring reports, which detailed the process of controls to be tested and measured to determine that Microsoft
determines when the results from monitoring and measurement are analyzed and evaluated. Based on the examination it was noted that continuous monitoring tests are
analyzed and evaluated on a monthly basis and that FedRAMP, ISO, and SOC audits are analyzed and evaluated on an annual basis. It was also noted that since FedRAMP,
ISO, and SOC audits are staggered across a 12-month period, effectively Office 365 controls are analyzed and measured almost quarterly.

C.9.2.a.Part1 Internal audits Microsoft conducts various audits at planned intervals to provide information on whether the Office 365 Information Security Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content) and determined that
Management System (ISMS) conforms to Microsoft's own requirements for it. These requirements are aligned with Microsoft's Microsoft conducts various audits of Office 365 at planned intervals to provide information on whether the Office 365 ISMS conforms to Microsoft's own requirements for it.
strategic business objectives of securing the confidentiality, integrity, availability, and reliability of Office 365 systems and data.
Examined continuous monitoring reports, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports to determine
In support of this objective, Microsoft conducts following tests and audits: that:

- Microsoft has a monthly continuous monitoring program to evaluate the information security and privacy performance and to - Microsoft audits Office 365 information security controls monthly through a continuous monitoring program.
evaluate the effectiveness of the ISMS.
- Microsoft measures, evaluates, and reviews key security metrics during each MSR.
- Microsoft management reviews key security metrics during Monthly Service Reviews (MSRs) to allow for more granular monitoring
and continual improvement throughout the year. - Microsoft performs quarterly and annual risk assessments and presents them to Office 365 and Microsoft management.

- The Office 365 Risk and Remediation team, in collaboration with Microsoft's Office of Enterprise Risk Management, reviews top - Office 365 was audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.
risks for Office 365 with Microsoft management on a quarterly basis. Furthermore, they conduct an in-depth risk assessment on an
annual basis.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
almost quarterly.
C.9.2.a.Part2 Internal audits to measure Microsoft conducts various audits of Office 365 at planned intervals to provide information on whether the Office 365 Information Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content), and determined that
conformation to ISO 271001 Security Management System (ISMS) conforms to the requirements of this international standard. These requirements are aligned Microsoft conducts various audits at planned intervals to provide information on whether the Office 365 ISMS conforms to the requirements of this international standard.
standard with Microsoft's strategic business objectives of securing the confidentiality, integrity, availability, and reliability of Office 365
systems and data. Examined continuous monitoring reports, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports, to determine
that:
Since Microsoft's control framework is mapped to ISO 27001 and ISO 27018 standards, any audits performed against the control
framework also provide information on whether the ISMS conforms to these standards. - Microsoft audits Office 365 information security controls primarily through a continuous monitoring program.

In support of this objective, Microsoft conducts the following tests and audits: - Microsoft measures, evaluates, and reviews key security metrics for Office 365 during each MSR.

- Microsoft has a monthly continuous monitoring program for Office 365 to evaluate the information security and privacy - Microsoft performs quarterly and annual risk assessments and presents them to Office 365 and Microsoft management.
performance and to evaluate the effectiveness of the ISMS.
- Office 365 was audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.
- Microsoft Management reviews key security metrics during each Monthly Service Review (MSR) to allow for more granular
monitoring and continual improvement throughout the year.

- The Office 365 Risk and Remediation team, in collaboration with Microsoft's Office of Enterprise Risk Management, review the top
Office 365 risks with Office 365 and Microsoft management on a quarterly basis. Furthermore, the team conducts an in-depth risk
assessment on an annual basis.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
almost quarterly.

C.9.2.b Internal audits to measure Microsoft conducts internal audits of Office 365 at planned intervals to provide information on whether the Office 365 Information Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content) and determined that
effectiveness of information Security Management System (ISMS) is effectively implemented and maintained. These requirements are aligned with Microsoft's Microsoft conducts various audits of Office 365 at planned intervals to provide information on whether the ISMS is effectively implemented and maintained.
security management system strategic business objectives of securing the confidentiality, integrity, availability, and reliability of Office 365 systems and data.
implemented and Since Microsoft's control framework for Office 365 is mapped to ISO 27001 and ISO 27018 standards, any audits performed against Examined continuous monitoring reports, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports, to determine
maintained it also provide information on whether the ISMS conforms to these standards. that:

In support of this objective, Microsoft conducts the following tests and audits: - Microsoft audits information security controls for Office 365 primarily through a continuous monitoring program.

- Microsoft has a monthly continuous monitoring program to evaluate the information security and privacy performance and to - Microsoft measures, evaluates, and reviews key security metrics for Office 365 during each MSR.
evaluate the effectiveness of the ISMS.
- Microsoft performs quarterly and annual risk assessments and presents them to Office 365 and Microsoft management.
- Microsoft management reviews key security metrics during each Monthly Service Review (MSR) to allow for more granular
monitoring and continual improvement throughout the year. - Office 365 was audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.

- The Office 365 Risk and Remediation team, in collaboration with Microsoft's Office of Enterprise Risk Management team, review
the top risks with Office 365 and Microsoft management on a quarterly basis. Furthermore, they conduct an in-depth risk
assessment on an annual basis.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
almost quarterly.

C.9.2.c Audit program Microsoft plans, establishes, implements and maintains an audit program(s) for Office 365, including the frequency, methods, Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content) and determined that
responsibilities, planning requirements and reporting. The audit program(s) take into consideration the importance of the processes Microsoft plans, establishes, implements and maintains audit programs, that include such details as the frequency, methods, responsibilities, planning requirements and
that are involved and the results of previous audits. These requirements are aligned with Microsoft's strategic business objectives of reporting. Also determined that audit programs take into consideration the importance of the involved processes and the results of previous audits.
securing the confidentiality, integrity, availability, and reliability of Office 365 systems and data.
Examined continuous monitoring reports, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports, to determine
Since Microsoft's control framework for Office 365 is mapped to ISO 27001 and ISO 27018 standards, any audits performed against that:
it also provide information on whether the ISMS conforms to these standards.
- Microsoft audits information security controls for Office 365 primarily through a continuous monitoring program.
In support of this objective, Microsoft conducts the following tests and audits:
- Microsoft measures, evaluates, and reviews key security metrics for Office 365 during each MSR.
- Microsoft has a monthly continuous monitoring program to evaluate the information security and privacy performance and to
evaluate the effectiveness of the ISMS. - Microsoft performs quarterly and annual risk assessments and presents them to Office 365 and Microsoft management.

- Microsoft management reviews key security metrics during each Monthly Service Review (MSR) to allow for more granular - Office 365 was audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.
monitoring and continual improvement throughout the year.

- The Office 365 Risk and Remediation team, in collaboration with Microsoft's Office of Enterprise Risk Management team, review
the top risks with Office 365 and Microsoft management on a quarterly basis. Furthermore, they conduct an in-depth risk
assessment on an annual basis.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
almost quarterly.
C.9.2.d Audit criteria and scope Microsoft defines the audit criteria and scope for each audit. A Security Assessment Plan (SAP) for Office 365 is developed by an Examined Office 365 audit reports, risk assessments, the SAP, meeting minutes, presentations, and various communications (e-mails, and training content) and determined
accredited independent assessor. Microsoft's audit programs take into consideration the importance of the processes that are that Microsoft defines the audit criteria and scope for each audit.
involved and the results of previous audits.
Examined continuous monitoring reports, the SAP, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports, to
Since Microsoft's control framework for Office 365 is mapped to ISO 27001 and ISO 27018 standards, any audits performed against determine that:
it also provide information on whether the ISMS conforms to these standards.
- Microsoft audits information security controls for Office 365 primarily through a continuous monitoring program.
In support of this objective, Microsoft conducts the following tests and audits:
- Microsoft measures, evaluates, and reviews key security metrics for Office 365 during each MSR.
- Microsoft has a monthly continuous monitoring program to evaluate the information security and privacy performance and to
evaluate the effectiveness of the ISMS. - Microsoft performs quarterly and annual risk assessments and presents them to Office 365 and Microsoft management.

- Microsoft management reviews key security metrics during each Monthly Service Review (MSR) to allow for more granular - Office 365 was audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.
monitoring and continual improvement throughout the year.

- The Office 365 Risk and Remediation team, in collaboration with Microsoft's Office of Enterprise Risk Management team, review
the top risks with Office 365 and Microsoft management on a quarterly basis. Furthermore, they conduct an in-depth risk
assessment on an annual basis.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
almost quarterly.

C.9.2.e Selection of auditors Microsoft conducts internal audits of Office 365 at planned intervals to provide information on whether the Office 365 Information Examined Office 365 audit reports, auditor biographies, meeting minutes, MSR communications, continuous monitoring reports, and Microsoft organizational and reporting
Security Management System (ISMS) is effectively implemented and maintained. These requirements are aligned with Microsoft's charts, to determine that Microsoft selects auditors and conducts audits that ensure objectivity and the impartiality of the audit process.
strategic business objectives of securing the confidentiality, integrity, availability, and reliability of Office 365 systems and data.
Microsoft select auditors and conducts audits that ensure the objectivity and impartiality of the audit process.

Since Microsoft's control framework for Office 365 is mapped to ISO 27001 and ISO 27018 standards, any audits performed against
it also provide information on whether the ISMS conforms to these standards.

In support of this objective, Microsoft conducts the following tests and audits:

- Microsoft has a monthly continuous monitoring program to evaluate information security and privacy performance and to
evaluate the effectiveness of the ISMS. The Continuous Monitoring team is independent of the Office 365 teams that are the subject
of the audits.

- Microsoft management reviews key security metrics for Office 365 during each Monthly Service Review (MSR) to allow for more
granular monitoring and continual improvement throughout the year. These key security metrics are measured by the Office 365
Security and Trust teams, which are independent from the Office 365 teams whose performance is the subject of review at MSRs.

- The Office 365 Risk and Remediation team, in collaboration with Microsoft's Office of Enterprise Risk Management (OERM), review
the top risks with Office 365 and Microsoft management on a quarterly basis. Furthermore, they conduct an in-depth risk
assessment on an annual basis. The Office 365 Risk and Remediation team has a degree of independence from other Office 365
teams. Furthermore, the OERM team is totally independent of all Office 365 teams, reporting directly to Microsoft's Chief Financial
Officer and indirectly to Microsoft's Board of Directors.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
almost quarterly.
C.9.2.f Office 365 reporting of Microsoft conducts internal audits of Office 365 at planned intervals to provide information on whether the Office 365 Information Examined Office 365 audit reports, meeting minutes, monthly service review communications, continuous monitoring reports, and Microsoft organizational and reporting
audits results to relevant Security Management System (ISMS) is effectively implemented and maintained. These requirements are aligned with Microsoft's charts to determine that Microsoft selects auditors and conducts audits and ensures that the results of the audits are reported to relevant management.
management strategic business objectives of securing the confidentiality, integrity, availability, and reliability of Office 365 systems and data.
Microsoft ensures that the results of audits are reported to the relevant management personnel.

Since Microsoft's control framework for Office 365 is mapped to ISO 27001 and ISO 27018 standards, any audits performed against
it also provide information on whether the ISMS conforms to these standards.

In support of this objective, Microsoft conducts the following tests and audits:

- Microsoft has a monthly continuous monitoring program to evaluate information security and privacy performance and to
evaluate the effectiveness of the ISMS. The Continuous Monitoring team is independent of other Office 365 teams which are the
subject of audits.

- Microsoft management reviews key security metrics during each Monthly Service Review (MSR) to allow for more granular
monitoring and continual improvement throughout the year. These key security metrics are measured by Office 365 Security and
Trust teams which are independent from the Office 365 teams whose performance is the subject of review at MSRs.

- The Office 365 Risk and Remediation team, in collaboration with Microsoft's Office of Enterprise Risk Management (OERM), review
top risks with Office 365 and Microsoft management on a quarterly basis. Furthermore, they conduct an in-depth risk assessment
on an annual basis. The Office 365 Risk and Remediation team has a degree of independence from other Office 365 teams.
Furthermore, the OERM team is totally independent of other Office 365 teams, with reporting directly to Microsoft's Chief Financial
Officer and indirectly to Microsoft's Board of Directors.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
almost quarterly.

C.9.2.g Documented information as Microsoft retains documented information as evidence of the audit programs and the audit results. Audit programs and audit Examined Office 365 audit programs, audit reports, monthly service review communications, continuous monitoring reports stored on an internal SharePoint site as well as on
evidence of the audit results are available on an internal SharePoint site as well as through the Office 365 Trust Metadata Record (TMR) tool site. the Office 365 TMR tool site to determine that Microsoft retains documented information as evidence of the audit programs and the audit results.
program

C.9.3.Part1 Management review Microsoft management reviews the Office 365 Information Security Management System (ISMS) at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content), and determined that
continuing suitability, adequacy, and effectiveness. These requirements are aligned with Microsoft's strategic business objectives of Microsoft management reviews the Office 365 ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
securing the confidentiality, integrity, availability, and reliability of Office 365 systems and data.
Examined continuous monitoring reports, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports, to determine
In support of this objective, Microsoft management conducts the following reviews: that:

- Monthly continuous monitoring program findings to evaluate information security and privacy performance and to evaluate the - Microsoft reviews Office 365 information security controls primarily through a monthly continuous monitoring program.
effectiveness of the ISMS.
- Microsoft management measures, evaluates, and reviews key security metrics for Office 365 during each MSR.
- Key security metrics during each Monthly Service Review (MSR) to allow for more granular monitoring and continual improvement
throughout the year. - Office 365 and Microsoft management review quarterly and annual risk assessments.

- Top risks with management quarterly, as well as an in-depth review of risk assessment annually. - Office 365 management reviews audit reports as audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
and reviewed by Microsoft management almost quarterly.

C.9.3.Part2.a Consideration of the status Microsoft management reviews the Office 365 Information Security Management System (ISMS) at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content), and determined that
of actions from previous continuing suitability, adequacy, and effectiveness and that these review include consideration of the status of actions from previous Microsoft management reviews the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness, and that these review include consideration of
management reviews. management reviews. These requirements are aligned with Microsoft's strategic business objectives of securing the confidentiality, the status of actions from previous management reviews.
integrity, availability, and reliability of Office 365 systems and data.
Examined continuous monitoring reports, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports, to determine
In support of this objective, Microsoft management conducts the following reviews: that:

- Monthly continuous monitoring program findings to evaluate information security and privacy performance and to evaluate the - Microsoft reviews information security controls for Office 365 primarily through a monthly continuous monitoring program.
effectiveness of the ISMS.
- Microsoft management measures, evaluates, and reviews key security metrics for Office 365 during each MSR.
- Key security metrics during each Monthly Service Review (MSR) to allow for more granular monitoring and continual improvement
throughout the year. - Office 365 and Microsoft management review quarterly and annual risk assessments.

- Top risks with management quarterly, as well as an in-depth review of risk assessment annually. - Office 365 management reviews audit reports as audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
and reviewed by Microsoft management almost quarterly.
C.9.3.Part2.b Consideration of changes in Microsoft management reviews the Office 365 Information Security Management System (ISMS) at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content), and determined that
external and internal issues continuing suitability, adequacy, and effectiveness. The management review includes consideration of changes in external and management review includes consideration of changes in external and internal issues that are relevant to the ISMS.
internal issues that are relevant to the ISMS. These requirements are aligned with Microsoft's strategic business objectives of
securing the confidentiality, integrity, availability, and reliability of Office 365 systems and data. Examined continuous monitoring reports, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports, to determine
that:
In support of this objective, Microsoft management conducts the following reviews:
- Microsoft reviews information security controls for Office 365 primarily through a monthly continuous monitoring program.
- Monthly continuous monitoring program findings to evaluate information security and privacy performance and to evaluate the
effectiveness of the ISMS. - Microsoft management measures, evaluates, and reviews key security metrics for Office 365 during each MSR.

- Key security metrics during each Monthly Service Review (MSR) to allow for more granular monitoring and continual improvement - Office 365 and Microsoft management reviews quarterly and annual risk assessments.
throughout the year.
- Office 365 management reviews audit reports as audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.
- Top risks with management quarterly, and an in-depth review of risk assessment annually.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
and reviewed by Microsoft management almost quarterly.

C.9.3.Part2.c Consideration of feedback Microsoft management reviews the Office 365 Information Security Management System (ISMS) at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content), and determined that
on the information security continuing suitability, adequacy, and effectiveness. The management review includes consideration of feedback on information management review includes consideration of feedback on the information security performance, including trends in non-conformities and corrective actions, monitoring and
performance security performance, including trends in non-conformities and corrective actions, monitoring and measurement results, audit measurement results, audit results, and the fulfilment of information security objectives.
results, and the fulfilment of information security objectives. These requirements are aligned with Microsoft's strategic business
objectives of securing the confidentiality, integrity, availability, and reliability of Office 365 systems and data. Examined continuous monitoring reports, MSR communications and meeting minutes, quarterly and annual risk assessment presentations, and audits reports, to determine
that:
In support of this objective, Microsoft management conducts the following reviews:
- Microsoft reviews information security controls for Office 365 primarily through a monthly continuous monitoring program.
- Monthly continuous monitoring program findings to evaluate information security and privacy performance and to evaluate the
effectiveness of the ISMS. - Microsoft management measures, evaluates, and reviews key security metrics for Office 365 during each MSR.

- Key security metrics during each Monthly Service Review (MSR) to allow for more granular monitoring and continual improvement - Office 365 and Microsoft management reviews quarterly and annual risk assessments.
throughout the year.
- Office 365 management reviews audit reports as audited by third-party independent auditors who performed FedRAMP, ISO, and SOC audits in last 12 months.
- Top risks with management quarterly, as well as an in-depth review of risk assessment annually.

- FedRAMP, ISO, and SOC audits are performed on an annual basis. However, since FedRAMP, ISO, and SOC audits are staggered
across a 12-month period, effectively Office 365 controls are audited, analyzed, and evaluated by third-party independent auditors
and reviewed by Microsoft management almost quarterly.

C.9.3.Part2.d Consideration of feedback Microsoft management reviews the Office 365 Information Security Management System at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and training content), and determined that
from interested parties. continuing suitability, adequacy, and effectiveness. Management review includes the consideration of feedback from interested management review includes the consideration of feedback from interested parties such as key customers, partners, supporting Microsoft teams, including the Azure and
parties such as key customers, partners, and supporting Microsoft teams, including the Azure and Microsoft's Cloud Infrastructure & Microsoft's Cloud Infrastructure & Operations teams.
Operations teams.
C.9.3.Part2.e Consideration of results of Microsoft management reviews the Office 365 Information Security Management System at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, plan of actions and milestones, meeting minutes, presentations, and various communications (e-mails, and training
risk assessment and status of continuing suitability, adequacy, and effectiveness. Management review includes the consideration of the results of risk assessments content), and determined that management review includes the consideration of the results of risk assessments and the status of risk treatment plans.
risk treatment plan. and the status of risk treatment plans.

C.9.3.Part2.f Consideration of Microsoft management reviews the Office 365 Information Security Management System at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, plan of actions and milestones, meeting minutes, presentations, and various communications (e-mails, and training
opportunities for continual continuing suitability, adequacy, and effectiveness. Management review includes the consideration of continual improvement. content), and determined that management review includes the consideration of continual improvement.
improvement.

C.9.3.Part3 Outputs of management Microsoft management reviews the Office 365 Information Security Management System (ISMS) at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, plan of actions and milestones, MSR meeting minutes, management review meeting minutes, presentations, and various
review continuing suitability, adequacy, and effectiveness. The outputs of the management review include the decisions related to communications (e-mails, and training content), and determined that the outputs of management reviews include the decisions related to continued improvement
continued improvement opportunities and any need for changes to the ISMS. opportunities and any need for changes to the ISMS.

C.9.3.Part4 Documented information as Microsoft management reviews the Office 365 Information Security Management System at planned intervals to ensure its Examined Office 365 audit reports, risk assessments, plan of actions and milestones, MSR meeting minutes, management review meeting minutes, presentations, and various
evidence of the resultN226s continuing suitability, adequacy, and effectiveness. Microsoft retains documented information as evidence of the results of communications (e-mails, and training content), and determined that Microsoft retains documented information as evidence of the results of management reviews.
of management reviews. management reviews.

C.10.1.a Actions to control and When a non-conformity is identified, either through internal continuous monitoring or through a third-party independent auditor Examined Office 365 risk management standard operating procedures and multiple risk assessments of Office 365 conducted by Microsoft and determined that when a non-
correct non-conformity assessment, Microsoft assesses the non-conformity through the Office 365 Risk Management Team and through plans of actions conformity is identified, either through internal continuous monitoring or through a third-party independent auditor assessment, Microsoft assesses the non-conformity
and milestones (POAMs) processes. The non-conformity is assessed for impact, scored for the level of risk, and action is taken to through the Office 365 Risk Management team and POAM processes, and that actions are taken to control and correct it. Also noted that Microsoft deals with the
control and correct it and to deal with the consequences. consequences of any non-conformity.

Microsoft develops POAMs in accordance with performed risk assessments. POAMs are developed and maintained by the Office 365 Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations, and meeting minutes, and determined that Office 365 follows
Risk and Remediation team. They are recorded to ensure an auditable record of each POAM. POAMs describe how the information an established approach to risk management. Risk assessment documents demonstrate that the purpose of risk management is to ensure that when a non-conformity is
system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk mitigation, risk avoidance, and risk identified, either through internal continuous monitoring or third-party independent auditor assessment, Microsoft assesses the non-conformity through the Office 365 Risk
transference). Management team and POAM processes, and that actions are taken to control and correct it. Also noted that Office 365 dealt with the consequences. Also noted that
Microsoft deals with the consequences of any non-conformity.
C.10.1.b Evaluation for action to When a non-conformity is identified, either through internal continuous monitoring or through a third-party independent auditor Examined Office 365 risk management standard operating procedures, multiple risk assessments of Office 365 conducted by Microsoft, risk assessment documents, risk
eliminate the causes of assessment, Microsoft evaluates the need for action to eliminate the cause(s) of non-conformity, to ensure that it does not recur or register, risk remediation reports, POAMs, presentations and meeting minutes, and determined that when a non-conformity is identified, either through internal continuous
nonconformity occur elsewhere, by: monitoring or a third-party independent auditor assessment, Microsoft evaluates the need for action to eliminate the causes of non-conformity, to ensure that it does not
recur or occur elsewhere, by:
- Reviewing the non-conformity;
- Determining the cause(s) of the non-conformity; and - Reviewing the non-conformity;
- Determining if similar non-conformities exists, or could potentially occur. - Determining the cause(s) of the non-conformity; and
- Determining if similar non-conformities exists, or could potentially occur.
Microsoft develops plans of action and milestones (POAMs) in accordance with risk assessments performed. POAMs are developed
and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each POAM.
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk
mitigation, risk avoidance, and risk transference).

C.10.1.c Implementation of any When a non-conformity is identified, either through internal continuous monitoring or a third-party independent auditor Examined Office 365 risk management standard operating procedures and multiple risk assessments of Office 365 conducted by Microsoft and determined that when a non-
action needed to manage assessment, Microsoft implements any needed actions. conformity is identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft implements any needed actions.
non-conformity
Microsoft develops plans of action and milestones (POAMs) in accordance with risk assessments performed. POAMs are developed Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations and meeting minutes, and determined that Microsoft follows an
and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each POAM. established approach to risk management. Risk assessment documents demonstrate that the purpose of risk management is to ensure that when a non-conformity is
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft implements any needed actions.
mitigation, risk avoidance, and risk transference).

C.10.1.d Effectiveness for corrective When a non-conformity is identified, either through internal continuous monitoring or a third-party independent auditor Examined Office 365 risk management standard operating procedures (SOPs) and multiple risk assessments conducted by Office 365 and determined that when a non-
actions taken assessment, Office 365 reviews the effectiveness of any corrective action taken. conformity is identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft reviews the effectiveness of any corrective
action taken.
Microsoft develops plans of action and milestones (POAMs) in accordance with risk assessments performed. POAMs are developed
and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each POAM. Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations and multiple meeting minutes, and determined that Microsoft
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk follows an established approach to risk management. Risk assessment documents demonstrate that the purpose of risk management is to ensure that when a non-conformity
mitigation, risk avoidance, and risk transference). is identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft reviews the effectiveness of any corrective action
taken.

C.10.1.e Changes to the information When a non-conformity is identified, either through internal continuous monitoring or a third-party independent auditor Examined Office 365 risk management standard operating procedures and multiple risk assessments of Office 365 conducted by Microsoft, and determined that when a non-
security management system assessment, Microsoft makes changes to the Office 365 Information Security Management System (ISMS), as necessary. conformity is identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft makes changes to the ISMS, as necessary.
as necessary
Microsoft develops plans of action and milestones (POAMs) in accordance with risk assessments performed. POAMs are developed Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations and multiple meeting minutes, and determined that Microsoft
and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each POAM. follows an established approach to risk management. Risk assessment documents demonstrate that the purpose of risk management is to ensure that when a non-conformity
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk is identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft makes changes to the ISMS, as necessary.
mitigation, risk avoidance, and risk transference).

C.10.1.f Documented information as When a non-conformity is identified, either through internal continuous monitoring or a third-party independent auditor Examined Office 365 risk management standard operating procedures and multiple risk assessments of Office 365 conducted by Microsoft to determine that when a non-
evidence assessment, Microsoft retains documented information as evidence of the nature of the non-conformity and any subsequent actions conformity is identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft retains documented information as
taken. evidence of the nature of the non-conformity and any subsequent actions taken.

Microsoft develops plans of action and milestones (POAMs) in accordance with risk assessments performed. POAMs are developed Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations and multiple meeting minutes, and determined that Microsoft
and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each POAM. follows an established approach to risk management. Risk assessment documents demonstrate that the purpose of risk management is to ensure that when a non-conformity
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk is identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft retains documented information as evidence of the
mitigation, risk avoidance, and risk transference). nature of the non-conformity and any subsequent actions taken.

C.10.1.g Documented evidence of the When a non-conformity is identified, either through internal continuous monitoring or a third-party independent auditor Examined Office 365 risk management standard operating procedures and multiple risk assessments of Office 365 conducted by Microsoft, and determined that when a non-
results of any corrective assessment, Microsoft retains documented information as evidence of the results of any corrective action. conformity is identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft retains documented information as
action evidence of the results of any corrective action.
Microsoft develops plans of action and milestones (POAMs) in accordance with risk assessments performed. POAMs are developed
and maintained by the Office 365 Risk and Remediation team. They are recorded to ensure an auditable record of each POAM. Examined Office 365 risk assessment documents, risk register, risk remediation reports, POAMs, presentations and meeting minutes, and determined that Microsoft follows an
POAMs describe how the information system owner intends to address the vulnerabilities and risks (e.g., risk acceptance, risk established approach to risk management. Risk assessment documents demonstrate that the purpose of risk management is to ensure that when a non-conformity is
mitigation, risk avoidance, and risk transference). identified, either through internal continuous monitoring or a third-party independent auditor assessment, Microsoft retains documented information as evidence of the
results of any corrective action.

C.10.2 Continual improvement of Based on risk management, audit activities, and new compliance requirements, Microsoft continually improves the suitability, Examined risk assessments, audit reports and compliance gap analysis documents and related updates to ISMS, and determined that Microsoft continually improves the
the information security adequacy and effectiveness of the Office 365 Information Security Management System (ISMS). Microsoft management suitability, adequacy and effectiveness of the ISMS.
management system. continuously reviews the results and findings from risk assessments, audit activities, compliance requirements, and gap analysis. As
and when deemed appropriate by Microsoft management, updates are made to the ISMS.
Name:

Description:

Control Id

A.1.1

A.2.1

A.2.2
A.4.1

A.5.1

A.5.2

A.7.1

A.9.1

A.9.2
A.9.3

A.10.1

A.10.2

A.10.3
A.10.4

A.10.5
A.10.6

A.10.7

A.10.8

A.10.9
A.10.10

A.10.11

A.10.12
A.10.13

A.11.1

A.11.2

C.5.1.1.Part1
C.5.1.1.Part2

C.6.1.1

C.7.2.2
C.9.2.1

C.9.4.2

C.10.1.1

C.11.2.7
C.12.1.4.Part1

C.12.1.4.Part2

C.12.3.1.Part1

C.12.3.1.Part2

C.12.3.1.Part3
C.12.3.1.Part4

C.12.3.1.Part5

C.12.3.1.Part6

C.12.4.1.Part1
C.12.4.1.Part2

C.12.4.1.Part3

C.12.4.1.Part4
C.12.4.2.Part1

C.12.4.2.Part2

C.13.2.1.Part1

C.13.2.1.Part2
C.16.1.1

C.18.2.1
ISO 27018:2014
In line with Office 365's commitment to maintain strict privacy of your data, Office 365 has been
accredited to latest ISO 27018:2014 standards. In this section you will see implementation and
testing of controls specific to protection of Personally Identifiable Information (PII) and Privacy.

Control Title

PII principals’ rights to access, correct, and/or erase PII pertaining to them.

PII to be processed under a data processing contract

Express consent for data usage


Temporary files and documents

Customer notification for disclosure of PII to a law enforcement authority

Recording disclosures of PII

Disclosing the use of sub-contractors bused to process PII

Customer notification in the event of any unauthorized access to PII

Records of security policies and operating procedures


Policy for the return, transfer, and/or destruction of PII

Confidentiality obligation.

Restriction on the creation of hardcopy material displaying PII

Procedure for, data restoration efforts


Protection of data on storage media leaving the premises

Portable physical media and portable devices


Encryption of PII that is transmitted over public data-transmission networks

Destruction of hardcopy material

Distinct user ID for identification, authentication and authorization purposes.

Up-to-date record of the users


Management of de-activated or expired user IDs

Data processing contracts between customers and Office 365

Data processing contracts between Office 365 and any sub-contractors that process PII
Data visibility to customers

Countries in which PII might possibly be stored.

Controls over PII transmitted using a data-transmission network

Privacy and PII processing policies


Independently audited compliance

Privacy and PII processing responsibilities

Awareness education and training


User registration and deregistration process

Access control policy

Policy on the use of cryptographic controls

Storage media verification


Separation of development, testing, and operational environments

Risk assessment around PII handling

Backup copies of information

Capabilities with respect to backup and restoration of customer data.

Restoration of data processing operations


Backup policy for the erasure of PII contained in information held for backup purposes.

Use of sub-contractors to store replicated or backup copies of data being processed

Contractual and/or legal requirements for the erasure of PII contained in information held for back

Event logs
Logs and PII Deletion

Criteria regarding if, when and how log information can be made available to or usable by the cust

Restriction on access records that relate to a customer’s activities


Logging facilities and log information

Deletion of logged information

Transfer of information

Physical media containing PII


Office 365 management responsibilities and procedures to ensure a quick, effective, and orderly resp

Independent evidence that information security is implemented and operated in accordance with the
Office 365 Control Ids
IP-0102, IP-0106

UL-0100, UL-0101

UL-0100, UL-0102, UL-9510


DM-0105

UL-0101

AR-0117

TR-9501

IR-0118

PM-9501
DM-0106, SE-9505, UL-0101

PL-0120

MP-0127, SC-0157

CP-9501
MP-0113, MP-0116

AC-0228
SC-0136

DM-0105

IA-0104

AC-0107, AC-0118
IA-0122

PM-9502

AR-0110
SC-0107

SE-0100, TR-9506

SC-0142

AR-0104
AR-0110

TR-0108

AR-0112
IA-0129

IA-0104, IA-0114

SC-0148

MP-0119
DM-0108

DM-0110

CP-0150

SA-0131

CP-0133
CP-0103

SA-0146

DM-0105

AU-0118
AU-0110

AU-9500

AU-9500
AU-0129

AU-0135

MP-0115

MP-0118
IR-0109

PM-9504, PM-9505
Implementation Details
Microsoft provides Office 365 customers with the means to enable them to fulfil their obligation to facilitate the exercise of a pe
personally identifiable information (PII) pertaining to them. Microsoft provides a process for customers to have inaccurate PII ma
as appropriate. As documented in the Data Processing Terms of the Microsoft Online Services Terms (http://www.microsoftvolu
Mode=3&DocumentTypeId=31) (OST), the features and functionality of Microsoft Online Services mean that customers remain i
Office 365.

Office 365 does not process personally identifiable information (PII) under a data processing contract for any purpose independe
Microsoft describes the purpose(s) for which PII is collected, used, maintained, and shared in its privacy notices. For more inform
Privacy Statement (http://www.microsoft.com/online/legal/v2/).

Office 365 does not use personally identifiable information (PII) processed under a data processing contract for the purposes of
consent. Such consent should not be a condition of receiving the service. Microsoft describes the purpose(s) for which PII is colle
privacy notices. For more information, see the Microsoft Online Services Privacy Statement (http://www.microsoft.com/online/leg
Office 365 erases or destroys temporary files and documents within a specified and documented period. Microsoft disposes of, d
identifiable information (PII), regardless of the method of storage, in accordance with a National Archives and Records Administr
and in a manner that prevents loss, theft, misuse, or unauthorized access. Per the Data Processing Terms of the Microsoft Online
(http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31), within no more than 180 da
customer’s use of a Microsoft Online Service, Microsoft will disable the account and delete the customer data from the account.

The contract between Microsoft and the customer requires Microsoft to notify customers of any legally binding request for discl
(PII) by a law enforcement authority, unless such a disclosure is otherwise prohibited. Microsoft describes the purposes for which
in the Microsoft Online Services Privacy Statement (http://www.microsoft.com/online/legal/v2/) and in the Microsoft Online Serv
(http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) (OST). Microsoft will not dis
law enforcement, other government entity, or civil litigant; excluding our subcontractors) except as directed by a customer or un
contact Microsoft with a request for customer data, Microsoft will attempt to redirect the third party to request the data directly
Microsoft may provide customer contact information to the third party. If compelled to disclose customer data to a third party, M
efforts to notify the customer in advance of a disclosure unless legally prohibited.

Microsoft records disclosures of personally identifiable information (PII), including what PII has been disclosed, to whom, and at
accounting of disclosures of information held in each system of records under its control, including the date, nature, and purpos
to disclose customer data to a third party, Microsoft will use commercially reasonable efforts to notify affected customers in adv

Microsoft discloses to relevant customers the use of sub-contractors that process personally identifiable information (PII) before
new instances of sharing PII with third parties to assess whether the sharing is authorized, and whether additional or new public
access to customer data without authorization. Microsoft subcontractors handle PII data only when required to provide or maint
which subcontractors are used and for what purpose. Customers may download the current Office 365 Subcontractor (http://go
LinkId=213175&clcid=0x409) list from Microsoft's Web site. Customers who subscribe to compliance notifications are notified w
Microsoft Online Services.
Microsoft promptly notifies relevant customers in the event of any unauthorized access to personally identifiable information (PI
equipment or facilities resulting in the loss, disclosure, or alteration of PII. Microsoft requires personnel to report suspected secu
response teams. Incidents are identified through an internal monitoring systems, external customer communication or internal id
immediately brought to the attention of the Microsoft Online Services Investigation and Response team. Tickets for incidents are
as necessary. Contractual obligations in the Data Processing Terms of the Microsoft Online Services Terms (http://www.microsof
Mode=3&DocumentTypeId=31) require Microsoft to notify customers promptly in the event of an incident affecting their data.
rare, sensitive, and unique. Therefore, a formal process has been developed to tailor notification to the specific incident on a cas
email, phone, broad communication, or by direct engagement, depending on the issue and impact.

Microsoft retains records of security policies and operating procedures for a specified and documented period upon replacemen
retains its security documents pursuant to its retention requirements.
Microsoft has a policy regarding the return, transfer and/or destruction of personally identifiable information (PII) and makes thi
disposes of, destroys, erases and/or anonymizes PII data, regardless of the method of storage, in accordance with a National Arc
record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access. Per the Data Processing Ter
(http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31), Microsoft will disable an ac
account no more than 180 days after the expiration or termination of a customer’s use of a Microsoft Online Service.
Individuals under Microsoft's control with access to personally identifiable information (PII) are subject to a confidentiality obliga
requiring access to organizational information and information systems containing customer data sign the appropriate access ag
Microsoft Online Services staff are required to review and sign confidentiality and non-disclosure agreements, as well as the Mic
as a condition for employment. Additionally, the Microsoft corporate general use standard describes user responsibilities and es
Microsoft Online Services. Users, including employees, vendors, and contractors are required to follow the rules of behavior outl
contractors are required to have a signed Microsoft Master Vendor Agreement (MMVA) to ensure compliance with Microsoft's p
agreements are put in place to protect trade secrets, sensitive, or business confidential information, and assets. Microsoft’s Onlin
non-disclosure agreement at the time of engagement and before being given access to Microsoft’s online services.

Microsoft restricts the creation of hardcopy material displaying personally identifiable information (PII). Microsoft personnel do n
Office 365 environment. Office 365 has implemented controls and processes to enable just-in-time (JIT) and role-based access to
hours. Office 365 has implemented operational controls that log all access attempts to the Office 365 production environment o

Restorations are performed based on a customer’s requests per the Service Level Agreements established for the services. The a
requested by the customer. Microsoft defines standard operating procedures (SOPs) for data restorations and logs data restora
Microsoft protects data on storage media leaving the premises. Microsoft protects and controls data on storage media during tr
control, digital media at Microsoft datacenters consists of servers, network devices, and magnetic backup tapes. Microsoft datac
Microsoft uses 3 methods to protect media that is being transported outside its datacenter:

1. Secure Transport. Media being transported from Microsoft datacenters require accurate tracking. Tickets are created to arra
Microsoft has contracted with several approved vendors to provide secure shipping services. Secure Transport begins with an ac
Authorized asset managers are required to manage the exchange of assets. Assets are inventoried at the time of delivery to the
the container being locked and a tamper-proof seal being applied. Secure Transport could have additional requirements such as
assets, GPS tracking, and only stopping at Microsoft locations. In cases of longer transport routes, the requirement could be that
sleeping quarters to provide for non-stop delivery. At the delivery location, the transport company’s approved personnel must b
tamper-proof seal and the unlocking of the container. The receiving personnel will inventory the shipment and send a message
inventory is validated by the Microsoft Asset Manager.

2. Encryption. Some assets are required by Microsoft to be encrypted during transport. Magnetic backup tapes are required to
KeySecure to manage cryptographic keys using a FIPS 140-2 Level 3-validated encryption module (certificate #1694) and HSM (c
encrypted data on the magnetic tapes. When magnetic tapes are picked up for offsite storage, an approved Asset Manager mus
storage vendor and enter an account PIN before inventorying the tapes being transported. Upon receipt of by the storage vend
received is sent to the Asset Manager.

3. Cleanse, Purge, or Destroy. Microsoft contracts with a vendor to provide equipment destruction. Depending on Microsoft ass
to be destroyed onsite. Microsoft assets are required to be cleansed or purged before leaving the datacenter. Microsoft assets a
consistent with NIST SP 800-88 prior to reuse or disposal. Microsoft uses data erasure units from Extreme Protocol Solutions (EP
requirements for cleansing, purging, and secure erasure. Prior to cleansing or destruction, an inventory is created by the Microso
destruction, the vendor provides a certificate of destruction for each asset destroyed, which is validated by the Asset Manager.

Microsoft prohibits the use of portable physical media and portable devices (such as mobile devices) that do not permit encrypt
supporting security measures to manage the risks introduced by using mobile devices. Unauthorized mobile computing devices
any Office 365 production environment. Microsoft staff and contingent staff must adopt and follow the appropriate security pra
to protect against the risks of using mobile equipment. Such risks relate to the mobile nature of these devices, and the security p
these risks may include, but are not limited to, mobile device physical protection, access controls, cryptographic requirements, vi
be coming from. Mobile computing and data recording devices include PDAs, portable hard drives, laptop computers, flash driv
monitors for any unauthorized use of mobile devices in the Office 365 production environment and performs investigations acco
in Microsoft facilities that are access-controlled. While Office 365 technicians have physical access to the servers within the cages
servers that is required to make use of portable media. Microsoft personnel must obtain Microsoft authorization prior to storing
accessing customer data, or processing customer data outside Microsoft’s facilities.
Microsoft encrypts personally Identifiable information (PII) that is transmitted over public data transmission networks prior to tra
protection through the use of controlled devices at the network boundary and at key points within the network. The primary prin
connections and communications that are necessary to allow systems to operate, blocking other ports, protocols and connection
encryption mechanisms on communications between partners and between customers. Encryption modules are operated in FIPS
validated. This ensures that the confidentiality and integrity of communications between services teams, partners, and customers
2-validated cipher support for customer, third-party and remote access connections into the accreditation boundary. Office 365
TLS encryption for connections that travel outside the boundary of Office 365. TLS uses cryptographic mechanisms that allow cli
a network in a way that is designed to prevent eavesdropping and tampering. The FIPS 140-2 encryption modules used for trans
relevant NIST certificate numbers for Microsoft can be found at FIPS 140-1 and FIPS 140-2 List (http://csrc.nist.gov/groups/STM/
more information, see FIPS 140 Validation (http://technet.microsoft.com/en-us/library/cc750357.aspx).

Digital media in Microsoft Online Services datacenters is required to be cleansed or purged using approved tools and in a mann
being reused or disposed of. Non-digital media is not used by the Microsoft Online Services datacenter environment. Office 365
before leaving the datacenter. Office 365 assets are cleansed or purged with methods consistent with NIST SP 800-88 prior to re
units from Extreme Protocol Solutions (EPS). EPS software supports NIST SP 800-88 requirements for cleansing, purging, and sec
an inventory is created by the Microsoft Asset Manager. If a vendor is used for destruction, the vendor provides a certificate of d
validated by the Asset Manager.
If more than one individual has access to stored personally identifiable information (PII), Microsoft then requires them to each ha
authentication and authorization purposes. Microsoft, where required by the access control policy, controls access to systems an
procedure. Office 365 systems uniquely identify and authenticate Office 365 users through the use of multiple Active Directory d
perform administrative functions must access the environment remotely by design.

Microsoft maintains an up-to-date record of the users or profiles of users who have authorized access to the information system
registration and de-registration process to assign or revoke access rights for user types to systems and services. Microsoft create
information system accounts in accordance with the Office 365 Information Security Policy. The Office 365 Information Security P
and temporary accounts. Account requests go through the standard account management process. Account changes are manag
tools that allow Office 365 teams to track the process through account request, approval, creation, modification, and deletion.
Microsoft does not grant de-activated or expired user IDs to other individuals. Account requests go through the standard accou
managed with automated workflow management tools that allow Office 365 teams to track the process through account reques
deletion. Terminated users are removed from the corporate Active Directory (AD). As the regular AD sync occurs, this also remo
Additionally, Office 365 team management is notified of terminations and transfers and removes users as needed.
Data processing contracts between the customer and Office 365 specify the minimum technical and organizational measures to
arrangements are in place and that data is not processed for any purpose independent of the instructions of the controller. In th
customers know which subcontractors are used and what they do. Customers may download a current list of Office 365 Subcont
LinkId=213175&clcid=0x409) from Microsoft's Web site. Customers who subscribe to compliance notifications are notified when
Any subcontractors to whom Microsoft transfers customer data, even those used for storage purposes, will have entered into wr
less protective than the Data Processing Terms of the Microsoft Online Services Terms (http://www.microsoftvolumelicensing.co
Mode=3&DocumentTypeId=31) (OST). Office 365 makes information about its data processing capabilities available to current o
Assurance ((http://aka.ms/serviceassurance)).

Data processing contracts between Microsoft and any sub-contractors that process personally identifiable information (PII) spec
measures that meet the information security and PII protection obligations of Microsoft. Such measures are not subject to unilat
establishes and agrees to relevant information security requirements with each supplier that may access, process, store, commun
for the organization’s information. Microsoft requires that providers of external information system services comply with organiz
employ security controls in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards,
(external information system services) that are engaged with Office 365 to sign a Microsoft Master Vendor Agreement (MMVA) a
(ISAs). The MMVA and ISAs requires the third party to comply with applicable Office 365 security policies and implement security
Microsoft Confidential Information. Microsoft includes provisions in the MMVA and any associated Statement of Work (SOW) wi
the appropriate security controls. Vendors that handle sensitive data must be in compliance with Microsoft's vendor privacy prac
subcontractors to whom Microsoft transfers customer data, even those used for storage purposes, will have entered into written
protective than the Data Processing Terms of the Microsoft Online Services Terms (http://www.microsoftvolumelicensing.com/D
Mode=3&DocumentTypeId=31) (OST).
Microsoft ensures that whenever data storage space is assigned to a customer, any data previously residing on that storage spac
prevents unauthorized and unintended information transfer via shared system resources. Per the Data Retention Policies in the D
Services Terms (http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) (OST), Micro
delete customer data when it is no longer needed. Microsoft uses best practice procedures and a wiping solution that complies
cleansed or purged with methods consistent with NIST SP 800-88 prior to reuse or disposal. Microsoft uses data erasure units fro
software supports NIST SP 800-88 requirements for cleansing, purging, and secure erasure. Prior to cleansing or destruction, an
Manager. If a vendor is used for destruction, the vendor provides a certificate of destruction for each asset destroyed, which is va

Microsoft specifies and documents the countries in which personally identifiable information (PII) might possibly be stored. Micr
inventory that contains a listing of programs and information systems identified as collecting, using, maintaining, or sharing PII.
governing the location of customer data at rest, see the Data Processing Terms of the Microsoft Online Services Terms
(http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) (OST).
Microsoft subjects personally identifiable information (PII) transmitted using a data transmission network to the appropriate con
reaches its intended destination. Microsoft protects the confidentiality and integrity of transmitted information. Encryption mod
been FIPS 140-2 Level 2-validated. This ensures that the confidentiality and integrity of communications between services teams
Microsoft provides FIPS 140-2-validated cipher support for customer, third-party, and remote access connections into the FISM
use FIPS 140-2-validated TLS encryption for connections that travel outside the boundary of Microsoft Online Services. TLS empl
client/server applications to communicate across the network in a way that is designed to prevent eavesdropping and tampering
Validation (https://technet.microsoft.com/en-us/library/cc750357.aspx).

Microsoft and Office 365 policies regarding privacy and personally identifiable information (PII) processing and make these polic
Online Services Terms (http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) (OST)
Microsoft privacy program documents privacy policies and procedures. These documents are distributed via a Microsoft privacy
standards that exceed Microsoft company standards are maintained in the Office 365 Data Handling standard that describes dat
classifications.
Microsoft's approach to managing information security and its implementation (e.g., control objectives, controls, policies, proces
is reviewed independently at planned intervals or when significant changes occur. Microsoft regularly reviews information system
security policies and standards. Microsoft regularly assesses the security controls in the information system and its environment
the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting esta
controls are assessed periodically to determine the extent to which the controls are implemented and operating as intended.

Microsoft identifies individuals having information system security roles and responsibilities. The Microsoft Online Services priva
customers. The Office 365 security policies address the purpose, scope, roles, responsibilities, compliance requirements, and requ
Microsoft organizations providing some level of support for the security of Office 365. Office 365 security policies contain the ru
delivery and operation of Office 365. Microsoft employees and contingent staff are accountable and responsible for complying w
designated roles.
Microsoft provides employees of the organization and, where relevant, contractors appropriate awareness education and trainin
policies and procedures, as relevant for their job function, including awareness of the possible consequences to Office 365 of bre
procedures, including those addressing the handling of PII. Office 365 provides role-based security training to personnel with as
Appropriate Office 365 team members take part in a Microsoft Online Services-sponsored security-training program, and are rec
when applicable. Security education is an on-going process and is conducted regularly in order to minimize risks. Microsoft Onli
any training determined to be appropriate to the services being provided and the role they perform. Employees are required to
security awareness training course and standards of business conduct, within the first 30 days of their employment or transfer in
Management team has implemented security training controls by requiring employees and contractors to take the security and
operational personnel, which refers to anyone that is involved in development and quality assurance, are also required to take th
Online Services, as well as training associated with the operational procedures related to Asset Handling, Incident Response, and
to the system being accessed, along with associated procedures, may be required. Security training is also required when there i
environment.
Microsoft implements a formal user registration and de-registration process to enable assignment of access rights. Microsoft spe
system, group and role membership, and access authorizations (e.g., privileges) and other attributes (as required) for each accou
of personnel authorized to access Office 365 systems that contain customer data.

Microsoft, where required by access control policies, controls access to systems and applications by using a secure log-on proce
uniquely identify and authenticate users through the use of multiple Active Directory (AD) deployments. Operations staff needin
access the environment remotely by design. Operations staff are identified by the AD username specific to each service’s environ
password or two-factor authentication. Microsoft implements authenticator feedback through the use of built-in Windows opera
passwords when authenticating to system components. Passwords are obfuscated during the login process. No feedback is prov
could lead to the potential exploitation by unauthorized users. Microsoft also has policies that define session time-out requirem

Microsoft has developed and implemented a policy on the use of cryptographic controls for protection of information. Encryptio
Office 365 teams follow the requirements and restrictions outlined in the Office 365 Information Security Policy. Service data and
the requirements and restrictions specified in the asset classification and data handling standards when cryptography is used. Th
standards establish the mandatory minimum requirements for Office 365 asset ownership, classification and protection. Cryptog
implemented to protect the confidentiality, integrity, and availability of Office 365 information. Office 365 provides digital certific
Office 365 support personnel use FIPS 140-2-validated TLS encryption for connections that travel outside the boundary of Office
that allow client/server applications to communicate across the network in a way that is designed to prevent eavesdropping and
140 Validation (https://technet.microsoft.com/en-us/library/cc750357.aspx).

Microsoft verifies items of equipment containing storage media to ensure that any sensitive data and licensed software has been
disposal or re-use. Microsoft uses sanitization mechanisms for Office 365 with the strength and integrity commensurate with the
information. Microsoft uses data erasure units and processes to cleanse and purge data in a manner consistent with NIST SP 800
Office 365 Asset Classification of the asset. For assets requiring destruction, Microsoft uses onsite asset destruction services.
Microsoft separates development, testing, and operational environments to reduce the risk of unauthorized access or changes to
analyzes changes to the Office 365 information system in a separate test environment before implementation in an operational e
flaws, weaknesses, incompatibility, or intentional malice. Office 365 systems are partitioned at multiple layers to support system
partitions can be divided into two categories: physical partitions and logical partitions. Office 365 systems are also housed in dat
Physical access is restricted to only authorized datacenter personnel, and governed by least privilege. Additionally, logical partiti
systems. The preferred method for logically partitioning systems, at the network level, are router access control lists, virtual local
firewalls. Microsoft operates both types of devices for Office 365 properties. This partitioning strategy is used to separate front-e
back-end components (e.g., databases or management devices) for each system. Office 365 production environments are logica
various development environments) in the same manner.

In accordance with the Acceptable Use Standard documented in the Microsoft Security Policy, customer personally identifiable in
training and any customer data used for research must be anonymized via aggregation.

Microsoft regularly tests backup copies of Office 365 information, software and system images in accordance with an agreed up
backup information to verify media reliability and information integrity. Office 365 systems do not use any media backups. Office
Each of the Office 365 service's Business Continuity Plans indicates the procedures in place for the replication of Office 365 data.

Microsoft has an explicit policy regarding data handling and makes this policy available to customers in the Microsoft Online Ser
(http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31).

Microsoft establishes, documents, implements, and maintains processes, procedures, and controls to ensure the required level o
adverse situation. Microsoft develops a contingency plan for the information system that provides recovery objectives, restoratio
and maintained per industry best practices to be reflective of the current production environment. For more information, see the
(https://technet.microsoft.com/en-us/library/office-365-service-continuity.aspx). Microsoft maintains a framework that is consist
continuity program at levels. The framework includes:

- Assignment of key resource responsibilities


- Notification, escalation, and declaration processes
- Recovery Time Objectives and Recovery Point Objectives
- Continuity plans with documented procedures
- Training program for preparing appropriate parties to execute the Continuity Plan
- A testing, maintenance, and revision process
Microsoft erases or destroys temporary files and documents within a specified and documented period. Microsoft disposes of, d
identifiable information (PII), regardless of the method of storage, in accordance with a National Archives and Records Administr
and in a manner that prevents loss, theft, misuse, or unauthorized access. Per the Data Processing Terms of the Microsoft Online
(http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31), no more than 180 days afte
of an online service, Microsoft will disable the account and delete all customer data from the account.
Microsoft requires third parties (external information system services) that are engaged with Office 365 to sign a Microsoft Mast
requires the third party to comply with applicable Microsoft security policies and implement security procedures to the prevent d
Information. Microsoft includes provisions in the MMVA and any associated Statement of Work (SOW) with each vendor address
controls. Vendors that handle sensitive data must be in compliance with Microsoft's vendor privacy practices and data protection
Interconnection Security Agreements (ISAs) with external information systems; ISAs define Microsoft oversight, roles, and respon
Cloud Infrastructure & Operations (MCIO) are the only external information system service providers for Office 365 that store or
have a FedRAMP P-ATO and are required to follow the FedRAMP security control baseline. Microsoft discloses the use of subcon
relevant customers. Microsoft evaluates any proposed new instances of sharing PII with third parties to assess whether the sharin
new public notice is required. By default, no one has access to customer data without authorization. Microsoft subcontractors ha
or maintain the service. In the interest of transparency, Microsoft publishes a list of the subcontractors it uses and what the subc
current list of Office 365 Subcontractors (http://go.microsoft.com/fwlink/?LinkId=213175&clcid=0x409) from Microsoft's Web si
notifications are notified when Microsoft adds a new subcontractor to Microsoft Online Services.

Microsoft erases or destroys temporary files and documents within a specified and documented period. Microsoft disposes of, d
identifiable information (PII), regardless of the method of storage, in accordance with a National Archives and Records Administr
and in a manner that prevents loss, theft, misuse, or unauthorized access. Per the Data Processing Terms of the Microsoft Online
(http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31), no more than 180 days afte
of an online service, Microsoft will disable the account and delete all customer data from the account.
Microsoft produces, keeps, and regularly reviews event logs that record user activities, exceptions, faults and information securit
Engineering team has developed a general set of auditable events specific to Office 365 based on ongoing risk assessments of th
vulnerabilities, business requirements, and Office 365 Security Standards. The general event set is reviewed by Security Service En
system is made to ensure that any vulnerabilities exposed are being addressed by the set of auditable events. New events may b
online or when a vulnerability or threat is identified (e.g., through security assessments, security bulletins, etc.). When changes to
executed through Office 365 Change Management. The change management process also includes a risk assessment of the cha
compliance features that enable customers to directly view a subset of logs to verify who’s accessed what data, and what they di
administrative activities, and SharePoint site activity. In-service features that provide this visibility include Exchange Online auditi
Center console, and the Office 365 admin center portal. For more information, see the Reports section of the Office 365 Service D
us/library/office-365-reports.aspx).
Office 365 has implemented automated procedures to ensure that logged information is deleted within a specified and docume
standards. Office 365 auditable events are required to contain at a minimum the following information to establish what events
outcomes of the events:

- Source user ID
- Target user ID as relevant/appropriate for event type
- Event timestamp (Date & Time)
- Event details
- Event type
- Outcome (success/failure)
- Detailed information as defined per event type
- Source and target hostname as relevant and appropriate for event type
- Source and target network addresses and protocols as relevant and appropriate for event type

This information is sufficient to identify the event type, source, location, outcome, time and the entity associated with the event (
the Windows event log contain the minimum information required and in many cases additional information is captured.

Based on data handling requirements - Office 365 ensures that personally identifiable information (PII) is erased within 180 days
of Office 365 service.

Office 365 has in-service logs and compliance features that enable customers to directly view a subset of logs to verify who’s acc
This includes viewing mailbox usage, administrative activities and SharePoint site activity. In-service features that provide this vis
SharePoint Online auditing, the eDiscovery Center console, the Office 365 Security & Compliance Center, and the Office 365 adm
Reports section of the Office 365 Service Description (https://technet.microsoft.com/en-us/library/office-365-reports.aspx).

Office 365 has in-service logs and compliance features that enable customers to directly view a subset of logs to verify who’s acc
This includes viewing mailbox usage, administrative activities and SharePoint site activity. In-service features that provide this vis
SharePoint Online auditing, the eDiscovery Center console, the Office 365 Security & Compliance Center, and the Office 365 adm
to seeing only logs that are applicable to their tenant. For more information, see the Reports section of the Office 365 Service De
us/library/office-365-reports.aspx).
Microsoft protects Office 365 facilities and log information against tampering and unauthorized access. Audit records are contin
or unusual activity using a formal monitoring process. Findings are reported using the security incident response process. Micros
Office 365 that include frequency of review for standard operating procedures and review oversight processes and procedures. M
auditing operator (administrator) access and actions.

Microsoft has automated controls to scrub personally identifiable information (PII) when logs are stored to a central logging sto
data handling procedures when protecting and retaining log data.

Microsoft has formal transfer policies, procedures and controls in place to protect the transfer of information through the use of
Microsoft implements boundary protection through the use of controlled devices at the network boundary and at key points wit
network security is to allow only those connections and communications that are necessary to allow systems to operate, blockin
default. Access Control Lists (ACLs) are the preferred mechanism through which to restrict network communications by source a
numbers. Approved mechanisms to implement networked-based ACLs include tiered ACLs on routers managed by Microsoft Clo
policies applied to hosts to restrict communications (when used in conjunction with tiered ACLs), firewall rules, and host-based f
validated cipher support for customer, third-party, and remote access connections into the Office 365 accreditation boundary. O
Level 2-validated TLS encryption for connections that travel outside the boundary of Office 365. TLS employs cryptographic mec
to communicate across the network in a way that is designed to prevent eavesdropping and tampering.

All media being transported from Microsoft datacenters requires accurate tracking. Tickets are created to arrange and track the
contracted with several approved vendors to provide secure shipping services. Secure Transport begins with an accurate invento
Managers are required to manage the exchange of assets. Assets are inventoried at the time of delivery to the transporter. The A
being locked and a tamper-proof seal being applied. Secure Transport could have additional requirements such as a dedicated t
tracking, and only stopping at Microsoft locations. In cases of longer transport routes, the requirement could be that there are m
quarters to provide for non-stop delivery. At the delivery location, the transport company’s approved personnel must be presen
seal and unlocking of the container. The receiving personnel will inventory the shipment and send a message confirming the rec
by the Microsoft Asset Manager. Based on the asset classification including assets containing personally identifiable information
encrypted during transport. Magnetic backup tapes are required to be encrypted. Microsoft uses SafeNet KeySecure to manage
3-validated encryption module and HSM to secure AES 256-bit encrypted data on the magnetic tapes. When magnetic tapes are
asset manager must deliver the locked container to the off-site storage vendor and enter an account PIN before inventorying th
the storage vendor, a message confirming the inventory received is sent to the asset manager.
The Office 365 Security Incident Response (SIR) team is responsible for managing the investigation and resolution of security inc
team works with other Office 365 teams to ensure that security incidents are contained and eradicated, and that recovery is com
performed depend on the security incident itself, there are several critical activities that are performed as part of the process of m
These activities include preparation, detection and analysis, containment, eradication, and recovery. Microsoft promptly notifies
unauthorized access to personally identifiable information (PII), or unauthorized access to processing equipment or facilities resu
Microsoft requires personnel to report suspected security incidents. Incidents are identified through internal monitoring systems
identification. Upon identification, incidents are immediately brought to the attention of the Microsoft SIR team. Tickets for the i
and escalated as necessary. Contractual obligations in the Data Processing Terms of the Microsoft Online Services Terms
(http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) (OST) require Microsoft to n
incident affecting their data. Security notifications are, by nature, extremely rare, sensitive, and unique. Therefore, a formal proce
the specific incident on a case-by-case basis. Notifications can occur via email, phone, broad communication, or by direct engag

Office 365 undergoes various audits such as ISO 27001, ISO 27018, FedRAMP, and SOC 2 Type 2 at planned intervals throughou
from third-party independent auditors available via the Office 365 Security & Compliance Center (http://protection.office.com) a
(http://aka.ms/stphelp). In addition, Microsoft publishes trust documents that provide detailed insights about the technical imple
compliance controls, along with FAQs and whitepapers on security, privacy, and compliance topics, guidance on controls that cu
Office 365 tenant, and guidance on how to use Office 365 features that support security, compliance, and privacy.
Testing Details
Examined the Data Processing Terms of the Microsoft OST as well as privacy statements and the controls associated with the han
that Microsoft provides customers with the means to enable them to fulfil their obligation to facilitate the exercise of a person's
pertaining to them.

The controls that were examined and validated included:

- Access controls that strictly restrict access to customer data.

- Access controls that eliminate all standing access to the Office 365 environment.

- Access control that enable just-In-time, role-based access to customer data that expires within a few hours.

- Operational controls that log any attempt to access the Office 365 production environment or customer data.

- The Microsoft Security Development Lifecycle, which ensures that Office features are developed to comply with security and pr
365 security policies and ISMS.

For detailed testing plans of each of these controls, refer to the ISO 27001 control validation tests.

Interviewed Office 365 team leads and Trust team leads and confirmed that Office 365 does not process PII under a data process
the instructions of the customer.

Examined controls used to appropriately restrict PII as per defined and agreed upon purposes and validated that Microsoft does
contract for any purpose independent of the instructions of the customer.

The controls that were examined and validated included:

- Access controls that strictly restrict access to customer data.

- Access controls that eliminate all standing access to the Office 365 environment.

- Access control that enable just-In-time, role-based access to customer data that expires within a few hours.

- Operational controls that log any attempt to access the Office 365 production environment or customer data.

- The Microsoft Security Development Lifecycle, which ensures that Office features are developed to comply with security and pr
365 security policies and ISMS.

For detailed testing plans of each of these controls, refer to the ISO 27001 control validation tests.

Examined the Data Processing Terms of the Microsoft Online Services Terms as well as privacy statements and the controls assoc
that Microsoft does not use PII processed under a data processing contract for the purposes of marketing or advertising withou
a condition of receiving the service.
Examined Office 365 Asset Classification and Data Handling standards and validated that erasure of PII data is required within 18
customer's use of Office 365.

Interviewed Office 365 engineering team members and Trust team lead and validated that configuration controls are in place to
customer's use of Office 365 and to delete customer data within 180 days of such expiration or termination.

Examined the Data Processing Terms of the Microsoft OST, Microsoft privacy notices, and Microsoft privacy statements, and dete
customers with the means to enable them to fulfill their obligation to facilitate the exercise a person's rights to access, correct, a

Interviewed Office 365 Privacy team leads, Engineering team leads, and Trust team leads, and determined that Microsoft conside
security incident and that Microsoft will activate an incident response plan for any PII disclosure.

For more information, see the implementation and testing details for Incident Management for ISO 27001.
Examined list of Office 365 subcontractors and validated that Microsoft discloses its use of sub-contractors.

Interviewed Office 365 Engineering, Privacy, and Trust team leads and determined that Microsoft discloses to relevant customers
before their use.

Interviewed Office 365 Engineering, Privacy, and Trust team leads and determined that Microsoft considers unauthorized access
and that Microsoft will activate an incident response plan for any PII disclosure.

For more information, see the implementation and testing details for Incident Management for ISO 27001.

Reviewed and validated that the following security policies exist and confirmed that the documents address purpose, scope, role
commitment, coordination among organizational entities, and compliance. In addition, a review of samples of the associated sta
that these documents provide additional granularity and policy clarification (engineering guidance) and articulate details for wha
SOPs identified roles for involved entities to whom the SOP will be made available and who have the responsibilities (outputs) th
appropriately retained and distributed to an internal SharePoint site.

- Microsoft Information Security Policy


- Office 365 Information Security Policy
- Office 365 Awareness and Training Policy
- Office 365 Audit and Logging Policy
- Office 365 Security Assessment and Authorization Policy
Examined Office 365 Asset Classification and Data Handling standards and validated that it requires erasure of PII data within 18
customer's use of Office 365.

Interviewed Office 365 Engineering team members and a Trust team lead and validated that configuration controls are in place t
customer's use of Office 365 and to delete customer data within 180 days of such detection.
Examined the Office 365 system security plan and resource access agreement and determined that all Office 365 staff are require
disclosure agreements and the Microsoft Employee Handbook, at the time of hire as a condition of employment and access to O
contractors are required to sign the MMVA to ensure compliance with Microsoft's policies on required engagements. The Emplo
disclosure agreements, and the MMVA are reviewed and updated annually to reflect changes to the Microsoft environment.

Interviewed Office 365 Trust team members and determined that the rules of behavior are embodied in the Microsoft Employee
available online on the internal Human Resources portal and can be accessed by all employees. Additionally, Office 365 team use
part of their annual security awareness training. Determined that users are asked to provide explicit acknowledgement during th
completion constitutes agreement that the user understood this document.

Examined the view & sign agreement (screenshot of the Employee Handbook signature page) for employees and determined th
that they have read, understood, and accept all modifications to the Employee Handbook.

Examined a training report and determined that annual security awareness training is conducted in accordance with the annual f
the rules of behavior contained in the Microsoft Employee Handbook.

Examined sample of account creation, account modification and account disabling actions within account management logs and
valid access authorization, intended system usage, and other attributes, as required by Microsoft or its associated mission or bus
the creation of hardcopy material displaying PII.

Interviewed multiple Office 365 administrators and confirmed that an access control too is used for privileged activity in order to
restrict access to PII.

Examined a sample of account management and JIT system audit logs and interviewed a sample of organizational personnel wit
of least privilege. Confirmed that the implementation of least privilege is applied as intended to restrict access to PII.

Tested administrator use of the JIT system through observation, both with successful login and escalations as well as with an uns
escalate within an environment where the account management entitlement had not been set for that user.

Obtained and inspected evidence for a selection of restorations and ascertained that data backup restorations occur as requeste
Examined the Office 365 security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations
control. Review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports sectio

Validated that the Office 365 documentation, including the Office 365 security plan, affirms that mobile devices are not allowed

Interviewed an Office 365 Principal Program Manager Lead and an Office 365 Program Manager and confirmed that there have

Examined the Office 365 security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations
this control. Review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports se
Interviewed Senior Service Engineers and a Program Manager and determined that Office 365 uses encryption to protect the int
identifiable information (PII) transmitted over public data transmission networks. Specifically, Office 365 provided FIPS 140-2-val
customer connections, interconnected system connections and remote access connections to Office 365.

Examined screenshot of enabled use of a FIPS-validated algorithm, a screenshot of enabled encryption, a screenshot of server ce
of a TechNet article on how cryptographic modules are employed in Microsoft products. Determined that that FIPS-validated alg
365 environment.

Interviewed Office 365 architects and determined that certificates are generated internally by a secure certification generation to

Tested by examining the certificate deployment configuration script, screenshots of certificate path, screenshot of key certificate
256 and TLS 1.2 and determined that deployment scripts make calls to secrets management and that current settings are config

Tested by examining screenshots of certificate key usage, screenshots of general certificate information, screenshots of certificat
screenshot of the certificates management system and determined that the certificate management system is used to request ce
Authority which is configured as required.

Examined the Office 365 security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations
control. Review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports sectio

Interviewed Office 365 security personnel and determined that if more than one individual has access to stored PII, Microsoft the
ID for identification, authentication, and authorization purposes. User accounts (and processes acting on behalf of users) are ass
strictly enforced by Active Directory.

Tested authentication mechanisms within the Office 365 environment by observing the login process for Office 365 team memb
required and that users must use a unique identifier for system access. This confirmed that the identity and authentication meth

Reviewed the Office 365 Information Security Policy and account management procedures and confirmed that Office 365 mainta
profiles of users who have authorized access to the information system. The Office 365 team's management identify personnel w
the system and specify the type of privilege each Office 365 team member should have based on their role. Microsoft account m
automatically enforce the access privileges of each Office 365 team member based on role-based access controls.

Interviewed Office 365 team members and Trust team members and identified several account types and the respective conditio
Interviewed security and engineering personnel as well as members of the Trust team and confirmed that account procedures ar
management architecture and business logic to include identification of account types, conditions for membership to entitlemen

Interviewed a sample of organizational personnel with account management responsibilities and confirmed that the measures a
account types (requisite access authorizations/privileges), establish conditions for group and role membership, and require appr
accounts.

Examined sample of account creation, account modification, and account disabling actions within account management logs an
requires approval by a requestor's manager) operates as described within account management procedures.
Examined sample of account disabling actions within account management logs and confirmed that terminated users are remov
sync occurs, this also removes them from Office 365 team AD.

Examined the list of Office 365 subcontractors available, as well as data protection capabilities information available through Off
that Office 365 is transparent about its capabilities during the process of entering into contract.

Examined the Data Processing Terms of the OST as well as privacy statement and validated the controls associated with handling
confirm that data processing contracts between the customer and Office 365 specify the minimum technical and organizational
security arrangements are in place and that data is not processed for any purpose independent of the instructions of the contro

The controls that were examined and validated included:

- Access controls that strictly restrict access to customer data.

- Access controls that eliminate all standing access to the Office 365 environment.

- Access control that enable just-In-time, role-based access to customer data that expires within a few hours.

- Operational controls that log any attempt to access the Office 365 production environment or customer data.

- The Microsoft Security Development Lifecycle, which ensures that Office features are developed to comply with security and pr
365 security policies and ISMS.

For detailed testing plans of each of these controls, refer to the ISO 27001 control validation tests.

Examined the MMVA as well as the Data Processing Terms of the OST and determined that data processing contracts between M
PII specify the minimum technical and organizational measures that meet Microsoft's information security and PII protection obl
supplier must also use security procedures to prevent disclosure of Microsoft Confidential Information to unauthorized third par
protect system access, system and application development and maintenance, change management, asset classification and con
environmental security, disaster recovery and employee training. Determined that vendors and contractors sign the MMVA prior
requirements are detailed in the MMVA which is signed prior to beginning the engagement. Also interviewed Office 365 Trust te
and contractors are subject to the MMVA and to non-disclosure agreements.

Examined the Office 365 security plan and determined that vendors and contractors are subject to the same screening requirem
requires that approved screening vendors submit screening outcomes for third-party personnel directly to Microsoft, where they
Information System. Also examined the MMVA and determined that it defines personnel security requirements for vendors and

Examined several Office 365 ISAs and associated control matrices and determined that Microsoft authorizes identified connectio
information systems through the use of ISAs. Examined several ISAs and associated control matrices and determined that the ISA
security requirements, and nature of the information communicated respectively.
Examined the Office 365 security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations
control. Review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports sectio

Examined the location of customer data at rest policies in the Data Processing Terms of the OST and determine that Microsoft sp
PII might possibly be stored.

Interviewed Senior Service Engineers and a Program Manager and determined that Microsoft uses encryption to protect the inte
over public data transmission networks. Specifically, Office 365 uses FIPS 140-2-validated cipher support and TLS protocols for c
connections, and remote access connections to Office 365.

Examined a screenshot of enabled use of a FIPS-validated algorithm, a screenshot of enabled encryption, a screenshot of server
contents of a TechNet article on how cryptographic modules are used in Microsoft products. Determined that FIPS-validated alg
365 environment.

Interviewed Office 365 architects and determined that certificates are generated internally by a secure certification generation to

Tested by examining the certificate deployment configuration script, screenshots of certificate path, screenshot of key certificate
and TLS 1.2 and determined that deployment scripts make calls to secrets management and that current settings were configure

Tested by examining screenshots of certificate key usage, screenshots of general certificate information, screenshots of certificat
and a screenshot of the certificates management system and determined that the certificates management system is used to req
Authority which is configured as required.

Examined the Microsoft OST, the Microsoft privacy portal and Office 365 Data Handling standards and determined that Microso
privacy and PII processing and that those policies are made available to customers.
Examined the Office 365 security plan, the Office 365 information security policy and the Office 365 controls framework and ass
procedures related to security assessment and authorization, and determined that security controls are assessed annually or whe
vulnerability change occurs.

Examined the Office 365 assessment report, an Office 365 report on the controls in the service organization relevant to security a
Office 365, the suitability of the design and operating effectiveness of the controls, an Office 365 security assessment report and
determined that security controls are assessed in accordance with the required annual frequency.

Interviewed Office 365 Trust team members and determined that plan of actions and milestones progress tracking is conducted
held to show progress.

Examined monthly service review documentation such as meeting agendas, meeting minutes and dashboards and determined t
performance indicators (KPIs) that reflect the relevant security metrics for the service and that Office 365 teams monitor and rep
measurable data to dashboards for consumption by relevant stakeholders, as well as by reviewing security data with manageme

Examined the output of various independent Office 365 audits performed by third-party independent auditors, Microsoft interna
Management team, and determined that Microsoft's approach to managing information security and its implementation (e.g., co
and procedures for information security) is reviewed independently at planned intervals, multiple times throughout year and wh

Examined the Office 365 information security policy and the Microsoft Online Services privacy statement, and determined that O
information system security roles and responsibilities and that the Microsoft Online Services privacy statement provides a point

Examined the Office 365 system security plan, information security policy, and security training policy, and determined that Micr
and, where relevant, contractors appropriate awareness education and training and regular updates to organizational policies an
function. This training includes awareness of possible consequences of breaches of privacy or security rules and procedures, incl
personally identifiable information. All personnel are required to take a NEO security awareness training course, and Standards o
days of their employment or transfer into the organization. Microsoft's Information Technology (MSIT) department and Microso
course which encompasses the standard business security measures, information security, and user actions to maintain security a
incidents. The Office 365 Risk Management team has implemented the security training controls by requiring new employees an
awareness training annually. Non-operational personnel, which refers to anyone that is involved in development and quality assu
training offered by Microsoft Online Services, as well as training associated with the operational procedures related to Asset Han
Control. In addition, training related to the system being accessed, along with associated procedures, may be required.

Examined the Office 365 system security plan, information security policy, controls framework and the security training policy, an
when there is a significant change to the system environment.

Examined a report of training records and screenshots identifying course content and determined that annual security awarenes
annual frequency.
Reviewed the Office 365 Information Security Policy and account management procedures and confirmed that Office 365 teams
membership by defining conditions for each group and role in the appropriate account management tool. Office 365 managem
given authorization to access the system and specify the type of privilege each Office 365 team member should have based on t
tools are configured to automatically enforce the access privileges of each Office 365 team member based on role- based access

Interviewed Office 365 team members and Trust team members to identify several account types and the respective conditions f
security and engineering personnel as well as members of the Trust team and confirmed that account procedures are appropriat
architecture and business logic to include the identification of account types, conditions for membership to entitlement groups,

Interviewed a sample of Office 365 personnel with account management responsibilities to confirm that the measures are being
(requisite access authorizations, privileges), establish conditions for group and role membership, and require appropriate approv

Examined sample of account creation, account modification, and account disabling actions within account management logs an
requires approval by a requestor's manager) operates as described within account management procedures.

Examined the Office 365 access control policy for evidence that the policy addresses, purpose, scope, roles and responsibilities, m
among organizational entities, and compliance.

Examined Office 365 information system program documentation for procedures that facilitate the implementation of the acces
and that the procedures are reviewed and updated at least annually.

Examined the Office 365 access control policy and procedures and other relevant documents for the organization elements havi
responsibilities, and to which the access control policy is disseminated or otherwise made available.

Examined sample of Office 365 account disabling actions within account management logs and confirmed that terminated users
as the regular AD sync occurs, this also removes them from the Office 365 team AD.

Reviewed the Office 365 Information Security Policy and confirmed that it is an effective system communications protection poli
responsibilities, compliance requirements, and required coordination among the various Microsoft organizations providing som
365.

Interviewed members of the Office 365 Compliance team who confirmed that TLS connections are used.

Examined screenshot of enabled use of FIPS-validated algorithm, a screenshot of enabled encryption, a screenshot of server cert
of a TechNet article on how cryptographic modules are used in Microsoft products. Determined that that FIPS-validated algorith
environment.

Examined the Office 365 security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations
control. Review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports sectio
Microsoft employs separation between development, testing, and production Office 365 environments using the change manag
controls tested below.

Examined the Office 365 system security plan, and determined that Office 365 teams must test potential software and firmware c
separate test environment, or by removing a server from production, making changes, testing, and returning it to production up

Examined tickets for a change being tested prior to implementation in production and determined that the changes for Office 3
environment. The ticket demonstrated that sign-off is required before the changes are deployed in production. The other two tic
testing and to production.

Interviewed multiple Office 365 service engineers and confirmed that software implementation must be tested within the develo
approved prior to the implementation on any production server.

Interviewed senior security and engineering leads and members of the Microsoft Trust team regarding the definition of required
granting access to Office 365 development, testing, and production systems. Determined that managers must review and appro
individual's role, prior to access being granted to that individual. Additionally, examined training records that demonstrate that i
requirements must complete specialized training and undergo background checks (such as Public Trust Security Clearance inves

Examined Office 365 risk management standard operating procedures and multiple risk assessments of Office 365 conducted by
for the Office 365 Information Security Management System (ISMS), Microsoft considers issues related to customer PII data and
the risks and opportunities that need to be addressed to ensure the risk assessment around customer PII data handling can achi

Examined Office 365 replication standard operating procedures to determine that Office 365 uses datacenter replication solution

Obtained and inspected evidence for a selection of replication logs to ascertain that replication is occurring according to defined
are available for restoration, failover, or activation.

Examined Office 365 replication standard operating procedures to determine that Office 365 uses datacenter replication solution

Obtained and inspected evidence for a selection of replication logs to ascertain that replication is occurring according to defined
are available for restoration, failover, or activation.

Examined the Office 365 system and service restoration plan, and determined that Microsoft maintains its recovery and reconstit
in the process include notifying all appropriate personnel and failing over to an alternate processing facility.

Determined that Microsoft maintains both a primary and multiple alternate instances of services and data in different datacenter
failure occurs in one environment, either automatic failover to an alternate instance occurs, or administrators can quickly manua
determined that these instances are maintained in an Active/Active hot standby state to expedite the recovery process.
Examined Office 365 Asset Classification and Data Handling standards to validate that it requires erasure of PII data within 180 d
customer's use of Office 365.

Interviewed Office 365 Engineering team members as well as a Trust team lead, and validated that configuration controls are in p
of a customer's use of Office 365 and to delete data within 180 days of such detection.
Examined the MMVA and determined that suppliers must comply with physical and information security policies set out in the S
Microsoft. Determined that, per the MMVA, the supplier must also use security procedures to prevent disclosure of Microsoft Co
parties. Suppliers must have controls in place to protect the system access, system and application development and maintenan
and control, incident response, physical and environmental security, disaster recovery, and employee training. Finally, determine
MMVA prior to beginning work at Microsoft. Security requirements are detailed in the MMVA that must be signed prior to begin
365 Trust team personnel and determined that vendors and contractors are subject to the MMVA and to non-disclosure agreem

Examined the Office 365 system security plan and determined that vendors and contractors are subject to the same screening re
requires that approved screening vendors submit screening outcomes for third-party personnel directly to Microsoft, where they
Information System. Also examined the MMVA and determined that it defines personnel security requirements for vendors and

Interviewed Office 365 Program Managers and determined that ISAs are used to identify system interconnections and that data
ISAs are reviewed annually. Examined several Office 365 ISAs and associated control matrices and determined that Microsoft aut
information system to other information systems through the use of ISAs.

Examined several Office 365 ISAs and associated control matrices and determined that the ISAs document the interface characte
the information communicated respectively.

Examined Office 365 Asset Classification and Data Handling standards to validate that it requires erasure of PII data within 180 d
customer's use of Office 365.

Interviewed Office 365 Engineering team members and a Trust team lead and validated that configuration controls were put in p
customer's use of Office 365, and to delete data within 180 days of such detection.
Interviewed Office 365 engineers regarding auditing and logging functions and determined that the Office 365 Incident Respons
identified findings, assignment of follow-up actions, and tracking of any associated incident response activities. Event logs record
and information security events are produced, kept, and regularly reviewed.

Interviewed key personnel and administrators on Office 365 teams and determined that Office 365 audit logs are pushed to stor
these logs then available for the purpose of using statistical pattern analysis measurements in order to detect inappropriate or u

Tested through the review of the Office 365 security team-generated Product Studio tickets and associated auto-generated ema
traffic or system events that the statistical pattern analysis measurements determine inappropriate or unusual activity.

Tested by examining Group Policy Objects, audit log settings, and centrally collected logs for multiple Office 365 teams to determ
system auditing in accordance with the guidance provided by the Office 365 Security team and aligned with audit record genera
Examined Office 365 Asset Classification and data handling standards to validate that it requires erasure of personally identifiabl
expiration or termination of customer's use of Office 365 service.

Examined Office 365 auditable event logs and determined auditable events captured in the Windows event logs contain the min
events occurred.

Interviewed Office 365 engineering team as well as trust team lead and validated configuration controls were put in place to det
use of Office 365 services and delete data within 180 days of such an identification.

Examined the Office 365 Security & Compliance Center and the Office 365 admin center as well as various sample reports to det
compliance features that enable customers to directly view a subset of logs to verify who’s accessed what data, and what they di

Examined Office 365 audit logs and activities handling processes to validate that Office 365 lists the name of the event that appe
Management Activity API schema and in the CSV file when customers export the search results.

Interviewed Office 365 Engineering team members and a Trust team lead and verified that configuration controls are in place to
made available to or usable by a customer.

Examined the Office 365 Security & Compliance Center and the Office 365 admin center as well as various sample reports to det
compliance features that enable customers to directly view a subset of logs to verify who’s accessed what data and what they did
restricted to seeing only logs that are applicable to their tenant.

Examined Office 365 audit logs and activities handling processes to validate that Office 365 has a permission control process to

Interviewed Office 365 engineering team members and a Trust team lead and verified that configuration controls are in place to
be made available to or usable by a customer.
Examined data within audit storage to determine that collected audit events are sent up to the centralized auditing system, using
integrity of the data and confidentiality of any sensitive data, as well as providing a means to protect audit records from unautho
Additionally, Office 365 audit logs are pushed to storage every five to fifteen minutes, greatly limiting the adverse effects that an

Reviewed collected audit events sent up to the centralized auditing storage system and audit log access within Office 365 team s
administrators have the ability to view or alter local logs.

Examined Office 365 facilities access control policy, procedures addressing access enforcement, security plan, information system
documents for the measures to be employed to enforce approved authorizations for logical access to the system or system reso

Examined Office 365 documentation describing the current user privileges on the information system for a sample of informatio
authorizations (user privileges) for evidence that user privileges on the information system are consistent with the approved use

Tested a sample of the processes and configuration settings for evidence that these mechanisms are operating as intended.

Examined the configuration and output from scrubbing controls put in place by Microsoft to determine that Microsoft has autom
stored in the central logging storage system and that Microsoft follows the appropriate data handling procedures when protecti

Examined samples of Office 365 firewall rules and ACLs in place to implement the deny-all-permit-by-exception information flow
as well as the router and firewall ACLs in use on perimeter devices. This confirmed that the approved mechanisms used to contro
and between interconnected systems are implemented.

Tested the current configuration of the active ACLs by means of attempting a connection to a known open port on a server beyo
observed that the connection was denied as intended by the ACLs.

Examined the Office 365 security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations
control. Review the ISO and SOC audit reports for MCIO for further details, which are available in the Compliance Reports sectio
Examined the Office 365 incident response policy, procedures addressing incident response testing and exercises, incident respo
incident response testing and exercises to be conducted for the Office 365 systems and services.

Interviewed Office 365 SIR team Program Managers to validate the documentation of testing and exercising the incident respon
incident response in accordance with the required frequency for the Office 365 systems and services.

Validated that incident management individuals meet Office 365 personnel security requirements commensurate with the critica
processed, stored, and transmitted by Office 365 and that Microsoft defines roles and clearance levels of the responsible person

Examined Office 365 incident handling records and any problem records, change control records, incident response test and exe
associated with an agreed-upon sample of security incidents identified for Office 365 for evidence that the measures are being a
incidents.

Obtained and inspected evidence for a selection of incidents to ascertain that security incidents are documented within an incide

Obtained and inspected evidence for a selection of incidents to ascertain that adverse security incidents are escalated and review
required action is taken.

Examined SOC, FedRAMP, and ISO audit reports and the Security & Compliance Center and the Cloud Service Trust Portal to det
audits such as ISO 27001, ISO 27018, FedRAMP, and SOC 2 Type 2 at planned intervals throughout a given year, and that Micros
independent auditors available to customers.

Examined the Office 365 audit and accountability policy for evidence that the policy addresses purpose, scope, roles and respon
coordination among Office 365 entities, and compliance.

Examined Office 365 documentation for procedures that facilitate the implementation of the audit and accountability policy, and
updated at least annually.

Examined Office 365 audit reports that provide details on the implementation of security, privacy, and compliance controls.
Last Tested Tested By Control Family Id

10/19/2016 Third party independent auditor A.1

10/19/2016 Third party independent auditor A.2

10/19/2016 Third party independent auditor A.2


10/19/2016 Third party independent auditor A.4

10/19/2016 Third party independent auditor A.5

10/19/2016 Third party independent auditor A.5

10/19/2016 Third party independent auditor A.7

10/19/2016 Third party independent auditor A.9

10/19/2016 Third party independent auditor A.9


10/19/2016 Third party independent auditor A.9

10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.10


10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.10


10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.10


10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.10


10/19/2016 Third party independent auditor A.10

10/19/2016 Third party independent auditor A.11

10/19/2016 Third party independent auditor A.11

10/19/2016 Third party independent auditor C.5


10/19/2016 Third party independent auditor C.5

10/19/2016 Third party independent auditor C.6

10/19/2016 Third party independent auditor C.7


10/19/2016 Third party independent auditor C.9

10/19/2016 Third party independent auditor C.9

10/19/2016 Third party independent auditor C.10

10/19/2016 Third party independent auditor C.11


10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12


10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12


10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12


10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.12

10/19/2016 Third party independent auditor C.13

10/19/2016 Third party independent auditor C.13


10/19/2016 Third party independent auditor C.16

10/19/2016 Third party independent auditor C.18


Control Family Name

Office 365 - Obligation to co-operate regarding Personally Identifiable Information (PII)

Office 365 - Purpose and commercial use

Office 365 - Purpose and commercial use


Data minimization - Secure erasure of temporary files

Office 365 - PII disclosure notification and recording of PII disclosures

Office 365 - PII disclosure notification and recording of PII disclosures

Office 365 - Disclosure of sub-contracted PII processing

Office 365 - Accountability for PII data

Office 365 - Accountability for PII data


Office 365 - Accountability for PII data

Office 365 - Information security

Office 365 - Information security

Office 365 - Information security


Office 365 - Information security

Office 365 - Information security


Office 365 - Information security

Office 365 - Information security

Office 365 - Information security

Office 365 - Information security


Office 365 - Information security

Office 365 - Information security

Office 365 - Information security


Office 365 - Information security

Office 365 - Privacy compliance

Office 365 - Privacy compliance

Information security policies - Privacy and PII processing


Information security policies - Privacy and PII processing

Internal organization - Information security roles and responsibilities

Office 365 - Human resource security


Access control - User access management and secure log-on procedures

Access control - User access management and secure log-on procedures

Cryptography - Policy on the use of cryptographic controls

Equipment - Secure disposal or re-use of equipment


Office 365 - Operations security

Office 365 - Operations security

Office 365 - Operations security

Office 365 - Operations security

Office 365 - Operations security


Office 365 - Operations security

Office 365 - Operations security

Office 365 - Operations security

Office 365 - Operations security


Office 365 - Operations security

Office 365 - Operations security

Office 365 - Operations security


Office 365 - Operations security

Office 365 - Operations security

Office 365 - Network security management

Office 365 - Network security management


Office 365 - Information security incident management

Compliance - Independent review of information security


Control Family Description
Understand how Office 365 fulfills it's obligation regarding (PII) principal's rights.

Understand how Office 365 ensures that PII to be processed under a contract should not be processed for any purpose
independent of the instructions of the Office 365 customer. Also understand how PII processed under a contract is not be
used by Office 365 for the purposes of marketing and advertising without express consent.

Understand how Office 365 ensures that PII to be processed under a contract should not be processed for any purpose
independent of the instructions of the Office 365 customer. Also understand how PII processed under a contract is not be
used by Office 365 for the purposes of marketing and advertising without express consent.
Understand how Office 365 ensures that temporary files and documents are erased or destroyed within a specified,
documented period.

Understand how Office 365 notifies the cloud service customer, in accordance with any procedure and time periods agreed
in the contract, of any legally binding request for disclosure of PII by a law enforcement authority, unless such a disclosure is
otherwise prohibited.

Understand how Office 365 notifies the cloud service customer, in accordance with any procedure and time periods agreed
in the contract, of any legally binding request for disclosure of PII by a law enforcement authority, unless such a disclosure is
otherwise prohibited.

Understand how Office 365 discloses the use of sub-contractors.

Understand how Office 365 notifies the relevant cloud service customer in the event of any unauthorized access to PII or
unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII. Also understand
how Office 365 retains copies of security policies and operating procedures and how this policy is available to Office 365
customer..

Understand how Office 365 notifies the relevant cloud service customer in the event of any unauthorized access to PII or
unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII. Also understand
how Office 365 retains copies of security policies and operating procedures and how this policy is available to Office 365
customer..
Understand how Office 365 notifies the relevant cloud service customer in the event of any unauthorized access to PII or
unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII. Also understand
how Office 365 retains copies of security policies and operating procedures and how this policy is available to Office 365
customer..

Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 implements security controls to safeguard PII.


Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 implements security controls to safeguard PII.


Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 implements security controls to safeguard PII.


Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 implements security controls to safeguard PII.


Understand how Office 365 implements security controls to safeguard PII.

Understand how Office 365 specifies and documents the countries in which PII might possibly be stored. Also understand
how Office 365 ensures that PII transmitted using a data-transmission network is subject to appropriate controls designed
to ensure that data reaches its intended destination.

Understand how Office 365 specifies and documents the countries in which PII might possibly be stored. Also understand
how Office 365 ensures that PII transmitted using a data-transmission network is subject to appropriate controls designed
to ensure that data reaches its intended destination.

Understand how Office 365 top management establishes the information security policies in the context of privacy and PII
processing.
Understand how Office 365 top management establishes the information security policies in the context of privacy and PII
processing.

Understand how Office 365 defines responsibilities around privacy and PII processing.

Understand how Office 365 has put measures in place to make relevant staff aware of the possible consequences on Office
365 (e.g. legal consequences, loss of business and brand or reputational damage), on the staff member (e.g. disciplinary
consequences) and on the PII principal (e.g. physical, material and emotional consequences) of breaching privacy or security
rules and procedures, especially those addressing the handling of PII.
Understand how where appropriate, Office 365 enables the customer to manage access by cloud service users under the
cloud service customer’s control, such as by providing administrative rights to manage or terminate access. Also
understand how where required, Office 365 provides secure log-on procedures for any accounts requested by the cloud
service customer for cloud service users under its control.

Understand how where appropriate, Office 365 enables the customer to manage access by cloud service users under the
cloud service customer’s control, such as by providing administrative rights to manage or terminate access. Also
understand how where required, Office 365 provides secure log-on procedures for any accounts requested by the cloud
service customer for cloud service users under its control.

Understand how Office 365 provides information to customer regarding the circumstances in which it uses cryptography to
protect the PII it processes.

Understand how Office 365 for the purposes of secure disposal or re-use, equipment containing storage media that may
possibly contain PII treats as though it does.
Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.
Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.
Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.
Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
and how technical and organizational measures will be implemented to minimize the risks identified. Also understand how
Office 365 handles backups to ensure privacy and PII processing commitments are met. Furthermore understand how
Office 365 implements event logging and protection of log information to ensure protection of PII data.

Understand how Microsoft implements safeguard to protect physical media in transit that my may contain PII.

Understand how Microsoft implements safeguard to protect physical media in transit that my may contain PII.
Understand how Office 365 reviews any information security incident as part of its information security incident
management process.

Understand how Office 365 ensures that information security is implemented and operated in accordance with the
organizational policies and procedures.

You might also like