Office 365 ISO 22301 Stage 2 Report (2019)

The assessment report summarizes the ISO 22301:2012 certification assessment of Microsoft's Office 365 business continuity management system from March 15-18, 2019. No nonconformities were found. The audit verified that Microsoft has established a business continuity management system according to the standard's requirements. Enterprise business continuity management is directed by the Board of Directors and the framework is split into business continuity and disaster recovery. Services are tested on a 12-month validation life cycle. The assessment concludes that Microsoft's system continues to fulfill the standard's requirements and certification is recommended.


Assessment Report

Microsoft Office 365

Assessment dates 03/15/2019 to 03/18/2019 (Please refer to Appendix for details)


Assessment Location(s) Redmond (001)
Report Author Leonard Glover
Assessment Standard(s) ISO 22301:2012

Page 1 of 18
Assessment Report.

Table of contents
Executive Summary ............................................................................................................................................................ 3
Changes in the organization since last assessment ........................................................................................................... 4
NCR summary graphs ......................................................................................................................................................... 5
Your next steps ................................................................................................................................................................... 6
NCR close out process.................................................................................................................................................... 6
Assessment objective, scope and criteria .......................................................................................................................... 7
Assessment Participants .................................................................................................................................................... 8
Assessment conclusion ...................................................................................................................................................... 8
Findings from this assessment ........................................................................................................................................... 9
Enterprise Business Continuity Management comes from the Board of Directors. EBCM framework is split into BC and DR. 12-month validation life cycle for the testing of the services ............................................................................ 9
Next visit objectives, scope and criteria........................................................................................................................... 12
Next Visit Plan .................................................................................................................................................................. 14
Appendix: Your certification structure & ongoing assessment programme.................................................................... 15
Scope of Certification................................................................................................................................................... 15
Assessed location(s) ..................................................................................................................................................... 15
Certification assessment program ............................................................................................................................... 16
Definitions of findings: ................................................................................................................................................. 16
How to contact BSI....................................................................................................................................................... 17
Notes ............................................................................................................................................................................ 17
Regulatory compliance ................................................................................................................................................ 18

Executive Summary
The business continuity management system in relation to the availability of Microsoft Office 365 services.

Changes in the organization since last assessment


There has been no significant change to the organization structure or the key personnel involved in the
audited management system.

No change in relation to the audited organization’s activities, products or services covered by the scope of
certification was identified.

There was no change to the reference or normative documents related to the scope of certification.

NCR summary graphs


There have been no NCRs raised.

Your next steps

NCR close out process

There were no outstanding nonconformities to review from previous assessments.


No new nonconformities were identified during the assessment. Enhanced detail relating to the overall
assessment findings is contained within subsequent sections of the report.

Please refer to the Assessment Conclusion and Recommendation section for the required submission and
the defined timeline.

Assessment objective, scope and criteria


The objective of the assessment was to conduct a certification assessment to ensure the elements of the
proposed scope of registration and the requirements of the management standard are effectively addressed
by the organization's management system and to confirm the forward strategic plan.

The scope of the assessment is the documented management system with relation to the requirements of
ISO 22301:2012 and the defined assessment plan provided in terms of locations and areas of the system
and organization to be assessed.

ISO 22301:2012
Microsoft Enterprise Continuity Standard FY19
Microsoft Enterprise Business Continuity Management (EBCM) dated July 1, 2018.

Assessment Participants

Name               Position   Opening Meeting   Closing Meeting   Interviewed (processes)
Patricia Anderson  BC Lead    X                 X                 X

Assessment conclusion
BSI assessment team

Name Position
Leonard Glover Team Leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team
concludes based on the results of this audit that the organization does fulfil the standards and audit criteria
identified within the audit report and it is deemed that the management system continues to achieve its
intended outcomes.

RECOMMENDED - The audited organization can be recommended for certification to the above listed
standards, and has been found in general compliance with the audit criteria as stated in the above-
mentioned audit plan.

Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.

Findings from this assessment

Enterprise Business Continuity Management comes from the Board of Directors. EBCM framework is split into BC and DR. 12-month validation life cycle for the testing of the services.
The audit was done in compliance with PP117 (BMS/Global/Products/ISO 22301) ISO 22301 Scheme
Manual Revision 15 (January 2018).

All Office 365 commercial, government and education online services offerings.

Enterprise Business Continuity Management is directed by the Board of Directors. The EBCM framework is
split into BC and DR. There is a 12-month validation life cycle for the testing of the services.

Documented clause sections 4-10 of the Standard have been validated in the Business Continuity Manual.
The continuity plan focuses on service to customers through Microsoft 365.

Top management shows strong interest in the system and ensures that the BCMS has clear objectives.

The following aspects were covered:


• Review of the client's BCM system documentation (SharePoint Enterprise Business Continuity
Management (EBCM) site).
• Evaluation of the client's readiness for certification.
• Good understanding of the requirements of the BCM standard.
• Business impact analysis: has been completed for services.

5. Leadership and commitment: the policy is documented at the enterprise level.

5.3 Organizational roles, responsibilities and authorities have been documented and reviewed in Stage 1 &
2.

Eight people make up the scope of the BCMS:


• BC Council Lead
• BC Lead
• 4 BC team members (coordinators and auditors)
• partial leverage of BCMS central resources (2 people, by percentage)

Scope of Services for the BCMS:


Office 365

6. Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plan to achieve them

The Microsoft Office 365 Business Continuity program aligns with the Enterprise Business Continuity
Management standard, which is the high-level document.

7.3 Awareness
Annual awareness training is documented as a requirement. It was verified that the process owners sign
off on the entire team's awareness of the contingency plan; the December 2018 training was verified in
February 2019.

7.5 Documented information


Microsoft Office 365 implements and operates its BCMS as described in the following documents in 2019:
• BCMS Manual, January 2019
• Business Continuity Management Contingency Plan
• Microsoft Enterprise Business Continuity Standard FYQ4 18, with the new version to be FYQ1 2020
• Microsoft 365 Onboarding tool on the internal SharePoint site
• Normative Terms, January 2019

8.2 Business impact analysis and risk assessment


Risk assessment is performed by the Microsoft Risk Management Program, using the Microsoft Enterprise
Risk Management methodology.

9.2 Internal Audit


Internal audit leverages the enterprise approach and internal audit program. The BCMS was able to
present a redacted report from which the service could be determined, along with the appropriate Office
365 management.

9.3 Management Review

The Q2 FY19 Scorecard dated January 15, 2019 was used as evidence. It is communicated at CVP and EVP
level and covers the different scoring of the entire organization.

Criteria for criticality and RTO

Criticality        RTO
Mission Critical   0-4 hours
Critical 1         >4-12 hours
Critical 2         >12-24 hours
Critical 3         >24-72 hours
Important 2        >72-168 hours
Deferred           >168 hours

The Service Tree tool is used for coordination.

The BCDR Manager tool is the record repository.

The dashboard is updated quarterly to inform sponsors.

List of services under Office 365

90 service line items are listed under what is available as a service to consumers.

10 services were sampled for this audit:

Planner Dashboard in BCDR Manager: this service was approved on September 12, 2018.
The full assessment includes the RTO (0.5 hour) and dependencies, along with people and location.

PowerPoint Image Analysis Dashboard in BCDR Manager: this service was approved in May 2018.
The full assessment includes the RTO (8 hours) and dependencies, along with people and location.

SharePoint in BCDR Manager: this service was approved in Feb. 2018 and February 2019. The SLA
commitment for this service is 99.99%. The full assessment includes the RTO (4 hours) and dependencies,
along with people and location.

Whiteboard Services in BCDR Manager: this service was approved on August 10, 2018.
The full assessment includes the RTO (25 hours) and dependencies, and the RPO (5 min). The test record
and after-action report were reviewed and verified to update the plan.

Exchange Dashboard in BCDR Manager: this service was approved in March 2018 and January 2019.
The full assessment includes the RTO (1 hour) and dependencies, along with people and location.

To Do for Web in BCDR Manager: this service was approved in November 2018. The tabletop exercise of
April 4, 2018 was verified in the audit. The full assessment has an RTO of 168 hours, so the service has
deferred status.

Service Trust Portal in BCDR Manager: this service was approved in May 2018.
The full assessment includes the RTO (24 hours) and dependencies, and the RPO (5 min). The test record
and after-action report were reviewed.

Yammer in BCDR Manager: this service was approved on June 26, 2018.
The full assessment includes the RTO (24 hours) and dependencies. The test record and after-action
report were reviewed.

OneNote in BCDR Manager: this service was approved in April 2018.
The full assessment includes the RTO (4 hours) and dependencies. The test record and after-action report
were reviewed and had no issues.

Skype for Business in BCDR Manager: this service was approved in Feb. 2018 and Feb. 2019.
The full assessment includes the RTO (3 hours) and dependencies. The test record and after-action report
were reviewed and had no issues. The SLA commitment for this service is 99.99%.

Skype Teams in BCDR Manager: this service was approved in March 2018 and Jan. 2019.
The full assessment includes the RTO (3 hours) and dependencies. The test record and after-action report
were reviewed; they had issues, which were corrected in the bug database. The SLA commitment for this
service is 99.9%.

Next visit objectives, scope and criteria

The objective of the assessment is to conduct a surveillance assessment and look for positive evidence to
ensure the elements of the scope of certification and the requirements of the management standard are
effectively addressed by the organization's management system and that the system is demonstrating the
ability to support the achievement of statutory, regulatory and contractual requirements and the
organization's specified objectives, as applicable with regard to the scope of the management standard, and
to confirm the on-going achievement and applicability of the forward strategic plan.

Next Visit Plan

Date        Auditor         Time / Area/Process / Clause

Day 1 2020

9:00 AM     Leonard Glover  Review of regulatory requirements; review of security and business
                            objectives; review of risk assessment from site visits, risk treatment plan
                            Clause 4.1 Understanding of the organization and its context

10:00 AM    Leonard Glover  BCMS monitoring and review processes: monitoring and review procedures;
                            maintenance and improvement; management responsibilities; resource
                            management process
                            Clause 5.1 Leadership and commitment

12:00 noon  Leonard Glover  Working lunch

1:00 PM     Leonard Glover  Management review of the BCMS (Security): inputs and outputs; internal
                            audits; BC scope and test exercises
                            Clause 6; 9.1 Monitoring, measurement, analysis and evaluation;
                            9.2 Internal audit; 9.3 Management review

5:00 PM                     Closing meeting

The scope of the assessment is the documented management system with relation to the requirements of
ISO 22301:2012 and the defined assessment plan provided in terms of locations and areas of the system
and organization to be assessed.

ISO 22301:2012
Microsoft Enterprise Continuity Standard FY19
Microsoft Enterprise Business Continuity Management (EBCM) dated July 1, 2018.
Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of
the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration that a
deputy management representative be nominated. It is expected that the deputy would stand in should
the management representative find themselves unavailable to attend an agreed visit within 30 days of its
conduct.

Appendix: Your certification structure & ongoing assessment programme

Scope of Certification

BCMS 706252 (ISO 22301:2012)


The business continuity management system in relation to the availability of Microsoft Office 365 services.

Assessed location(s)

The audit has been performed at Permanent Locations.

Redmond / BCMS 706252 (ISO 22301:2012)


Location reference            0047358928-001
Address                       Microsoft Office 365
                              1 Microsoft Way
                              Redmond
                              Washington
                              98052-8300
                              USA
Visit type                    Stage 2 Audit
Assessment reference          9716327
Assessment dates              03/15/2019
Deviation from Audit Plan     No
Total number of Employees     7
Effective number of Employees 7
Scope of activities at the site  development, operations and support
Assessment duration           2 Day(s)

Certification assessment program

Certificate Number - BCMS 706252


Location reference - 0047358928-001

Audit1 Audit2 Audit3


Business area/Location Date (mm/yy): 01/20 02/21 2/22
Duration (days): 1 1 2
Scope and Policy X X X
Organisational context X X X
Leadership and Commitment X X X
Management System Support X X
Planning and Resources X X
Human Resource Management X X
Control of Documents and Records X X
Objectives / Performance Monitoring & Measurement X X
Management Review X X X
Supply Chain X X
Internal Audits X X
Actions / Non-Conformity / Incidents / Complaints X X
Risk Management / Prevention X X
Legal and Other Requirements X
Improvement X X X

Definitions of findings:

Nonconformity:
Non-fulfilment of a requirement.

Major nonconformity:

Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services will
meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could demonstrate a
systemic failure and thus constitute a major nonconformity.

Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.

Opportunity for improvement:


It is a statement of fact made by an assessor during an assessment, and substantiated by objective
evidence, referring to a weakness or potential deficiency in a management system which if not improved
may lead to nonconformity in the future. We may provide generic information about industrial best
practices but no specific solution shall be provided as a part of an opportunity for improvement.

Observation:
It is ONLY applicable for those schemes which prohibit the certification body from issuing an opportunity
for improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a
management system which, if not improved, may lead to a nonconformity in the future.

How to contact BSI

'Just for Customers' is the website that we are pleased to offer our clients following successful registration,
designed to support you in maximizing the benefits of your BSI registration; please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number.

Should you wish to speak with BSI in relation to your registration, please contact our Operations Support
Team:

BSI Management Systems


12950 Worldgate Drive
Suite 800
Herndon
VA
20170
Tel: +1 (800) 862 4977 Fax: +1 (703) 437 9001

Notes

This report and related documents are prepared for and only for BSI’s client and for no other purpose. As
such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in
connection with any other purpose for which the Report may be used, or to any other person to whom the
Report is shown or in to whose hands it may come, and no other persons shall be entitled to rely on the
Report. If you wish to distribute copies of this report external to your organization, then all pages must be
included.

BSI, its staff and agents shall keep confidential all information relating to your organization and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities. The
audit method used was based on sampling the organization’s activities and it was aimed to evaluate the
fulfilment of the audited requirements of the relevant management system standard or other normative
document and confirm the conformity and effectiveness of the management system and its continued
relevance and applicability for the scope of certification.

As this audit was based on a sample of the organization's activities, the findings reported are not implied
to cover all issues within the system.

Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report by
the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.
