Microsoft ISO 22301 Recertification
MICROSOFT AZURE, DYNAMICS 365, AND ONLINE SERVICES

ISO 22301:2019 CERTIFICATION - RECERTIFICATION REVIEW SUMMARY REPORT

APRIL 24, 2023

Assessment and Compliance Services

Proprietary & Confidential


Unauthorized use, reproduction, or distribution of this report, in whole or in part, is strictly prohibited.
STATEMENT OF CONFIDENTIALITY
The sole purpose of this document is to provide Microsoft Corporation (Microsoft) with the summary of the ISO
22301:2019 (ISO 22301) recertification review. At Microsoft’s discretion, it may distribute this report to its clients.
Each recipient of this report agrees that it shall not distribute or use the information contained herein and any other
information regarding Microsoft for any purpose other than those stated. This document, and any other Microsoft
related information provided, shall remain the sole property of Microsoft and may not be copied, reproduced, or
distributed without the prior written consent of Microsoft.

APPLICABILITY
This document is supplemental to the ISO 22301 recertification review performed by Schellman Compliance, LLC
(Schellman), the primary deliverable of which is the certificate. The information found in this report and the conclusions
reached were dependent upon the complete and accurate disclosure of information by Microsoft. The information
provided in this report is “AS IS” without warranties of any kind. Schellman expressly disclaims any warranties or
representations, including implied warranties and fitness for a particular purpose.

INDEPENDENCE DISCLOSURE
Schellman assessed the Business Continuity Management System (BCMS) for Microsoft. Schellman does not hold
any investment or control over Microsoft. During the course of the assessment, Schellman did not willfully and
unnecessarily market services to achieve conformance to ISO 22301. No Schellman service was recommended
during the course of the engagement.

Schellman also performed the following reviews for Microsoft’s Azure, Dynamics 365, and other Online Services
that are deployed in Azure Public and Government Cloud:
• ISO/IEC 27001:2022 recertification review
• ISO 9001:2015 recertification review
• ISO/IEC 20000-1:2018 recertification review
• Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) certification review
TABLE OF CONTENTS
SECTION 1 AUDIT TEAM RECOMMENDATION .......... 1
SECTION 2 PROJECT OVERVIEW .......... 5
SECTION 3 RECERTIFICATION REVIEW TESTING RESULTS .......... 14
SECTION 4 CERTIFICATION CYCLE PROGRAM .......... 19
APPENDIX MICROSOFT AZURE SCOPE STATEMENT .......... 21
SECTION 1 AUDIT TEAM RECOMMENDATION

ISO 22301 Recertification Review Summary Report Proprietary and Confidential 1


AUDIT TEAM RECOMMENDATION, AND GENERAL DESIGN AND OPERATING EFFECTIVENESS OF THE BCMS
Summary of Findings and Recommendation, General Design and Operating Effectiveness of the Client BCMS

Overall, the BCMS appears to be operating effectively and the client has met the requirements of the ISO 22301
standard. There were no nonconformities noted as a result of the 2023 recertification review.

Microsoft Azure, Dynamics, and other Online Services (Microsoft Azure) has implemented and maintains policies
and procedures that are designed in accordance with the ISO 22301 standard. The policies are well-defined,
detailed, regularly reviewed and updated, communicated, and understood by users within the organization. This
includes both Microsoft corporate level and Microsoft Azure, Dynamics and other Online Services policies and
procedures which have been adopted to support the implementation of the BCMS. Microsoft Azure, Dynamics, and
other Online Services has defined standard operating procedures (SOPs) at a team level to provide additional
guidance to personnel.

The audit team concluded that procedures were effectively implemented within the organization to monitor
conformance with the standard and achievement of objectives specified by Microsoft Azure that are in alignment
with the strategic direction of the organization. Based on the activities demonstrated by Microsoft Azure
management and the supporting documentation provided during the course of the recertification review, the audit
team determined that effective processes were in place to manage and monitor information security risks and to
identify and monitor compliance with relevant standards and contractual commitments. The Microsoft Azure
leadership team has supported the BCMS by providing the resources necessary to maintain and implement risk
treatment plans and projects designed to improve the risk posture of the organization.

A formally defined global risk management program is in place, and Microsoft Azure has demonstrated an effective
process to manage and monitor risk in accordance with the direction of management and the organization’s
tolerance for risk. The sponsorship of the BCMS is headed by the Integrated Management Forum (IMF). The IMF
is the management group that oversees the various components of the BCMS and the communication and
exchange of information between those components.

It is the audit team’s recommendation to reissue the certification for another three-year term with an updated scope
statement.

Finding Ref | Status | Correction¹ | Corrective Action Plan¹ | Evidence of Remediation¹

No nonconformities were identified during the 2023 recertification review.

¹ Correction is the immediate action taken to address the nonconformance; the corrective action plan includes the root cause related to the
nonconformance and the organization’s plan to address the root cause; and evidence of remediation includes the implementation of the
corrective action plan (i.e., the full implementation of the plan that addresses the root cause related to the nonconformance).

As part of the assessment, Schellman concluded that the scope of the BCMS was appropriate, and the audit
objectives of the recertification review were met.

Clause | Conclusion | Comment
Context of the Organization – Understanding the Organization and its Context | Effective | No Comment
Context of the Organization – Understanding the Needs and Expectations of Interested Parties | Effective | No Comment
Context of the Organization – Determining the Scope of the Business Continuity Management System | Effective | No Comment
Context of the Organization – Business Continuity Management System | Effective | No Comment
Leadership – Leadership and Commitment | Effective | No Comment
Leadership – Management Commitment | Effective | No Comment
Leadership – Policy | Effective | No Comment
Leadership – Organizational Roles, Responsibilities and Authorities | Effective | No Comment
Planning – Actions to Address Risks and Opportunities | Effective | No Comment
Planning – Business Continuity Objectives and Planning to Achieve Them | Effective | No Comment
Planning – Planning Changes to the Business Continuity Management System | Effective | No Comment
Support – Resources | Effective | No Comment
Support – Competence | Effective | No Comment
Support – Awareness | Effective | No Comment
Support – Communication | Effective | No Comment
Support – Documented Information | Effective | No Comment
Operation – Operational Planning and Control | Effective | No Comment
Operation – Business Impact Analysis and Risk Assessment | Effective | No Comment
Operation – Business Continuity Strategies and Solutions | Effective | No Comment
Operation – Business Continuity Plans and Procedures | Effective | No Comment
Operation – Exercise Programme | Effective | No Comment
Operation – Evaluation of Business Continuity Documentation and Capabilities | Effective | No Comment
Performance Evaluation – Monitoring and Measurement | Effective | No Comment
Performance Evaluation – Internal Audit | Effective | No Comment
Performance Evaluation – Management Review | Effective | No Comment
Improvement – Nonconformity / Corrective Action | Effective | No Comment
Improvement – Continual Improvement | Effective | No Comment

Performance of the BCMS Over the Certification Cycle

Overall, Microsoft continued to demonstrate a sound understanding of its BCMS as it continued to meet the
requirements of the ISO 22301 standard. During the recertification review, an assessment was performed to
determine the overall effectiveness of the BCMS during the certification lifecycle and no negative trends were
identified. The BCMS and control framework are established, have been supported by top management, and are
supported by a competent team dedicated to the foundation and maintenance of the management system. During
the previous certification term, Microsoft continued to expand its BCMS scope to include additional service
offerings, and did so in continued conformance with the ISO 22301 standard and with regard to achieving the
objectives of Microsoft’s business continuity management policy and Microsoft’s maintenance, monitoring, and
improvement activities of the BCMS.

Microsoft has implemented continual improvement activities since the 2022 recertification review based on results
from its risk assessments and implementation of risk treatment plans that were based on available or planned
resources that took into consideration external and internal factors such as new organizational changes and
location-specific regulations. Further, there have been no complaints and Microsoft has properly marketed their
certificate in accordance with the client obligations and marketing guidelines provided to Microsoft.

SECTION 2 PROJECT OVERVIEW

EXECUTIVE SUMMARY
Introduction

Microsoft (or the “client”) was the subject of a recertification review in February 2023 of their ISO 22301 (or the
“standard”) certification which was originally issued in September 2016. The purpose of the recertification review
was to verify that the approved BCMS continued to be effectively implemented, to consider the implications of
changes to that system initiated as a result of changes in the client organization’s operations, and to confirm
continued compliance with the certification requirements. This report includes the results of the 2023 recertification
review mentioned above.

Schellman performed the recertification review to summarily review the documentation and maintenance,
monitoring, and operating effectiveness of the BCMS in order to achieve multiple objectives. The recertification
review included the following:
• The system maintenance elements which include the risk assessment process, internal audit, measurement
and monitoring, management review, corrective action, and continual improvement
• Communications from external parties as required by the BCMS standard ISO 22301 and other documents
required for certification
• Changes to the documented system
• Areas subject to change
• Selected elements of ISO 22301
• Assessment of the management system over the course of the certification lifecycle
• Other selected areas as appropriate

The scope of the review was limited to the BCMS supporting Microsoft Azure, Dynamics, and other Online Services
that are deployed in Azure Public and Government Cloud including their development, operations, and infrastructure
and their associated security, privacy, and compliance. The scope of the BCMS includes the BCMS development,
operations, and infrastructure teams for Azure and Azure-based services deployed in the Public and Government
Cloud, collectively referred to as Microsoft Azure, Dynamics, and other Online Services. Microsoft Azure, Dynamics,
and other Online Services applies to information resources, processes, and personnel within the Microsoft Azure,
Dynamics, and other Online Services Group. Information resources include any Microsoft Azure, Dynamics, and
other Online Services owned or managed systems, applications, and network elements, and any information
processed by, or used to provide, Microsoft services.

The scope includes operations at the corporate headquarters facility located at One Microsoft Way, Redmond,
Washington 98052, United States.

Opening Meeting Description

An opening meeting occurred remotely utilizing the Microsoft Teams web conferencing application, at approximately
09:30 AM PST on Monday, February 13, 2023. An agenda was provided as well as a project plan and audit plan
for the recertification review. The opening meeting was held to perform the following:
• Reconfirm the audit plan, scope, and deliverables for the recertification review
• Identify the client points of contact for the objectives and domains
• Discuss the timing expectations of the fieldwork as well as the activities following the fieldwork

Audit Review Details

The recertification audit covered the documentation requirements of the ISO 22301 standard, as well as testing
which included evidence of the monitoring, maintenance, and operating effectiveness of the BCMS. The
recertification audit objectives included the following:
• Determine the continued conformance of the BCMS to the ISO 22301 standard, specifically with regard to
achieving the objectives of Microsoft’s business continuity policy and Microsoft’s maintenance, monitoring,
and improvement activities of the BCMS.
• Determine effectiveness of the procedures and processes for evaluation and review of compliance with
relevant legislation and regulations.
• Validate the functions at each in-scope location to help ensure the functions performed are relevant to the
scope of the management system.
• Review the performance of the management system over the period of certification, including the review of
previous audits.

The focus of the review enabled Schellman to maintain confidence that Microsoft’s certified BCMS continued to
fulfill the requirements of ISO 22301 between recertification audits. The ISO 22301 recertification included an
analysis of the following BCMS activities, as applicable:
• assessment of monitoring, measurement, analysis, and evaluation to ensure that the methods selected
produce comparable and reproducible results;
• documentation information required per clauses 4 through 10 of ISO 22301;
• reviews of the effectiveness of the BCMS and measurements of the effectiveness of the service controls,
reporting, and reviewing against the BCMS objectives;
• internal audits and management reviews;
• management responsibility for the business continuity management policy;
• leadership and support of the BCMS;
• implementation of controls, taking into account the organization’s measurements of effectiveness of
controls, to determine whether controls are implemented and effective to achieve the stated objectives;
• programs, processes, procedures, records, internal audits, and reviews of the BCMS effectiveness to
ensure that these are traceable to management decisions and the BCMS policy and objectives;
• whether the BCMS documents information required by ISO 22301 and information determined by the
organization as being necessary for the effectiveness of the BCMS;
• complaints handling;
• progress of planned activities aimed at continual improvement;
• continuing operational control;
• review of any changes as well as an assessment of the certification lifecycle;
• use of marks and/or any reference to certification; and
• the performance of the management system over the period of certification, including the review of previous
surveillance audits.

During the assessment, all BCMS-related documentation was available for the audit team to assess the BCMS and
in relation to the audit objectives of this assessment.

A closing meeting occurred remotely utilizing the Microsoft Teams web conferencing application, at approximately
4:00 PM PST on Monday, April 24, 2023. The closing meeting included discussions on the conformity of the client’s
BCMS in relation to the ISO 22301 standard and discussions regarding the recommendation to reissue the
certificate of conformance.

Confidentiality Statement

The information included in this report is to be treated as confidential.

OVERVIEW OF OPERATIONS
Company Background and Description of Services Provided

Microsoft Azure is a cloud computing platform for building, deploying, and managing applications through a global
network of Microsoft and third-party managed datacenters. It supports both Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS) cloud service models and enables hybrid solutions that integrate cloud services
with customers’ on-premises resources. Microsoft Azure supports many customers, partners, and government
organizations that span across a broad range of products and services, geographies, and industries. Microsoft
Azure is designed to meet their security, confidentiality, and compliance requirements.

Dynamics 365 is an online business application suite that integrates the Customer Relationship Management (CRM)
capabilities and its extensions with the Enterprise Resource Planning (ERP) capabilities. Microsoft Dynamics 365
products/offerings and its supporting Datacenters are covered under the Azure, Dynamics 365, and Online Services
report.

Microsoft datacenters support Microsoft Azure, Dynamics 365, and many other Microsoft Online Services (“Online
Services”). Online Services such as Intune, Power BI, and others are Software as a Service (SaaS) services that
leverage the underlying Microsoft Azure platform and datacenter infrastructure.

For a full description of the scope and services provided, refer to the Appendix.

BCMS REVIEW
Context of the Organization (Clause 4)

Microsoft Azure maintains a BCMS manual which documents the Microsoft Azure Cloud Services Platform and
Azure Cloud Services based services’ business continuity management program. The BCMS manual contains
mappings and references linking the current policies, procedures, standards, and guidelines along with controls
relevant to its ISO 22301 program. Microsoft Azure Cloud Services management establishes, operates, and
maintains a BCMS in accordance with ISO 22301, while maintaining and leveraging the organizational, cultural,
and operational integrity and acceptance of the established business continuity management program. The BCMS
manual document serves as the BCMS plan of record, authorized by Microsoft Azure Cloud Services compliance
management. Microsoft Azure Cloud Services BCMS is a combination of:
• People: The Microsoft Azure Cloud Services BCMS includes personnel with roles and responsibilities
required to maintain continuity of the cloud services noted in the Microsoft Azure Cloud Services BCMS
scope statement documented as well as in the Azure Cloud Services business continuity plan (BCP) and
SOPs.
• Process: The Microsoft Azure Cloud Services BCMS workflow meets the requirements of the workflow
defined in Microsoft’s enterprise business continuity management (EBCM) methodology and is controlled
through various forums including the periodic leadership reviews, business continuity working group
meetings, etc. documented in the Azure Cloud Services BCP and disaster recovery plans (DRP), SOPs,
and individual plans.
• Technology: The Microsoft Azure Cloud Services BCMS defines the requirements for technology required
to implement the business continuity policy in conjunction and agreement with the business continuity
subject matter experts in order to adequately maintain continuity of operations in the case of disruptive
events documented within the Azure Cloud Services DRP, SOPs, and individual plans.

A formally documented organizational chart has been defined to demonstrate the organizational structure and lines
of reporting within the scope of Microsoft Azure Cloud Services’ BCMS.

The scope of the BCMS is reviewed and approved annually as a part of approval of the BCMS manual.

Understanding the Organization and its Context (Clause 4.1)


Microsoft Azure Cloud Services has a diverse set of stakeholders with high expectations for business continuity.
Customer workloads span the full range of criticality from prototypes to essential government functions, and
workloads comply with stringent regulations. Azure Cloud Services’ viability critically depends on meeting
stakeholder expectations for business continuity.

Understanding the Needs and Expectations of Interested Parties (Clause 4.2)


The Microsoft Azure Cloud Services BCMS considers the needs of relevant interested parties to determine the
obligations and expectations that the Azure Cloud Services BCMS needs to meet.

Determining the Scope of the BCMS (Clause 4.3)


The scope of the BCMS is defined and documented as part of the IMS scope statement, which was most recently
updated as of April 14, 2023, version 2023.03*. The scope of the BCMS is reviewed by the Microsoft compliance
manager at least annually or upon significant changes.

* Note that the IMS scope document was provided prior to the audit start and did not change from the scope in the
IMS scope document dated and approved in April 2023.

Business Continuity Management System (Clause 4.4)


Microsoft Azure Cloud Services establishes, implements, manages, and monitors the BCMS in adherence to the
ISO 22301 standard, in alignment with the Microsoft corporate policies and standards as well as the Azure
Cloud Services policies and SOPs. Microsoft Azure leadership periodically drives the monitoring, review, and
improvement objectives of the BCMS. Strategic alignment and direction provided by Azure leadership
are based on the periodic reviews of the BCMS and risk analysis.

Leadership (Clause 5)

Leadership and Commitment (Clause 5.1)


The Microsoft Azure Cloud Services leadership team provides governance for Microsoft Azure Cloud Services as
a whole. The Microsoft Azure Cloud Services leadership team is represented by the corporate vice president (VP)
and directors of the feature teams. Meetings are held on a periodic basis by the enterprise team as part of a
leadership council.

Microsoft Azure Cloud Services leadership is committed to lead and strategically align the BCMS to meet business
goals and objectives.

Policy (Clause 5.2)


The EBCM standard defines a common set of business continuity policies and practices that Microsoft Azure Cloud
Services teams subscribe to in order to help ensure standardized business continuity practices and
operationalization of Microsoft Azure Cloud Services BCMS. The EBCM policy defines the process for
determination of business continuity objectives, validation of capabilities, and continuous improvement. The Azure
Cloud Services Business Continuity SOP defines the specific implementation of the EBCM policy in Microsoft Azure
Cloud Services.

Roles, Responsibilities and Authorities (Clause 5.3)
Microsoft Azure Cloud Services management has ensured that appropriate roles and responsibilities for activities
relevant to business continuity are assigned and communicated. The Azure Cloud Services business continuity
SOP aligns the control processes and assigns adequate responsibilities and authorities for their execution, ensuring
conformity to the required policies, standards, and legal regulatory requirements.

Planning (Clause 6)

Actions to Address Risks and Opportunities (Clause 6.1)


Microsoft Azure Global risk management program (RMP) is in place to oversee and evaluate existing and emerging
risks / threats to Microsoft Azure environment. The RMP aligns the risk management framework with the Microsoft
Azure risk management procedures and processes (Microsoft Azure engineering, service operation, infrastructure,
and compliance). This includes determining relevant external and internal issues that impact and affect the outcome
of the BCMS.

The Microsoft Azure risk and exception management SOP outlines the management of risks associated with the
Microsoft Cloud Services BCDR plan. The BCMS risks and opportunities are regularly reviewed and documented
in the BCMS risks and opportunities document. Microsoft Azure Cloud Services has a dedicated EBCM program
to oversee the implementation of the process and assess conformance to policy and recoverability.

Business Continuity Objectives and Planning to Achieve Them (Clause 6.2)


The business continuity objectives are documented as part of the operationalization of recovery documents. The
business continuity objectives are to present a clear course of action to accomplish the goals of the BCMS.

The business continuity objectives are monitored as part of the BCMS risk and opportunities assessment. Further,
BCMS risks and opportunities meetings are performed at least on an annual basis to discuss updates regarding the
status of BCMS risk treatment plans relevant to BCMS risks and opportunities identified.

Planning of Changes to the Business Continuity Management System (Clause 6.3)


The organization determines the need for changes to the BCMS based on the BCMS risks and opportunities
assessment and review process. When a BCMS risk is identified, the organization allocates appropriate resources
and target completion timeframe to remediate the risk. For any changes to the BCMS, the organization takes into
consideration the integrity of the BCMS and any potential consequences.

Support (Clause 7)

Resources (Clause 7.1)


The Microsoft Azure Cloud Services leadership team is committed to providing the resources necessary to
implement, operate, monitor, and continually improve the BCMS. As such, the organization has established and
implemented BCMS roles and responsibilities.

Competency and Awareness (Clauses 7.2 and 7.3)


Competence requirements are defined for each role required to operate the BCMS, and training is provided as
appropriate. Competence for each role is based on education, training, and direct experience. New employees
are hired based on applicable education or equivalent direct experience. Competence is evaluated by senior team
members before new hires are allowed to perform critical functions independently. Azure Cloud Services personnel
are made aware of BCM policies and procedures, their contribution to the effectiveness, and the implications of
non-conformity, through a variety of methods depending on their role and knowledge requirements as defined in
the BCDR training and awareness SOP.

The Microsoft Azure BCDR education and awareness program is an ongoing process through which staff and contingent
staff are made aware of their contingency roles and responsibilities and actively help Microsoft Azure deliver more
resilient products and services.

Communication (Clause 7.4)
Microsoft Azure Cloud Services management is committed to proper communication of information related to the
BCMS. Communications are divided into two types:
• communications during disruptive incidents as documented with the incident management SOP; and
• communications related to the BCMS.

Documented Information (Clause 7.5)


The documents and records management procedure provides guidance on creating and maintaining the
documentation relevant to the Microsoft Azure Cloud Services BCMS. Microsoft Azure Cloud Services leverages
SharePoint as a repository for documentation; retention, disposition, change control, storage, and distribution
are managed accordingly.

Operation (Clause 8)

Operational Planning and Control (Clause 8.1)


The enterprise business continuity standard identifies the baseline requirements for implementing business
continuity, disaster recovery, and overall resilience at Microsoft to ensure Microsoft’s capability to recover in the
event of a major or catastrophic disruption that impacts its ability to meet customer expectations. The enterprise
business continuity standard applies to Microsoft employees, interns, and external staff that support attainment of
Microsoft’s goals. Work related to the implementation of a business continuity, disaster recovery, and / or resilience
capability follows the associated annual enterprise continuity requirements. Additionally, the business group (BG) /
engineering group (EG) builds upon these baseline requirements to adhere to more stringent internal or external
standards, requirements, or best practices.

Business Impact Analysis and Risk Assessment (Clause 8.2)


A formal process is implemented and maintained for business impact analysis and risk assessment which considers
the requirements of interested parties. Microsoft has established a risk and exception management SOP which
documents the Azure risk management program. Risk assessments are performed by Global Azure teams to
review the effectiveness of existing controls and safeguards as they pertain to information security and privacy, as
well as to identify new risks. These assessments ensure policies and supporting procedures properly address the
environment considering changing regulatory, contractual, business, technical, and operational requirements.
Microsoft Cloud Services implements the EBCM BIA process as defined within the BCDR Microsoft C+AI and Azure
SOP and extends it to represent the unique context of Azure’s cloud platform business continuity implementation.
Specifically, the Azure BIA process adds support for the concepts of supporting services and regional services
mapped to regional classification requirements with identifiable metric requirements such as RPO and RTO.

Business Continuity Strategies and Solutions (Clause 8.3)


Strategies and solutions are determined based on the output of business impact analysis and risk assessment for
the resumption of operations in the case of disruptive events. Sufficient resources are made available to execute
strategies. Proactive measures are taken to reduce the likelihood or reduce the impact or duration of a disruption.

BCDR assessment reports and test records for in-scope services were documented most recently as of October
2022, and identified that the following BCDR data properties were mapped within the BCDR manager tool to denote
that the business continuity strategy and solutions were operating effectively in conformance with the requirements
of the standard:
• Description of resiliency
• Region recovery classifications for the service
• Local service interruptions
• Service availability zones

Business Continuity Plans and Procedures (Clause 8.4)


Procedures are established, implemented, and maintained to respond to disruptive events. These procedures
consider execution of incident response workflow and structure, service recovery plans, communications protocol,
and unanticipated conditions. The Cloud Services and Azure program have leveraged two standard plans that apply to
all business services and technology plans. The BCP master plan does not require each business process service
to create its own plan unless it requires tasks or processes over and above the master plan. The organization uses a
standard BCP plan for personnel across the spectrum.

Exercise Program (Clause 8.5) / Evaluation of Business Continuity Documentation and Capabilities (Clause 8.6)
Business continuity procedures are tested to ensure consistency with business continuity objectives. The BCP
team tracks testing of the business continuity and disaster recovery plans for critical services, per the defined testing
schedule and for a variety of loss scenarios, with the BCDR manager tool. Test frequency varies by service and is
defined by the service’s criticality and risk tolerance, annually or upon significant change. Testing occurs in
production or in an environment which realistically simulates production. Issues that are identified are resolved
when possible during exercises, and plans are updated accordingly. Issues that cannot be immediately resolved
are tracked as a risk, remediation is planned, and re-testing occurs to close them.

Performance Evaluation (Clause 9)

Monitoring, Measurement, Analysis and Evaluation (Clause 9.1)


Microsoft Azure manages availability KPIs to measure performance and effectiveness across the BCMS. Annual
assessments managed by independent entities are conducted over the design and operating effectiveness of the
control environment, which allow monitoring and measurement of the effectiveness of the operating controls.
Monitoring is embedded in each service area supporting the BCMS. Senior leadership reviews and amends the
security KPIs and major milestones as part of the semester planning process on a semi-annual basis.

Internal Audit (Clause 9.2)


Microsoft Azure Cloud Services management is committed to investing in continuous independent reviews and
assessments of the Microsoft Azure Cloud Services BCMS and control environment to ensure that the design and
operating effectiveness of the controls is assessed and validated on a periodic basis. Microsoft Azure Cloud Services
undergoes several assessments managed by independent internal and external entities.

The most recent internal audit was performed in March 2023, the internal audit report was dated April 7, 2023*, and
covered the conformance of the BCMS to requirements of the ISO 22301 standard. The internal audit report
included an overall conclusion, audit objectives, scope, audit criteria (inclusive of frequency and methods),
assessment of areas reviewed, as well as detailed audit results to support the audit conclusion. The internal audit
report was provided to management in April 2023*.

* Note that the IMS internal audit plan and internal audit report were provided to the audit team in April, after
recertification review fieldwork but prior to reporting. The audit process related to the BCMS internal audit did
not change compared to the 2022 internal audit process.

Management Review (Clause 9.3)


Management reviews of the BCMS are performed to ensure its continuing suitability, adequacy, and effectiveness.
The IMF’s role is to provide management oversight and guidance on the business operations and effectiveness of
the BCMS via periodic meetings.

EBCM executive scorecards are communicated through C+AI committee meetings across levels of leadership,
noting EBCM readiness to recover as well as trending compliance scoring, which covers the above-mentioned
items related to the BCMS and how they met the business continuity objectives.

Improvement (Clause 10)

Microsoft Azure Cloud Services management will take corrective action to eliminate the cause of nonconformities
within the scope of the BCMS in order to prevent the recurrence of control failures and reduce the likelihood and
impact of future business continuity incidents.



Microsoft Azure management is committed to continual improvement of the effectiveness of the BCMS through
implementation of the EBCM methodology, audit results, analysis of monitored events, corrective and preventive
actions, and management reviews. These are performed quarterly by the EBCM, monthly during C+AI fundamental
meetings, and annually by the Azure Cloud Services BCDR program as part of the approval process. In addition,
monthly reporting is provided to the primary business owner on status and outstanding issues or opportunities.

SECTION 3
RECERTIFICATION REVIEW TESTING RESULTS


TEST RESULT CLASSIFICATIONS
Explanation of ISO Requirement Classifications

This report provides management with an identification of the documentation efforts, in addition to the review and
testing of the maintenance, monitoring, and operating effectiveness of the BCMS in relation to the ISO 22301
standard requirements, specifically Clauses 4 through 10, that are applicable to the BCMS. Documentation
requirements as well as the maintenance, monitoring, and operating effectiveness of the BCMS have been
classified according to their significance in achieving conformance to the standard. The classifications are defined
as follows:
• Conform (C) – Based on observations, discussions with personnel, and inspection testing, these
documentation requirements and/or controls are currently in place and found to be operating effectively.
• Nonconformities (Major (MJ) and Minor (MN))
Per definition from ISO 17021-1, a nonconformity is a nonfulfillment of the requirement. Major and Minor
Nonconformity definitions are included below:
o Major: nonconformity that affects the capability of the management system to achieve the
intended results
Note 1 to entry: Nonconformities could be classified as major in the following circumstances: 1) if
there is a significant doubt that effective process control is in place, or that products or services will
meet specified requirements, or 2) a number of minor nonconformities associated with the same
requirement or issue could demonstrate a systemic failure and thus constitute a major
nonconformity.
o Minor: nonconformity that does not affect the capability of the management system to
achieve the intended results
• Not Applicable (NA) – The Clause was not applicable to the review.



RECERTIFICATION REVIEW TESTING RESULTS – BCMS FRAMEWORK

Clause | Subject Audited | Classification (C / MN / MJ / NA) | Remarks

4 | Context of the Organization
4.1 | Understanding the organization and its context | ✓
4.2 | Understanding the needs and expectations of interested parties | ✓
4.3 | Determining the scope of the quality management system | ✓
4.4 | Quality management system and its processes | ✓

5 | Leadership
5.1.1 | General leadership and commitment | ✓
5.1.2 | Customer focus | ✓
5.2.1 | Establishing the quality policy | ✓
5.2.2 | Communicating the quality policy | ✓
5.3 | Organizational roles, responsibilities, and authorities | ✓

6 | Planning
6.1 | Actions to address risks and opportunities | ✓
6.2 | Quality objectives and planning to achieve them | ✓
6.3 | Planning of changes | ✓

7 | Support
7.1.1 | Resources – general | ✓
7.1.2 | People | ✓
7.1.3 | Infrastructure | ✓
7.1.4 | Environment for the operation of processes | ✓
7.1.5.1 | Monitoring and measuring resources – general | ✓
7.1.5.2 | Monitoring and measuring resources – measurement and traceability | ✓
7.1.6 | Organizational knowledge | ✓
7.2 | Competence | ✓
7.3 | Awareness | ✓
7.4 | Communications | ✓
7.5.1 | Documented information – general | ✓
7.5.2 | Documented information – creating and updating | ✓
7.5.3 | Documented information – control of documented information | ✓

8 | Operation
8.1 | Operational planning and control | ✓
8.2.1 | Requirements for products and services – customer communication | ✓
8.2.2 | Requirements for products and services – determining the requirements for products and services | ✓
8.2.3 | Requirements for products and services – review of the requirements for products and services | ✓
8.2.4 | Requirements for products and services – changes to requirements for products and services | ✓
8.3.1 | Design and development of products and services – general | ✓
8.3.2 | Design and development of products and services – design and development planning | ✓
8.3.3 | Design and development of products and services – design and development inputs | ✓
8.3.4 | Design and development of products and services – design and development controls | ✓
8.3.5 | Design and development of products and services – design and development outputs | ✓
8.3.6 | Design and development of products and services – design and development changes | ✓
8.4.1 | Control of externally provided processes, products, and services – general | ✓
8.4.2 | Control of externally provided processes, products, and services – type and extent of control | ✓
8.4.3 | Control of externally provided processes, products, and services – information for external parties | ✓
8.5.1 | Production and service provision – control of production and service provision | ✓
8.5.2 | Production and service provision – identification and traceability | ✓
8.5.3 | Production and service provision – property belonging to customers or external providers | ✓
8.5.4 | Production and service provision – preservation | ✓
8.5.5 | Production and service provision – post-delivery activities | ✓
8.5.6 | Production and service provision – control of changes | ✓
8.6 | Release of products and services | ✓
8.7 | Control of nonconforming outputs | ✓

9 | Performance Evaluation
9.1.1 | Monitoring, measurement, analysis, and evaluation – general | ✓
9.1.2 | Monitoring, measurement, analysis, and evaluation – customer satisfaction | ✓
8.1.3 | Monitoring, measurement, analysis, and evaluation – analysis and evaluation | ✓
9.2 | Internal audit | ✓
9.3.1 | Management review – general | ✓
9.3.2 | Management review – inputs | ✓
9.3.2 | Management review – outputs | ✓

10 | Improvement
10.1 | Improvement – general | ✓
10.2 | Improvement – nonconformity and corrective action | ✓
10.3 | Improvement – continual improvement | ✓


SECTION 4
CERTIFICATION CYCLE PROGRAM


CERTIFICATION CYCLE PROGRAM

Year | Type of Review | Process to be Reviewed | Audit Time | Locations to be Visited
2023 | Recertification | BCMS and full system scope | 3.0 days remote / 1.0 days off-site | Redmond, WA
2024 | Surveillance | BCMS and specific scope testing surrounding operations | 1.5 days on-site / 0.5 day off-site | Redmond, WA
2025 | Surveillance | BCMS and specific scope testing surrounding operations | 1.5 days on-site / 0.5 day off-site | Redmond, WA
2026 | Recertification | BCMS and full system scope | 3.0 days on-site / 1.0 days off-site | Redmond, WA

Legend: Future projects


APPENDIX
MICROSOFT AZURE SCOPE STATEMENT


MICROSOFT AZURE SCOPE STATEMENT
Scope of the BCMS

The scope of the IMS (which includes the ISMS, PIMS, SMS, BCMS, and QMS) comprises the development,
operations, and infrastructure teams for Azure and Azure-based services deployed in Public and Government Cloud,
collectively referred to as Microsoft Azure, Dynamics, and other Online Services.

Microsoft: Azure, Dynamics, and other Online Services IMS applies to information resources, processes, and
personnel within the Microsoft: Azure, Dynamics, and other Online Services Group. Information Resources include
any Microsoft: Azure, Dynamics, and other Online Services owned or managed systems, applications, and network
elements, and any information processed by, or used to provide Microsoft services.

Azure Cloud-based Services Inclusions

The IMS scope includes selective Microsoft: Azure, Dynamics, and other Online Services noted below that are
deployed in Azure Public and Government Cloud including their development and operations, infrastructure and
their associated security, privacy, and compliance:

Cloud Environment Scope

Service/Offering Name | Azure | Azure Government

Product Category: AI + Machine Learning
Azure Applied AI Services | ✓ | ✓
Azure Bot Service | ✓ | ✓
Azure Open Datasets | ✓ | -
Cognitive Services | ✓ | ✓
Cognitive Services: Anomaly Detector | ✓ | -
Cognitive Services: Form Recognizer | ✓ | ✓
Cognitive Services: Metrics Advisor | ✓ | -
Cognitive Services: Computer Vision | ✓ | ✓
Cognitive Services: Container Platform | ✓ | ✓
Cognitive Services: Content Moderator | ✓ | ✓
Cognitive Services: Custom Vision | ✓ | ✓
Cognitive Services: Cognitive Service Platform | ✓ | ✓
Cognitive Services: Face | ✓ | ✓
Cognitive Services: Immersive Reader | ✓ | -
Cognitive Services: Personalizer | ✓ | ✓
Cognitive Services: Text Analytics | ✓ | ✓
Cognitive Services: Language Understanding | ✓ | ✓
Cognitive Services: Translator | ✓ | ✓
Cognitive Services: QnAMaker Service | ✓ | ✓
Cognitive Services: Speech Services | ✓ | ✓
Cognitive Services: Video Indexer | ✓ | ✓
Azure Machine Learning | ✓ | ✓
AI builder | ✓ | ✓
Machine Learning Studio (Classic) | ✓ | -
Microsoft Genomics | ✓ | -
Microsoft Autonomous Development Platform | ✓ | -
Azure Health Bot | ✓ | -
Open AI Enterprise | ✓ | -
Azure Singularity | ✓ | -

Product Category: Analytics
Azure Analysis Services | ✓ | ✓
Azure Data Explorer | ✓ | ✓
Data Factory | ✓ | ✓
HDInsight | ✓ | ✓
Azure Stream Analytics | ✓ | ✓
Data Catalog | ✓ | -
Data Lake Analytics | ✓ | -
Azure Data Share | ✓ | ✓
Power BI Embedded | ✓ | ✓

Product Category: Compute
Cloud Services | ✓ | ✓
Azure Service Fabric | ✓ | ✓
Virtual Machine (VM) Scale Sets | ✓ | ✓
Virtual Machines | ✓ | ✓
Batch | ✓ | ✓
Azure Functions | ✓ | ✓
App Service | ✓ | ✓
App Service – Web Apps (including Containers) | ✓ | ✓
App Service – API Apps | ✓ | ✓
App Service – Mobile Apps | ✓ | ✓
App Service – Static Web Apps | ✓ | ✓
Service Connector | ✓ | -
Guest Configuration | ✓ | ✓
Azure VMware Solution | ✓ | -
Planned Maintenance | ✓ | ✓
Azure Arc-enabled Servers | ✓ | ✓
Azure Spring Apps | ✓ | -
Azure VM Image Builder | ✓ | ✓
Azure Virtual Desktop | ✓ | ✓
Azure Service Manager (RDFE) | ✓ | ✓

Product Category: Containers
Azure Kubernetes Service (AKS) | ✓ | ✓
Azure Arc-enabled Kubernetes | ✓ | ✓
Azure Kubernetes Configuration Management | ✓ | ✓
Azure Red Hat OpenShift (ARO) | ✓ | ✓
Container Instances | ✓ | ✓
Container Registry | ✓ | ✓
Azure Container Apps | ✓ | -
Azure Container Service | ✓ | ✓
Azure Kubernetes Fleet Manager | ✓ | ✓

Product Category: Databases
Azure Arc-enabled SQL Server | ✓ | -
Azure Cosmos DB | ✓ | ✓
Azure SQL | ✓ | ✓
Azure Database for MariaDB | ✓ | ✓
Azure Database for MySQL | ✓ | ✓
Azure Database for PostgreSQL | ✓ | ✓
Azure Database Migration Service | ✓ | ✓
Azure Cache for Redis | ✓ | ✓
Azure Health Data Services (formerly Azure API for FHIR) | ✓ | ✓
Azure Synapse Analytics | ✓ | ✓
SQL Server Registry | ✓ | -
SQL Server Stretch Database | ✓ | ✓
Azure SQL Database Edge | ✓ | -
Azure Managed Instance for Apache Cassandra | ✓ | -

Product Category: Developer Tools
Azure DevTest Labs | ✓ | ✓
Azure Lab Services | ✓ | ✓
Azure Load Testing | ✓ | ✓
Azure for Education | ✓ | -
Azure App Configuration | ✓ | ✓
GitHub AE | ✓ | ✓

Product Category: Identity
Azure Information Protection | ✓ | ✓
Azure Active Directory | ✓ | ✓
Microsoft Accounts | ✓ | -
Azure Active Directory B2C | ✓ | ✓
Azure Active Directory Domain Services | ✓ | ✓

Product Category: Integration
Logic Apps | ✓ | ✓
API Management | ✓ | ✓
Service Bus | ✓ | ✓
Event Hubs | ✓ | ✓
Event Grid | ✓ | ✓

Product Category: Internet of Things
Azure IoT Central | ✓ | -
Azure IoT Hub | ✓ | ✓
Notification Hubs | ✓ | ✓
Device Update for IoT Hub | ✓ | -
Azure Sphere | ✓ | -
Azure Time Series Insights | ✓ | -
Windows 10 IoT Core Services | ✓ | -
Azure Defender for IoT | ✓ | ✓
Azure Digital Twins | ✓ | -
Microsoft Cloud for Sustainability | ✓ | -

Product Category: Management and Governance
Application Change Analysis | ✓ | ✓
Azure Resource Manager (ARM) | ✓ | ✓
Automation | ✓ | ✓
Azure Advisor | ✓ | ✓
Azure Lighthouse | ✓ | ✓
Azure Managed Applications | ✓ | ✓
Azure Managed Grafana | ✓ | -
Azure Migrate | ✓ | ✓
Azure Monitor | ✓ | ✓
Azure Policy | ✓ | ✓
Azure Resource Graph | ✓ | ✓
Cloud Shell | ✓ | ✓
Microsoft Azure Portal | ✓ | ✓
Azure Blueprints | ✓ | -
Cost Management | ✓ | ✓
Azure Signup Portal | ✓ | ✓
Resource Move | ✓ | ✓
Quota+ Usage Blade | ✓ | ✓
Microsoft Purview (formerly Azure Purview) | ✓ | -

Product Category: Media
Azure Media Services | ✓ | ✓

Product Category: Mixed Reality
Azure Spatial Anchors | ✓ | -
Azure Remote Rendering | ✓ | -

Product Category: Networking
Application Gateway | ✓ | ✓
Load Balancer | ✓ | ✓
Microsoft Azure Peering Service | ✓ | ✓
Azure ExpressRoute | ✓ | ✓
Virtual Network | ✓ | ✓
VPN Gateway | ✓ | ✓
Azure Bastion | ✓ | ✓
Azure DDoS Protection | ✓ | ✓
Azure DNS | ✓ | ✓
Azure Firewall | ✓ | ✓
Azure Firewall Manager | ✓ | ✓
Azure Front Door | ✓ | ✓
Azure Internet Analyzer | ✓ | -
Azure Private Link | ✓ | ✓
Azure Web Application Firewall | ✓ | ✓
Content Delivery Network | ✓ | ✓
Network Watcher | ✓ | ✓
Traffic Manager | ✓ | ✓
Virtual WAN | ✓ | ✓
Azure Public IP | ✓ | ✓
Virtual Network NAT | ✓ | ✓
Azure Network Function Manager | ✓ | -
Azure Route Server | ✓ | ✓
Azure Virtual Network Manager | ✓ | -

Product Category: Security
Key Vault | ✓ | ✓
Azure Payment HSM | ✓ | -
Multi-Factor Authentication | ✓ | ✓
Azure Dedicated HSM | ✓ | ✓
Customer Lockbox for Microsoft Azure | ✓ | ✓
Microsoft Sentinel (formerly Azure Sentinel) | ✓ | ✓
Microsoft Defender for Cloud (formerly Azure Security Center) | ✓ | ✓
Microsoft Azure Attestation | ✓ | -
Trusted Hardware Identity Management | ✓ | -

Product Category: Storage
Storage (Blobs (including Azure Data Lake Storage Gen 2), Disks, Files, Queues, Tables, Azure Disk Storage) including Cool and Premium | ✓ | ✓
Azure Archive Storage | ✓ | ✓
Azure Data Box | ✓ | ✓
Azure HPC Cache | ✓ | ✓
Azure Site Recovery | ✓ | ✓
StorSimple | ✓ | ✓
Azure Backup | ✓ | ✓
Azure File Sync | ✓ | ✓
Azure NetApp Files | ✓ | ✓
Azure Data Lake Storage Gen 1 | ✓ | -

Product Category: Web
Azure Cognitive Search | ✓ | ✓
Azure Fluid Relay | ✓ | -
Azure Maps | ✓ | ✓
Azure SignalR Service | ✓ | ✓
Azure Web PubSub | ✓ | ✓

Supporting Infrastructure and Platform Services | ✓ | ✓

Microsoft Online Services
Appsource | ✓ | -
Intelligent Recommendations | ✓ | -
Microsoft Intune | ✓ | ✓
Microsoft Defender for Cloud Apps | ✓ | ✓
Microsoft Graph | ✓ | ✓
Microsoft Managed Desktop | ✓ | -
Microsoft Stream | ✓ | ✓
Power Apps | ✓ | ✓
Power Automate | ✓ | ✓
Power BI | ✓ | ✓
Azure Public MEC | ✓ | -
Power Virtual Agents | ✓ | ✓
Microsoft Threat Experts | ✓ | -
Nomination Portal | ✓ | ✓
Microsoft 365 Defender | ✓ | ✓
Microsoft Defender for Endpoint | ✓ | ✓
Microsoft Defender for Identity | ✓ | ✓
Microsoft Bing for Commerce | ✓ | -
Universal Print | ✓ | -
Update Compliance | ✓ | -
Azure Managed Experience | ✓ | -
Windows Autopatch | ✓ | -

Microsoft Dynamics 365
Dynamics 365 Customer Service | ✓ | ✓
Dynamics 365 Customer Insights Engagement Insights | ✓ | -
Dynamics 365 Customer Voice | ✓ | ✓
Dynamics 365 Field Service | ✓ | ✓
Dynamics 365 Sales | ✓ | ✓
Dynamics 365 Sales Professional | ✓ | -
Dynamics 365 Sales Insights | ✓ | -
Dynamics 365 AI Customer Insights | ✓ | ✓
Dynamics 365 Business Central | ✓ | -
Dynamics 365 Finance | ✓ | ✓
Dynamics 365 Fraud Protection | ✓ | -
Dynamics 365 Marketing | ✓ | -
Power Pages | ✓ | ✓
Dynamics 365 Project Service Automation | ✓ | ✓
Dynamics 365 Project Operations | ✓ | -
Dynamics 365 Retail | ✓ | -
Dynamics 365 Supply Chain Management | ✓ | -
Dynamics 365 Commerce | ✓ | -
Dynamics 365 Human Resources | ✓ | -
Dynamics 365 Intelligent Order Management | ✓ | -
Chat for Dynamics 365 | ✓ | ✓
Dynamics 365 – Data Export Service | ✓ | -
Dynamics 365 Athena – CDS to Azure Data Lake | ✓ | ✓
Dynamics 365 Guides | ✓ | -
Dynamics 365 Business Q&A | ✓ | -
Dynamics 365 Remote Assist | ✓ | ✓
Business 360 AI Platform | ✓ | -
Dataverse | ✓ | ✓

Microsoft Cloud for Financial Services
Unified Customer Profile | ✓ | -
Collaboration Manager | ✓ | -
Customer Onboarding | ✓ | -


Physical Environment

Microsoft: Azure, Dynamics, and other Online Services are hosted in datacenters located throughout the world,
which are managed by Azure’s Physical Infrastructure team. The Physical Infrastructure team provides the physical
and logical infrastructure for Microsoft’s cloud and hosted applications. The Physical Infrastructure team serves as
the underlying platform that supports Microsoft’s software plus service strategy. The physical infrastructure includes
the datacenter facilities, as well as the hardware and software components that support the services and networks.
At Microsoft, the logical infrastructure consists of operating system instances, routed networks, and unstructured
data storage, whether running on virtual or physical assets. Platform services include compute runtimes, identity,
and directory stores (such as Active Directory® and Microsoft account), and other advanced functions consumed
by Microsoft properties.

The scope of the BCMS was limited to operations performed out of the Redmond, Washington, office facility. The
scope of the BCMS does not extend to the data center facilities.

Main Location of the BCMS

One Microsoft Way
Redmond, Washington 98052
United States