ULB O365 AuditedControls

Audited Controls Information
What is in this spreadsheet?

The tabs in this spreadsheet
Columns within each of the other tabs:
Control Id
Control Title
Office 365 Control Ids
Implementation Details
Testing Details
Last Tested
Tested By
Control Family Id
Control Family Name
Control Family Description
s Information
This spreadsheet provides information about Microsoft Office 365 controls, implementation details, and audit test
The first tab of this spreadsheet is the "Introduction" tab - which you are reading right now :-). Each of the rest of the tab(s)
he other tabs:
Control identification number as established by the regulation or standard

Title of the control
Control identificaion number(s) of the Microsoft Office 365 controls aligned to the regulation or standard
Detailed information on how Microsoft Office 365 implements controls to comply with the regulation or standard in order
Detailed information on the testing of this control that was performed by either independent third party auditors or
Date that the control was last tested
Who tested the control
Control family or control area identification number as established by the regulatory standard or compliance guidance
Control family or control area name based on guidelines from the regulatory standard or compliance guidance
Control family or control area summary including a high level explanation of the underlying controls implemented within
Name:
Description:
Control Id
A.5.1.1
A.5.1.2
A.6.1.1
A.6.1.2
A.6.1.3
A.6.1.4
A.6.1.5
A.6.2.1
A.6.2.2
A.7.1.1
A.7.1.2
A.7.2.1
A.7.2.2
A.7.2.3
A.7.3.1
A.8.1.1
A.8.1.2
A.8.1.3
A.8.1.4
A.8.2.1
A.8.2.2
A.8.2.3
A.8.3.1
A.8.3.2
A.8.3.3
A.9.1.1
A.9.1.2
A.9.2.1
A.9.2.2
A.9.2.3
A.9.2.4
A.9.2.5
A.9.2.6
A.9.3.1
A.9.4.1
A.9.4.2
A.9.4.3
A.9.4.4
A.9.4.5
A.10.1.1
A.10.1.2
A.11.1.1
A.11.1.2
A.11.1.3
A.11.1.4
A.11.1.5
A.11.1.6
A.11.2.1
A.11.2.2
A.11.2.3
A.11.2.4
A.11.2.5
A.11.2.6
A.11.2.7
A.11.2.8
A.11.2.9
A.12.1.1
A.12.1.2
A.12.1.3
A.12.1.4
A.12.2.1
A.12.3.1
A.12.4.1
A.12.4.2
A.12.4.3
A.12.4.4
A.12.5.1
A.12.6.1
A.12.6.2
A.12.7.1
A.13.1.1
A.13.1.2
A.13.1.3
A.13.2.1
A.13.2.2
A.13.2.3
A.13.2.4
A.14.1.1
A.14.1.2
A.14.1.3
A.14.2.1
A.14.2.2
A.14.2.3
A.14.2.4
A.14.2.5
A.14.2.6
A.14.2.7
A.14.2.8
A.14.2.9
A.14.3.1
A.15.1.1
A.15.1.2
A.15.1.3
A.15.2.1
A.15.2.2
A.16.1.1
A.16.1.2
A.16.1.3
A.16.1.4
A.16.1.5
A.16.1.6
A.16.1.7
A.17.1.1
A.17.1.2
A.17.1.3
A.17.2.1
A.18.1.1
A.18.1.2
A.18.1.3
A.18.1.4
A.18.1.5
A.18.2.1
A.18.2.2
A.18.2.3
C.4.1
C.4.2.a
C.4.2.b
C.4.3.a
C.4.3.b
C.4.3.c
C.4.4
C.5.1.a
C.5.1.b
C.5.1.c
C.5.1.d
C.5.1.e
C.5.1.f
C.5.1.g
C.5.1.h
C.5.2.a
C.5.2.b
C.5.2.c
C.5.2.d
C.5.2.e
C.5.2.f
C.5.2.g
C.5.3.a
C.5.3.b
C.6.1.1.a
C.6.1.1.b
C.6.1.1.c
C.6.1.1.d
C.6.1.1.e.1
C.6.1.1.e.2
C.6.1.2.a.1
C.6.1.2.a.2
C.6.1.2.b
C.6.1.2.c.1
C.6.1.2.c.2
C.6.1.2.d.1
C.6.1.2.d.2
C.6.1.2.d.3
C.6.1.2.e.1
C.6.1.2.e.2
C.6.1.3.a
C.6.1.3.b
C.6.1.3.c
C.6.1.3.d
C.6.1.3.e
C.6.1.3.f
C.6.2.a
C.6.2.b
C.6.2.c
C.6.2.d
C.6.2.e
C.6.2.f
C.6.2.g
C.6.2.h
C.6.2.i
C.6.2.j
C.7.1
C.7.2.a
C.7.2.b
C.7.2.c
C.7.2.d
C.7.3.a
C.7.3.b
C.7.3.c
C.7.4.a
C.7.4.b
C.7.4.c
C.7.4.d
C.7.4.e
C.7.5.1.a
C.7.5.1.b
C.7.5.2.a
C.7.5.2.b
C.7.5.2.c
C.7.5.3.Part1.a
C.7.5.3.Part1.b
C.7.5.3.Part2.c
C.7.5.3.Part2.d
C.7.5.3.Part2.e
C.7.5.3.Part2.f
C.8.1.Part1
C.8.1.Part2
C.8.1.Part3
C.8.1.Part4
C.8.2
C.8.3
C.9.1.a
C.9.1.b
C.9.1.c
C.9.1.d
C.9.1.e
C.9.1.f
C.9.2.a.Part1
C.9.2.a.Part2
C.9.2.b
C.9.2.c
C.9.2.d
C.9.2.e
C.9.2.f
C.9.2.g
C.9.3.Part1
C.9.3.Part2.a
C.9.3.Part2.b
C.9.3.Part2.c
C.9.3.Part2.d
C.9.3.Part2.e
C.9.3.Part2.f
C.9.3.Part3
C.9.3.Part4
C.10.1.a
C.10.1.b
C.10.1.c
C.10.1.d
C.10.1.e
C.10.1.f
C.10.1.g
C.10.2
ISO 27001:2013
Office 365 has been accredited to latest ISO 27001:2013 standards. Information under this standard
Control Title
Policies for information security
Review of information security policies
Information security roles and responsibilities
Implementation of segregation of duties
Contacts with authorities
Contacts with information security special interest organizations
Information security management for Office 365 projects
Policies for mobile devices
Management of teleworking
Screening requirements
Employment terms and conditions
Management responsibilities around information security
Plan for information security awareness, education, and training
Disciplinary process around information security breach
Responsibilities around termination
Asset inventory
Asset ownership
Assets acceptable use policy
Asset collection upon termination
Information classification
Standards for information labelling
Data handling
Removable media management
Media disposal
Physical media transfer and handling
Access control policy
Network and network service management
User registration and de-registration process
Provisioning process for user access
Privileged access rights management
User secret authentication information management
User access right reviews
Process for removal or adjustment of access rights
Secret authentication information
Restriction on information access
Secure log-on procedures
Management of passwords
Usage of privileged utility programs
Source code access controls
Cryptographic controls policy
Key management policy
Physical perimeter security
Physical access controls around distribution and transmission
Security around offices, rooms, and facilities
External and environment threat protection
Secure area work procedures
Controls for delivery and loading areas
Controls for equipment siting and protection
Controls for supporting utilities
Controls for cabling security
Controls for equipment maintenance
Controls for removal of assets
Controls for security of equipment and assets off-premises
Controls for secure disposal or reuse of equipment
Controls for unattended user equipment
Controls for secure disposal or reuseof equipment
Operating procedures
Change management procedures
Capacity planning and management
Development, testing, and operational environment separation
Malware prevention controls
Backup procedures
Event logs
Log protection
Administrative and operational logs
Clock synchronization process
Software installation
Vulnerabilities management
Software installation restrictions
Information systems audit controls
Controls for network management
Network service agreements
Network segregation
Policies and procedures for information transfer
Information transfer agreements
Electronics messaging
Agreements for confidentiality / non-disclosure
Information security requirement analysis and specification
Application security over public networks
Application service transactions protection
Policy for secure development
Change control process
Application change reviews
Software change restrictions
Principals for engineering secure systems
Secure development
Outsourced development
Testing for system security
System acceptance testing
Test data security
Information security requirements for Office 365 suppliers
Supplier information security agreements
Technology supply chain supporting online services
Supplier services monitoring and review
Managing changes to Office 365 supplier services
Incident management responsibilities and procedures
Incident reporting
Security vulnerability reporting
Security event assessment
Incident response
Information security incident learnings
Incident evidence management
Information security continuity management
Information security continuity implementation
Verification, and evaluation of information security continuity
Information processing facilities availability
Applicable legislation and contractual requirements
Intellectual property rights management
Records protection
Privacy and protection of personally identifiable information
Cryptographic controls regulations
Independent review
Compliance
Technical compliance
Intended outcomes of information security management system
Relevant parties
Information security requirements
Information security management system scope
Information security requirements relating to ISMS scope
ISMS boundaries and interfaces
Information security management system
Leadership commitment to information security policy and objectives
Leadership commitment to integration of processes
Leadership commitment to resource management
Leadership commitment to communications
Leadership commitment for support and review
Leadership commitment for contribution to ISMS effectiveness
Leadership commitment to continual improvement
Leadership commitment to other relevant management roles
Information security policy's appropriateness to purpose of organization
Information security policy framework
Information security policy - commitment to satisfy applicable requirements
Information security policy commitment to continual improvement
Information security policy documented information
Information security policy communication within Office 365
Information security policy shall be available to interested parties, as appropriate.
Office 365 top management supporting information security management system conformation
Top management reporting on the performance of the information security management system
Actions to determine the risks and opportunities
Actions to prevent, or reduce, undesired effects
Actions to achieve continual improvement
Actions to address risks and opportunities
Actions for Integration, implementation
Effectiveness of actions
Information security risk assessment process
Information security risk criteria
Information security risk assessments focus on consistent, valid and comparable results
Identification of the information security risks
Identify the risk owners
Office 365's assessment of the potential consequences of information security risks
Assessment and the realistic likelihood of the occurrence of the risks identified
Determination of the levels of risk
Comparison of the results of risk analysis with the risk criteria established
Prioritization of the analyzed risks for risk treatment
Selection of appropriate information security risk treatment options
Determination of controls that are necessary to implement the information security risk treatment o
Office 365's definition and application of an information security risk treatment process
Office 365's production of a Statement of Applicability that contains the necessary controlN160s
Information security risk treatment process to formulate an information security risk treatment plan
Approval of the information security risk treatment plan and acceptance of the residual information s
Information security objectives consistent with the information security policy
Measurable information security objectives
Applicable information security requirements, and results from risk assessment and risk treatment
Communication of information security objectives
Updates to e information security objectives
Planning for achieving its information security objectives
Resource management to achieve its information security objectives
Responsibilities for information security objectives
Completion timelines for information security objectives
Evaluation of results for information security objectives
Resources needed for the establishment, implementation, maintenance and continual improvement
Competence of personnel doing work under Office 365s control that affects its information security
Competencies on the basis of appropriate education, training, or experience
Actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken
Documented information as evidence of competence
Information security policy awareness
Office 365 personnel awareness around contribution to the effectiveness of the information securi
Personnel awareness of the implications of non-conformance
Internal and external communications relevant to the information security management system
Determination for the need for internal and external communications (when to communication)
Information security communications (whom to communicate)
Determination for the need for internal and external communications (who shall communicate)
Internal and external information security communications process
Information security management system shall include documented information required by this Int
Documentation evidencing the effectiveness of the information security management system
Office 365 documentation for appropriate identification and description
Documentation in appropriate format and media
Documentation under appropriate review and approval
Appropriate control of documentation
Adequate protection of documentation
Document distribution, access, retrieval and use
Document storage and preservation
Document control of changes
Document retention and disposition
Plans to achieve information security objectives determined in ISMS
Documented information for processes have been carried out as part of information security plan
Office 365's actions to mitigate any adverse effects
Outsourced processes
Information security risk assessments at planned intervals
Information security risk treatment plan.
Effectiveness of the information security management system.
Methods for monitoring, measurement, analysis and evaluation
Determination of monitoring and measuring period
Responsibilities for monitoring and measuring
Analysis of results from monitoring and measurements
Responsibilities to analyze and evaluate results
Internal audits
Internal audits to measure conformation to ISO 271001 standard
Internal audits to measure effectiveness of information security management system implemented
Audit program
Audit criteria and scope
Selection of auditors
Office 365 reporting of audits results to relevant management
Documented information as evidence of the audit program
Management review
Consideration of the status of actions from previous management reviews.
Consideration of changes in external and internal issues
Consideration of feedback on the information security performance
Consideration of feedback from interested parties.
Consideration of results of risk assessment and status of risk treatment plan.
Consideration of opportunities for continual improvement.
Outputs of management review
Documented information as evidence of the resultN226s of management reviews.
Actions to control and correct non-conformity
Evaluation for action to eliminate the causes of nonconformity
Implementation of any action needed to manage non-conformity
Effectiveness for corrective actions taken
Changes to the information security management system as necessary
Documented information as evidence
Documented evidence of the results of any corrective action
Continual improvement of the information security management system.
AC-0100, AU-0100, CM-0100, CP-0100, IA-0100, IR-0100, MA-0100, MP-
AC-0102, AU-0102, CM-0102, CP-0102, IA-0102, IR-0102, MA-0102, MP-
PM-0101
AC-0144
PM-0132, PM-0133, PM-0134, SI-0146
PM-0132, PM-0133, PM-0134, SI-0146
SA-0104, SA-0105, SA-0106
AC-0100, AC-0207, AC-0208
AC-0100, AC-0183, AC-0185
PS-0109, PS-0107
PL-0120, PS-0131, PS-0133
PL-0120, PS-0131, PS-0132, PS-0133
AT-0104, AT-0105, AT-0106, AT-0108, AT-0109, AT-0110
PS-0136, PS-0100
PS-0138
CM-0152, CM-0153
CM-0160
PL-0120
PS-0116
RA-0129, RA-0130, RA-0131
SI-0172
MP-0101, AC-0141
MP-0101
MP-0119
MP-0113, MP-0114, MP-0115, MP-0116
AC-0100
AC-0147, AC-0115
IA-0119, AC-0106, AC-0107, AC-0108, AC-0109
AC-0107, AC-0109
AC-0147, AC-0124, AC-0126
IA-0129
AC-0118
AC-0109, PS-0113, PS-0114
IA-0134
AC-0127
IA-0104, IA-0114
IA-0136, IA-0137, IA-0140, IA-0141
AC-0148, SA-0107
DX-0306
SC-0148
SC-0143, SC-0148
PE-0111, PE-0112, PE-0122, PE-0123
PE-0111, PE-0112, PE-0122, MP-0112
PE-0111, PE-0112, PE-0114, PE-0115, PE-0118
PE-0122, PE-0158, PE-0144, PE-0146, PE-0147, PE-0149, PE-0150, PE-0152,
PE-0101, PE-0103, PE-0104, PE-0105, PE-0106, PE-0107
PE-0114, PE-0154
PE-0158
PE-0132, PE-0137
PE-0122, PE-0132
MA-0104
MA-0106, MP-0113, PE-0154
PE-0155, CM-0113, CM-0114
MP-0121
SC-0141, AC-0167, AC-0168, PE-0116
MP-0100, AC-0100, AC-0167, AC-0169, MP-0109, MP-0110
SA-0128, SA-0129, SA-0131, SA-0132, SA-0133, SA-0136
CM-0116, CM-0124, SA-0153, MA-0118, PE-0152, PS-0121
CP-0117, SA-0105
CM-0125
AT-0104, AT-0105, AT-0106, AT-0108, AT-0109, AT-0110, AT-0117, SI-
CP-0145, CP-0146, CP-0149
AU-0138, AU-0118, SI-0122, SI-0123
AU-0129
AU-0107, AU-0129, AU-0138
AU-0127, AU-0128
CM-0172, CM-0173
RA-0112, RA-0116, RA-0117, RA-0119, SI-0146, SI-0147, SI-0148, SI-0149
CM-0172, CM-0173
AU-0142
AU-0110, AU-0113
CA-0112, CA-0113, SA-0146
SC-0104, SC-0115
SC-0100, SC-0101, AC-0100, AC-0101, AC-0127, AC-0141, SC-0135
CA-0112, CA-0113, CA-0114, SA-0146
SC-0135
PL-0120, PL-0121, PL-0122, PL-0123, PS-0123, PS-0124, PS-0125, PS-0126
SA-0110, SA-0145
AC-0127, AU-0133, IA-0104, IA-0155, SC-0135, SC-0148
AU-0133, AC-0127, IA-0104, IA-0155, SC-0135, SC-0148
AC-0127, CM-0127, SA-0107, SA-0110
CM-0101, CM-0122, SA-0153
CM-0122, CM-0124
CM-0179
SA-0145
SA-0173
SA-0148
SA-0110, SA-0158, SA-0159
CA-0122, CM-0122, CM-0126, SA-0158
SA-0174
SA-0100, SA-0146, SA-0148
PL-0120, PL-0121, PS-0125, PS-0132, SA-0146
SA-0146, SA-0164
SA-0148, CA-0114
SA-0146, SA-0148
IR-0100, IR-0101
IR-0117, IR-0118
IR-0117
AU-0118, AU-0119, IR-0101
IR-0101, IR-0118
IR-0111
AU-0107, AU-0125, AU-0129, AU-0135, AU-0138, IR-0109
CP-0104
CP-0108
CP-0124
CP-0133
PM-0136
CM-0168, CM-0169
AU-0129, AU-0135, SI-0172
SI-0172
SC-0148
PM-0121, CA-0102
CA-0128, CA-0129
CA-0107, CA-0128
PM-0119, PM-0136
PM-0136
PM-0136
PL-0105
PL-0105
PL-0108, AR-0110
PM-0101
PL-0100, AR-0104
PM-0101
PM-0108, TR-0108
PM-0101
PM-0116
PM-0101
PM-0116
PM-0101
PL-0100
PL-0100
PL-0100
PL-0100
PL-0100
PL-0100
PL-0100
PM-0101
PM-0116
CA-0119
CA-0119
CA-0119
CA-0119
CA-0119
CA-0120
RA-0101
RA-0101
RA-0101
RA-0107
RA-0107
RA-0107
RA-0107
RA-0107
RA-0107
RA-0107
CA-0119
CA-0119
CA-0119
PL-0111
CA-0119
CA-0119
PM-0100
PM-0100
PM-0100
PM-0100
PM-0105
PM-0100
PM-0100
PM-0100
PM-0100
PM-0100
PM-0108
AT-0112, AR-0114
AT-0112
AT-0112
AT-0114
PL-0120, AR-0112
PL-0120, AR-0112
PL-0120, AR-0112
PL-0119, AC-0231
PL-0119, AC-0231
PL-0119, AC-0231
PL-0119, AC-0231
PL-0119, AC-0231
PL-0100, PL-0101
PL-0100, PL-0101
PL-0100
PL-0100
PL-0112
PL-0100
PL-0116
PL-0100
PL-0116
PL-0116
PM-9501
CA-0119, CA-0120
CA-0119, CA-0120
SA-0153
SA-0146
RA-0111, RA-0108
CA-0119
CA-0126
CA-0126
CA-0127
CA-0129
CA-0129
CA-0129
CA-0106
CA-0106
CA-0106, CA-0105, CA-0107
CA-0106
CA-0110
CA-0109
PM-9501
CA-0107
PM-0111
PM-0121
PM-0116
PM-0114
PM-0114
CA-0107
PM-9501
CA-0119
CA-0119
CA-0119
CA-0120
CA-0120
PM-9501
PM-9501
CA-0119
Microsoft develops, documents, and distributes a security policy that addresses purpose, scope, roles, responsibilities, managem
Office 365 regularly reviews policies for information security at planned intervals, or if significant changes occur, to ensure their
Office 365 identifies individuals with information system security roles and responsibilities. The Office 365 security policies addre
Office 365 segregates duties and areas of responsibility to reduce opportunities for unauthorized use, unintentional modificatio
Office 365 is partnered with the Microsoft Trustworthy Computing Team to maintain contacts with external parties such as regu
Office 365 establishes and institutionalizes contact with selected groups and associations within the security community to facil
Office 365 addresses Information security in project management, regardless of the type of the project. Office 365’s implementa
Microsoft has adopted a policy and supporting security measures to manage the risks introduced by using mobile devices. Una
Office 365 employs a policy and supporting security measures to protect information accessed, processed, or stored at telework
Office 365 screens individuals prior to authorizing access to the information system. Office 365 has implemented personnel scr
Office 365 ensures that individuals requiring access to organizational information and information systems sign the appropriate
Office 365 management requires employees and contractors to apply information security in accordance with Microsoft's estab
Office 365 provides employees of the organization and, where relevant, contractors with appropriate awareness education and
Microsoft uses a formal sanctions process for personnel that fail to comply with established information security policies and pr
Upon termination of individual employment, Microsoft conducts exit interviews that include a discussion of information security
Microsoft develops and documents an inventory of information system components that is at the level of granularity deemed n
Microsoft develops and documents an inventory of information system components that accurately reflects the current informa
Microsoft regularly reviews and updates the rules of acceptable usage standards of the infrastructure and other technology asse
Upon termination of individual employment, Microsoft retrieves security-related organizational information and system-related
Microsoft categorizes information and the information system in accordance with applicable federal laws, executive orders, dire
Microsoft policy requires that information assets must be protected based upon their classification. Office 365 asset classificatio
Microsoft protects media that contains information against unauthorized access, misuse, or corruption during transportation. M
Microsoft develops, documents, and disseminates to organization-defined personnel or roles, procedures to facilitate the imple
Microsoft disposes of media securely when no longer required, using formal procedures. Microsoft sanitizes media prior to disp
Microsoft protects media containing information against unauthorized access, misuse or corruption during transportation. Micr
The Microsoft Security Policy provides a baseline for Office 365 information security policies. This document addresses the purp
Office 365 team personnel are provided with access only to networks and network services that they have been specifically auth
Microsoft implements a formal user registration and deregistration process to enable assignment of access rights. Microsoft spe
Microsoft implements a formal user registration and deregistration process to assign or revoke access rights for user types to sy
Microsoft restricts and controls the allocation and use of privileged access rights in Office 365. Microsoft restricts privileged acc
Microsoft controls the allocation of secret authentication information through a formal management process. Microsoft manag
Office 365 asset owners review user access rights at least quarterly. Microsoft reviews accounts for compliance with account ma
Microsoft disables information system access upon termination of individual employment. Microsoft's Human Resources team h
Microsoft requires its personnel to follow it's practices with respect to the use of secret authentication information. Microsoft m
Microsoft restricts access to Office 365 information and application system functions in accordance with an access control polic
Microsoft, where required by the access control policy, controls access to Office 365 systems and applications by a secure log-o
Office 365 password management systems are interactive and ensure quality passwords. For password-based authentication, M
Microsoft restricts and tightly controls the use of utility programs that might be capable of overriding system and application co
Microsoft restricts access to program source code. Microsoft enforces access restrictions and supports auditing of the enforcem
Microsoft has developed and implemented a policy on the use of cryptographic controls for protection of Office 365 informatio
Microsoft has developed and implemented a policy on the use, protection, and lifecycle of cryptographic keys. Microsoft establ
Microsoft defines and uses security perimeters to protect areas that contain either sensitive or critical information and informat
Microsoft protects secure areas by appropriate entry controls to ensure that only authorized personnel are allowed access. Micr
Microsoft designs and applies physical security for offices, rooms and facilities. Microsoft provides security safeguards to contro
Microsoft designs and applies physical protection against natural disasters, malicious attack, or accidents. Microsoft develops, d
Microsoft designs and applies procedures for working in secure areas. Microsoft develops, documents, and disseminates to rele
Microsoft controls access points such as delivery and loading areas and other points where unauthorized persons could enter th
Microsoft manages sites and protects equipment to reduce the risks of environmental threats and hazards, and opportunities fo
Microsoft protects equipment from power failures and other disruptions caused by failures in supporting utilities. Microsoft pro
Microsoft protects power and telecommunications cabling carrying data or supporting information services from interception, i
Microsoft correctly maintains equipment to ensure its continued availability and integrity. Microsoft schedules, performs, docum
Microsoft ensures that equipment, information, and software shall not be taken off-site without prior authorization. Microsoft a
Microsoft applies security to off-site assets taking into account the different risks of working outside the organization’s premise
Microsoft verifies items of equipment containing storage media to ensure that any sensitive data and licensed software has bee
Microsoft prevents access to the system by initiating a session lock after a period of inactivity or upon receiving a request from
Microsoft physically controls and securely stores digital and non-digital media in controlled areas. Microsoft has implemented a
Microsoft documents Office 365 operating procedures and makes them available to users who need them. The Office 365 Inform
Microsoft controls changes to it's organization, business processes, information processing facilities and systems that affect info
Microsoft monitors, tunes, and makes projections of future capacity requirements to ensure the required system performance fo
Microsoft separates the development, testing, and production environments for Office 365 to reduce the risks of unauthorized
Microsoft implements detection, prevention and recovery controls, combined with appropriate user awareness, to protect Office
Microsoft uses datacenter replication solutions for Office 365. Each of the applicable Business Continuity Plans detail the proced
Microsoft produces, keeps, and regularly reviews event logs recording Office 365 user activities, exceptions, faults, and informat
Microsoft protects Office 365 facilities and log information against tampering and unauthorized access. Audit records are contin
Office 365 logs system administrator and system operator activities and the logs are protected and regularly reviewed. Office 36
Microsoft synchronizes the clocks of relevant information processing systems within an organization or security domain to a sin
Microsoft implements procedures to control the installation of software on Office 365 production systems. Microsoft develops,
Microsoft obtains information in a timely fashion about technical vulnerabilities of information systems being used through dai
Microsoft implements procedures to control the installation of software on operational systems in the Office 365 production en
Microsoft carefully plans and agrees to minimize disruptions to Office 365 and other business processes for audit requirements
Microsoft manages and controls networks to protect information in systems and applications. Microsoft protects the confidenti
Microsoft identifies and includes security mechanisms, service levels, and management requirements of network services in netw
Microsoft segregates groups of information services, users, and information systems on networks. Office 365 separates user fun
Microsoft has formal transfer policies, procedures, and controls in place to protect the transfer of information through the use o
Microsoft's agreements address the secure transfer of business information between Microsoft and external parties. Microsoft d
Microsoft appropriately protects information involved in electronic messaging. Microsoft maintains the confidentiality and integ
Microsoft identifies, regularly reviews, and documents requirements for confidentiality or non-disclosure agreements reflecting
Microsoft includes information security-related requirements in the requirements for new information systems or enhancement
Microsoft protects information involved in application services passing over public networks from fraudulent activity, contract d
Microsoft protects information involved in application service transactions to prevent incomplete transmission, mis-routing, una
Microsoft has established and applied rules for the development of software and systems to developments within the organizat
Microsoft controls changes to systems within the development lifecycle by using a formal change control process. Microsoft de
Microsoft reviews and tests business critical applications to ensure that there is no adverse effects on organizational operations
Microsoft discourages modifications, limits changes to those deemed necessary, and strictly controls changes to software packa
Microsoft has established and applied rules for the development of software and systems to developments within the organizat
Microsoft establishes and appropriately protects secure development environments for system development and integration ef
Microsoft does not rely on outsourced development. Thus this control is not applicable to Office 365.
Microsoft's testing of security functionality is carried out during development. Microsoft requires the developer of a production
Microsoft has established acceptance testing programs and related criteria for new information systems, upgrades, and new ver
Microsoft carefully selects, protects and controls test data. Microsoft requires the developer of an Office 365 information system
Microsoft enters into agreements with suppliers and documents information security requirements for mitigating the risks asso
Microsoft establishes and agrees to relevant information security requirements with each supplier that may access, process, stor
Microsoft includes in agreements with suppliers requirements to address the information security risks associated with informat
Microsoft regularly monitors, reviews and audits supplier service delivery. Microsoft uses processes, methods, and techniques to
Microsoft manages changes to the provision of services by suppliers, including maintaining and improving existing information
Microsoft responds to information security incidents in accordance with the documented procedures. Microsoft develops, docu
Microsoft reports Office 365 information security events through appropriate management channels as quickly as possible. Inci
Microsoft requires employees and contractors using the organization’s Office 365 information systems and services to note and
Microsoft responds to Office 365 information security incidents in accordance with the documented procedures. Microsoft deve
Microsoft responds to Office 365 information security incidents in accordance with the documented procedures. Microsoft deve
Microsoft uses knowledge gained from analyzing and resolving information security incidents to reduce the likelihood or impac
Microsoft defines and applies procedures for the identification, collection, acquisition and preservation of information, which ca
Microsoft determines its requirements for information security and the continuity of information security management in adver
Microsoft establishes, documents, implements and maintains processes, procedures and controls to ensure the required level o
Microsoft regularly reviews established and implemented information security continuity controls in order to ensure that they a
Microsoft implements information processing facilities with redundancy sufficient to meet availability requirements. Microsoft d
Microsoft explicitly identifies, documents, and keeps up to date relevant legislative statutory, regulatory, contractual requiremen
Microsoft implements appropriate procedures to ensure compliance with legislative, regulatory, and contractual requirements r
Microsoft protects records from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance wit
Microsoft ensures the protection and privacy of personally identifiable information as required in relevant legislation and regula
Microsoft uses cryptographic controls in compliance with relevant agreements, legislation and regulations. Microsoft implemen
Microsoft's approach to managing information security and its implementation (e.g., control objectives, controls, policies, proce
The Office 365 management team regularly reviews the compliance of information processing and procedures within their area
Microsoft regularly reviews Office 365 information systems for compliance with Microsoft's information security policies and sta
Microsoft determines external and internal issues that are relevant to its purpose and that affect its ability to achieve the intend
Various Microsoft and Office 365 teams continuously engage with interested parties such as regulators, industry forums (includ
Microsoft determines the requirements of interested parties relevant to the Information Security Management System. Microso
Microsoft determines the boundaries and applicability of the Office 365 Information Security Management System (ISMS) to est
Microsoft establishes, implements, maintains and continually improves an Office 365 Information Security Management System
Microsoft management demonstrates leadership and commitment with respect to the Office 365 Information Security Managem
Microsoft management demonstrate leadership and commitment with respect to the Office 365 Information Security Managem
Microsoft management establishes an information security policy that is appropriate to the purpose of the organization. Micros
Microsoft management establishes an information security policy that includes information security objectives and provides the
Microsoft management establishes an information security policy that includes a commitment to satisfy applicable requirement
Microsoft management establishes an information security policy that includes a commitment to satisfy applicable requirement
Microsoft management establishes an information security policy that includes information security objectives and provides the
Microsoft management establishes and communicates an information security policy that includes information security objectiv
Microsoft's information security policy is available to interested parties, as appropriate. Microsoft develops, documents, and dis
Microsoft management assigns the responsibility and authority for ensuring that the Information Security Management System
Microsoft management assigns the responsibility and authority for reporting on the performance of the Office 365 Information
When planning for the Office 365 Information Security Management System (ISMS), Microsoft considers the issues referred to i
Microsoft develops plans of action and milestones (POAMs) in accordance risk assessments performed. The POAMs are develo
Plans of actions and milestones (POAMs) are developed and maintained by the Office 365 Risk and Remediation team. They are
Plans of actions and milestones (POAMs) are developed and maintained by the Office 365 Risk and Remediation team. They are
The Office 365 Risk Management Program facilitates risk management (information security, compliance, and privacy) for Micro
The Office 365 Risk Management Program facilitates risk management (information security, compliance, and privacy) for Micro
Microsoft defines and applies an information security risk assessment process that ensures that repeated information security ri
Microsoft applies the information security risk assessment process to identify risks associated with the loss of confidentiality, int
Microsoft defines and applies an information security risk assessment process that identifies the information security risks and a
Microsoft defines and applies an information security risk assessment process that identifies the information security risks: dete
Microsoft defines and applies an information security risk treatment process to select the appropriate information security risk t
Microsoft defines and applies an information security risk treatment process to determine the controls that are necessary to imp
Microsoft defines and applies an information security risk treatment process to compare the controls determined as part of imp
Microsoft defines and applies an information security risk treatment process to produce a statement of applicability that contain
Microsoft defines and applies an information security risk treatment process to formulate an information security risk treatment
Microsoft defines and applies an information security risk treatment process to obtain risk owners’ approval of the information
Microsoft establishes information security objectives at relevant functions and levels. The information security objectives are con
Microsoft establishes information security objectives at relevant functions and levels and ensures that these objectives are meas
Microsoft establishes information security objectives at relevant functions and levels and ensures that these objectives take into
Microsoft establishes information security objectives at relevant functions and levels and ensures that these objectives are comm
Microsoft establishes information security objectives at relevant functions and levels and ensures that these objectives are upda
Microsoft retains documented information on information security objectives. When planning how to achieve its information se
Microsoft retains documented information on information security objectives. When planning how to achieve its Office 365 info
Microsoft determines and provides the resources needed for the establishment, implementation, maintenance and continual im
Microsoft determines the necessary competence of person(s) doing work under its control that affects its information security p
Microsoft ensures that these persons are competent on the basis of appropriate education, training, or experience. Office 365 p
Microsoft determines the necessary competence of person(s) doing work under its control that affect its information security pe
Microsoft retains appropriate documented information as evidence of competence. Microsoft provides employees of the organ
Persons doing work under Office 365 control shall be aware of the information security policy. Microsoft provides role-based se
Persons doing work under Microsoft's control are aware of their contribution to the effectiveness of the Office 365 Information
Persons doing work under Microsoft's control are aware of the implications of not conforming with the Office 365 Information S
Microsoft determines the need for internal and external communications relevant to the Office 365 Information Security Manag
The Office 365 Information Security Management System (ISMS) includes documented information required by this internationa
The Office 365 Information Security Management System (ISMS) includes documented information determined by Microsoft as
When creating and updating documented information, Microsoft ensures that appropriate identification and descriptions (e.g.,
When creating and updating documented information, Microsoft ensures that appropriate identification and descriptions (e.g.,
When creating and updating documented information, Microsoft ensures that appropriate reviews occur and that documents a
Documented information required by the Office 365 Information Security Management System (ISMS) and by this international
Documented information required by the Office 365 Information Security Management System (ISMS) and by this international
For the control of documented information, Microsoft addresses the following activities, as applicable: distribution, access, retrie
For the control of documented information, Microsoft addresses the following activities, as applicable: storage and preservation
For the control of documented information, Microsoft addresses the following activities, as applicable: control of changes (e.g.,
For the control of documented information, Microsoft addresses the following activities, as applicable: retention and disposition
Microsoft plans, implements and controls the processes needed to meet information security requirements, and to implement t
Microsoft keeps documented information to the extent necessary to have confidence that processes have been carried out as p
Microsoft has change management programs in place to evaluate proposed changes to security and privacy requirements befo
Microsoft ensures that outsourced processes are determined and controlled. Microsoft requires third parties (external informati
Microsoft implements an information security risk treatment plan. Microsoft retains documented information of the results of t
Microsoft implements an information security risk treatment plan. Microsoft retains documented information of the results of th
Microsoft evaluates the information security performance and the effectiveness of the Office 365 Information Security Managem
Microsoft conducts various audits at planned intervals to provide information on whether the Office 365 Information Security M
Microsoft conducts various audits of Office 365 at planned intervals to provide information on whether the Office 365 Informati
Microsoft conducts internal audits of Office 365 at planned intervals to provide information on whether the Office 365 Informat
Microsoft plans, establishes, implements and maintains an audit program(s) for Office 365, including the frequency, methods, re
Microsoft defines the audit criteria and scope for each audit. A Security Assessment Plan (SAP) for Office 365 is developed by an
Microsoft retains documented information as evidence of the audit programs and the audit results. Audit programs and audit r
Microsoft management reviews the Office 365 Information Security Management System (ISMS) at planned intervals to ensure
Microsoft management reviews the Office 365 Information Security Management System at planned intervals to ensure its cont
When a non-conformity is identified, either through internal continuous monitoring or through a third-party independent audit
When a non-conformity is identified, either through internal continuous monitoring or through a third-party independent audit
When a non-conformity is identified, either through internal continuous monitoring or a third-party independent auditor assess
Based on risk management, audit activities, and new compliance requirements, Microsoft continually improves the suitability, ad
Testing Details
Examined the Microsoft and Office 365 information security policies and determined that Office 365 developed and documente
Examined Office 365 policies and associated procedures and confirmed that documentation was tracked using SharePoint docu
Examined the Office 365 information security policy and determined that this document addressed purpose, scope, roles and re
Examined account management procedures to confirm that account management entitlement groups were the method used fo
Validated that Office 365 has defined the organization(s) that provide information security alerts to the service, and that these a
Interviewed an Office 365 Principle Program Manager Lead and Office 365 Program Manager to determine that Office 365 estab
Examined the SDL documentation and validated that a determination of information security requirements was included in the
Validated that Office 365 documentation, including the Office 365 security plan, affirms that mobile devices were not allowed w
Examined Office 365 access control policy and procedures addressing remote access to the information system for the usage re
Examined the Office 365 system security plan and determined that Microsoft screens individuals prior to authorizing access to t
Examined Microsoft's Employee Handbook and interviewed an Office 365 Principle Program Manager Lead and an Office 365 S
Interviewed an Office 365 Principle Program Manager Lead and an Office 365 Senior Program Manager and determined that th
Examined the Office 365 system security plan, the Office 365 information security policy, the Office 365 security training policy,
Examined the Office 365 system security plan and determined that Microsoft uses a formal sanctions process for personnel that
Examined the Office 365 system security plan as well as Microsoft's Employee Handbook and determined that Microsoft's Huma
Interviewed Office 365 Service team and Office 365 Trust team Leads to understand the end-to-end inventory workflow and the
Examined a sample of Office 365 inventory and change records of information system components and confirmed that the info
Examined Microsoft's Employee Handbook as well as Interviewed an Office 365 Principal Program Manager Lead and an Office
Reviewed the Office 365 security plan and determined that Human Resources assistants or managers collect employee badges d
Reviewed Microsoft's Office 365 asset classification and data handling standards and determined that the organization has docu
Reviewed Microsoft's asset classification and data handling standards and determined that the organization has documented h
Reviewed Microsoft's asset classification and data handling standards and determined that the organization has documented h
Examined the Office 365 system security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Op
Reviewed and validated that the Microsoft Security Policy and Office 365 security policies exist and that these policies describe
Reviewed the Office 365 system security plan and confirmed that Office 365 teams use the concept of least privilege, allowing o
Reviewed Office 365 system security plan and account management procedures and confirmed that the Office 365 teams have
Reviewed the Office 365 system security policy and account management procedures and confirmed that the Office 365 team's
Interviewed senior security and engineering personnel and members of the Office 365 Trust team with regard to the definition o
Reviewed the Office 365 system security plan and determined that Microsoft’s Global Security Account Management (GSAM) te
Examined records within the account management tools and confirmed that system account reviews are performed at least qua
Examined samples of account creation, account modification, and account disabling actions within account management logs a
Examined and tested security baselines applied to Office 365 team devices and determined that the devices are configured corr
Examined samples of entitlement groups as defined in the account management tools used to define logical access. Confirmed
Interviewed Office 365 security personnel and determined that access authorization to the Office 365 environment is managed
Reviewed the Office 365 security plan and determined that Office 365 uses Active Directory and Group Policy to enforce the min
Examined Office 365 system security plan as well as configuration of access & identity control mechanisms to determine that O
Examined Office 365 system security plan as well as the configuration of various Active Directory forests to determine that Offic
Reviewed the Office 365 information security policy and determined that Microsoft has developed and implemented a policy on
Examined the Office 365 secrets management playbook and determined that Microsoft has developed procedural documentati
Examined the Office 365 security plan and determined that Office 365 relies on Microsoft Cloud Infrastructure & Operations (M
Examined the Office 365 security plan and determined that Office 365 relies on the MCIO team for the implementation of this c
Examined the Active Directory Group Policy Objects configuration for the Terminal Service Gateways to confirm that an automa
Examined online repositories containing the user documentation for the Office 365 information system. The repository was dem
Examined the Office 365 security plan and determined that Office 365 software developers are required to follow the Office 365
Examined the Office 365 security plan and determined that each Office 365 team includes capacity planning as a key feature of
Determined that Office 365 employs separation between development, testing, and production environment via change manag
Examined the Office 365 information security policy and determined that the use of antivirus and anti-malware software is a pri
Examined Office 365 replication architecture and standard operating procedures to determine that Office 365 uses datacenter r
Interviewed Office 365 engineers about Office 365 auditing and logging functions and determined that event logs recording Of
Examined data within audit storage to determine that collected audit events were uploaded to a centralized auditing system us
Examined the Office 365 information security policy and audit and accountability procedures and determined that the Office 36
Tested through the examination of the system time configuration data and associated timestamp data within system logs for m
Examined the Office 365 information security policy and change management plan and determined that all changes to operatio
Interviewed Office 365 Program Managers and Risk Managers and determined that the Microsoft has effectively implemented d
Examined the Office 365 information security policy and change management plan and determined that all changes to operatio
Examined the Office 365 security plan, the Office 365 Information Security Policy, Office 365 framework controls, and associated
Interviewed security and compliance personnel and determined that Office 365 connects to external networks or information sy
Examined the MMVA and determined that suppliers must comply with physical and information security policies set out in the S
Interviewed security and compliance team personnel and determined that Office 365 connects to external networks or informat
Examined samples of Office 365 firewall rules and ACLs in place to implement the exception information flow policy used at Off
Interviewed senior service engineers and a program manager and determined that Office 365 used encryption to protect the in
Examined the Office 365 System Security Plan and Resource Access Agreement and determined that all Office 365 staff are requ
Reviewed the Office 365 security plan and the SDL summary, which provide a detailed outline of the processes followed by eng
Interviewed Senior Service Engineers and a Program Manager and determined that Office 365 uses encryption to protect the in
Determined through examination of development changes and on-site testing of secure development processes that each Offic
Reviewed Office 365 active framework controls and associated standard operating procedures and confirmed that roles have be
Examined multiple artifacts relating to the change control process from multiple Office 365 teams and determined that the mea
Examined multiple artifacts relating to the change control process from multiple Office 365 teams and determined that the mea
Determined through examination of development changes and on-site testing of secure development processes that each Offic
Examined the Office 365 system security plan and determined that Office 365 teams test potential software and firmware chang
Microsoft does not rely on outsourced development. Thus this control is not applicable to Office 365.
Examined the SDL site and determined that the entire purpose for the SDL is to ensure that system development included infor
Interviewed Office 365 Program Managers and determined that the SDL process ensures that developers and integrators work,
Examined the SDL site and determined that the SDL is purposefully designed to ensure that system development includes inform
Interviewed Office 365 Program Managers and determined that ISAs are reviewed annually and that the data flow diagram has
Interviewed Office 365 Trust team personnel and determined that suppliers are subject to the MMVA and to non-disclosure agr
Interviewed Office 365 Program Managers and determined that ISAs are reviewed annually and the data flow diagram contains
Examined the Microsoft Office 365 information security policy, Office 365 framework controls and Office 365 security incident re
Examined the standard operating procedures (SOPs) for Office 365 breach response, Office 365 security incident response SOPs
Examined Office 365 team penetration test reports which are identified as containing Red Team post-mortem reports and a sam
Examined test documentation and related evidence to determine that Office 365 has implemented information security continu
Examined test documentation and related evidence to determine that Office 365 has implemented information security continu
Examined historical copies of the Office 365 baseline configurations using a combination of artifacts and determined that config
Examined each Office 365 team's contingency plans, and determined that alternate sites exist for every component of Office 36
Examined the Office 365 system security plan, Office 365 control framework, Office 365 risk management Standard Operating P
Examined the Office 365 Information Security Policy, the associated configuration management standard operating procedures
Reviewed the Office 365 data handling standard and determined that Microsoft documents how all data (information within the
Interviewed Office 365 team leads and Office 365 Trust team leads and confirmed that Office 365 does not process PII under a d
Examined the Office 365 secrets management playbook and determined that Office 365 has developed procedural documentat
Examined output of various independent Office 365 audits performed by third-party independent examiners, Microsoft internal
Interviewed Office 365 Trust team members and determined that plan of action and milestone progress tracking is conducted, a
Examined the Office 365 security plan, the Office 365 information security policy and Office 365 framework controls and associa
Examined Office 365 information security policies and standard operating procedures (SOPs) and determined that Microsoft's in
Examined various meeting minutes, agenda documents, presentations, and other supporting documents and determined that v
Examined various meeting minutes, agenda documents, presentations and other supporting documents and determined that v
Examined the Office 365 security plan and determined that this document serves as the system security plan and defines the bo
Examined Office 365 information security policies and standard operating procedures (SOPs) and determined that Microsoft's in
Reviewed and validated that the following policies exist and confirmed that the documents demonstrate leadership and commi
Reviewed and validated that the information security policies exist and confirmed that the documents demonstrate leadership a
Examined the capital programming and budgeting documentation, including the security compliance budget, and validated the
Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards to determine that
Examined monthly service review documentation such as meeting agendas, meeting minutes, and dashboards and determined
Examined SDL documentation, and validated that Office 365 developmental and operational activities are resourced appropriat
Examined trending of KPIs around security over the year as well as decisions documented within meeting minutes, and determi
Examined the Office 365 Information Security Policy, aligned security standard operating procedures, meeting minutes, decision
Examined Office 365 information security policies and standard operating procedures, and determined that Microsoft's informa
Reviewed and validated that the information security policies exist and determined that Office 365 management established an
Reviewed and validated that the information security policies exist and determined that Office 365 management establishes an
Reviewed and validated that the information security policies exist and determined that Office 365 management establishes an
Reviewed and validated that the information security policies exist and determined that Microsoft management established an
Reviewed and validated that the information security policies exist and determined that Office 365 management established an
Examined information security policies and interviewed an Office 365 Trust team lead as well as a Senior Program Manager to d
Examined the Office 365 Information Security Policy, aligned security standard operating procedures, meeting minutes, decision
Examined monthly service review documentation such as meeting agenda, meeting minutes, and dashboards to determine that
Examined Office 365 risk management SOPs and multiple risk assessments conducted by Microsoft to determine that when plan
Examined Office 365 risk management standard operating procedures and multiple risk assessments conducted by Microsoft to
Examined Office 365 risk management standard operating procedures and multiple risk assessments conducted by Microsoft to
Examined the Office 365 security plan, the Office 365 information security policy, the Office 365 framework controls, associated
Examined the Office 365 security plan, the Office 365 information security policy, the Office 365 controls framework and associa
Examined the Office 365 security plan, the Office 365 information security policy, the Office 365 controls framework and associa
Examined the Office 365 information security policy, Office 365 framework controls, and associated SOPs, and confirmed that ri
Examined the Office 365 information security policy, Office 365 framework controls, and associated SOPs, and confirmed that ri
Examined the Office 365 information security policy, Office 365 framework controls, and associated standard operating procedu
Examined the Office 365 information security policy, Office 365 framework controls and associated standard operating procedu
Examined the Office 365 Information Security Policy, the Office 365 System Security Plan, the Office 365 Statement of Applicabi
Examined the Office 365 System Security Plan, the Office 365 Information Security Policy, the Office 365 framework controls, an
Examined the Office 365 system security plan, the Office 365 information security policy, and the Office 365 controls framework
Examined Microsoft and Office 365 information security policies, the Office 365 System Security Plan, Office 365 information sec
Examined the Office 365 information security policy, aligned security standard operating procedures, meeting minutes, decision
Examined selection of job descriptions (including information security job descriptions), sample accountabilities (including infor
Examined the Office 365 security plan, the Office 365 Information security policy, and the Office 365 security training policy, and
Examined a selection of sample accountabilities (including information security accountabilities), new hire fulfillment, organizati
Examined the Office 365 security plan, the Office 365 Information Security Policy, Office 365 framework controls, and the Office
Examined the Office 365 security plan, the Office 365 Information Security Policy, and the Office 365 Security Training Policy, an
Examined the Office 365 security plan, the Office 365 Information Security Policy, and the Office 365 Security Training Policy, an
Interviewed Office 365 Trust team Lead and a Senior Program Manager and determined that through various security awarenes
Examined a selection of communications, which included presentations, meeting minutes, blogs, and roadmaps from the follow
Examined access controls and integrity protections of the internal SharePoint site and the Office 365 TMR tool site by means of
Examined access controls and integrity protections of the internal SharePoint site and the Office 365 TMR tool site by means of
Examined the Office 365 system security plan, the Office 365 Information Security Policy, the Office 365 controls framework and
Examined the Office 365 system security plan, the Office 365 information security policy, the Office 365 controls framework and
Examined the Office 365 system security plan and determined that all Office 365 software developers are required to follow the
Examined the MMVA and determined that suppliers complied with the physical and information security policies set out in the
Examined the Office 365 system security plan, the Office 365 Information Security Policy, and the Office 365 controls framework
Examined Office 365 audit reports, risk assessments, meeting minutes, presentations, and various communications (e-mails, and
Examined Office 365 audit reports, risk assessments, the SAP, meeting minutes, presentations, and various communications (e-m
Examined Office 365 audit reports, auditor biographies, meeting minutes, MSR communications, continuous monitoring reports
Examined Office 365 audit reports, meeting minutes, monthly service review communications, continuous monitoring reports, a
Examined Office 365 audit programs, audit reports, monthly service review communications, continuous monitoring reports sto
Examined Office 365 audit reports, risk assessments, plan of actions and milestones, meeting minutes, presentations, and variou
Examined Office 365 audit reports, risk assessments, plan of actions and milestones, meeting minutes, presentations, and variou
Examined Office 365 audit reports, risk assessments, plan of actions and milestones, MSR meeting minutes, management review
Examined Office 365 audit reports, risk assessments, plan of actions and milestones, MSR meeting minutes, management review
Examined Office 365 risk management standard operating procedures and multiple risk assessments of Office 365 conducted b
Examined Office 365 risk management standard operating procedures, multiple risk assessments of Office 365 conducted by M
Examined Office 365 risk management standard operating procedures (SOPs) and multiple risk assessments conducted by Offic
Examined risk assessments, audit reports and compliance gap analysis documents and related updates to ISMS, and determined
Last Tested Tested By Control Family Id
10/19/2016 Third party independent auditor A.5.1
10/19/2016 Third party independent auditor C.4.1
Control Family Name
Office 365 - Management Direction for information Security
Office 365 - Management Direction for information Security
Organization of Office 365 Information Security - Internal Organization
Office 365 - Mobile devices and teleworking
Office 365 - Mobile devices and teleworking
Human resource security - Prior to employment
Human resource security - Prior to employment
Human resource security - During employment
Human resource security - Termination and change of employment
Asset management - Responsibility for assets
Asset management - Information classification
Asset management - Media handling
Access control - Business requirements of access control
Access control - Business requirements of access control
Access control - User access management
Access control - User responsibilities
Access control - System and application access control
Cryptography - Cryptographic controls
Cryptography - Cryptographic controls
Physical and environmental security - Secure areas
Physical and environmental security - Equipment
Operations security - Operational procedures and responsibilities
Operations security - Protection from malware
Operations security - Backup
Operations security - Logging and monitoring
Operations security - Control of operational software
Operations security - Technical vulnerability management
Operations security - Technical vulnerability management
Operations security - Information systems audit considerations
Communications security - Network security management
Communications security - Information transfer
System acquisition, development and maintenance - Security requirements of information systems
System acquisition, development and maintenance - Security in development and support processes
System acquisition, development and maintenance - Test data
Supplier relationships - Information security in supplier relationships
Supplier relationships - Supplier service delivery management
Supplier relationships - Supplier service delivery management
Information security incident management - Management of information security incidents and im
Information security aspects of business continuity management - Information security continuity
Information security aspects of business continuity management - Redundancies
Compliance - Compliance with legal and contractual requirements
Compliance - Information security reviews
Office 365 - Information security management system
Office 365 - Understanding needs and expectations of interested parties
Office 365 - Understanding needs and expectations of interested parties
Office 365 - Determining the scope of the information security management system
Office 365 - Establishing Information security management system
Leadership - Leadership and commitment
Leadership - Policy
Leadership - Policy
Leadership - Policy
Leadership - Policy
Leadership - Policy
Leadership - Policy
Leadership - Policy
Leadership - Organizational roles, responsibilities and authorities
Leadership - Organizational roles, responsibilities and authorities
Planning - Actions to address risks and opportunities
Planning - Information security objectives and planning to achieve them
Support - Resources
Support - Competence
Support - Awareness
Support - Awareness
Support - Awareness
Support - Communication
Support - Documented information
Operations - Operation planning and control
Operations - Information security risk assessment
Operations - Information security risk treatment
Performance evaluation - Monitoring, measurement, analysis and evaluation
Performance evaluation - Internal audit
Performance evaluation - Management review
Improvement - Nonconformity and corrective action
Improvement - Continual improvement
Understand how Office 365 management provides direction and support for information security in accordance with
Understand how Office 365 management provides direction and support for information security in accordance with
Understand how Office 365 has established a management framework to initiate and control the implementation and
Understand how Office 365 ensures the security of teleworking and use of mobile devices.
Understand how Office 365 ensures the security of teleworking and use of mobile devices.
Understand how Office 365 ensures that employees and contractors understand their responsibilities and are suitable for
Understand how Office 365 ensures that employees and contractors understand their responsibilities and are suitable for
Understand how Office 365 ensures that employees and contractors are aware of and fulfil their information security
Understand how Office 365 protects it’s interests as part of the process of changing or terminating employment.
Understand how Office 365 identifies organizational assets and defines appropriate protection responsibilities.
Understand how Office 365 ensures that information receives an appropriate level of protection in accordance with its
Understand how Microsoft prevents unauthorized disclosure, modification, removal or destruction of information stored on
Understand how Office 365 limits access to information and information processing facilities.
Understand how Office 365 limits access to information and information processing facilities.
Understand how Office 365 ensures authorized user access and prevents unauthorized access to systems and services.
Understand how Office 365 makes users accountable for safeguarding their authentication information.
Understand how Office 365 prevents unauthorized access to systems and applications.
Understand how Office 365 ensures proper and effective use of cryptography to protect the confidentiality, authenticity
Understand how Office 365 ensures proper and effective use of cryptography to protect the confidentiality, authenticity
Understand how Microsoft prevents unauthorized physical access, damage and interference to information and information
Understand how Microsoft prevent loss, damage, theft or compromise of assets and interruption to operations.
Understand how Office 365 ensures correct and secure operations of information processing facilities.
Understand how Office 365 ensures that information and information processing facilities are protected against malware.
Understand how Office 365 protects against loss of data.
Understand how Office 365 records events and generates evidence.
Understand how Office 365 ensures the integrity of operational systems.
Understand how Office 365 prevent exploitation of technical vulnerabilities.
Understand how Office 365 prevent exploitation of technical vulnerabilities.
Understand how Office 365 minimizes the impact of audit activities on operational systems.
Understand how Office 365 ensures the protection of information in networks and its supporting information processing
Understand how Office 365 maintains the security of information transferred within an organization and with any external
Understand how Office 365 ensures that information security is an integral part of information systems across the entire
Understand how Office 365 ensures that information security is designed and implemented within the development lifecycle
Understand how Office 365 ensures the protection of data used for testing.
Understand how Office 365 ensures protection of Office 365 assets that is accessible by suppliers.
Understand how Office 365 maintains an agreed level of information security and service delivery in line with supplier
Understand how Office 365 maintains an agreed level of information security and service delivery in line with supplier
Understand how Office 365 ensures a consistent and effective approach to the management of information security
Understand how information security continuity is embedded in Office 365’s business continuity management systems.
Understand how Office 365 ensures availability of information processing facilities.
Understand how Office 365 avoids breaches of legal, statutory, regulatory or contractual obligations related to information
Understand how Office 365 ensures that information security is implemented and operated in accordance with the
Understand how Office 365 determines external and internal issues that are relevant to its purpose and that affect its ability
Understand how Office 365 determines interested parties and their requirements that are relevant to information security
Understand how Office 365 determines interested parties and their requirements that are relevant to information security
Understand how Office 365 determines the boundaries and applicability of the information security management system to
Understand how Office 365 establishes, implements, maintains and continually improves an information security
Understand how Office 365 top management demonstrates leadership and commitment with respect to the information
Understand how Office 365 top management establishes an information security policy.
Understand how Office 365 top management ensures that the responsibilities and authorities for roles relevant to
Understand how Office 365 top management ensures that the responsibilities and authorities for roles relevant to
Understand how Office 365 management when planning for the information security management system, considers the
Understand how Office 365 establishes information security objectives at relevant functions and levels.
Understand how Office 365 determines and provides the resources needed for the establishment, implementation,
Understand how Office 365 determines, and maintains competence of person(s) who manage controls under information
Understand how Office 365 ensures that Office 365 persons are aware of information security policy, their contribution to
Understand how Office 365 determines the internal and external communication needs relevant to the information security
Understand how Office 365 creates, updates, and controls documented information in support of information security
Understand how Office 365 plans, implements, and controls the processes needed to meet information security
Understand how Office 365 performs information security risk assessments at planned intervals or when significant changes
Understand how Office 365 implements the information security risk treatment plan.
Understand how Office 365 evaluates the information security performance and the effectiveness of the information security
Understand how Office 365 conducts internal audits at planned intervals to provide information on whether the information
Understand how Office 365 reviews the organization’s information security management system at planned intervals to
Understand how Office 365 reacts, evaluates, and responds when a nonconformity occurs.
Understand how Office 365 continually improves the suitability, adequacy and effectiveness of the information security
Name:
Description:
Control Id
A.1.1
A.2.1
A.2.2
A.4.1
A.5.1
A.5.2
A.7.1
A.9.1
A.9.2
A.9.3
A.10.1
A.10.2
A.10.3
A.10.4
A.10.5
A.10.6
A.10.7
A.10.8
A.10.9
A.10.10
A.10.11
A.10.12
A.10.13
A.11.1
A.11.2
C.5.1.1.Part1
C.5.1.1.Part2
C.6.1.1
C.7.2.2
C.9.2.1
C.9.4.2
C.10.1.1
C.11.2.7
C.12.1.4.Part1
C.12.1.4.Part2
C.12.3.1.Part1
C.12.3.1.Part2
C.12.3.1.Part3
C.12.3.1.Part4
C.12.3.1.Part5
C.12.3.1.Part6
C.12.4.1.Part1
C.12.4.1.Part2
C.12.4.1.Part3
C.12.4.1.Part4
C.12.4.2.Part1
C.12.4.2.Part2
C.13.2.1.Part1
C.13.2.1.Part2
C.16.1.1
C.18.2.1
ISO 27018:2014
In line with Office 365's commitment to maintain strict privacy of your data, Office 365 has been
Control Title
PII principals’ rights to access, correct, and/or erase PII pertaining to them.
PII to be processed under a data processing contract
Express consent for data usage
Temporary files and documents
Customer notification for disclosure of PII to a law enforcement authority
Recording disclosures of PII
Disclosing the use of sub-contractors bused to process PII
Customer notification in the event of any unauthorized access to PII
Records of security policies and operating procedures
Policy for the return, transfer, and/or destruction of PII
Confidentiality obligation.
Restriction on the creation of hardcopy material displaying PII
Procedure for, data restoration efforts
Protection of data on storage media leaving the premises
Portable physical media and portable devices
Encryption of PII that is transmitted over public data-transmission networks
Destruction of hardcopy material
Distinct user ID for identification, authentication and authorization purposes.
Up-to-date record of the users
Management of de-activated or expired user IDs
Data processing contracts between customers and Office 365
Data processing contracts between Office 365 and any sub-contractors that process PII
Data visibility to customers
Countries in which PII might possibly be stored.
Controls over PII transmitted using a data-transmission network
Privacy and PII processing policies
Independently audited compliance
Privacy and PII processing responsibilities
Awareness education and training
User registration and deregistration process
Access control policy
Policy on the use of cryptographic controls
Storage media verification
Separation of development, testing, and operational environments
Risk assessment around PII handling
Backup copies of information
Capabilities with respect to backup and restoration of customer data.
Restoration of data processing operations
Backup policy for the erasure of PII contained in information held for backup purposes.
Use of sub-contractors to store replicated or backup copies of data being processed
Contractual and/or legal requirements for the erasure of PII contained in information held for back
Event logs
Logs and PII Deletion
Criteria regarding if, when and how log information can be made available to or usable by the cust
Restriction on access records that relate to a customer’s activities
Logging facilities and log information
Deletion of logged information
Transfer of information
Physical media containing PII
Office 365 management responsibilities and procedures to ensure a quick, effective, and orderly resp
Independent evidence that information security is implemented and operated in accordance with the
IP-0102, IP-0106
UL-0100, UL-0101
UL-0100, UL-0102, UL-9510
DM-0105
UL-0101
AR-0117
TR-9501
IR-0118
PM-9501
DM-0106, SE-9505, UL-0101
PL-0120
MP-0127, SC-0157
CP-9501
MP-0113, MP-0116
AC-0228
SC-0136
DM-0105
IA-0104
AC-0107, AC-0118
IA-0122
PM-9502
AR-0110
SC-0107
SE-0100, TR-9506
SC-0142
AR-0104
AR-0110
TR-0108
AR-0112
IA-0129
IA-0104, IA-0114
SC-0148
MP-0119
DM-0108
DM-0110
CP-0150
SA-0131
CP-0133
CP-0103
SA-0146
DM-0105
AU-0118
AU-0110
AU-9500
AU-9500
AU-0129
AU-0135
MP-0115
MP-0118
IR-0109
PM-9504, PM-9505
Microsoft provides Office 365 customers with the means to enable them to fulfil their obligation to facilitate the exercise of a pe
Office 365 does not process personally identifiable information (PII) under a data processing contract for any purpose independ
Office 365 does not use personally identifiable information (PII) processed under a data processing contract for the purposes of
Office 365 erases or destroys temporary files and documents within a specified and documented period. Microsoft disposes of,
The contract between Microsoft and the customer requires Microsoft to notify customers of any legally binding request for disc
Microsoft records disclosures of personally identifiable information (PII), including what PII has been disclosed, to whom, and at
Microsoft discloses to relevant customers the use of sub-contractors that process personally identifiable information (PII) before
Microsoft promptly notifies relevant customers in the event of any unauthorized access to personally identifiable information (P
Microsoft retains records of security policies and operating procedures for a specified and documented period upon replaceme
Microsoft has a policy regarding the return, transfer and/or destruction of personally identifiable information (PII) and makes th
Individuals under Microsoft's control with access to personally identifiable information (PII) are subject to a confidentiality oblig
Microsoft restricts the creation of hardcopy material displaying personally identifiable information (PII). Microsoft personnel do
Restorations are performed based on a customer’s requests per the Service Level Agreements established for the services. The a
Microsoft protects data on storage media leaving the premises. Microsoft protects and controls data on storage media during t
Microsoft prohibits the use of portable physical media and portable devices (such as mobile devices) that do not permit encryp
Microsoft encrypts personally Identifiable information (PII) that is transmitted over public data transmission networks prior to tr
Digital media in Microsoft Online Services datacenters is required to be cleansed or purged using approved tools and in a mann
If more than one individual has access to stored personally identifiable information (PII), Microsoft then requires them to each h
Microsoft maintains an up-to-date record of the users or profiles of users who have authorized access to the information system
Microsoft does not grant de-activated or expired user IDs to other individuals. Account requests go through the standard accou
Data processing contracts between the customer and Office 365 specify the minimum technical and organizational measures to
Data processing contracts between Microsoft and any sub-contractors that process personally identifiable information (PII) spec
Microsoft ensures that whenever data storage space is assigned to a customer, any data previously residing on that storage spa
Microsoft specifies and documents the countries in which personally identifiable information (PII) might possibly be stored. Mic
Microsoft subjects personally identifiable information (PII) transmitted using a data transmission network to the appropriate con
Microsoft and Office 365 policies regarding privacy and personally identifiable information (PII) processing and make these poli
Microsoft's approach to managing information security and its implementation (e.g., control objectives, controls, policies, proce
Microsoft identifies individuals having information system security roles and responsibilities. The Microsoft Online Services priva
Microsoft provides employees of the organization and, where relevant, contractors appropriate awareness education and trainin
Microsoft implements a formal user registration and de-registration process to enable assignment of access rights. Microsoft sp
Microsoft, where required by access control policies, controls access to systems and applications by using a secure log-on proce
Microsoft has developed and implemented a policy on the use of cryptographic controls for protection of information. Encrypti
Microsoft verifies items of equipment containing storage media to ensure that any sensitive data and licensed software has bee
Microsoft separates development, testing, and operational environments to reduce the risk of unauthorized access or changes t
In accordance with the Acceptable Use Standard documented in the Microsoft Security Policy, customer personally identifiable
Microsoft regularly tests backup copies of Office 365 information, software and system images in accordance with an agreed up
Microsoft has an explicit policy regarding data handling and makes this policy available to customers in the Microsoft Online Se
Microsoft establishes, documents, implements, and maintains processes, procedures, and controls to ensure the required level o
Microsoft erases or destroys temporary files and documents within a specified and documented period. Microsoft disposes of, d
Microsoft requires third parties (external information system services) that are engaged with Office 365 to sign a Microsoft Mas
Microsoft erases or destroys temporary files and documents within a specified and documented period. Microsoft disposes of, d
Microsoft produces, keeps, and regularly reviews event logs that record user activities, exceptions, faults and information securi
Office 365 has implemented automated procedures to ensure that logged information is deleted within a specified and docume
Office 365 has in-service logs and compliance features that enable customers to directly view a subset of logs to verify who’s ac
Office 365 has in-service logs and compliance features that enable customers to directly view a subset of logs to verify who’s ac
Microsoft protects Office 365 facilities and log information against tampering and unauthorized access. Audit records are contin
Microsoft has automated controls to scrub personally identifiable information (PII) when logs are stored to a central logging sto
Microsoft has formal transfer policies, procedures and controls in place to protect the transfer of information through the use o
All media being transported from Microsoft datacenters requires accurate tracking. Tickets are created to arrange and track the
The Office 365 Security Incident Response (SIR) team is responsible for managing the investigation and resolution of security in
Office 365 undergoes various audits such as ISO 27001, ISO 27018, FedRAMP, and SOC 2 Type 2 at planned intervals throughou
Testing Details
Examined the Data Processing Terms of the Microsoft OST as well as privacy statements and the controls associated with the ha
Interviewed Office 365 team leads and Trust team leads and confirmed that Office 365 does not process PII under a data proces
Examined the Data Processing Terms of the Microsoft Online Services Terms as well as privacy statements and the controls asso
Examined Office 365 Asset Classification and Data Handling standards and validated that erasure of PII data is required within 1
Examined the Data Processing Terms of the Microsoft OST, Microsoft privacy notices, and Microsoft privacy statements, and det
Interviewed Office 365 Privacy team leads, Engineering team leads, and Trust team leads, and determined that Microsoft consid
Examined list of Office 365 subcontractors and validated that Microsoft discloses its use of sub-contractors.
Interviewed Office 365 Engineering, Privacy, and Trust team leads and determined that Microsoft considers unauthorized access
Reviewed and validated that the following security policies exist and confirmed that the documents address purpose, scope, rol
Examined Office 365 Asset Classification and Data Handling standards and validated that it requires erasure of PII data within 18
Examined the Office 365 system security plan and resource access agreement and determined that all Office 365 staff are requir
Examined sample of account creation, account modification and account disabling actions within account management logs an
Obtained and inspected evidence for a selection of restorations and ascertained that data backup restorations occur as request
Examined the Office 365 security plan and determined that Office 365 relies on the Microsoft Cloud Infrastructure & Operations
Validated that the Office 365 documentation, including the Office 365 security plan, affirms that mobile devices are not allowed
Interviewed Office 365 security personnel and determined that if more than one individual has access to stored PII, Microsoft th
Reviewed the Office 365 Information Security Policy and account management procedures and confirmed that Office 365 maint
Examined sample of account disabling actions within account management logs and confirmed that terminated users are remo
Examined the list of Office 365 subcontractors available, as well as data protection capabilities information available through Of
Examined the MMVA as well as the Data Processing Terms of the OST and determined that data processing contracts between
Examined the location of customer data at rest policies in the Data Processing Terms of the OST and determine that Microsoft s
Interviewed Senior Service Engineers and a Program Manager and determined that Microsoft uses encryption to protect the int
Examined the Microsoft OST, the Microsoft privacy portal and Office 365 Data Handling standards and determined that Microso
Examined the Office 365 security plan, the Office 365 information security policy and the Office 365 controls framework and as
Examined the Office 365 information security policy and the Microsoft Online Services privacy statement, and determined that O
Examined the Office 365 system security plan, information security policy, and security training policy, and determined that Mic
Reviewed the Office 365 Information Security Policy and account management procedures and confirmed that Office 365 teams
Examined the Office 365 access control policy for evidence that the policy addresses, purpose, scope, roles and responsibilities,
Reviewed the Office 365 Information Security Policy and confirmed that it is an effective system communications protection pol
Microsoft employs separation between development, testing, and production Office 365 environments using the change manag
Examined Office 365 replication standard operating procedures to determine that Office 365 uses datacenter replication solutio
Examined Office 365 replication standard operating procedures to determine that Office 365 uses datacenter replication solutio
Examined the Office 365 system and service restoration plan, and determined that Microsoft maintains its recovery and reconst
Examined Office 365 Asset Classification and Data Handling standards to validate that it requires erasure of PII data within 180 d
Examined Office 365 Asset Classification and Data Handling standards to validate that it requires erasure of PII data within 180 d
Interviewed Office 365 engineers regarding auditing and logging functions and determined that the Office 365 Incident Respon
Examined Office 365 Asset Classification and data handling standards to validate that it requires erasure of personally identifiab
Examined the Office 365 Security & Compliance Center and the Office 365 admin center as well as various sample reports to de
Examined the Office 365 Security & Compliance Center and the Office 365 admin center as well as various sample reports to de
Examined data within audit storage to determine that collected audit events are sent up to the centralized auditing system, usin
Examined the configuration and output from scrubbing controls put in place by Microsoft to determine that Microsoft has auto
Examined samples of Office 365 firewall rules and ACLs in place to implement the deny-all-permit-by-exception information flo
Examined the Office 365 incident response policy, procedures addressing incident response testing and exercises, incident resp
Examined SOC, FedRAMP, and ISO audit reports and the Security & Compliance Center and the Cloud Service Trust Portal to de
Last Tested Tested By Control Family Id
10/19/2016 Third party independent auditor A.1
10/19/2016 Third party independent auditor C.5
Control Family Name
Office 365 - Obligation to co-operate regarding Personally Identifiable Information (PII)
Office 365 - Purpose and commercial use
Office 365 - Purpose and commercial use
Data minimization - Secure erasure of temporary files
Office 365 - PII disclosure notification and recording of PII disclosures
Office 365 - PII disclosure notification and recording of PII disclosures
Office 365 - Disclosure of sub-contracted PII processing
Office 365 - Accountability for PII data
Office 365 - Information security
Office 365 - Privacy compliance
Office 365 - Privacy compliance
Information security policies - Privacy and PII processing
Information security policies - Privacy and PII processing
Internal organization - Information security roles and responsibilities
Office 365 - Human resource security
Access control - User access management and secure log-on procedures
Access control - User access management and secure log-on procedures
Cryptography - Policy on the use of cryptographic controls
Equipment - Secure disposal or re-use of equipment
Office 365 - Operations security
Office 365 - Network security management
Office 365 - Network security management
Office 365 - Information security incident management
Compliance - Independent review of information security
Understand how Office 365 fulfills it's obligation regarding (PII) principal's rights.
Understand how Office 365 ensures that PII to be processed under a contract should not be processed for any purpose
Understand how Office 365 ensures that PII to be processed under a contract should not be processed for any purpose
Understand how Office 365 ensures that temporary files and documents are erased or destroyed within a specified,
Understand how Office 365 notifies the cloud service customer, in accordance with any procedure and time periods agreed
Understand how Office 365 notifies the cloud service customer, in accordance with any procedure and time periods agreed
Understand how Office 365 discloses the use of sub-contractors.
Understand how Office 365 notifies the relevant cloud service customer in the event of any unauthorized access to PII or
Understand how Office 365 implements security controls to safeguard PII.
Understand how Office 365 specifies and documents the countries in which PII might possibly be stored. Also understand
Understand how Office 365 specifies and documents the countries in which PII might possibly be stored. Also understand
Understand how Office 365 top management establishes the information security policies in the context of privacy and PII
Understand how Office 365 top management establishes the information security policies in the context of privacy and PII
Understand how Office 365 defines responsibilities around privacy and PII processing.
Understand how Office 365 has put measures in place to make relevant staff aware of the possible consequences on Office
Understand how where appropriate, Office 365 enables the customer to manage access by cloud service users under the
Understand how where appropriate, Office 365 enables the customer to manage access by cloud service users under the
Understand how Office 365 provides information to customer regarding the circumstances in which it uses cryptography to
Understand how Office 365 for the purposes of secure disposal or re-use, equipment containing storage media that may
Understand how Office 365 will undertake a risk assessment where the use of PII for testing purposes cannot be avoided
Understand how Microsoft implements safeguard to protect physical media in transit that my may contain PII.
Understand how Microsoft implements safeguard to protect physical media in transit that my may contain PII.
Understand how Office 365 reviews any information security incident as part of its information security incident

ULB O365 AuditedControls

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ULB O365 AuditedControls

Uploaded by

Copyright:

Available Formats

Audited Controls Information

What is in this spreadsheet?

Columns within each of the other tabs:

Control identification number as established by the regulation or standard

You might also like