Office 365 - ISO 22301 - 2012 - Assessment Report - 01.11.2019 [PDF]


Assessment Report



Microsoft Office 365
Assessment dates: 01/11/2019 to 01/11/2019 (Please refer to Appendix for details)
Assessment Location(s): Redmond (001)
Report Author: Leonard Glover
Assessment Standard(s): ISO 22301:2012

Page 1 of 20



Assessment Report.



Table of contents

Executive Summary ... 3
Changes in the organization since last assessment ... 4
NCR summary graphs ... 5
Your next steps ... 7
    NCR close out process ... 7
Assessment objective, scope and criteria ... 8
Assessment Participants ... 9
Assessment conclusion ... 10
Findings from this assessment ... 11
    ISO 22301:2012 Microsoft Enterprise Continuity Standard FY19 Microsoft Enterprise Business Continuity Management (EBCM) dated July 1, 2018 ... 11
Next visit objectives, scope and criteria ... 13
Next Visit Plan ... 16
Appendix: Your certification structure & ongoing assessment programme ... 17
    Scope of Certification ... 17
    Assessed location(s) ... 17
    Certification assessment program ... 18
    Definitions of findings ... 18
    How to contact BSI ... 19
    Notes ... 19
    Regulatory compliance ... 20






Executive Summary

Microsoft continues to grow their certifications.






Changes in the organization since last assessment

There is no significant change to the organization structure or the key personnel involved in the audited management system. No change in relation to the audited organization's activities, products or services covered by the scope of certification was identified. There was no change to the reference or normative documents related to the scope of certification.






NCR summary graphs

[Chart: Which standard(s) BSI recorded findings against]



[Chart: Where BSI recorded findings]






Your next steps

NCR close out process

There were no outstanding nonconformities to review from previous assessments. No new nonconformities were identified during the assessment. Enhanced detail relating to the overall assessment findings is contained within subsequent sections of the report. Please refer to the Assessment Conclusion and Recommendation section for the required submission and the defined timeline.






Assessment objective, scope and criteria

The objective of the assessment was to determine the organization's readiness for the Stage 2 audit and to ensure its effective planning. The scope of the assessment is the documented management system with relation to the requirements of ISO 22301:2012 and the defined assessment plan provided in terms of locations and areas of the system and organization to be assessed.



ISO 22301:2012 Microsoft Enterprise Continuity Standard FY19 Microsoft Enterprise Business Continuity Management (EBCM) dated July 1, 2018.






Assessment Participants

Name              | Position | Opening Meeting | Closing Meeting | Interviewed (processes)
Patricia Anderson | BC Lead  | X               | X               | X



Assessment conclusion

BSI assessment team

Name           | Position
Leonard Glover | Team Leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team concludes, based on the results of this audit, that the organization does fulfil the standards and audit criteria identified within the audit report, and it is deemed that the management system continues to achieve its intended outcomes. Based on the outcome of this Stage 1 Assessment, the Assessment Team / Auditor recommends proceeding to the Stage 2 Assessment. No additional information is required.



Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.






Findings from this assessment

ISO 22301:2012 Microsoft Enterprise Continuity Standard FY19 Microsoft Enterprise Business Continuity Management (EBCM) dated July 1, 2018:

The audit was done in compliance with PP117 (BMS/Global/Products/ISO 22301) ISO 22301 Scheme Manual Revision 15 (January 2018). Documented clause sections 4-10 of the Standard have been validated in the Business Continuity Manual. The continuity plan focuses on service to customers through Microsoft 365. Top management is showing great interest in the system and has ensured that the BCMS has clear objectives.

The following aspects were covered:
• Review of the client's BCM system documentation - SharePoint Enterprise Business Continuity Management (EBCM) site.
• Evaluation of the client's readiness for Stage 2.
• Good understanding of the requirements of the BCM standard.
• Business impact analysis - has been completed for services.

5. Leadership and Commitment - Enterprise level has the Policy documented.

5.3 Organizational roles, responsibilities and authorities have been documented and reviewed in Stage 1. 8 people make up the scope of the BCMS:
• BC Council Lead
• BC Lead
• 4 BC team members (coordinators and auditors)
• Partial leverage of BCMS central resources = 2 people by percentage

Scope of Services for the BCMS: Office 365

6. Planning; 6.1 Actions to address risks and opportunities; 6.2 Business continuity objectives and plan to achieve them - The Microsoft Office 365 Business Continuity program aligns with the Enterprise Business Continuity Management, which is the high-level document.

7.3 Awareness - There is documented annual awareness training required.

7.5 Documented information - Microsoft Office 365 implements and operates its BCMS as described in the following documents in 2019:
• BCMS Manual January 2019
• Business Continuity Management Contingency Plan
• Microsoft Business Continuity Plan
• Microsoft 365 Onboarding
• Normative Terms January 2019

8.2 Business impact analysis and risk assessment - Risk assessment is done by the Microsoft Risk Management Program, following the Microsoft Enterprise Risk Management methodology.

9.2 Internal Audit - Internal Audit leverages the Enterprise approach and Internal Audit program.

9.3 Management Review - The Q2 FY19 Scorecard was used as evidence.



Finding Reference: 1729109-201901-I1
Certificate Reference: BCMS 706252
Standard: ISO 22301:2012
Clause: 9.2
Category: Opportunity for Improvement

Area/Process: ISO 22301:2012 Microsoft Enterprise Continuity Standard FY19 Microsoft Enterprise Business Continuity Management (EBCM) dated July 1, 2018.

Details: There is an opportunity to add the internal audit process in more detail from the Enterprise system specifically for 365.



Next visit objectives, scope and criteria

The objective of the assessment is to conduct a certification assessment to ensure the elements of the proposed scope of registration and the requirements of the management standard are effectively addressed by the organization's management system and to confirm the forward strategic plan.

February 12-13, 2019

Day 1

Time | Assessor | Process/Area | Core Clause No's
AM | Leonard Glover | Review of regulatory requirements; review of security and business objectives; review of risk assessment from site visits, Risk Treatment Plan | 4.1 Understanding of the organization and its context
10:00 AM | Leonard Glover | BCMS, Monitoring and Review Processes: Monitoring and Review Procedures; Maintenance and Improvement; Management Responsibilities; Management Commitment Process; Resource Management Process | 4.1 Understanding of the organization / 5.1 Leadership and commitment
12.00 noon | Leonard Glover | Working Lunch |
1.00 PM | Leonard Glover | Management Review of the BCMS (Security): Inputs, Outputs; Internal Audits | 6; 5 Leadership; 5.1 Leadership and commitment; 5.2 Management commitment; 5.3 Policy; 5.4 Organizational roles, responsibilities and authorities
| Leonard Glover | 9 Performance evaluation from site visits: 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review; 10 Improvement: 10.1 Nonconformity and corrective action; 10.2 Continual improvement (BCMS) | 9 Performance evaluation; 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review; 10 Improvement; 10.1 Nonconformity and corrective action; 10.2 Continual improvement
4:30 | Leonard Glover | Tour / Physical controls |
5:30 PM | Leonard Glover | Debrief |

Day 2

Time | Assessor | Process/Area | Core Clause No's
9.00 AM | Leonard Glover | The BCMS Program; Internal audit / Corrective actions | 6 Planning; 6.1 Actions to address risks and opportunities
10:00 AM | Leonard Glover | BCMS Plans, Exercising |
11:00 AM | Leonard Glover | BCMS Program risk assessment | 6 Planning; 6.1 Actions to address risks and opportunities
11.30 AM | Leonard Glover | Business Impact Analysis | 6.2 Business continuity objectives
12.00 AM | Leonard Glover | Working Lunch |
1.00 PM | Leonard Glover | Resource Management | 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4 Communication
1.30 PM | Leonard Glover | Risk Assessment - BCMS | 6.1
3:30 PM | Leonard Glover | Audit Follow up / report writing |
5.30 PM | Leonard Glover | Closing meeting / findings / Recommendation; Exit 5:45 PM |

The scope of the assessment is the documented management system with relation to the requirements of ISO 22301:2012 and the defined assessment plan provided in terms of locations and areas of the system and organization to be assessed.

ISO 22301:2012 Microsoft Enterprise Continuity Standard FY19 Microsoft Enterprise Business Continuity Management (EBCM) dated July 1, 2018.

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration that a deputy management representative be nominated. It is expected that the deputy would stand in should the management representative find themselves unavailable to attend an agreed visit within 30 days of its conduct.



Next Visit Plan

Date | Auditor | Time | Area/Process | Clause



Appendix: Your certification structure & ongoing assessment programme

Scope of Certification

BCMS 706252 (ISO 22301:2012): The business continuity management system in relation to the availability of Microsoft Office 365 services.



Assessed location(s)

The audit has been performed at Permanent Locations.

Redmond / BCMS 706252 (ISO 22301:2012)
Location reference: 0047358928-001
Address: Microsoft Office 365, 1 Microsoft Way, Redmond, Washington 98052-8300, USA

Visit type    | Assessment reference | Assessment dates | Deviation from Audit Plan
Stage 1 Audit | 9716326              | 01/11/2019       | No

Total number of Employees | Effective number of Employees | Scope of activities at the site      | Assessment duration
7                         | 7                             | development, operations and support | 1 Day(s)



Certification assessment program

Certificate Number - BCMS 706252
Location reference - 0047358928-001

Business area/Location: Audit1 / Audit2
Date (mm/yy): 01/19 / 02/19
Duration (days): 1 / 2

Scope and Policy: X X
Organisational context: X X
Leadership and Commitment: X X
Management System Support: X
Planning and Resources: X
Human Resource Management: X
Control of Documents and Records: X X
Objectives / Performance Monitoring & Measurement: X X
Management Review: X X
Supply Chain: X
Internal Audits: X
Actions / Non-Conformity / Incidents / Complaints: X
Risk Management / Prevention: X
Legal and Other Requirements: X
Improvement: X X

Definitions of findings:

Nonconformity: Non-fulfilment of a requirement.

Major nonconformity: Nonconformity that affects the capability of the management system to achieve the intended results. Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

Minor nonconformity: Nonconformity that does not affect the capability of the management system to achieve the intended results.

Opportunity for improvement: It is a statement of fact made by an assessor during an assessment, and substantiated by objective evidence, referring to a weakness or potential deficiency in a management system which, if not improved, may lead to nonconformity in the future. We may provide generic information about industrial best practices, but no specific solution shall be provided as part of an opportunity for improvement.

Observation: It is ONLY applicable for those schemes which prohibit the certification body from issuing an opportunity for improvement. It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a management system which, if not improved, may lead to a nonconformity in the future.



How to contact BSI

'Just for Customers' is the website that we are pleased to offer our clients following successful registration, designed to support you in maximizing the benefits of your BSI registration - please go to www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference number and your certificate number.

Should you wish to speak with BSI in relation to your registration, please contact our Operations Support Team:

BSI Management Systems
12950 Worldgate Drive, Suite 800
Herndon, VA 20170
Tel: +1 (800) 862 4977
Fax: +1 (703) 437 9001



Notes

This report and related documents are prepared for and only for BSI's client and for no other purpose. As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in connection with any other purpose for which the Report may be used, or to any other person to whom the Report is shown or into whose hands it may come, and no other persons shall be entitled to rely on the Report. If you wish to distribute copies of this report external to your organization, then all pages must be included.

BSI, its staff and agents shall keep confidential all information relating to your organization and shall not disclose any such information to any third party, except that in the public domain or required by law or relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities. The audit method used was based on sampling the organization's activities and it was aimed to evaluate the fulfilment of the audited requirements of the relevant management system standard or other normative document and confirm the conformity and effectiveness of the management system and its continued relevance and applicability for the scope of certification. As this audit was based on a sample of the organization's activities, the findings reported do not imply to include all issues within the system.



Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory noncompliance or incidents that require notification to any regulatory authority. Acceptance of this report by the client signifies that all such issues have been disclosed as part of the assessment process and agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI client manager as soon as practical after the event.


