
Re-Certification and Extension of Scope

Assessment Report

Microsoft Global Services Center (India) Private Limited
Assessment dates: 01/10/2018 to 21/11/2018 (Please refer to Appendix for details)
Assessment Location(s): Hyderabad, Telangana (000), Hebbal, Bengaluru (001), Charlotte (003), Warszawa (002), Bucharest (004)
Report Author: Ajit Daniel
Assessment Standard(s): ISO/IEC 27001:2013

Table of contents

Executive Summary
Changes in the organization since last assessment
NCR summary graphs
Your next steps
  NCR close out process
Assessment objective, scope and criteria
Assessment Participants
Assessment conclusion
Findings from this assessment
  Noteworthy Efforts
  ISMS Framework: 4 - 10
  Labs
  Human Resource Security & Training: A.7
  Asset management: A.8
  Physical & Environmental Security: A.11
  Information Security Incident Management: A.16
  Information security aspects of Business Continuity Management: A.17
  Compliance: A.18
  Processes
Next visit objectives, scope and criteria
Next Visit Plan
Appendix: Your certification structure & ongoing assessment programme
  Scope of Certification
  Assessed location(s)
  Certification assessment program
  Mandatory requirements – re-certification
  Definitions of findings
  How to contact BSI
  Notes
  Regulatory compliance


"We at BSI have formulated a methodology to assess your organization based on certain set of guidelines which
gives an impression on the maturity level of the Information Security Management System on a continual basis.
This methodology could help you improving the processes and would add value proposition through
assessment. This approach has no bearing whatsoever on the decision making process of your certification
however it will aid you to focus on the right process which may be improved further on depending on your
needs and requirements"

Executive Summary
The organization is expanding the scope of the certification and is adding more processes and sites to the existing
certificate scope. There is a heightened focus on data privacy and the organization has implemented GDPR / privacy
frameworks and Data Protection Framework for ESD. There have been a slew of tools and process changes
implemented to ensure that every step of every process has information security ingrained in it. The team has
increased its focus on vendor security requirements and the output from the vendor audits and reviews is shared
with the top management.

Changes in the organization since last assessment


There is no significant change in the organization structure or key personnel involved in the audited management
system.

No change in relation to the audited organization’s activities, products or services covered by the scope of
certification was identified.

There was no change to the reference or normative documents related to the scope of certification.


NCR summary graphs


Which standard(s) BSI recorded findings against

Where BSI recorded findings

Your next steps

NCR close out process

There were no outstanding nonconformities to review from previous assessments.


A nonconformity requiring attention was identified. This, along with other findings, is contained within subsequent
sections of the report.

A nonconformity relates to a single identified lapse, which in itself would not indicate a breakdown in the
management system's ability to effectively control the processes for which it was intended. It is necessary to
investigate the underlying cause of any issue to determine corrective action. The proposed action will be reviewed
for effective implementation at the next assessment.

Please refer to Assessment Conclusion and Recommendation section for the required submission and the defined
timeline.

Assessment objective, scope and criteria


The objective of the assessment was to conduct a re-assessment of the existing certification to ensure the
elements of the proposed scope of registration and the requirements of the management standard are effectively
addressed by the organisation's management system.

The scope of the assessment is the documented management system with relation to the requirements of ISO
27001:2013 standard and the defined assessment plan provided in terms of locations and areas of the system and
organisation to be assessed.

ISO 27001:2013
Microsoft's own documented policies and procedures
Client requirements
Legal & Regulatory requirements

Assessment Participants
Name | Position | Opening Meeting / Closing Meeting / Interviewed (processes)
Rahul Aggarwal | HR Manager | X
Sourabh Mishra | Architect Manager | X
Lakshmi Kammula | Delivery Project Manager | X
Gaurav Srivastava | Delivery Project Manager | X
Rajesh Nair | Architect | X
Punniyamoorthy Vaduganathan | Assc Architect | X X X
Pratik Shah | Sr Consultant | X X X
Sivananda Sagar | Technical Consultant | X
Manish Phalgunan | Regional Security | X
Srinivas Rao N.H. | Regional Security | X
Johnson Motru | Manager EHS | X
Arvind Chandramohan | Sr Project Manager | X
Prashant Kumar | Sr Project Manager | X
Bharat Kumar | Sr Business Program Manager | X
Subhash Iyer | Business Program Manager | X
Santosh Mettupalli | Business Program Manager | X
Tomasz Terka | Sr TAM | X
Tatiana Varlakova | HR Manager | X
Iga Radziejowska | HR Manager | X
Agnieszka Lobodzinska | Facilities manager | X
Piotr Bralski | Sr Field IT Manager | X
Marzena Zero | Facilities manager | X
Dan Tabacaru | Facilities manager | X
Emi Baragan | PFE | X
Aurelia Dobre | Facilities manager | X
Karel Chlan | EDP Health & Safety Consultant | X
Alexandra Socea | HR Manager | X
Leona Seberova | HR Manager | X
Katerina Novakova | Sr. Hr Service Analyst | X
Madalina Stoica | HR Manager | X
Roxana Milas | HR Lead Romania | X
Andreea Mihai | Service Practice Leader | X
Nicoleta Stoica | Business Program Manager | X
Kundan Prakash | Service Practice Leader | X
Attila Kalmar | Business Program Manager | X
Sylwester Banas | Sr. Project Manager | X X X
Prasad Nelabhotla | Architect Cyber | X X X
Tarun Matai | Architect Cyber | X X X
Ravi Piduri | CISA | X X X
Rohit G | Facilities manager | X
Nagaraj Shetty | Facilities manager | X
Sabari Sayiraman | Assc Architect | X
Deepak Kumar Mishra | consultant | X
Ujwal Chowdavaram | Architect | X
Rangarajan Subramani | Architect | X
Karthikeyan Erode | Sr. Project Manager | X
Rudra Pratap Chakrabarty | consultant | X
Shrirang Desai | Sr. Project Manager | X
Dinesh Sabnani | Project manager | X
Pratima Mangena | consultant | X
Dileep Kumar Chencherian Veettil | Sr. Project Manager | X
Adarsh Kumar | consultant | X
Avinash Ravikumar | consultant | X
Arvind Chandramohan | Sr. Project Manager | X

Assessment conclusion
BSI assessment team

Name Position
Ajit Daniel Team Leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team concludes
based on the results of this audit that the organization does fulfil the standards and audit criteria identified within
the audit report and it is deemed that the management system continues to achieve its intended outcomes.

RECOMMENDED - Corrective Action Plan Required ('Minor' findings only): The audited organization may be
recommended for certification, based upon the acceptance of a satisfactory corrective action plan for all 'Minor'
findings as shown in this report. Effective implementation of corrective actions will be reviewed during the next
surveillance audit.

Please submit a plan to BSI detailing the nonconformity, the cause, correction and your proposed corrective action,
with responsibilities and timescales allocated. The plan is to be submitted no later than 30/11/2018 by e-mail or
fax to the correspondence address below, referencing the report number, or through the BSI Assurance Portal if
this is enabled for your account.

Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.

Findings from this assessment


Noteworthy Efforts:
• Implemented Data Privacy, Security and Regulatory compliance controls as part of services GRC
• GDPR / InfoSec / Ethics frameworks and process steps across L2O and O2C
• Implemented Application and Infrastructure monitoring tools for security compliance of all the servers (virtual
and physical)
• Integrated credential scanning, static code analysis, dynamic code scanning / fuzzing tools as part of
SecDevOps process
• Enhanced governance and reporting of security controls across services
• Enhanced guidance for GDPR/InfoSec/Ethics in SDM Plus
• Aligned Security engineering steps with Process Step Framework (Virtuoso)
• Conducted multiple awareness sessions for all domain teams on GDPR/InfoSec and other Compliance related
topics
• Romania, Poland – Consolidation of the business support functions (HR, GSOC, REF) in Europe

ISMS Framework: 4 - 10:


ISMS was last reviewed in September 2018. The Information Security Policy has been reviewed. Security
Objectives and the Security Policy statement have been reviewed. The organization has demonstrated continued
compliance to the Standard, and generally a very good level of security awareness is generated through training and
awareness activities. The controls selected through risk analysis and the subsequent treatment plan have been
identified and implemented within the organization. Efficient monitoring of all information security controls was
witnessed during assessment.

The annual risk assessment exercise was carried out as planned. The ISMS Implementation guide was referred to. The
controls implemented to treat risks of the process were reviewed and found to have been effectively implemented. The
Statement of Applicability (SOA) has been reviewed.

The internal audit report for the last internal audit was evidenced. An internal audit program was made and
communicated. Most of the findings of the same have been closed, while work is in progress for the remaining findings.
Minutes of meeting for the last MRM were evidenced. All the input points as required by the standard were covered in
the review.


Corrective actions have been identified, as appropriate to the effect of the nonconformities encountered. A tracker
with the nature of the nonconformities, subsequent actions taken, and the results of any corrective actions was
being maintained and the same was reviewed. New tools have been introduced into the processes. The organization
is adding the Bucharest site into the scope of the existing ISMS certificate.

Finding Reference: 1714380-201811-I1
Certificate Reference: IS 595239
Certificate Standard: ISO/IEC 27001:2013
Clause:
Category: Opportunity for Improvement
Area/Process: ISMS Framework: 4 - 10
Details: The document control on the employee handbook is not adequate - Bucharest.

Labs:
The Labs team handles the data centres. The team monitors the performance of all the equipment in the data
centres. All the policies and procedures are governed by MSIT. Duties and areas of responsibilities have been clearly
segregated to reduce the opportunities for unauthorized or unintentional modification of the organization's assets.
Projections for future capacity requirements have been reviewed and the same is monitored frequently. Physical
access logs of the Lab are monitored on a monthly basis; review records of the same have been checked. Policies
to protect the information in networks and protection of the supporting equipment are implemented by the MSIT
team.

Human Resource Security & Training: A.7:


Security roles and responsibilities of employees, contractors and third party users have been defined and
documented in accordance with the organization’s information security policy. Background verification is done for
all employees. The agreement with the background verification agency has been reviewed. A few of the
organization's personnel files for new joiners, existing employees and exiting employees have been reviewed. The
background verification file and signed terms and conditions of employment were evident in the same.

Finding Reference: 1714380-201811-I2
Certificate Reference: IS 595239
Certificate Standard: ISO/IEC 27001:2013
Clause:
Category: Opportunity for Improvement
Area/Process: Human Resource Security & Training: A.7
Details: Awareness of staff at reception is not adequate - Bucharest

Finding Reference: 1714380-201811-I3
Certificate Reference: IS 595239
Certificate Standard: ISO/IEC 27001:2013
Clause:
Category: Opportunity for Improvement
Area/Process: Human Resource Security & Training: A.7
Details: The coverage of breach of information security in the disciplinary action procedure is not adequate - Bucharest.

Asset management: A.8:


Reviewed the overall asset register, all assets have been clearly identified and the inventory of all important assets
has been reviewed. Appropriate owners, users and custodians have been assigned to all the assets. The acceptable
use policy was also reviewed. The assets are classified as per the defined classification guidelines. Most important
assets of the organization have been labelled as per the defined procedure.

Physical & Environmental Security: A.11:


All the five facilities are well managed. Fire safety measures like fire extinguishers, smoke detectors, fire alarms and
water sprinklers are in place and are being checked regularly. Excellent Physical security is maintained. Perimeter
security was found to be effective. Multi-layer physical security is maintained round the clock by security guards
whose services are outsourced. Visitors need to register with the security team with prior appointment, declaring
all the materials they are carrying. No visitor is allowed onto the premises without an official escort.

All prominent places are protected by access control, some critical areas like labs have additional security guards
posted at the entry points. The REF (Real Estate & Facilities) team handles all the facilities management of the
organization. The services for the same have been outsourced. All procedures defined were found to have been
adhered to. The last fire drill reports at all the sites were reviewed. All identified ISMS controls are implemented
effectively. The team understanding of ISMS was good.

The controls at the new site at Bucharest were found to be in line with those at the existing sites.

Information Security Incident Management: A.16:


The procedure for Incident Management was referred to. The channels for reporting information security incidents have
been clearly defined. Details of the reporting channels are provided to all employees and randomly interviewed
employees were aware of the same. Roles and responsibilities are clearly defined in the procedure document.

Information security aspects of Business Continuity Management: A.17:


A framework to manage business continuity throughout the unit has been developed and maintained. The
Business Continuity Plan was referred to. Roles and responsibilities have been clearly defined. The criteria for
activation of the BCP are clearly defined and vary based on the area of impact. The BCP test calendar has been
reviewed; tests were found to be conducted as scheduled. The last BCP test report was also reviewed. The organization
has ensured that appropriate information security controls are implemented even in Business Continuity events.

Compliance: A.18:
All relevant legislative, statutory, regulatory, contractual requirements are being tracked effectively. A few of them
are:
• Certificate of Incorporation
• Professional Tax
• IT Act
• Companies Act
• GDPR
Some of the records for compliance of the same have been verified.

Processes:
The following processes were also reviewed as part of this assessment:
• Modern Applications
• Secure Infrastructure (including ENMO)
• Business Productivity (including Fast Track)
• Data Insights
• Dynamics
• Enhanced Application Service (EAS) & Business Excellence and Operations (including SQA, Vendor Management,
Operations, Delivery Excellence Services – DevOps, Tools, Methodologies, Labs).

The risk assessment sheets for the processes were reviewed along with specific customer specified information
security requirements. A few SOWs were sampled during the assessment as well. All the processes assessed were
found to be adhering to the above requirements. The access rights for all the team members are being reviewed
regularly and the records for the same have been verified. Segregation of duties and areas of responsibilities was
evident. The internal audit findings related to the above processes were reviewed and most of the findings were
found to have been closed appropriately.

Minor (1) nonconformities arising from this assessment.


Finding Reference: 1714380-201811-N1
Certificate Reference: IS 595239
Certificate Standard: ISO/IEC 27001:2013
Clause: A11.1.3
Category: Minor
Area/Process: Physical & Environmental Security: A.11
Statement of non conformance: There is no system in place to track return of visitor ID cards - Bucharest and Warsaw.
Clause requirements: Physical security for offices, rooms and facilities shall be designed and applied.
Objective evidence: Visitor records at both the offices.
Cause:
Correction / containment:
Corrective action:

Next visit objectives, scope and criteria


The objective of the assessment is to conduct a surveillance assessment and look for positive evidence to ensure
the elements of the scope of certification and the requirements of the management standard are effectively
addressed by the organisation's management system and that the system is demonstrating the ability to support
the achievement of statutory, regulatory and contractual requirements and the organisation's specified objectives,
as applicable with regard to the scope of the management standard, and to confirm the on-going achievement and
applicability of the forward strategic plan.

The scope of the assessment is the documented management system with relation to the requirements of ISO
27001:2013 standard and the defined assessment plan provided in terms of locations and areas of the system and
organization to be assessed.

ISO 27001:2013
Microsoft's own documented policies and procedures
Client requirements
Legal & Regulatory requirements
Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of the visit
by the organisation within 30 days of an agreed visit date.

Next Visit Plan


Date Auditor Time Area/Process Clause

Appendix: Your certification structure & ongoing assessment programme

Scope of Certification
IS 595239 (ISO/IEC 27001:2013)
The information security management system describes the provision of trusted and managed Information security
services – Modern Applications, Secure Infrastructure, Business Productivity (including Fast Track) , Data Insights,
Dynamics, Enhanced Application Service (EAS) and Business Excellence and Operations (including Vendor
Management, Operations, Delivery Excellence Services, SQA) for Microsoft Services from its Hyderabad, Bangalore,
Warsaw, Charlotte and Bucharest locations. This is in accordance with the latest ISMS Statement of Application
v1.9 dated 03/09/2018.

Assessed location(s)
The audit has been performed at Central Office, Permanent Locations.
Hyderabad / IS 595239 (ISO/IEC 27001:2013)
Location reference: 0047462947-000
Address: Microsoft Global Services Center (India) Private Limited, 1st, 2nd & 3rd Floor, Building # 1, Microsoft Campus, Gachibowli, Hyderabad, Telangana 500 032, India
Visit type: Re-certification Audit (RA Opt 2)
Assessment reference: 8785476
Assessment dates: 01/10/2018
Audit Plan (Revision Date): 01/10/2018
Deviation from Audit Plan: No
Total number of Employees: 750
Total persons doing work at this site: 750
Scope of activities at the site: Modern Applications, Secure Infrastructure (including ENMO), Business Productivity (including Fast Track), Data Insights, Dynamics, Enhanced Application Service (EAS) and Business Excellence and Operations (including SQA, Vendor Management, Operations, Delivery Excellence Services – DevOps, Tools, Methodologies, Labs). Business Support Functions: Human Resources, REF, GSOC.
Assessment duration: 6 day(s)

Bengaluru / IS 595239 (ISO/IEC 27001:2013)
Location reference: 0047462947-001
Address: Microsoft Global Services Center (India) Private Limited, Manyata Embassy Business Park, 4th Floor, Silver Oak, Outer Ring Road, Bangalore, Nagawara, Hebbal, Karnataka, India
Visit type: Re-certification Audit (RA Opt 2)
Assessment reference: 8785477
Assessment dates: 07/10/2018
Audit Plan (Revision Date): 01/10/2018
Deviation from Audit Plan: No
Total number of Employees: 250
Total persons doing work at this site: 250
Scope of activities at the site: Modern Applications, Secure Infrastructure (including ENMO), Business Productivity (including Fast Track), Data Insights, Dynamics, Enhanced Application Service (EAS) and Business Excellence and Operations (including SQA, Vendor Management, Operations, Delivery Excellence Services – DevOps, Tools, Methodologies, Labs). Business Support Functions: Human Resources, REF, GSOC.
Assessment duration: 5 day(s)

Charlotte / IS 595239 (ISO/IEC 27001:2013)
Location reference: 0047462947-003
Address: Microsoft, 8050 Microsoft Way, Charlotte, North Carolina 28273, USA
Visit type: Re-certification Audit (RA Opt 2)
Assessment reference: 9665332
Assessment dates: 15/10/2018
Audit Plan (Revision Date): 01/10/2018
Deviation from Audit Plan: No
Total number of Employees: 19
Total persons doing work at this site: 19
Scope of activities at the site: Modern Applications, Secure Infrastructure (including ENMO), Business Productivity (including Fast Track), Data Insights, Dynamics, Enhanced Application Service (EAS) and Business Excellence and Operations (including SQA, Vendor Management, Operations, Delivery Excellence Services – DevOps, Tools, Methodologies, Labs). Business Support Functions: Human Resources, REF, GSOC
Assessment duration: 1 day(s)

Warszawa / IS 595239 (ISO/IEC 27001:2013)
Location reference: 0047462947-002
Address: Microsoft Global Services Center, Microsoft Sp. z.o.o, 1st floor, 195A Aleje Jerozolimskie, 02-222, Warszawa, Poland
Visit type: Re-certification Audit (RA Opt 2)
Assessment reference: 8785703
Assessment dates: 13/11/2018
Audit Plan (Revision Date): 23/11/2018
Deviation from Audit Plan: No
Total number of Employees: 31
Total persons doing work at this site: 31
Scope of activities at the site: Modern Applications, Secure Infrastructure (including ENMO), Business Productivity (including Fast Track), Data Insights, Dynamics, Enhanced Application Service (EAS) and Business Excellence and Operations (including SQA, Vendor Management, Operations, Delivery Excellence Services – DevOps, Tools, Methodologies, Labs). Business Support Functions: Human Resources, REF, GSOC.
Assessment duration: 1 day(s)

Bucharest / IS 595239 (ISO/IEC 27001:2013)
Location reference: 0047462947-004
Address: Microsoft Global Services Center, Piața Presei Libere nr. 3-5, City Gate Building, South Tower, București, Sector 1, Romania
Visit type: Extension to Scope
Assessment reference: 9665331
Assessment dates: 14/11/2018
Audit Plan (Revision Date): 13/11/2018
Deviation from Audit Plan: No
Total number of Employees: 10
Total persons doing work at this site: 10
Scope of activities at the site: Enhanced application service (EAS); Business Support Functions: Human Resources, REF, GSOC.
Assessment duration: 3 day(s)

Certification assessment program


Certificate Number - IS 595239
Location reference - 0047462947-000
Audit1 Audit2 Audit3 Audit4
Business area/Location Date (mm/yy): 10/18 10/19 10/20 10/21
Duration (days): 6 3 3
ISMS Framework X X X X
Physical & Environmental Security X X X X
Modern Applications X X X X
Secure Infrastructure X X X X
Business Productivity X X X X
Data Insights X X X X
Dynamics X X X X
Cross domain capabilities X X X X
Vendor Management X X X X
ES DevOps X X X X
Tools & Labs X X X X
Human Resources Security X X X X
Leadership and Commitment X X X X
Legal & Statutory Requirements X X X X
Re-Certification audit X X

Certificate Number - IS 595239


Location reference - 0047462947-001
Audit1 Audit2 Audit3 Audit4
Business area/Location Date (mm/yy): 10/18 10/19 10/20 10/21
Duration (days): 5 2 2
Physical & Environmental Security X X X X
Modern Applications X X X
Secure Infrastructure X X X
Business Productivity X X X
Data Insights X X X
Dynamics X X X
Cross domain capabilities X X X
Vendor Management X X X
ES DevOps X X X
Tools & Labs X X X
Legal & Statutory Requirements X X X X
Re-Certification audit X X

Certificate Number - IS 595239


Location reference - 0047462947-003
Audit1 Audit2 Audit3 Audit4
Business area/Location Date (mm/yy): 10/18 10/19 10/20 10/21
Duration (days): 1 1 1
Physical & Environmental Security X X X X
Secure Infrastructure X X X
Vendor Management X X X
ES DevOps X X X
Tools & Labs X X X
Human Resources Security X X X
Legal & Statutory Requirements X X X X
Re-Certification audit X X

Certificate Number - IS 595239


Location reference - 0047462947-002
Audit1 Audit2 Audit3 Audit4
Business area/Location Date (mm/yy): 10/18 10/19 10/20 10/21
Duration (days): 1 1 1
Physical & Environmental Security X X X X
Secure Infrastructure X X X
Vendor Management X X X
ES DevOps X X X
Tools & Labs X X X
Human Resources Security X X X
Legal & Statutory Requirements X X X X
Re-Certification audit X X
Certificate Number - IS 595239
Location reference - 0047462947-004
Audit1 Audit2 Audit3 Audit4
Business area/Location Date (mm/yy): 10/18 10/19 10/20 10/21
Duration (days): 3 1 1
Physical & Environmental Security X X X X
Secure Infrastructure X X X
Vendor Management X X X
ES DevOps X X X
Tools & Labs X X X
Human Resources Security X X X
Legal & Statutory Requirements X X X X
Re-Certification audit X X

Mandatory requirements – re-certification.

Review of assessment finding regarding conformity, effectiveness and relevance of the management system:
The organization does meet the requirements of the standard.

Management system strategy and objectives:
Organization has demonstrated continual improvements as aligned with Organization objectives and strategy.

Review of progress in relation to the organisation's objectives:
All defined objectives are being monitored and tracked to achievement.

Review of assessment progress and the re-certification plan:
The scope of certification is as mentioned and the assessment durations are based on the current number of
employees as per the scheme manual.

BSI Client Management Impartiality and Surveillance Strategy:
The Client manager is appropriate and the customer is comfortable with the interface provided for
certification.
Continue with the current Total assessment days / Cycle.

Definitions of findings:
Non-conformity:
Non-fulfilment of a requirement.

Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services will meet
specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could demonstrate a
systemic failure and thus constitute a major nonconformity.

Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended results.

Opportunity for improvement:
It is a statement of fact made by an assessor during an assessment, and substantiated by objective evidence,
referring to a weakness or potential deficiency in a management system which if not improved may lead to
nonconformity in the future. We may provide generic information about industrial best practices but no specific
solution shall be provided as a part of an opportunity for improvement.

Observation:
It is ONLY applicable for those schemes which prohibit the certification body to issue an opportunity for
improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a management
system which, if not improved, may lead to a nonconformity in the future.

How to contact BSI


Should you wish to speak with BSI in relation to your registration, please contact your customer service officer.

BSI GROUP INDIA PRIVATE LIMITED
303, Ashoka Vishnu Capitol,
Road No. 02, Banjara Hills,
Hyderabad – 500 034, Telangana,
India
Tel: +91 40 4020 1004 Telefax: +91 40 4020 1005
E-mail (for corrective action plans): bsi.hyderabad@bsigroup.com

Notes
This report and related documents are prepared for and only for BSI’s client and for no other purpose. As
such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in
connection with any other purpose for which the Report may be used, or to any other person to whom the
Report is shown or in to whose hands it may come, and no other persons shall be entitled to rely on the
Report. If you wish to distribute copies of this report external to your organisation, then all pages must be
included.

BSI, its staff and agents shall keep confidential all information relating to your organisation and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual confidentiality
undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities. The audit
method used was based on sampling the organization’s activities and it was aimed to evaluate the fulfilment of
the audited requirements of the relevant management system standard or other normative document and
confirm the conformity and effectiveness of the management system and its continued relevance and
applicability for the scope of certification.

As this audit was based on a sample of the organization’s activities, the findings reported do not imply to include
all issues within the system.


Regulatory compliance

BSI requires to be informed of all relevant regulatory non-compliance or incidents that require notification to
any regulatory authority. Acceptance of this report by the client signifies that all such issues have been disclosed
as part of the assessment process and agreement that any such noncompliance or incidents occurring after this
visit will be notified to BSI as soon as practical after the event.
