Assessment Report
Table of contents
Executive Summary (page 4)
Changes in the organization since last assessment (page 4)
NCR summary graphs (page 5)
Your next steps (page 5)
Page 1 of 21
"We at BSI have formulated a methodology to assess your organization based on a certain set of guidelines which
gives an impression of the maturity level of the Information Security Management System on a continual basis.
This methodology could help you improve the processes and would add a value proposition through
assessment. This approach has no bearing whatsoever on the decision-making process of your certification;
however, it will aid you in focusing on the right process, which may be improved further depending on your
needs and requirements."
Executive Summary
The organization is expanding the scope of the certification and is adding more processes and sites to the existing
certificate scope. There is a heightened focus on data privacy and the organization has implemented GDPR / privacy
frameworks and Data Protection Framework for ESD. There have been a slew of tools and process changes
implemented to ensure that every step of every process has information security ingrained in it. The team has
increased its focus on vendor security requirements and the output from the vendor audits and reviews is shared
with the top management.
No change in relation to the audited organization’s activities, products or services covered by the scope of
certification was identified.
There was no change to the reference or normative documents related to the scope of certification.
A nonconformity requiring attention was identified. This, along with other findings, is contained within subsequent
sections of the report.
A nonconformity relates to a single identified lapse, which in itself would not indicate a breakdown in the
management system's ability to effectively control the processes for which it was intended. It is necessary to
investigate the underlying cause of any issue to determine corrective action. The proposed action will be reviewed
for effective implementation at the next assessment.
Please refer to Assessment Conclusion and Recommendation section for the required submission and the defined
timeline.
The scope of the assessment is the documented management system in relation to the requirements of the ISO
27001:2013 standard and the defined assessment plan, in terms of the locations and areas of the system and
organisation to be assessed. The assessment criteria were:
• ISO 27001:2013
• Microsoft's own documented policies and procedures
• Client requirements
• Legal & Regulatory requirements
Assessment Participants

Name | Position | Opening meeting / Closing meeting / Interviewed (processes)
Rahul Aggarwal | HR Manager | X
Sourabh Mishra | Architect Manager | X
Lakshmi Kammula | Delivery Project Manager | X
Gaurav Srivastava | Delivery Project Manager | X
Rajesh Nair | Architect | X
Punniyamoorthy Vaduganathan | Assc Architect | X X X
Pratik Shah | Sr Consultant | X X X
Sivananda Sagar | Technical Consultant | X
Manish Phalgunan | Regional Security | X
Nicoleta Stoica | Business Program Manager | X
Kundan Prakash | Service Practice Leader | X
Attila Kalmar | Business Program Manager | X
Sylwester Banas | Sr. Project Manager | X X X
Prasad Nelabhotla | Architect Cyber | X X X
Tarun Matai | Architect Cyber | X X X
Ravi Piduri | CISA | X X X
Assessment conclusion

BSI assessment team
Name | Position
Ajit Daniel | Team Leader
The audit objectives have been achieved and the certificate scope remains appropriate. The audit team concludes
based on the results of this audit that the organization does fulfil the standards and audit criteria identified within
the audit report and it is deemed that the management system continues to achieve its intended outcomes.
RECOMMENDED - Corrective Action Plan Required ('Minor' findings only): The audited organization may be
recommended for certification, based upon the acceptance of a satisfactory corrective action plan for all 'Minor'
findings as shown in this report. Effective implementation of corrective actions will be reviewed during the next
surveillance audit.
Please submit a plan to BSI detailing the nonconformity, the cause, correction and your proposed corrective action,
with responsibilities and timescales allocated. The plan is to be submitted no later than 30/11/2018 by e-mail or
fax to the correspondence address below, referencing the report number, or through the BSI Assurance Portal if
this is enabled for your account.
The use of the BSI certification documents and mark / logo is effectively controlled.
The annual risk assessment exercise was carried out as planned; the ISMS Implementation Guide was referred to. The
controls implemented to treat the risks of the process were reviewed and found to have been effectively implemented.
The Statement of Applicability (SOA) has been reviewed.
The report for the last internal audit was evidenced. An internal audit programme was prepared and communicated.
Most of the findings from that audit have been closed, while work is in progress on the remaining findings. Minutes
of the last management review meeting (MRM) were evidenced. All the input points required by the standard were
covered in the review.
Corrective actions have been identified, as appropriate to the effect of the nonconformities encountered. A tracker
recording the nature of the nonconformities, the subsequent actions taken and the results of any corrective actions
was being maintained and was reviewed. New tools have been introduced into the processes. The organization
is adding the Bucharest site to the scope of the existing ISMS certificate.
Finding Reference: 1714380-201811-I1
Certificate Reference: IS 595239
Certificate Standard: ISO/IEC 27001:2013
Clause: 4 - 10
Category: Opportunity for Improvement
Area/Process: ISMS Framework
Details: The document control on the employee handbook is not adequate - Bucharest.
Labs:
The Labs team handles the data centres. The team monitors the performance of all the equipment in the data
centres. All the policies and procedures are governed by MSIT. Duties and areas of responsibility have been clearly
segregated to reduce the opportunities for unauthorized or unintentional modification of the organization's assets.
Projections for future capacity requirements have been reviewed and are monitored frequently. Physical
access logs of the Lab are reviewed on a monthly basis, and the records of those reviews have been checked. Policies
to protect the information in networks and to protect the supporting equipment are implemented by the MSIT
team.
All key areas are protected by access control; some critical areas such as the labs have additional security guards
posted at the entry points. The REF (Real Estate & Facilities) team handles all the facilities management of the
organization; the services themselves have been outsourced. All defined procedures were found to have been
adhered to. The last fire drill reports at all the sites were reviewed. All identified ISMS controls are implemented
effectively. The team's understanding of the ISMS was good.
The controls at the new site in Bucharest were found to be in line with those at the existing sites.
Compliance: A.18:
All relevant legislative, statutory, regulatory and contractual requirements are being tracked effectively. A few of them
are:
• Certificate of Incorporation
• Professional Tax
• IT Act
• Companies Act
• GDPR
Some of the records demonstrating compliance with these have been verified.
Processes:
The following processes were also reviewed as part of this assessment:
• Modern Applications
• Secure Infrastructure (including ENMO)
• Business Productivity (including Fast Track)
• Data Insights
• Dynamics
• Enhanced Application Service (EAS) & Business Excellence and Operations (including SQA, Vendor Management,
Operations, Delivery Excellence Services - DevOps, Tools, Methodologies, Labs)
The risk assessment sheets for the processes were reviewed along with the customer-specified information
security requirements. A few SOWs were also sampled during the assessment. All the processes assessed were
found to be adhering to the above requirements. The access rights of all team members are being reviewed
regularly and the records of those reviews have been verified. Segregation of duties and areas of responsibility was
evident. The internal audit findings related to the above processes were reviewed and most of the findings were
found to have been closed appropriately.
the achievement of statutory, regulatory and contractual requirements and the organisations specified objectives,
as applicable with regard to the scope of the management standard, and to confirm the on-going achievement and
applicability of the forward strategic plan.
Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of the visit
by the organisation within 30 days of an agreed visit date.
Scope of Certification
IS 595239 (ISO/IEC 27001:2013)
The information security management system describes the provision of trusted and managed information security
services - Modern Applications, Secure Infrastructure, Business Productivity (including Fast Track), Data Insights,
Dynamics, Enhanced Application Service (EAS) and Business Excellence and Operations (including Vendor
Management, Operations, Delivery Excellence Services, SQA) for Microsoft Services from its Hyderabad, Bangalore,
Warsaw, Charlotte and Bucharest locations. This is in accordance with the latest ISMS Statement of Applicability
v1.9 dated 03/09/2018.
Assessed location(s)
The audit has been performed at Central Office, Permanent Locations.

Hyderabad / IS 595239 (ISO/IEC 27001:2013)
Location reference: 0047462947-000
Address:
Microsoft Global Services Center (India) Private Limited
1st, 2nd & 3rd Floor, Building # 1
Microsoft Campus, Gachibowli
Hyderabad, Telangana 500 032
India
Visit type: Re-certification Audit (RA Opt 2)
Scope of activities at the site: Enhanced application service (EAS); Business Support Functions:
Human Resources, REF, GSOC.
Assessment duration: 3 day(s)
Dynamics | X X X X
Cross domain capabilities | X X X X
Vendor Management | X X X X
ES DevOps | X X X X
Tools & Labs | X X X X
Human Resources Security | X X X X
Leadership and Commitment | X X X X
Legal & Statutory Requirements | X X X X
Re-Certification audit | X X

Secure Infrastructure | X X X
Vendor Management | X X X
ES DevOps | X X X
Tools & Labs | X X X
Human Resources Security | X X X
Legal & Statutory Requirements | X X X X
Re-Certification audit | X X
Review of assessment finding regarding conformity, effectiveness and relevance of the management system:
The organization does meet the requirements of the standard.
Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services will meet
specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could demonstrate a
systemic failure and thus constitute a major nonconformity.
Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended results.
Opportunity for improvement:
nonconformity in the future. We may provide generic information about industrial best practices, but no specific
solution shall be provided as part of an opportunity for improvement.
Observation:
It is ONLY applicable for those schemes which prohibit the certification body to issue an opportunity for
improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a management
system which, if not improved, may lead to a nonconformity in the future.
Notes
This report and related documents are prepared for and only for BSI’s client and for no other purpose. As
such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in
connection with any other purpose for which the Report may be used, or to any other person to whom the
Report is shown or in to whose hands it may come, and no other persons shall be entitled to rely on the
Report. If you wish to distribute copies of this report external to your organisation, then all pages must be
included.
BSI, its staff and agents shall keep confidential all information relating to your organisation and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual confidentiality
undertakings and will only receive confidential information on a 'need to know' basis.
This audit was conducted on-site through document reviews, interviews and observation of activities. The audit
method used was based on sampling the organization’s activities and it was aimed to evaluate the fulfilment of
the audited requirements of the relevant management system standard or other normative document and
confirm the conformity and effectiveness of the management system and its continued relevance and
applicability for the scope of certification.
As this audit was based on a sample of the organization's activities, the findings reported do not claim to cover
all issues within the system.
Regulatory compliance
BSI requires that it be informed of all relevant regulatory non-compliance or incidents that require notification to
any regulatory authority. Acceptance of this report by the client signifies that all such issues have been disclosed
as part of the assessment process, and agreement that any such non-compliance or incidents occurring after this
visit will be notified to BSI as soon as practical after the event.