Microsoft 365 Certification FAQ

Introduction

Below are the questions most frequently asked by ISVs (Independent Software Vendors) when starting the Microsoft 365 Certification. If you have a query that is not covered here, contact the Microsoft 365 App Certification team via AppCert@Microsoft.com. This document is aimed at ISVs; general information about the Microsoft 365 Security and Compliance program can be found on the Microsoft 365 App Compliance program page.

I have not passed an audit against an industry recognized framework such as PCI DSS, SOC 2 or ISO 27001. Does this mean I am unable to apply for the Microsoft 365 Certification?

No, obtaining one of these industry recognized frameworks is not a requirement of the Microsoft 365 Certification.

I have already passed an external audit against an industry recognized framework. Can this count towards the Microsoft 365 Certification?

The short answer is yes. Currently the Microsoft 365 Certification specification accepts evidence from the PCI DSS, SOC 2 and ISO 27001 external frameworks. The Microsoft 365 Certification Submissions Guide maps where these existing external frameworks align; however, we have found in some instances that an existing standard/framework does not adequately align. For this reason, the Microsoft 365 Certification team will review the supplied standards/framework evidence and mark which controls within the Microsoft 365 Certification are met by it.

How do we demonstrate GDPR compliance if we have not had an external GDPR assessment?

Microsoft does not require an independent review of GDPR conformance for the Microsoft 365 Certification. This is an either/or scenario: where no external review has taken place, we accept self-attestations that we can independently verify. Because this is an assessment rather than an audit, our approach to the GDPR control is to review your privacy policies and internal processes and collect evidence from them. In practice this mostly involves reviewing privacy policies to ensure they meet basic GDPR requirements; e.g. what personal data is being processed, what the lawful basis for processing is, the data subject rights, how a user can make a subject access request (SAR), how the ISV will handle SARs, the ISV's company details and the data retention details.

We have undergone a penetration test; however, we do not have a “clean” penetration test as we have not undertaken a penetration retest. Do we need to undertake a retest and have a clean report?

The Microsoft 365 Certification specification does not require ISVs to undertake penetration testing retests, provided that adequate remediation evidence can be supplied to demonstrate that the issues identified in the penetration testing report have been remediated.

Some of the documentation and evidence requested is sensitive. Are there non-disclosure agreements (NDAs) in place?

Yes, some of the information you submit will be public information and some may be confidential information. If you have an existing NDA in place with Microsoft, the terms of that NDA will apply to the confidential information you submit. If you do not have an NDA with Microsoft, the confidentiality terms of the Publisher Agreement that you signed within Partner Center will apply to that confidential information.

How do we securely transfer sensitive documentation and evidence as part of the Microsoft 365 Certification assessment?

Currently, Microsoft does not have a platform for sharing this information securely. The recommendation is for you to share this information through whatever secure mechanisms you already have in place. Many ISVs will utilize OneDrive and share an authenticated link to the Microsoft 365 Certification team.

We have just implemented some additional security processes to meet some of the Microsoft 365 Certification controls. Does this mean we have to wait 12 months before we are able to certify?

No. Microsoft acknowledges that you may need to develop additional security processes to bridge gaps between your existing security processes and what is expected by the Microsoft 365 Certification. The Microsoft 365 Certification team will review newly developed documented processes and will review evidence that each process has been carried out at least once. Additional historic evidence will not be required, as it will not exist for these newly developed processes. After twelve months, a sample of historic evidence will start to be assessed during the annual assessment.

What am I responsible for providing?

During the assessment, certification analysts will review the supplied documentation and evidence to assess your conformance to the Microsoft 365 Certification controls. As part of this work, the Microsoft 365 Certification team will request information including architectural details, diagrams, data storage details, App design details, policy and process documents, configuration files and screenshots. On some occasions, or if it is easier for you, a screensharing session can be arranged to show the evidence to the certification analysts. If existing compliance frameworks are to be used to support the assessment activities, adequate documentation will be required to demonstrate what the external auditor/assessor assessed and confirmed as being in place. Where the supporting documentation cannot provide the narrative needed to demonstrate exactly how the controls within the external security framework have been met, the Microsoft 365 Certification team will be unable to use that external security framework in support of the Microsoft 365 Certification assessment.

Will attaining the certification require me to make changes to my current infrastructure?

It is unlikely that significant changes to the infrastructure will be required to meet the Microsoft 365 Certification. The controls are based on industry security best practices and will most likely already be implemented. We have seen that in most cases ISVs have had to update internal processes to bridge gaps between current working practices and what is required by the Microsoft 365 Certification. If this is a concern, Microsoft recommends that you review the latest Microsoft 365 Certification controls, which can be found in the Microsoft 365 Certification Submissions Guide, to ensure that your currently deployed environment and working practices meet the controls defined there.

Does Microsoft have recommendations about specific components/infrastructure/software that should be used to satisfy the certification requirements?

Microsoft does not provide specific recommendations on solutions to meet the Microsoft 365 Certification controls. Any commercial or open source offerings can be used, provided they are actively supported and maintained.

How long does it take to complete the assessment?

Typically, an assessment takes on average 30 days to complete; however, this depends upon many variables. The length of time to complete can vary depending upon the size of the hosting environment used to support the App/Add-in, the type of hosting environment supporting the App/Add-in, and how promptly the ISV responds to evidence requests.

How much of my time will I need to allocate to this process?

Most of the work is simply gathering the documentation and evidence in a timely manner. After that, completing the assessment process should not require more than a few hours a week. Two variables affect the time required: the size of the environment, which determines how long it takes to collect the evidence requested, and whether any external security frameworks can be leveraged to support the assessment. Where external security frameworks are in place and adequate supporting documentation can be provided, certification analysts can use these external assessments to satisfy a subset of Microsoft 365 controls without you needing to supply additional evidence.

Why is there a fixed 60-day timeframe for the assessment?

We have set a limit on how long an assessment can run because evidence already collected becomes stale the longer an assessment takes. This is a point-in-time assessment, and therefore a suitable period must be allocated for completion. After you submit your initial document submission, we will respond with a request for evidence. The 60-day period begins when you receive the request for evidence. You should read the Microsoft 365 Certification Submissions Guide and be confident that all controls can be met before submitting your Initial Evidence Submission.

What happens if the assessment is not complete within the 60-day timeframe?

Unfortunately, if the assessment is not completed within the 60-day timeframe, Microsoft will mark the assessment as a fail. This mark is only for internal statistics and will never be published. You will be able to restart the assessment process immediately; however, you will be asked to resend NEW evidence to support the new application.

How much will the Microsoft 365 Certification cost me?

Currently, it is FREE for you to complete the Microsoft 365 Certification.

What is the cost of Penetration Testing under this program?

If your app must undergo penetration testing, where this is not part of your security activities, penetration testing can be completed under the Microsoft 365 Certification and is FREE. The scope of penetration testing is limited to the App and the supporting infrastructure that is in scope for the Microsoft 365 Certification.

Do you have marketing materials that can be used to advertise the fact that our app has been certified?

Upon completion, ISVs receive a free digital marketing kit to promote their app as Microsoft 365 Certified.

What level of evidence are you looking for when performing the assessment?

Evidence supplied during the Microsoft 365 Certification assessment must be able to provide enough assurance that you are meeting the specific Microsoft 365 Certification controls being assessed. Evidence can be in the form of configuration files, screenshots of settings or evidence, policy/procedure documentation or screensharing sessions to demonstrate evidence to the certification analyst. Below are two examples:

Assessment Activity: “Demonstrate that anti-virus software is running across all sampled system components.” – For this control, you can provide a screenshot from every device in the sample that supports anti-virus which shows the anti-virus process running, or if you have a centralized management console for anti-virus, you may be able to demonstrate it from that management console.

Assessment Activity: “Demonstrate how new security vulnerabilities are identified.” – This control is from the Patch Management section. The intent is that you have a formally documented process for how you identify new security vulnerabilities. This covers your own source code but also needs to cover the supporting environment, for example Windows vulnerabilities and vulnerabilities within web dependencies (e.g. AngularJS, jQuery, etc.). You should have a documented process that you follow to identify new security vulnerabilities, so you should provide that process document. In addition to the documentation, you need to provide evidence that the process is being followed; for example, if you use something like npm audit to check dependencies for vulnerabilities, then supplying a sample of its reports will provide that evidence. If you use multiple processes, e.g. for different system components, then evidence for all of the processes will need to be provided.
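As an added example (not Microsoft's or the certification program's tooling), the script below turns a constructed npm audit --json report into a dated evidence record of the kind this assessment activity asks for: when the scan ran, the severity totals, and which findings still need remediation. It assumes npm's version 2 JSON report layout (auditReportVersion 2, npm 7+); the package names are made up and the high/critical threshold is an assumed policy, not one from the page.

```python
"""Build a dated evidence record from an `npm audit --json` report (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample report; package names and findings are invented, not a real scan.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lib-alpha": {"name": "lib-alpha", "severity": "moderate",
                      "isDirect": True, "range": "<2.0.0", "fixAvailable": True},
        "lib-beta": {"name": "lib-beta", "severity": "critical",
                     "isDirect": False, "range": "<1.2.6", "fixAvailable": True},
        "lib-gamma": {"name": "lib-gamma", "severity": "high",
                      "isDirect": True, "range": "*", "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 1, "total": 3}},
})

BLOCKING = {"high", "critical"}  # assumed remediation threshold, not from the page

def parse_audit(report_json: str) -> dict:
    """Check the report shape, cross-check the totals and flatten the findings."""
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm audit report version 2")
    totals = report["metadata"]["vulnerabilities"]
    findings = [
        {"package": v["name"], "severity": v["severity"],
         "direct": bool(v.get("isDirect")), "fix_available": bool(v.get("fixAvailable"))}
        for v in report["vulnerabilities"].values()
    ]
    # A truncated or edited report would disagree with its own summary block.
    if totals["total"] != len(findings):
        raise ValueError("metadata totals do not match the listed vulnerabilities")
    return {"totals": totals, "findings": findings}

def evidence_record(report_json: str, scanned_at: str, scanner: str) -> dict:
    """Record the scan time (ISO 8601, naive values taken as UTC) and what needs action."""
    ts = datetime.fromisoformat(scanned_at)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    parsed = parse_audit(report_json)
    open_items = [f for f in parsed["findings"] if f["severity"] in BLOCKING]
    return {
        "scanned_at": ts.astimezone(timezone.utc).isoformat(),
        "scanner": scanner,
        "totals": parsed["totals"],
        "needs_remediation": sorted(f["package"] for f in open_items),
        "fix_available_for": sorted(f["package"] for f in open_items if f["fix_available"]),
    }
```

Keeping one such record per scan, alongside the written process it was produced by, gives the analyst both the documented process and proof that it is being followed.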