Audit of outsourced service
Answer: For auditing an outsourced service like Office 365 you should use as reference the terms of service for the provision of the service. In these terms of service you should look for clauses referring to how the access control to the service (in this case, the email service) will be implemented and how the provider will demonstrate to the customer that the control is implemented and working properly.
From this point you can ask for evidence of how the access control is implemented and how it is being verified and evaluated, either by the provider (e.g., by means of an internal or external audit of the provider's premises) or by the organization (e.g., through a review of audit reports sent by the provider to the person responsible for the service in your organization).
You should also note that your company still needs to audit its own process for access control and assess whether the activities are compliant with your organization's own Access control policy.
This article will provide you with further explanation about access control policy:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
This article will provide you with further explanation about internal audit:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
This material will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
Aug 12, 2017