Expert Advice Community
Information Security control and revision over third parties

Guest user | Created: Sep 15, 2017 | Last commented: Sep 15, 2017


How do I practice information security control and revision over my third parties if they are, let's say, Microsoft (Office 365)?
Expert: Rhand Leal, Sep 15, 2017

Answer: To verify the compliance of an outsourced service like Office 365, you should use the terms of service for the provision of the service as your reference. In these terms of service you should look for clauses referring to which information security controls will be implemented and how, and how the provider will demonstrate to the customer that the controls are implemented and working properly.

From this point you can ask for evidence of how the controls are implemented and how they are being verified and evaluated, either by the provider (e.g. by means of an internal or external audit of the provider's premises) or by the organization (e.g. through a review of audit reports sent by the provider to the person responsible for the service in your organization).

In case big providers do not provide enough security, you should consider switching to smaller providers with which you can specify the security clauses they need to comply with.

These articles will provide further explanation about handling suppliers:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

This article will provide further explanation about internal audit:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

This material will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
