Control attributes: Organisational | Preventive | Identify | High Priority

A.5.1 Policies for Information Security

M365 Admin Path: Microsoft Entra admin center > Protection > Conditional Access > Terms of use

Evidence Source: Microsoft Graph (Terms of Use, Conditional Access, User Attestations)

What is A.5.1 Policies for Information Security?

Without a documented, management-approved information security policy, every other control in your ISMS lacks a foundation. This is typically the first control your auditor reviews. ISO 27001 control A.5.1 Policies for Information Security requires organisations to establish a management-approved framework of information security policies that provides direction and support for information security.

This control ensures that all policies are formally approved, published to a central repository, communicated to relevant personnel with acknowledgement captured, and reviewed at planned intervals. For Microsoft 365 environments, policy attestation is enforced through Microsoft Entra Terms of Use integrated with Conditional Access, requiring users to formally accept policies before accessing organisational resources.

How to implement A.5.1 in Microsoft 365

Implement A.5.1 by establishing a policy governance framework with clear ownership and approval processes. Publish all ISMS policies to a version-controlled SharePoint Online site as the single source of truth.

Configure Microsoft Entra Terms of Use to require formal acceptance of key policies, then create Conditional Access policies that enforce Terms of Use acceptance as a grant control. Enable audit logging to capture user acceptance with timestamp and device information.

Configure the re-acceptance frequency (annually or upon policy update is recommended). Record every policy in the ISMS policy register.

Review all policies annually or when significant changes occur to business operations, technology, or regulatory requirements.

What an auditor checks for A.5.1

  • Auditors will verify that a formal policy governance framework exists with documented ownership for each policy.
  • They will check that at least one Terms of Use policy is configured in Microsoft Entra ID and enforced via Conditional Access.
  • They will review user attestation records to confirm at least 95% acceptance rate, identifying any users who have not accepted.
  • Auditors will examine the policy register to verify all policies have been reviewed within the last 12 months, have documented approvers, and show version history.
  • They will also verify that CIS Benchmark assessments are configured in Microsoft Purview Compliance Manager for M365, Azure, and Intune configurations.
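As an added example (not the page's own tooling), the acceptance-rate check in the third bullet above, run over Terms of Use evidence as Microsoft Graph returns it: acceptance records from an agreement's acceptances collection plus the tenant user list. Both data sets below are constructed sample data; field names follow Graph's agreementAcceptance and user resources, and an acceptance whose expirationDateTime has passed is treated as not attested, which is how the re-acceptance frequency configured above gets verified.

```python
from datetime import datetime

# Constructed sample: GET /users?$select=id,userPrincipalName,accountEnabled
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": True},
    {"id": "u4", "userPrincipalName": "svc-old@contoso.example", "accountEnabled": False},
]
# Constructed sample: GET /identityGovernance/termsOfUse/agreements/{id}/acceptances
ACCEPTANCES = [
    {"userId": "u1", "state": "accepted", "recordedDateTime": "2024-03-01T09:00:00Z",
     "expirationDateTime": "2025-03-01T09:00:00Z", "deviceDisplayName": "ALICE-LT"},
    {"userId": "u2", "state": "accepted", "recordedDateTime": "2023-01-15T12:00:00Z",
     "expirationDateTime": "2024-01-15T12:00:00Z", "deviceDisplayName": "BOB-PC"},
    {"userId": "u3", "state": "declined", "recordedDateTime": "2024-02-10T08:30:00Z",
     "expirationDateTime": None, "deviceDisplayName": "CAROL-LT"},
]

def _ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def attestation_report(users, acceptances, as_of, threshold=0.95):
    """Acceptance rate over enabled users, plus the users an auditor would flag:
    never accepted, declined, or accepted but past the re-acceptance expiry."""
    now = _ts(as_of)
    enabled = {u["id"]: u["userPrincipalName"] for u in users if u["accountEnabled"]}
    latest = {}  # most recent acceptance record per enabled user
    for rec in acceptances:
        uid = rec["userId"]
        if uid in enabled and (uid not in latest or
                               _ts(rec["recordedDateTime"]) > _ts(latest[uid]["recordedDateTime"])):
            latest[uid] = rec
    flagged = {}  # userPrincipalName -> reason the record does not count as attested
    for uid, upn in enabled.items():
        rec = latest.get(uid)
        if rec is None:
            flagged[upn] = "not accepted"
        elif rec["state"] != "accepted":
            flagged[upn] = rec["state"]
        elif rec["expirationDateTime"] and _ts(rec["expirationDateTime"]) <= now:
            flagged[upn] = "expired " + rec["expirationDateTime"][:10]
    current = len(enabled) - len(flagged)
    rate = current / len(enabled) if enabled else 0.0
    return {"enabled_users": len(enabled), "accepted_current": current,
            "rate": rate, "meets_threshold": rate >= threshold, "flagged": flagged}
```

Disabled accounts are excluded from the denominator, so a stale service account does not drag the rate down or hide a missing acceptance from an active user.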

What your auditor expects for A.5.1

  • Evidence of policy governance, including Terms of Use configuration
  • Conditional Access enforcement of Terms of Use acceptance
  • User attestation rates
  • ISMS policy register
  • CIS Benchmark alignment tracking


M365 capabilities that implement this control

  • SharePoint CIS Fundamentals Foundation: CIS Microsoft 365 Foundations benchmark settings for SharePoint Online
  • Teams CIS Fundamentals Foundation: CIS Microsoft 365 Foundations benchmark settings for Microsoft Teams
  • OneDrive CIS Fundamentals Foundation: CIS Microsoft 365 Foundations benchmark settings for OneDrive for Business