Control attributes: People · Preventive · Protect · High Priority

A.6.1 Screening

M365 Admin Path: Microsoft Entra admin center > Identity governance > Access reviews; PIM; Conditional Access

Evidence Source: Microsoft Graph (Entra ID), HR Records

What is A.6.1 Screening?

Pre-employment screening failures are among the most common audit findings. If you cannot demonstrate that personnel with access to sensitive systems were appropriately vetted, your ISO 27001 certification is at risk. ISO 27001 control A.6.1 Screening ensures that background verification checks on all candidates for employment are carried out prior to joining the organisation and on an ongoing basis, taking into account applicable laws, regulations, ethics, and proportionality to business requirements.

The organisation uses Microsoft Entra ID Access Reviews for automated verification of external user access and Privileged Identity Management for just-in-time access to administrative roles.

How to implement A.6.1 in Microsoft 365

Implement A.6.1 by configuring Microsoft Entra ID Access Reviews targeting external and guest user accounts with recurring review cycles at minimum quarterly. Enable Privileged Identity Management for high-privilege roles, eliminating permanent assignments except for approved exclusion categories including PIM groups, service accounts, and break-glass accounts.

Set up a Conditional Access policy targeting the Limited Access group to restrict resource access for users pending screening completion. Maintain HR screening records documenting identity verification, right to work confirmation, reference checks, and background checks.

Document enhanced screening equivalent to BPSS for all privileged role holders with annual re-verification.

What an auditor checks for A.6.1

  • Auditors will verify configured access reviews with external user targeting and designated reviewers.
  • They will check the complete inventory of guest and external users with inactive users over 90 days identified.
  • Auditors will verify PIM is enabled with documented just-in-time access configuration and no permanent high-privilege assignments outside approved categories.
  • They will review Conditional Access policies implementing limited access restrictions for unverified users.
  • Auditors will check HR screening records demonstrating identity verification, references, background checks, and screening dates.
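The following script is an added example, not code from the page or from the tool it describes. It collects two of the evidence items listed above with the Microsoft Graph PowerShell SDK: the guest and external user inventory with accounts inactive for more than 90 days flagged, and the list of permanent (non-expiring) active directory-role assignments that must be reconciled against the approved exclusion categories (PIM groups, service accounts, break-glass accounts). It assumes the Microsoft.Graph modules are installed, that the signed-in account holds the Graph permissions named in the comments, and that the output file names are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance
# Assumed permissions: User.Read.All + AuditLog.Read.All (guest sign-in activity),
# RoleManagement.Read.Directory (PIM role assignment schedules).
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','RoleManagement.Read.Directory' -NoWelcome

$inactiveAfterDays = 90
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$inactiveAfterDays)

# 1. Guest/external inventory with an "inactive over 90 days" flag.
#    signInActivity is empty for guests who have never signed in.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,UserPrincipalName,DisplayName,CreatedDateTime,AccountEnabled,SignInActivity |
  ForEach-Object {
    $u = $_
    # Most recent of interactive and non-interactive sign-in, if any.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # Never-signed-in guests count as inactive only once the invitation itself is
    # older than the window, so fresh invitations are not flagged prematurely.
    $inactive = if ($last) { $last -lt $cutoff } else { $u.CreatedDateTime -lt $cutoff }
    [pscustomobject]@{
      UserPrincipalName = $u.UserPrincipalName
      DisplayName       = $u.DisplayName
      Enabled           = $u.AccountEnabled
      Created           = $u.CreatedDateTime
      LastSignIn        = $last
      Inactive          = $inactive
    }
  }
$guests | Export-Csv -Path '.\A6-1-guest-inventory.csv' -NoTypeInformation   # placeholder path
"Guests: $($guests.Count); inactive over $inactiveAfterDays days: $(@($guests | Where-Object Inactive).Count)"

# 2. Active role assignments with no expiry, i.e. permanent assignments outside PIM's
#    just-in-time model. Each row must match an approved exception (PIM group,
#    service account, break-glass account) or be converted to an eligible assignment.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All `
    -ExpandProperty 'principal','roleDefinition' |
  Where-Object { $_.AssignmentType -eq 'Assigned' -and
                 $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' } |
  Select-Object @{n='Role';e={$_.RoleDefinition.DisplayName}},
                @{n='Principal';e={$_.Principal.AdditionalProperties['displayName']}},
                @{n='PrincipalType';e={$_.Principal.AdditionalProperties['@odata.type']}},
                @{n='MemberType';e={$_.MemberType}}   # Direct or Group
$permanent | Export-Csv -Path '.\A6-1-permanent-role-assignments.csv' -NoTypeInformation
"Permanent active role assignments to reconcile: $(@($permanent).Count)"
```

Both CSV files can be attached to the A.6.1 evidence set alongside the HR screening records; the second file is the working list for the "no permanent high-privilege assignments outside approved categories" check.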

What your auditor expects for A.6.1

  • Personnel screening controls, including external user access reviews
  • Privileged Identity Management configuration
  • Provisional access controls for users pending screening

M365 capabilities that implement this control

  • Awareness Register & Compliance Evidence (Endpoint): automated awareness tracking in the Audit Agent, covering per-learner completion status (due, completed, overdue, failed), risk scoring with trend analysis (improving/worsening/stable), engagement flags (never engaged, low, good), campaign history, and overdue alerts. Cross-references CyberAware data via UPN matching. Feeds directly into ISO 27001 A.6.3 evidence, so the register is already there when the auditor asks.
  • Joiner Entitlement Packages (Info Gov): Identity Governance lifecycle workflows for new starters.
  • Lifecycle Workflows (Info Gov): Entra ID Governance lifecycle workflows for pre-hire, joiner, mover, and leaver identity lifecycle automation.