A.6.1 Screening
What is A.6.1 Screening?
Pre-employment screening failures are among the most common audit findings. If you cannot demonstrate that personnel with access to sensitive systems were appropriately vetted, your ISO 27001 certification is at risk. ISO 27001 control A.6.1 Screening ensures that background verification checks on all candidates for employment are carried out prior to joining the organisation and on an ongoing basis, taking into account applicable laws, regulations, ethics, and proportionality to business requirements.
The organisation uses Microsoft Entra ID Access Reviews for automated verification of external user access and Privileged Identity Management for just-in-time access to administrative roles.
How to implement A.6.1 in Microsoft 365
Implement A.6.1 by configuring Microsoft Entra ID Access Reviews that target external and guest user accounts, with recurring review cycles running at least quarterly. Enable Privileged Identity Management for high-privilege roles and eliminate permanent assignments, except for approved exclusion categories such as PIM groups, service accounts, and break-glass accounts.
Set up a Conditional Access policy targeting the Limited Access group to restrict resource access for users pending screening completion. Maintain HR screening records documenting identity verification, right to work confirmation, reference checks, and background checks.
Document enhanced screening equivalent to BPSS for all privileged role holders with annual re-verification.
What an auditor checks for A.6.1
- Auditors will verify configured access reviews with external user targeting and designated reviewers.
- They will check the complete inventory of guest and external users, with any user inactive for more than 90 days identified.
- Auditors will verify PIM is enabled with documented just-in-time access configuration and no permanent high-privilege assignments outside approved categories.
- They will review Conditional Access policies implementing limited access restrictions for unverified users.
- Auditors will check HR screening records demonstrating identity verification, references, background checks, and screening dates.
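The implementation steps above and the first two auditor checks can be exercised offline against exported tenant data. The script below is an added example, not part of this page or of any Microsoft tool. It assumes two JSON exports shaped like the Microsoft Graph objects for access review schedule definitions (scope query, reviewers, settings.recurrence.pattern) and for users with signInActivity; the records embedded in it are constructed samples, not real tenant data. It flags guest-targeted reviews that lack designated reviewers or recur less often than quarterly, and lists guest accounts with no sign-in in the last 90 days.

```python
"""Offline check of two A.6.1 audit points against exported Entra ID data.

Added example; assumes JSON exports shaped like the Graph objects for
accessReviewScheduleDefinition and user (with signInActivity). All records
below are constructed samples.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: two access review definitions as Graph would return them.
ACCESS_REVIEW_DEFINITIONS = [
    {
        "displayName": "Quarterly guest review",
        "status": "InProgress",
        "scope": {"query": "/users?$filter=(userType eq 'Guest')", "queryType": "MicrosoftGraph"},
        "reviewers": [{"query": "/users/00000000-0000-0000-0000-000000000001", "queryType": "MicrosoftGraph"}],
        "settings": {"recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3}}},
    },
    {
        "displayName": "Annual guest review",
        "status": "InProgress",
        "scope": {"query": "/users?$filter=(userType eq 'Guest')", "queryType": "MicrosoftGraph"},
        "reviewers": [],  # nobody designated: the review can never be completed
        "settings": {"recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 12}}},
    },
]

# Constructed sample: users with sign-in activity; the audit date is fixed so results are reproducible.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"userPrincipalName": "alice_contoso.com#EXT#@example.onmicrosoft.com", "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2024-06-01T09:00:00Z"}},
    {"userPrincipalName": "bob_contoso.com#EXT#@example.onmicrosoft.com", "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2024-01-15T08:00:00Z"}},
    {"userPrincipalName": "carol_fabrikam.com#EXT#@example.onmicrosoft.com", "userType": "Guest",
     "signInActivity": None},  # invited but never signed in
    {"userPrincipalName": "dave@example.onmicrosoft.com", "userType": "Member",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}},  # member: out of scope here
]

# Months represented by one interval unit of each monthly/yearly recurrence pattern.
MONTHS_PER_PATTERN = {"absoluteMonthly": 1, "relativeMonthly": 1, "absoluteYearly": 12, "relativeYearly": 12}


def review_interval_months(definition):
    """Cadence in months; None for weekly/daily patterns, which are already more frequent than quarterly."""
    pattern = definition.get("settings", {}).get("recurrence", {}).get("pattern", {})
    unit = MONTHS_PER_PATTERN.get(pattern.get("type"))
    return None if unit is None else unit * int(pattern.get("interval", 1))


def targets_guests(definition):
    """True when the review scope is a user query filtered on userType eq 'Guest'."""
    query = definition.get("scope", {}).get("query", "")
    return query.startswith("/users") and "userType eq 'Guest'" in query


def check_guest_reviews(definitions, max_interval_months=3):
    """Audit point 1: a guest-targeted review exists, has named reviewers, recurs at least quarterly.

    Returns (compliant_names, findings) where findings are human-readable problem strings.
    """
    compliant, findings = [], []
    for d in definitions:
        if not targets_guests(d):
            continue
        name = d.get("displayName", "<unnamed>")
        problems = []
        if not d.get("reviewers"):
            problems.append("no designated reviewers")
        months = review_interval_months(d)
        if months is not None and months > max_interval_months:
            problems.append(f"recurs every {months} months (> {max_interval_months})")
        if d.get("status") not in ("InProgress", "NotStarted"):
            problems.append(f"status is {d.get('status')}")
        (findings if problems else compliant).append(f"{name}: " + "; ".join(problems) if problems else name)
    if not compliant:
        findings.append("no compliant guest access review found")
    return compliant, findings


def inactive_guests(users, now, max_idle_days=90):
    """Audit point 2: guest accounts with no sign-in in max_idle_days, or that never signed in."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None:
            stale.append((u["userPrincipalName"], "never signed in"))
            continue
        last_dt = datetime.fromisoformat(last.replace("Z", "+00:00"))
        if last_dt < cutoff:
            stale.append((u["userPrincipalName"], f"{(now - last_dt).days} days idle"))
    return stale


if __name__ == "__main__":
    ok, problems = check_guest_reviews(ACCESS_REVIEW_DEFINITIONS)
    print("compliant reviews:", ok)
    print("findings:", problems)
    print("inactive guests:", inactive_guests(SAMPLE_USERS, NOW))
```

Against the constructed data the first definition passes, the second is reported for having no reviewers and a twelve-month cadence, and two of the three guests are flagged (one idle for 167 days, one never signed in). Replace the embedded lists with real exports to run the same checks before an audit; the member account is deliberately ignored because this control's review scope is external users.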
What your auditor expects for A.6.1
- personnel screening controls including external user access reviews
- Privileged Identity Management configuration
- provisional access controls
Related controls
Evidence we surface for A.6.1
Screening evidence for A.6.1 splits between Microsoft Entra Identity Governance (access-review definitions and instance completion for any user with elevated rights) and your HR system records. The reviews show external and high-risk users are re-examined; HR holds the screening evidence itself. Together they bracket the lifecycle, from background checks at hire through periodic re-examination thereafter.
M365 capabilities that implement this control
Identity Governance lifecycle workflows for new starters
Entra ID Governance lifecycle workflows for pre-hire, joiner, mover, and leaver identity lifecycle automation