A.6.2 Terms and Conditions of Employment
What is A.6.2 Terms and Conditions of Employment?
ISO 27001 control A.6.2 Terms and Conditions of Employment ensures that all personnel, contractors, and third-party users formally accept Terms and Conditions of Employment prior to being granted access to organisational assets, data, or information systems. The organisation implements Microsoft Entra Terms of Use policies with Conditional Access to enforce mandatory acceptance on first sign-in with re-attestation required when terms are materially updated.
How to implement A.6.2 in Microsoft 365
Implement A.6.2 by creating a comprehensive Terms and Conditions document detailing information security responsibilities, confidentiality obligations, data protection requirements, and acceptable use policies. Configure a Microsoft Entra Terms of Use policy linked to a Conditional Access policy that blocks access to all resources until acceptance.
Integrate ToU acceptance into the joiner process so that acceptance occurs after screening is complete (per A.6.1) and before full system access is granted. Monitor T&C acceptance rates and identify users who have not yet accepted the terms. When the T&C document is materially updated, update the ToU policy to trigger re-attestation for all users.
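The steps above (create the agreement, gate access on it with Conditional Access, then measure who has and has not accepted) as an added PowerShell example against Microsoft Graph. This is illustration added to this page, not code from the page's authors or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator can consent to the listed scopes, and that the file path, group object IDs and display names are placeholders you replace. The Conditional Access policy is created in report-only mode and excludes an emergency-access group, so the policy can be reviewed before it can lock anyone out.

```powershell
# Added example (not the page's or Microsoft's own code). Assumes the Microsoft.Graph SDK
# and placeholder values below; the Graph endpoints and property names are the documented v1.0 ones.
Connect-MgGraph -Scopes "Agreement.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess",
                        "AgreementAcceptance.Read.All", "GroupMember.Read.All"

$graph             = "https://graph.microsoft.com/v1.0"
$touPdf            = "C:\Policies\TermsAndConditions-v2.pdf"   # placeholder: the approved T&C document
$breakGlassGroupId = "<break-glass-group-object-id>"           # placeholder: emergency-access accounts, always excluded
$populationGroupId = "<all-staff-group-object-id>"             # placeholder: the population whose coverage is measured

# 1. Create the Terms of Use agreement. Users must scroll through the document before accepting;
#    re-acceptance is required yearly, and uploading a new file version after a material change
#    is what forces re-attestation of everyone who accepted the old version.
$pdfBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($touPdf))
$agreementBody = @{
    displayName                       = "Terms and Conditions of Employment v2"
    isViewingBeforeAcceptanceRequired = $true
    isPerDeviceAcceptanceRequired     = $false
    userReacceptRequiredFrequency     = "P365D"
    files = @(@{
        fileName  = "TermsAndConditions-v2.pdf"
        language  = "en"
        isDefault = $true
        fileData  = @{ data = $pdfBase64 }
    })
}
$agreement = Invoke-MgGraphRequest -Method POST -Uri "$graph/identityGovernance/termsOfUse/agreements" `
    -Body ($agreementBody | ConvertTo-Json -Depth 6) -ContentType "application/json"

# 2. Conditional Access: all users, all cloud apps, access granted only once the ToU is accepted.
#    Report-only first; switch state to "enabled" after reviewing the sign-in log impact.
$caBody = @{
    displayName = "ISO27001 A.6.2 - Require T&C acceptance"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; termsOfUse = @($agreement.id) }
}
$null = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
    -Body ($caBody | ConvertTo-Json -Depth 6) -ContentType "application/json"

# 3. Coverage report: which members of the population lack a current acceptance of this agreement?
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {                                   # follow @odata.nextLink paging
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

$members     = Get-GraphCollection "$graph/groups/$populationGroupId/members/microsoft.graph.user?`$select=userPrincipalName"
$acceptances = Get-GraphCollection "$graph/identityGovernance/termsOfUse/agreements/$($agreement.id)/acceptances"

# Only "accepted" records that have not expired count; declined or expired acceptances do not.
$now = Get-Date
$acceptedUpns = $acceptances |
    Where-Object { $_.state -eq "accepted" -and
                   (-not $_.expirationDateTime -or [datetime]$_.expirationDateTime -gt $now) } |
    ForEach-Object { $_.userPrincipalName.ToLower() } | Sort-Object -Unique

$missing  = $members | Where-Object { $acceptedUpns -notcontains $_.userPrincipalName.ToLower() }
$coverage = if ($members.Count) {
    [math]::Round(100 * ($members.Count - $missing.Count) / $members.Count, 1)
} else { 0 }

"Coverage: $coverage% of $($members.Count) users ($($missing.Count) without current acceptance)"
if ($coverage -lt 95) { Write-Warning "Coverage is below the 95% threshold auditors look for" }
$missing | Select-Object -ExpandProperty userPrincipalName   # the follow-up list for HR / IT
```

The acceptance records returned in step 3 carry the user, the agreement file version and the recorded timestamp, which is the audit trail an auditor asks for; keep an export of them alongside each version of the T&C document so the re-attestation history after a material change is traceable.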
What an auditor checks for A.6.2
- Auditors will verify an active Terms of Use policy with current T&C document linked.
- They will check Conditional Access policy enforcing ToU acceptance as a prerequisite for resource access.
- Auditors will review user acceptance records showing timestamp and acceptance date for audit trail.
- They will verify coverage rate of T&C acceptance meets the organisational threshold of 95% or higher.
- Auditors will check for users without current acceptance identified and flagged for follow-up.
- They will review T&C document version control and update history showing material change management.
What your auditor expects for A.6.2
- Terms and Conditions enforcement including ToU policies
- CA policy linkage
- acceptance records
- compensating technical controls
Related controls
Evidence we surface for A.6.2
A.6.2 employment-terms evidence is centred on the Acceptance Coverage metrics from your security Terms-of-Use in Microsoft Entra. We surface the per-population coverage percentage and cross-reference compensating controls (A.8.12 DLP, A.8.23 web filtering, A.8.1 endpoint) that operationalise what the contract obligates. An auditor reading this control wants both: the contract and the controls that enforce it.
See how your organisation scores against A.6.2 and all 93 ISO 27001 controls.