Control attributes: Organisational, Preventive, Protect, High Priority

A.5.15 Access Control

M365 Admin Path: Microsoft Entra admin centre > Protection > Conditional Access

Evidence Source: Microsoft Entra ID

What is A.5.15 Access Control?

ISO 27001 control A.5.15 (Access Control) requires rules that grant authorised access to information and associated assets and prevent unauthorised access, based on business and information security requirements. In Microsoft 365 this maps to Zero Trust, deny-by-default, least-privilege and role-based access control principles: identity is verified by Conditional Access (MFA, device compliance and risk checks), privileged access is granted through PIM with just-in-time activation, and emergency access runs through break-glass accounts. No access is trusted until it has been explicitly verified.

How to implement A.5.15 in Microsoft 365

Gate every sign-in with Conditional Access and remove standing admin access

Deploy Microsoft Entra Conditional Access policies that require MFA, an Intune-compliant device, and a user-risk check for all users and cloud apps. Configure Privileged Identity Management (PIM) so that no principal holds standing administrative access: every privileged role is assigned as Eligible only, never as a permanent Active assignment.

Elevate just-in-time and keep a controlled exception

Require a justification and a time-limited activation for every PIM role activation. Configure break-glass accounts with permanent Active roles for emergency access, and exclude them from the standard Conditional Access policies, including MFA and device compliance, so that an MFA or Intune outage cannot lock administrators out. Because those exclusions remove the normal controls, compensate for them: keep break-glass accounts cloud-only and not tied to any individual, protect them with a phishing-resistant credential (a FIDO2 security key) or a long random password stored offline, and alert on every sign-in and role change they perform. Stream all sign-in and audit logs to Microsoft Sentinel for centralised monitoring.

What an auditor checks for A.5.15

  • Auditors will verify that enforced (not report-only) Conditional Access policies require MFA, device compliance, and risk-based controls.
  • They will check the PIM configuration to confirm that all privileged roles are assigned as Eligible rather than permanently Active for every principal other than the break-glass accounts.
  • Auditors will review the break-glass account configuration, including their permanent Active role assignments via PIM groups.
  • They will verify that the break-glass accounts are excluded from the Conditional Access policies.
  • Auditors will confirm that the Sentinel data connectors for Entra ID (sign-in and audit logs, where PIM activity is recorded) and FortiAnalyzer logs are connected.
  • They will review the PIM audit logs for JIT activations with justifications and activation durations.
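The following script is an added example and not code from the original page or from the product it describes. It turns the implementation steps above and the auditor checks into a repeatable evidence check: it evaluates Conditional Access policies and PIM role assignment instances in the shape Microsoft Graph v1.0 returns them, flags report-only policies, policies where MFA is optional because the grant operator is "OR", missing break-glass exclusions, and any standing Active role assignment held by a non-break-glass principal. The object IDs, policy names and assignment records are constructed placeholders; the commented Graph calls at the top are how you would feed it live tenant data.

```powershell
# Added example, not code from the original page: evaluates Conditional Access and PIM
# evidence for A.5.15 from objects in the shape Microsoft Graph v1.0 returns.
# For live data (needs the Microsoft.Graph.Authentication module and a tenant):
#   Connect-MgGraph -Scopes 'Policy.Read.All','RoleManagement.Read.Directory'
#   $policies    = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value
#   $assignments = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances').value

function Test-ConditionalAccessEvidence {
    param([Parameter(Mandatory)][object[]]$Policies, [Parameter(Mandatory)][string[]]$BreakGlassIds)
    $findings = [System.Collections.Generic.List[string]]::new()
    $enforced = @($Policies | Where-Object { $_.state -eq 'enabled' })

    # Report-only or disabled policies enforce nothing, so they are not evidence.
    foreach ($p in ($Policies | Where-Object { $_.state -ne 'enabled' })) {
        $findings.Add("Policy '$($p.displayName)' is in state '$($p.state)' and enforces nothing")
    }

    # MFA counts only if it is the sole grant control, combined with AND, or
    # expressed as an authentication strength; with operator OR a compliant
    # device alone satisfies the policy and MFA is never demanded.
    $mfa = $enforced | Where-Object {
        $g = $_.grantControls
        ($null -ne $g.authenticationStrength) -or
        (($g.builtInControls -contains 'mfa') -and
         ($g.operator -eq 'AND' -or @($g.builtInControls).Count -eq 1))
    }
    $device = $enforced | Where-Object { $_.grantControls.builtInControls -contains 'compliantDevice' }
    $risk   = $enforced | Where-Object { ($_.conditions.userRiskLevels | Measure-Object).Count -gt 0 }
    if (-not $mfa)    { $findings.Add('No enforced policy actually requires MFA') }
    if (-not $device) { $findings.Add('No enforced policy requires an Intune-compliant device') }
    if (-not $risk)   { $findings.Add('No enforced policy acts on user risk') }

    # Break-glass accounts must be excluded from every enforced policy, or an MFA
    # or Intune outage takes the recovery path down with everything else.
    foreach ($p in $enforced) {
        foreach ($id in $BreakGlassIds) {
            if (@($p.conditions.users.excludeUsers) -notcontains $id) {
                $findings.Add("Break-glass account $id is not excluded from '$($p.displayName)'")
            }
        }
    }
    return $findings
}

function Test-PimAssignmentEvidence {
    param([Parameter(Mandatory)][object[]]$Assignments, [Parameter(Mandatory)][string[]]$BreakGlassIds)
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($a in $Assignments) {
        # assignmentType 'Activated' is a JIT activation of an Eligible role (the target
        # state); 'Assigned' is standing Active membership, allowed only for break-glass.
        if ($a.assignmentType -ne 'Assigned') { continue }
        $permanent = -not $a.endDateTime
        if ($BreakGlassIds -contains $a.principalId) {
            if (-not $permanent) { $findings.Add("Break-glass $($a.principalId) has a time-bound, not permanent, assignment to role $($a.roleDefinitionId)") }
        } else {
            $findings.Add("Principal $($a.principalId) holds a standing Active assignment to role $($a.roleDefinitionId) (ends: $(if ($permanent) { 'never' } else { $a.endDateTime }))")
        }
    }
    return $findings
}

# Constructed sample data (placeholder IDs, not from any tenant) in Graph response shape.
$breakGlass = @('11111111-1111-1111-1111-111111111111')
$samplePolicies = @(
    @{ displayName = 'CA001 Require MFA for all users'; state = 'enabled'
       conditions = @{ users = @{ includeUsers = @('All'); excludeUsers = $breakGlass }; userRiskLevels = @() }
       grantControls = @{ operator = 'OR'; builtInControls = @('mfa'); authenticationStrength = $null } },
    @{ displayName = 'CA002 Require compliant device'; state = 'enabled'   # break-glass exclusion forgotten
       conditions = @{ users = @{ includeUsers = @('All'); excludeUsers = @() }; userRiskLevels = @() }
       grantControls = @{ operator = 'OR'; builtInControls = @('mfa', 'compliantDevice'); authenticationStrength = $null } },
    @{ displayName = 'CA003 Block high user risk'; state = 'enabledForReportingButNotEnforced'
       conditions = @{ users = @{ includeUsers = @('All'); excludeUsers = $breakGlass }; userRiskLevels = @('high') }
       grantControls = @{ operator = 'OR'; builtInControls = @('block'); authenticationStrength = $null } }
)
# 62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role template ID.
$sampleAssignments = @(
    @{ principalId = $breakGlass[0]; roleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'; assignmentType = 'Assigned'; endDateTime = $null },
    @{ principalId = '22222222-2222-2222-2222-222222222222'; roleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'; assignmentType = 'Assigned'; endDateTime = $null },
    @{ principalId = '33333333-3333-3333-3333-333333333333'; roleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'; assignmentType = 'Activated'; endDateTime = '2025-01-01T10:00:00Z' }
)

$results = @(Test-ConditionalAccessEvidence -Policies $samplePolicies -BreakGlassIds $breakGlass) +
           @(Test-PimAssignmentEvidence -Assignments $sampleAssignments -BreakGlassIds $breakGlass)
if ($results.Count -eq 0) { 'No findings: configuration matches the A.5.15 target state' } else { $results }
```

On the constructed sample the script reports four findings: CA003 is report-only and therefore not evidence, no enforced policy acts on user risk, the break-glass account is not excluded from CA002, and the second principal holds a permanent Active Global Administrator assignment. CA002 is deliberately built with "mfa" and "compliantDevice" under operator "OR" so the MFA check shows why "Require one of the selected controls" does not count as an MFA requirement; only CA001 satisfies it.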

Evidence we surface for A.5.15

For A.5.15 we collect your Microsoft Entra Conditional Access policy inventory (the gate), the PIM eligibility configuration (the time-bound elevation), and the break-glass account configuration (the controlled exception). An auditor sees access is governed by policy, elevated only when needed, and recoverable when the primary path fails — three properties they will look for explicitly.

M365 capabilities that implement this control

  • Conditional Access - Admins (Foundation): Conditional Access policies for administrators (enhanced MFA, risk-based CA, session controls, location restrictions)
  • Conditional Access - Users (Foundation): Conditional Access policies for standard users (MFA, device compliance, guest access, risk-based controls)
  • Entra ID CIS Hardening (Authentication) (Foundation): CIS M365 v6.0.1 authentication hardening: device code flow, enrolment frequency, authenticator settings, email OTP, session controls
  • Conditional Access - Devices (Endpoint): Conditional Access policies requiring device compliance
  • Workload Identity Governance (Endpoint): Discover, remediate, and govern non-human identities including service principals, managed identities, and workload identity federation