Control attributes: Organisational | Preventive | Identify | High Priority

A.5.2 Information Security Roles and Responsibilities

M365 Admin Path: Microsoft Entra admin center > Identity governance > Privileged Identity Management > Microsoft Entra roles

Evidence Source: Microsoft Graph (Entra ID PIM, RBAC, Directory Roles)

What is A.5.2 Information Security Roles and Responsibilities?

ISO 27001 control A.5.2 Information Security Roles and Responsibilities requires organisations to clearly define, document, and allocate information security responsibilities across all relevant personnel. This control ensures accountability for ISMS implementation by establishing specific security roles, documenting responsibilities in job descriptions, and enforcing least-privilege access through technical controls. For Microsoft 365 environments, privileged access is managed through Microsoft Entra Privileged Identity Management (PIM), requiring Just-in-Time (JIT) activation with MFA and justification for all administrative tasks rather than standing privileged access.

How to implement A.5.2 in Microsoft 365

Define specific security roles with documented responsibilities

Implement A.5.2 by defining specific security roles (CISO, IT Security Team, System Administrators, Data Owners, Asset Owners) with documented responsibilities. Integrate security responsibilities into job descriptions and employment contracts.

Configure Microsoft Entra Privileged Identity Management

Configure Microsoft Entra Privileged Identity Management (PIM) for all privileged directory roles, requiring JIT activation with MFA, justification, and time-bound access. Limit Global Administrators to a maximum of 4 non-break-glass accounts, per CIS 1.1.12. Manage role assignments through security groups rather than direct user assignment (target 50% or more group-based).

Create break-glass emergency access accounts

Create a maximum of 2 break-glass emergency access accounts with standing Global Administrator access, excluded from Conditional Access, with credentials stored securely offline. Document a segregation-of-duties matrix that identifies conflicting role pairs and the compensating controls for each.

What an auditor checks for A.5.2

  • Auditors will verify that all privileged roles are assigned via PIM eligible assignments rather than standing access, with exceptions only for documented break-glass accounts and Microsoft first-party service principals.
  • They will count Global Administrators to confirm no more than 4 non-break-glass accounts exist.
  • Auditors will check that role assignments are primarily group-based (at least 50%) rather than direct user assignment.
  • They will review job descriptions to confirm security responsibilities are documented for relevant roles.
  • Auditors will examine the segregation of duties matrix and verify compensating controls are in place for any conflicts identified.
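The implementation targets and the auditor checks above evaluated in code, as an added example that is not from the original page or from Microsoft: it runs the standing-access, Global Administrator count, break-glass count and group-based-rate checks over constructed records shaped after the Graph roleAssignments (standing) and roleEligibilitySchedules (PIM eligible) evidence. The principal names, the sample records and the `audit` function are assumptions; a real run would populate the records from those Graph endpoints.

```python
from collections import namedtuple

# One reduced role-assignment record. kind is "eligible" for a PIM
# roleEligibilitySchedule and "active" for a standing roleAssignment.
Assignment = namedtuple("Assignment", "principal principal_type role kind")
GLOBAL_ADMIN = "Global Administrator"

# Constructed sample records (not real tenant data), shaped after the
# Graph roleManagement/directory evidence named as the source above.
SAMPLE = [
    Assignment("alice@contoso.example", "user", GLOBAL_ADMIN, "eligible"),
    Assignment("bob@contoso.example", "user", GLOBAL_ADMIN, "active"),
    Assignment("breakglass-01@contoso.example", "user", GLOBAL_ADMIN, "active"),
    Assignment("breakglass-02@contoso.example", "user", GLOBAL_ADMIN, "active"),
    Assignment("sg-SecurityAdmins", "group", "Security Administrator", "eligible"),
    Assignment("sg-ExchangeAdmins", "group", "Exchange Administrator", "eligible"),
    Assignment("Microsoft Defender svc", "servicePrincipal", "Security Reader", "active"),
    Assignment("carol@contoso.example", "user", "User Administrator", "active"),
]
BREAK_GLASS = {"breakglass-01@contoso.example", "breakglass-02@contoso.example"}
FIRST_PARTY_SP = {"Microsoft Defender svc"}  # documented Microsoft service principal


def audit(assignments, break_glass, first_party_sp,
          max_global_admins=4, max_break_glass=2, min_group_rate=0.5):
    """Return the A.5.2 metrics plus a list of findings (empty list = pass)."""
    findings = []
    exceptions = break_glass | first_party_sp
    # Check 1: privileged roles are PIM-eligible, not standing, unless the
    # principal is a documented break-glass account or first-party SP.
    for a in assignments:
        if a.kind == "active" and a.principal not in exceptions:
            findings.append(f"standing access: {a.principal} holds {a.role} outside PIM")
    # Check 2: Global Administrator head count, break-glass accounts excluded.
    ga = {a.principal for a in assignments if a.role == GLOBAL_ADMIN}
    ga_count = len(ga - break_glass)
    if ga_count > max_global_admins:
        findings.append(f"{ga_count} non-break-glass Global Administrators (max {max_global_admins})")
    bg_count = len(ga & break_glass)
    if bg_count > max_break_glass:
        findings.append(f"{bg_count} break-glass accounts (max {max_break_glass})")
    # Check 3: share of user/group assignments made through groups. Service
    # principals are left out of the denominator (assumption).
    user_or_group = [a for a in assignments if a.principal_type in ("user", "group")]
    group_rate = sum(a.principal_type == "group" for a in user_or_group) / max(1, len(user_or_group))
    if group_rate < min_group_rate:
        findings.append(f"group-based assignments at {group_rate:.0%} (target {min_group_rate:.0%})")
    return {"global_admins": ga_count, "break_glass": bg_count,
            "group_rate": group_rate, "findings": findings}
```

On the sample, bob and carol are reported for standing access and the group-based rate (2 of 7) falls short of the 50% target, while the Global Administrator and break-glass counts pass.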

What your auditor expects for A.5.2

  • Evidence of role definitions including PIM eligible assignments
  • Global Administrator counts
  • RBAC group-based assignment rates
  • Role segregation documentation
