A.6.2 Terms and Conditions of Employment
What is A.6.2 Terms and Conditions of Employment?
ISO 27001 control A.6.2 Terms and Conditions of Employment ensures that all personnel, contractors, and third-party users formally accept Terms and Conditions of Employment prior to being granted access to organisational assets, data, or information systems. The organisation implements Microsoft Entra Terms of Use policies with Conditional Access to enforce mandatory acceptance on first sign-in with re-attestation required when terms are materially updated.
How to implement A.6.2 in Microsoft 365
Implement A.6.2 by creating a comprehensive Terms and Conditions document detailing information security responsibilities, confidentiality obligations, data protection requirements, and acceptable use policies. Configure a Microsoft Entra Terms of Use policy linked to a Conditional Access policy that blocks access to all resources until acceptance.
Integrate ToU acceptance into the joiner process so that acceptance occurs after screening (A.6.1) is complete and before full system access is granted. Monitor T&C acceptance rates and identify users who have not yet accepted the terms. When the T&C document is materially updated, upload the new version to the ToU policy and require re-acceptance so that every user re-attests to the current terms.
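The steps above (create the ToU agreement, tie it to a Conditional Access grant control, then measure coverage and list users without a current acceptance) as one worked script against Microsoft Graph. This is an added example written for this page, not the vendor's or Microsoft's own code. It uses the Microsoft.Graph PowerShell SDK and documented v1.0 endpoints; the PDF path, agreement and policy names, the break-glass account UPN and the 95% target are assumptions. It also covers the acceptance-record and coverage evidence that the auditor checks listed later on this page refer to.

```powershell
# Added example (not the page's or Microsoft's own code).
# Assumes: Microsoft.Graph PowerShell SDK installed, a signed-off PDF of the terms,
# a break-glass account to exclude, and a 95% coverage target (all assumed values).
#Requires -Modules Microsoft.Graph.Authentication
param(
    [string]$TermsPdfPath   = '.\Terms-and-Conditions-of-Employment-v2.pdf',  # assumed path
    [string]$AgreementName  = 'Terms and Conditions of Employment v2',         # assumed name
    [string]$BreakGlassUpn  = 'breakglass@contoso.example',                    # assumed account
    [double]$CoverageTarget = 0.95
)

Connect-MgGraph -NoWelcome -Scopes 'Agreement.ReadWrite.All', 'AgreementAcceptance.Read.All',
                                   'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'

# Small pager: Graph collections come back in pages linked by @odata.nextLink.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# 1. Create the Terms of Use agreement. The document must be a PDF, sent base64-encoded.
#    isViewingBeforeAcceptanceRequired forces the user to open the document before accepting.
$pdfBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($TermsPdfPath))
$agreement = Invoke-MgGraphRequest -Method POST -Uri "$graph/identityGovernance/termsOfUse/agreements" `
    -ContentType 'application/json' -Body @{
        displayName                       = $AgreementName
        isViewingBeforeAcceptanceRequired = $true
        isPerDeviceAcceptanceRequired     = $false
        files = @(@{
            fileName  = [IO.Path]::GetFileName($TermsPdfPath)
            language  = 'en'
            isDefault = $true
            fileData  = @{ data = $pdfBase64 }
        })
    }

# 2. Conditional Access policy: all users, all cloud apps, the ToU agreement as the only
#    grant control. Created in report-only mode first; the break-glass account is excluded
#    so a misconfiguration cannot lock administrators out.
$breakGlass = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$BreakGlassUpn`?`$select=id"
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
    -ContentType 'application/json' -Body @{
        displayName = "Require acceptance: $AgreementName"
        state       = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after review
        conditions  = @{
            users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.id) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @(); termsOfUse = @($agreement.id) }
    }
"Agreement $($agreement.id) linked to CA policy $($policy.id) (report-only)"

# 3. Coverage report: compare enabled users against current acceptances for this agreement.
#    An acceptance counts only if its state is 'accepted' and it has not expired.
$acceptances = Get-GraphCollection "$graph/identityGovernance/termsOfUse/agreements/$($agreement.id)/acceptances"
$accepted = @{}
foreach ($a in $acceptances) {
    $current = $a.state -eq 'accepted' -and
               (-not $a.expirationDateTime -or [datetime]$a.expirationDateTime -gt (Get-Date))
    if ($current) { $accepted[$a.userPrincipalName.ToLower()] = $a.recordedDateTime }
}

$users   = Get-GraphCollection "$graph/users?`$filter=accountEnabled eq true&`$select=userPrincipalName,displayName&`$top=999"
$missing = $users | Where-Object { -not $accepted.ContainsKey($_.userPrincipalName.ToLower()) }
$rate    = if ($users.Count) { ($users.Count - $missing.Count) / $users.Count } else { 0 }

"{0} of {1} enabled users have a current acceptance ({2:P1}); target {3:P0}" -f `
    ($users.Count - $missing.Count), $users.Count, $rate, $CoverageTarget
# Evidence for the auditor: who has accepted and when, plus the follow-up list.
$acceptances | Select-Object userPrincipalName, state, recordedDateTime, expirationDateTime |
    Export-Csv -NoTypeInformation -Path '.\tou-acceptances.csv'
$missing | Select-Object userPrincipalName, displayName |
    Export-Csv -NoTypeInformation -Path '.\tou-outstanding.csv'
if ($rate -lt $CoverageTarget) { Write-Warning "ToU coverage below target; see tou-outstanding.csv" }
```

Leave the policy in report-only mode until the sign-in logs show no unexpected blocks, then set `state` to `enabled`. Uploading a new version of the document and requiring existing users to re-accept it is done on the agreement itself (in the Entra admin centre) and is not shown here; after that step, re-running section 3 of the script lists the users who have not yet re-attested to the updated terms.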
What an auditor checks for A.6.2
- Auditors will verify an active Terms of Use policy with the current T&C document attached.
- They will check that a Conditional Access policy enforces ToU acceptance as a prerequisite for resource access.
- Auditors will review user acceptance records showing who accepted and the acceptance timestamp, as the audit trail.
- They will verify that the T&C acceptance coverage rate meets the organisational threshold (95% or higher).
- Auditors will check for users without current acceptance identified and flagged for follow-up.
- They will review T&C document version control and update history showing material change management.
What your auditor expects for A.6.2
- Terms and Conditions enforcement including ToU policies
- CA policy linkage
- acceptance records
- compensating technical controls
Related controls
M365 capabilities that implement this control
Automated awareness tracking in the Audit Agent: per-learner completion status (due, completed, overdue, failed), risk scoring with trend analysis (improving, worsening, stable), engagement flags (never engaged, low, good), campaign history, and overdue alerts. It cross-references CyberAware data by matching on UPN and feeds directly into ISO 27001 A.6.3 evidence, so the register is already there when the auditor asks.