Organisational | Preventive | Identify

A.5.2 Information Security Roles and Responsibilities

M365 Admin Path: Microsoft Entra admin center > Identity governance > Privileged Identity Management > Microsoft Entra roles

Evidence Source: Microsoft Graph (Entra ID PIM, RBAC, Directory Roles)

What is this control?

ISO 27001 control A.5.2 Information Security Roles and Responsibilities requires organisations to clearly define, document, and allocate information security responsibilities across all relevant personnel. This control ensures accountability for ISMS implementation by establishing specific security roles, documenting responsibilities in job descriptions, and enforcing least-privilege access through technical controls. For Microsoft 365 environments, privileged access is managed through Microsoft Entra Privileged Identity Management (PIM), requiring Just-in-Time (JIT) activation with MFA and justification for all administrative tasks rather than standing privileged access.

How to implement in Microsoft 365

Implement A.5.2 by defining specific security roles (CISO, IT Security Team, System Administrators, Data Owners, Asset Owners) with documented responsibilities. Integrate security responsibilities into job descriptions and employment contracts. Configure Microsoft Entra Privileged Identity Management (PIM) for all privileged directory roles, requiring JIT activation with MFA, justification, and time-bound access.

Limit Global Administrators to a maximum of 4 non-break-glass accounts, per CIS recommendation 1.1.12. Manage role assignments through security groups rather than direct user assignment (target: 50% or more of assignments group-based). Create at most 2 break-glass emergency access accounts with standing Global Admin access, excluded from Conditional Access, with credentials stored securely offline.

Document a segregation of duties matrix identifying conflicting role pairs and the compensating controls applied to each.

What an auditor looks for

Auditors will verify that all privileged roles are assigned via PIM eligible assignments rather than standing access, with exceptions only for documented break-glass accounts and Microsoft first-party service principals. They will count Global Administrators to confirm no more than 4 non-break-glass accounts exist. Auditors will check that role assignments are primarily group-based (at least 50%) rather than direct user assignment.

They will review job descriptions to confirm security responsibilities are documented for relevant roles. Auditors will examine the segregation of duties matrix and verify compensating controls are in place for any conflicts identified.
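The implementation targets and the auditor checks above (Global Admin count, group-based share, no standing privilege outside break-glass and first-party exceptions) can be evaluated against the Graph evidence named at the top of this page. The following is an added example, not code from the page or from Microsoft; it assumes records shaped like Microsoft Graph roleAssignmentScheduleInstances and roleEligibilityScheduleInstances retrieved with $expand=principal,roleDefinition, and all tenant data in it is constructed.

```python
"""Check constructed Entra role evidence against the A.5.2 targets described above."""

MAX_GLOBAL_ADMINS = 4   # CIS 1.1.12: at most 4 non-break-glass Global Administrators
MIN_GROUP_BASED = 0.5   # target: at least half of assignments via security groups
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"
SP_TYPE = "#microsoft.graph.servicePrincipal"


def assess(active, eligible, break_glass_ids):
    """Return findings: standing (non-PIM) assignments, GA users, group-based ratio."""
    findings = {"standing": [], "global_admins": set(), "group_based": 0.0}
    for rec_ in active:
        p, role = rec_["principal"], rec_["roleDefinition"]["displayName"]
        exempt = p["id"] in break_glass_ids or p["@odata.type"] == SP_TYPE
        # assignmentType 'Assigned' (not 'Activated') is a permanent, non-JIT assignment
        if rec_["assignmentType"] == "Assigned" and not exempt:
            findings["standing"].append((p["displayName"], role))
    for rec_ in active + eligible:
        p, role = rec_["principal"], rec_["roleDefinition"]["displayName"]
        if role == "Global Administrator" and p["@odata.type"] == USER \
                and p["id"] not in break_glass_ids:
            findings["global_admins"].add(p["id"])
    total = len(active) + len(eligible)
    # memberType 'Group' marks an assignment inherited through group membership
    grouped = sum(1 for r in active + eligible if r["memberType"] == "Group")
    findings["group_based"] = grouped / total if total else 0.0
    findings["passed"] = (not findings["standing"]
                          and len(findings["global_admins"]) <= MAX_GLOBAL_ADMINS
                          and findings["group_based"] >= MIN_GROUP_BASED)
    return findings


def rec(pid, ptype, name, role, member="Direct", assignment="Assigned"):
    """Build one constructed schedule-instance record in the Graph shape."""
    return {"principal": {"id": pid, "@odata.type": ptype, "displayName": name},
            "roleDefinition": {"displayName": role},
            "memberType": member, "assignmentType": assignment}


BREAK_GLASS = {"bg-1", "bg-2"}                 # constructed break-glass object ids
ACTIVE = [                                     # constructed roleAssignmentScheduleInstances
    rec("bg-1", USER, "BreakGlass1", "Global Administrator"),
    rec("bg-2", USER, "BreakGlass2", "Global Administrator"),
    rec("sp-1", SP_TYPE, "First-party service", "Directory Readers"),
    rec("u-1", USER, "Alice", "Exchange Administrator", "Group", "Activated"),
    rec("u-9", USER, "Mallory", "Security Administrator"),   # standing, direct: finding
]
ELIGIBLE = [                                   # constructed roleEligibilityScheduleInstances
    rec("u-1", USER, "Alice", "Global Administrator", "Group", None),
    rec("u-2", USER, "Bob", "Global Administrator", "Group", None),
    rec("u-3", USER, "Carol", "Exchange Administrator", "Group", None),
]

if __name__ == "__main__":
    print(assess(ACTIVE, ELIGIBLE, BREAK_GLASS))
```

In a real tenant the two lists would be paged out of Microsoft Graph and the break-glass ids taken from the documented exception list; the findings then map directly onto the auditor checks above.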