A.5.4 Management Responsibilities
What is this control?
ISO 27001 control A.5.4 Management Responsibilities requires management to demonstrate active commitment to the organisation’s Information Security Management System (ISMS) and to ensure that all personnel understand and fulfil their information security responsibilities. Management acts as a role model, formally briefs personnel on their roles and responsibilities, mandates compliance with the security policies, and ensures adequate resourcing for security implementation. In Microsoft 365 environments, this is implemented through Microsoft Entra Terms of Use policies that require formal acceptance of the Security Induction materials as a condition of access.
How to implement in Microsoft 365
Implement A.5.4 by configuring Microsoft Entra Terms of Use policies for mandatory Security Induction acceptance. Establish a structured onboarding process documenting formal role and responsibility assignment before access is granted. Publish all ISMS policies via a SharePoint documentation library as the single source of truth.
Enforce policy acceptance as a technical access condition: add the Terms of Use agreement as a grant control in a Conditional Access policy, so that a user who has not accepted the current version is prompted at sign-in and cannot reach the targeted applications until they do. Maintain a confidential reporting channel and document it in the Security Induction materials. Exclude non-human accounts (Teams Rooms, shared mailboxes, service accounts) from the acceptance-rate calculation, since they never sign in interactively and are never shown the prompt; where the exclusion is based on display name and UPN naming patterns, document the patterns and review the list of matched accounts so that a mis-named human account is not silently dropped from the denominator.
Conduct regular management reviews to verify resource adequacy.
What an auditor looks for
Auditors will verify that a Security Induction Terms of Use policy is configured and active in Microsoft Entra ID, and that it is referenced by an enabled Conditional Access policy rather than merely published. They will check that the acceptance rate across eligible user accounts (enabled member accounts, after resource accounts are excluded) meets or exceeds the 95% threshold. Auditors will review the documented confidential reporting process with contact details and verify that onboarding documentation shows formal role assignment prior to access being granted.
They will confirm that resource account exclusion criteria are applied consistently and review Management Review Board accountability records demonstrating ongoing commitment to security resourcing and policy enforcement.
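As an added example (not code from the original page), the following Microsoft Graph PowerShell script produces the evidence described in the implementation and audit sections above: it locates the Terms of Use agreement, confirms that an enabled Conditional Access policy requires it as a grant control, computes the acceptance rate over eligible users after excluding resource accounts by naming pattern, and exports the non-acceptors and the excluded accounts for review. The agreement name "Security Induction", the resource-account naming patterns, the 95% threshold and the output file names are assumptions; adjust them to the tenant.

```powershell
# Added example, not part of the original page. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph) and an account that can consent to the scopes below.
Connect-MgGraph -Scopes 'Agreement.Read.All','AgreementAcceptance.Read.All','Policy.Read.All','User.Read.All' -NoWelcome

$AgreementName = 'Security Induction'   # assumed display name of the Terms of Use agreement
$Threshold     = 0.95                    # acceptance-rate threshold from the audit criteria
# Assumed naming convention for non-human accounts. This is a heuristic: always review the
# exported list of excluded accounts rather than trusting the patterns blindly.
$ResourcePatterns = @('^svc[-_.]', '^(room|mtr)[-_.]', '^(shared|mbx)[-_.]',
                      'teams room', 'shared mailbox', 'service account')

# Follow @odata.nextLink so paged collections (users, acceptances) are read completely.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# True when either the display name or the UPN matches one of the resource-account patterns (-match is case-insensitive).
function Test-ResourceAccount {
    param($User)
    foreach ($p in $ResourcePatterns) {
        if ($User.displayName -match $p -or $User.userPrincipalName -match $p) { return $true }
    }
    return $false
}

# 1. Locate the Terms of Use agreement by name.
$agreement = Get-GraphCollection 'https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements' |
    Where-Object { $_.displayName -eq $AgreementName }
if (-not $agreement) { throw "No Terms of Use agreement named '$AgreementName' found." }

# 2. Confirm an enabled Conditional Access policy lists the agreement under grantControls.termsOfUse.
$caPolicies = Get-GraphCollection 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
$enforcing  = @($caPolicies | Where-Object { $_.state -eq 'enabled' -and $_.grantControls.termsOfUse -contains $agreement.id })

# 3. Eligible population: enabled member accounts that are not resource accounts.
$users    = Get-GraphCollection 'https://graph.microsoft.com/v1.0/users?$filter=accountEnabled%20eq%20true&$select=id,displayName,userPrincipalName,userType&$top=999'
$members  = @($users | Where-Object { $_.userType -eq 'Member' })
$excluded = @($members | Where-Object { Test-ResourceAccount $_ })
$eligible = @($members | Where-Object { -not (Test-ResourceAccount $_) })

# 4. Acceptance state. A user may have several records (re-acceptance after a version change
#    or a later decline), so keep only the most recent record per user.
$acceptances = Get-GraphCollection "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements/$($agreement.id)/acceptances"
$latest = @{}
foreach ($a in $acceptances) {
    if (-not $latest.ContainsKey($a.userId) -or
        [datetime]$a.recordedDateTime -gt [datetime]$latest[$a.userId].recordedDateTime) {
        $latest[$a.userId] = $a
    }
}
$accepted    = @($eligible | Where-Object { $latest.ContainsKey($_.id) -and $latest[$_.id].state -eq 'accepted' })
$notAccepted = @($eligible | Where-Object { $_.id -notin $accepted.id })
$rate        = if ($eligible.Count -gt 0) { $accepted.Count / $eligible.Count } else { 0 }

# 5. Summary for the management review / audit file.
[pscustomobject]@{
    Agreement                = $agreement.displayName
    EnforcedByConditionalAccess = ($enforcing.Count -gt 0)
    EnforcingPolicies        = ($enforcing.displayName -join ', ')
    EligibleUsers            = $eligible.Count
    ExcludedResourceAccounts = $excluded.Count
    Accepted                 = $accepted.Count
    AcceptanceRate           = ('{0:P1}' -f $rate)
    MeetsThreshold           = ($rate -ge $Threshold)
} | Format-List

# Evidence the auditor asks for: who still has to accept, and which accounts the heuristic excluded.
$notAccepted | Select-Object displayName, userPrincipalName |
    Export-Csv -Path '.\A54-NotAccepted.csv' -NoTypeInformation
$excluded | Select-Object displayName, userPrincipalName |
    Export-Csv -Path '.\A54-ExcludedResourceAccounts.csv' -NoTypeInformation
```

Run it under an account with the listed read-only scopes; the two CSV files plus the summary object form the A.5.4 evidence set. If EnforcedByConditionalAccess is false, the agreement is published but not a condition of access, which is the gap an auditor will raise first.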