Control attributes: People | Preventive | Protect

A.6.1 Screening

M365 Admin Path: Microsoft Entra admin center > Identity governance > Access reviews; PIM; Conditional Access

Evidence Source: Microsoft Graph (Entra ID), HR Records

What is this control?

ISO 27001 control A.6.1 Screening ensures that background verification checks on all candidates for employment are carried out prior to joining the organisation and on an ongoing basis, taking into account applicable laws, regulations, ethics, and proportionality to business requirements. The organisation uses Microsoft Entra ID Access Reviews for automated verification of external user access and Privileged Identity Management for just-in-time access to administrative roles.

How to implement in Microsoft 365

Implement A.6.1 by configuring Microsoft Entra ID Access Reviews targeting external and guest user accounts with recurring review cycles at minimum quarterly. Enable Privileged Identity Management for high-privilege roles, eliminating permanent assignments except for approved exclusion categories including PIM groups, service accounts, and break-glass accounts. Set up a Conditional Access policy targeting the Limited Access group to restrict resource access for users pending screening completion.

Maintain HR screening records documenting identity verification, right to work confirmation, reference checks, and background checks. Document enhanced screening equivalent to BPSS for all privileged role holders with annual re-verification.

What an auditor looks for

Auditors will verify that access reviews are configured with external user targeting and designated reviewers. They will check for a complete inventory of guest and external users in which accounts inactive for more than 90 days are identified. Auditors will verify that PIM is enabled with documented just-in-time access configuration and no permanent high-privilege assignments outside the approved categories.

They will review Conditional Access policies implementing limited access restrictions for unverified users. Auditors will check HR screening records demonstrating identity verification, references, background checks, and screening dates.
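The guest inventory with 90-day inactivity flagging described above can be produced directly from the evidence source (Microsoft Graph). The following is an added example, not code from the original page; it assumes the Microsoft.Graph PowerShell SDK, a caller granted User.Read.All and AuditLog.Read.All, and an Entra ID P1 licence (required for the signInActivity property).

```powershell
# Added example: inventory guest/external users and flag accounts with no sign-in
# in the last 90 days, producing a dated CSV as evidence for A.6.1 access reviews.
# Assumes Microsoft.Graph SDK, User.Read.All + AuditLog.Read.All, Entra ID P1.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All" -NoWelcome

$InactiveDays = 90   # threshold the audit expectations above refer to
$Cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# userType eq 'Guest' covers B2B guests; signInActivity must be requested explicitly
$Guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property "id,displayName,userPrincipalName,createdDateTime,accountEnabled,externalUserState,signInActivity"

$Report = foreach ($g in $Guests) {
    # Use the most recent of interactive and non-interactive sign-in; either shows the account is in use
    $Last = @($g.SignInActivity.LastSignInDateTime, $g.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $Status = if (-not $Last) {
        # Never signed in: fall back to account age so stale, never-used invitations are not missed
        if ($g.CreatedDateTime -lt $Cutoff) { 'NeverSignedIn-Stale' } else { 'NeverSignedIn-New' }
    } elseif ($Last -lt $Cutoff) { 'Inactive' } else { 'Active' }

    [pscustomobject]@{
        DisplayName       = $g.DisplayName
        UserPrincipalName = $g.UserPrincipalName
        AccountEnabled    = $g.AccountEnabled
        InvitationState   = $g.ExternalUserState   # PendingAcceptance vs Accepted
        Created           = $g.CreatedDateTime
        LastSignIn        = $Last
        Status            = $Status
    }
}

$Report | Sort-Object Status, LastSignIn | Format-Table -AutoSize

# Dated CSV kept alongside the access review results as the auditor-facing artefact
$Report | Export-Csv -Path ".\GuestInventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Accounts in the Inactive and NeverSignedIn-Stale states are the candidates a reviewer should confirm or remove in the next access review cycle.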

M365 capabilities that implement this control

Joiner Entitlement Packages (Info Gov)

Identity Governance lifecycle workflows for new starters

Lifecycle Workflows (Info Gov)

Entra ID Governance lifecycle workflows for pre-hire, joiner, mover, and leaver identity lifecycle automation