A.6.2 Terms and Conditions of Employment
What is this control?
ISO 27001 control A.6.2 Terms and Conditions of Employment ensures that all personnel, contractors, and third-party users formally accept Terms and Conditions of Employment prior to being granted access to organisational assets, data, or information systems. The organisation implements Microsoft Entra Terms of Use policies with Conditional Access to enforce mandatory acceptance on first sign-in with re-attestation required when terms are materially updated.
How to implement in Microsoft 365
Implement A.6.2 by creating a comprehensive Terms and Conditions document detailing information security responsibilities, confidentiality obligations, data protection requirements, and acceptable use policies. Configure a Microsoft Entra Terms of Use policy linked to a Conditional Access policy that blocks access to all resources until the terms are accepted. Integrate ToU acceptance into the joiner process so that acceptance occurs after screening is complete (per A.6.1) and before full system access is granted.
Monitor T&C acceptance rates and identify users who have not yet accepted terms. When T&C documents are materially updated, update the ToU policy to trigger re-attestation for all users.
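The Conditional Access step above, as an added example written for this page rather than code from the original. It uses Microsoft Graph PowerShell to create a policy whose grant control is the Terms of Use agreement, so sign-in to any resource is held until the user accepts. It assumes the Microsoft.Graph module is installed, the ToU agreement has already been created in Entra, and the placeholder values AGREEMENT-ID, BREAK-GLASS-GROUP-ID and the policy display name are replaced with the organisation's own.

```powershell
# Added example (not from the original page): enforce Terms of Use acceptance
# for all users through a Conditional Access policy, via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the ToU agreement exists.
# <AGREEMENT-ID> and <BREAK-GLASS-GROUP-ID> are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Agreement.Read.All"

$agreementId = "<AGREEMENT-ID>"   # placeholder: ID of the Terms of Use agreement

# Confirm the agreement exists before a policy references it
$agreement = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements/$agreementId"
Write-Host "Enforcing acceptance of: $($agreement.displayName)"

$policy = @{
    displayName = "A.6.2 - Require Terms and Conditions acceptance"
    # Report-only first, so sign-in impact can be reviewed; set to "enabled" to enforce
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            # Emergency access accounts stay reachable if the ToU service misbehaves
            excludeGroups = @("<BREAK-GLASS-GROUP-ID>")   # placeholder
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator   = "OR"
        # The only grant control is the ToU: no acceptance, no access
        termsOfUse = @($agreementId)
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccessPolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created policy $($created.id) in state $($created.state)"
```

Run it once with the report-only state, review the sign-in logs for the policy's result, then change the state to enabled. Excluding the break-glass group is a deliberate choice: a policy that applies to every user and every application can lock administrators out if the agreement is ever deleted or misconfigured.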
What an auditor looks for
Auditors will verify an active Terms of Use policy with the current T&C document linked. They will check that a Conditional Access policy enforces ToU acceptance as a prerequisite for resource access. Auditors will review user acceptance records showing the user and acceptance timestamp as an audit trail.
They will verify that the coverage rate of T&C acceptance meets the organisational threshold of 95% or higher. Auditors will check that users without current acceptance are identified and flagged for follow-up. They will review T&C document version control and update history showing material change management.
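The acceptance monitoring from the implementation steps and the audit evidence described above (acceptance records, the 95% coverage threshold, and the list of users needing follow-up) can be produced by one script. This is an added example, not code from the original page; it assumes the Microsoft.Graph module is installed, that AGREEMENT-ID is replaced with the organisation's agreement ID, and that enabled member accounts define the population in scope (guests are excluded here and the filter should be adjusted to match the organisation's own scope).

```powershell
# Added example (not from the original page): Terms of Use acceptance coverage
# report for ISO 27001 A.6.2. Assumes the Microsoft.Graph module is installed;
# <AGREEMENT-ID> is a placeholder. Scope is enabled member users (adjust as needed).

Connect-MgGraph -Scopes "Agreement.Read.All","AgreementAcceptance.Read.All","User.Read.All"

$agreementId = "<AGREEMENT-ID>"   # placeholder
$threshold   = 0.95               # organisational coverage threshold (95%)

# Follow @odata.nextLink so the whole collection is enumerated in large tenants
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Population in scope: enabled member accounts
$users = @(Get-GraphCollection -Uri ("https://graph.microsoft.com/v1.0/users?" +
    "`$filter=accountEnabled eq true and userType eq 'Member'&`$select=id,userPrincipalName&`$top=999"))

# Acceptance records for the agreement; state is 'accepted' or 'declined'.
# Keep the most recent accepted record per user as the evidence timestamp.
$acceptances = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements/$agreementId/acceptances"
$accepted = @{}
foreach ($a in $acceptances) {
    if ($a.state -ne 'accepted') { continue }
    if (-not $accepted.ContainsKey($a.userId) -or $a.recordedDateTime -gt $accepted[$a.userId]) {
        $accepted[$a.userId] = $a.recordedDateTime
    }
}

$missing  = @($users | Where-Object { -not $accepted.ContainsKey($_.id) })
$covered  = $users.Count - $missing.Count
$rate     = if ($users.Count -gt 0) { $covered / $users.Count } else { 0 }

# Evidence file: one row per user with acceptance state and timestamp
$report = $users | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.userPrincipalName
        Accepted          = $accepted.ContainsKey($_.id)
        RecordedDateTime  = $accepted[$_.id]
    }
}
$report | Export-Csv -Path ".\A62-tou-acceptance-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

"Coverage: {0:P1} ({1} of {2} users)" -f $rate, $covered, $users.Count
if ($rate -lt $threshold) {
    Write-Warning "Coverage below $($threshold * 100)%; $($missing.Count) users flagged for follow-up:"
    $missing | Select-Object -ExpandProperty userPrincipalName
}
```

The CSV is the acceptance record an auditor asks for; the warning branch is the follow-up list. Because an acceptance record carries the timestamp of the version the user accepted, compare RecordedDateTime against the date of the latest material update of the T&C document when checking that re-attestation has actually happened, rather than treating any historical acceptance as current.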