A.6.4 Disciplinary Process
What is this control?
ISO 27001 control A.6.4 Disciplinary Process requires a formal, fair, and consistent disciplinary process for suspected or confirmed violations of information security and privacy policies. Technical detection in Microsoft Sentinel, Microsoft Defender, and Microsoft Purview supplies the objective evidence used to open an investigation, and the process pairs HR procedures with technical enforcement, chiefly account disablement and session revocation in Microsoft Entra.
How to implement in Microsoft 365
Implement A.6.4 by enabling the Unified Audit Log in Microsoft Purview so that user and admin activity is recorded and available as forensic evidence. Retain Microsoft Entra sign-in logs and confirm that directory audit logs capture user-management actions such as disable and revoke; default retention for both is limited, so stream them to Microsoft Sentinel or a Log Analytics workspace if investigations may need a longer history. Document the account disablement procedure in Entra and keep an audit trail of every disable action and who performed it.

Document the session revocation procedure in Entra for terminating a user's active sessions. Note that disabling an account and revoking sessions are separate steps: disabling blocks new sign-ins but does not touch tokens already issued, while revocation invalidates refresh tokens so clients must re-authenticate; access tokens already in hand remain valid until they expire unless the client supports continuous access evaluation. Create a Suspended Users dynamic group targeted by a Block All Conditional Access policy to enforce suspension consistently across applications. Finally, document the formal HR disciplinary procedure, including how security violations are handled, the due process rights of the individual, and the appeals mechanism.
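The enforcement steps above (tag the user into the Suspended Users group, disable the account, revoke sessions, and collect the audit trail) are shown below as one suspension runbook. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original page or from Microsoft. It assumes the SDK is installed, the operator holds the listed Graph scopes, and that the Suspended Users dynamic group keys on extensionAttribute1 having the value "Suspended" (a convention chosen for this example; any writable attribute would do).

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
# Added example: suspend a user for a disciplinary case and capture evidence.
# Assumptions: Microsoft Graph PowerShell SDK installed; operator consented to the scopes
# below; the "Suspended Users" dynamic group is keyed on extensionAttribute1 = "Suspended".
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $CaseId,          # HR / incident case reference for the audit trail
    [switch] $CreateInfrastructure                    # first run only: build the group and the CA policy
)

Connect-MgGraph -NoWelcome -Scopes "User.ReadWrite.All", "Group.ReadWrite.All",
    "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

$groupName = "Suspended Users"
$rule      = '(user.extensionAttribute1 -eq "Suspended")'   # assumed membership rule

if ($CreateInfrastructure) {
    # Dynamic security group: membership follows the attribute, so no manual group edits are needed.
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -MailNickname "suspendedusers" `
        -SecurityEnabled -GroupTypes "DynamicMembership" -MembershipRule $rule `
        -MembershipRuleProcessingState "On"

    # "Block All" Conditional Access policy scoped to that group and every cloud app.
    # Created in report-only mode first so a mis-scoped rule cannot lock out the wrong people;
    # switch state to "enabled" once sign-in logs confirm it only matches suspended users.
    $policy = @{
        displayName   = "Block All - Suspended Users"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeGroups = @($group.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
}

$user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'" `
    -Property Id, UserPrincipalName, AccountEnabled
if (-not $user) { throw "User $UserPrincipalName not found" }

# 1. Tag the user so the dynamic group, and therefore the CA block, picks them up.
#    (Cloud-only users: onPremisesExtensionAttributes is writable through Graph.)
Update-MgUser -UserId $user.Id -OnPremisesExtensionAttributes @{ extensionAttribute1 = "Suspended" }

# 2. Disable the account: stops new sign-ins, does not touch tokens already issued.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 3. Revoke sessions: invalidates refresh tokens so every client must re-authenticate (and fail).
#    Access tokens already held stay valid until expiry unless the client supports CAE.
$revoked = Revoke-MgUserSignInSession -UserId $user.Id

# 4. Collect the directory audit entries that reference this user as evidence for the case.
Start-Sleep -Seconds 20   # audit entries can lag the action by a short interval
$since    = (Get-Date).AddMinutes(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$evidence = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
    Where-Object { $_.TargetResources.Id -contains $user.Id } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } }

$evidence | Export-Csv -Path "suspension-$CaseId.csv" -NoTypeInformation
[pscustomobject]@{
    Case            = $CaseId
    User            = $user.UserPrincipalName
    Disabled        = $true
    SessionsRevoked = $revoked
    AuditRows       = @($evidence).Count
}
```

Run it once with -CreateInfrastructure to build the group and the report-only policy, then per case with just the user and case id. The exported CSV records who performed the disable and revoke and when, which is the audit trail an assessor asks for; the actor field should be the operator's admin account, not a shared identity, or the evidence cannot be tied to a person.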
What an auditor looks for
Auditors will verify that the Unified Audit Log is enabled and accessible in the Purview compliance portal. They will check for evidence of account disablement capability, typically recent disable actions visible in the directory audit logs, and for evidence of session revocation capability, typically recent revocation actions in the same logs.

They will check that the Suspended Users dynamic group exists and is targeted by a Conditional Access policy that blocks all resource access. Auditors will review the HR disciplinary procedure documentation, including how security violations are handled, due process, and appeals. They will also verify that Microsoft Sentinel is configured so that its incident records are complete enough to serve as disciplinary evidence.