Physical | Preventive | Protect

A.7.5 Protecting Against Physical and Environmental Threats

M365 Admin Path: Microsoft Intune admin center (intune.microsoft.com) > Devices > Configuration profiles

Evidence Source: Microsoft Graph - Intune Policies, SharePoint Configuration, Manual verification

What is this control?

ISO 27001:2022 Annex A 7.5 requires organisations to design and implement protection against physical and environmental threats such as fire, flood, earthquake, explosion, and power failure. For cloud-native organisations, this control prioritises data availability through geo-redundancy while ensuring that whatever local infrastructure remains is still protected. The strategy spans three domains: Cloud Infrastructure (delegated to Microsoft, whose SOC 2 and ISO 27001 attestations cover fire suppression, climate control, and flood mitigation), On-Premises Facilities (UPS protection for critical equipment, facility provider environmental controls, hazard management), and Distributed Workforce (mandatory cloud storage via OneDrive/SharePoint so that data survives the loss or destruction of a device).

If the physical environment fails, technical controls ensure the data survives.

How to implement in Microsoft 365

Implementing ISO 27001:2022 A.7.5 involves a three-tier protection strategy. For Cloud Infrastructure, rely on Microsoft's replication of customer data across multiple datacentres within your tenant's geo and verify environmental controls via Microsoft's SOC 2 Type II report (cross-reference A.7.1-M4); customers do not configure this replication themselves, so the evidence is the attestation, not a tenant setting. For On-Premises Facilities, connect critical equipment (firewalls, core switches, ISP modems) to UPS units, verify the facility provider's fire detection/suppression and flood monitoring during supplier onboarding, and prohibit flammable materials in Secure Zones.

For Distributed Workforce, enforce OneDrive Known Folder Move (KFM) via Intune so that Desktop/Documents/Pictures are silently redirected to cloud storage and users cannot opt out, prohibit local-only data storage, and configure SharePoint/OneDrive retention policies. Retention policies preserve content for compliance but are not a backup, so deploy a third-party backup solution (AvePoint/Acronis) as an additional data protection layer. Test UPS units quarterly and review backup success reports.
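The following PowerShell script is an added example, not part of the original page or any Microsoft tooling. It verifies on a Windows endpoint that the KFM enforcement described above (and that an auditor will ask to see evidence of) is actually in effect: it reads the OneDrive policy values that the OneDrive ADMX-backed Intune settings write under HKLM, and checks that the user's known folders resolve into the OneDrive for Business sync root. The tenant ID parameter is a placeholder you must replace with your own tenant GUID; the script must run in the signed-in user's context so that HKCU and the OneDriveCommercial environment variable are populated.

```powershell
# Added example: verify OneDrive Known Folder Move (KFM) enforcement on an endpoint.
# Run as the signed-in user. Exits non-zero if any check fails, so it can be used as
# an Intune compliance/remediation detection script or run manually for audit evidence.
param(
    # Placeholder tenant GUID (assumption) - replace with your Entra ID tenant ID.
    [string]$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'
)

# Registry locations written by the OneDrive ADMX policies (deployed via Intune
# Administrative Templates / Settings Catalog) and by Explorer for known folders.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$shellPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Check, $Expected, $Actual, [bool]$Pass)
    $findings.Add([pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass })
}

$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

# 1. Silent opt-in must point at OUR tenant. A missing value means KFM is not enforced;
#    a different GUID would redirect user data into a foreign tenant.
$silentOptIn = $policy.KFMSilentOptIn
Add-Finding -Check 'KFMSilentOptIn matches tenant' -Expected $ExpectedTenantId `
            -Actual $silentOptIn -Pass ($silentOptIn -eq $ExpectedTenantId)

# 2. Users must not be able to opt out of KFM (KFMBlockOptOut = 1).
Add-Finding -Check 'KFMBlockOptOut enabled' -Expected 1 `
            -Actual $policy.KFMBlockOptOut -Pass ($policy.KFMBlockOptOut -eq 1)

# 3. Each known folder must resolve inside the OneDrive for Business sync root.
#    'Personal' is the registry name for Documents; 'My Pictures' for Pictures.
$oneDriveRoot = $env:OneDriveCommercial
$shell = Get-ItemProperty -Path $shellPath -ErrorAction SilentlyContinue
foreach ($name in 'Desktop', 'Personal', 'My Pictures') {
    $raw      = $shell.$name
    $resolved = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
    $pass     = [bool]($oneDriveRoot -and $resolved -and
                       $resolved.StartsWith($oneDriveRoot, [StringComparison]::OrdinalIgnoreCase))
    Add-Finding -Check "Known folder '$name' redirected to OneDrive" -Expected "$oneDriveRoot\..." `
                -Actual $resolved -Pass $pass
}

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) { exit 1 }   # detection script convention: non-zero = non-compliant
exit 0
```

The first two checks prove the policy is delivered; the third proves it took effect, which is the evidence an auditor actually wants. A device where the policy values are present but the folders still point at a local path is the common failure mode (the user has not signed in to OneDrive, or the client is out of date), and this script reports it as non-compliant rather than trusting the Intune policy assignment alone.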

What an auditor looks for

Auditors will verify that Intune configuration profiles enforce OneDrive Known Folder Move (KFM), redirecting user folders to cloud storage, and that users cannot opt out. They will check that SharePoint/OneDrive retention policies are configured and support the data resiliency claims made in the policy. Auditors will request UPS maintenance logs showing quarterly testing and vendor servicing.

They will verify facility provider environmental controls during supplier review (fire detection, suppression, flood monitoring). Auditors will inspect Secure Zones for prohibited materials (flammables, chemicals, personal heaters). They will review backup solution success reports showing recovery capability.

Cloud attestation for Microsoft environmental controls is cross-referenced from A.7.1-M4 to avoid duplication.

  • [A.7.1 (Physical security perimeters)](/controls/a-7-1 (physical security perimeters)/)
  • [A.7.3 (Securing offices)](/controls/a-7-3 (securing offices)/)
  • [A.8.13 (Information backup)](/controls/a-8-13 (information backup)/)
  • [A.8.14 (Redundancy of information processing facilities)](/controls/a-8-14 (redundancy of information processing facilities)/)

M365 capabilities that implement this control

Microsoft Environmental Protection Foundation

Microsoft-managed fire protection, water damage protection, emergency power, and environmental controls