A.7.6 Working in Secure Areas
What is this control?
ISO 27001:2022 Annex A 7.6 requires organisations to design and apply security procedures for personnel working in designated secure areas. For cloud-native organisations, secure areas are defined in two categories: Physical Secure Zones (server rooms, comms cabinets housing critical infrastructure) and General Operational Areas (open-plan offices where confidential work is conducted). Additionally, Microsoft Purview Sensitivity Labels create Digital Secure Areas - SharePoint sites and Teams tagged as “Highly Confidential” function as logical secure rooms with enforced restrictions regardless of physical location.
This control ensures staff behaviour in secure areas aligns with security requirements through both physical protocols and technical enforcement.
How to implement in Microsoft 365
Implementing ISO 27001:2022 A.7.6 involves three layers. For Physical Secure Zones, restrict access to authorised IT/Facilities personnel only, prohibit unescorted visitors, ban photography/recording devices unless authorised, prohibit food/drink, and ensure doors are locked immediately upon exit. For General Operational Areas, require privacy filters or screen positioning for confidential work, mandate enclosed meeting rooms for sensitive discussions, and enforce A.7.7 clean desk policy.
For Digital Secure Areas, configure Microsoft Purview Sensitivity Labels (Confidential, Highly Confidential) with container protection for SharePoint/Teams, apply restrictions (no print, no USB copy, no unmanaged device access). Deploy Intune device restriction policies to block cameras and removable storage on high-risk role devices.
What an auditor looks for
Auditors will verify Intune device configuration profiles enforce screen lock timeout (≤5 minutes recommended per CIS benchmarks). They will check device restriction policies blocking camera and USB storage on administrator or high-risk devices. Auditors will request secure zone access logs showing entry/exit times and escort records for third parties.
They will verify photography/recording prohibition signage and policy awareness. Auditors will inspect open-plan areas for privacy filter deployment and screen positioning. They will review meeting room booking policies for sensitive discussions.
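The Intune checks described above (screen lock timeout of at most 5 minutes, camera and removable storage blocked on high-risk devices) can be reviewed against an export of device configuration profiles before the auditor asks. The following is an added example, not code from this page or from Microsoft; it assumes the export has the shape of a Microsoft Graph `GET /deviceManagement/deviceConfigurations` response and that the `windows10GeneralConfiguration` property names (`passwordMinutesOfInactivityBeforeScreenTimeout`, `cameraBlocked`, `storageBlockRemovableStorage`) apply. The sample export, the profile ids and the "admin" naming convention used to recognise high-risk profiles are constructed for the example.

```python
import json

# Constructed sample shaped like a Graph deviceConfigurations response.
# Profile ids are placeholders; property names are assumed to follow the
# windows10GeneralConfiguration resource type.
SAMPLE_EXPORT = json.dumps({
    "value": [
        {
            "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
            "id": "placeholder-profile-1",
            "displayName": "Admin workstations - device restrictions",
            "passwordMinutesOfInactivityBeforeScreenTimeout": 5,
            "cameraBlocked": True,
            "storageBlockRemovableStorage": True,
        },
        {
            "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
            "id": "placeholder-profile-2",
            "displayName": "Standard users - baseline",
            "passwordMinutesOfInactivityBeforeScreenTimeout": 15,
            "cameraBlocked": False,
            "storageBlockRemovableStorage": False,
        },
        {
            "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
            "id": "placeholder-profile-3",
            "displayName": "Kiosk - no timeout set",
        },
    ]
})

# Threshold from the control text (CIS recommends 5 minutes or less).
MAX_SCREEN_LOCK_MINUTES = 5


def assess_profile(profile, high_risk):
    """Return a list of findings for one device configuration profile.

    Screen lock is checked on every profile; camera and removable storage
    blocking is only required where the profile targets high-risk roles.
    An absent timeout is a finding, not a pass: the setting was never applied.
    """
    findings = []
    timeout = profile.get("passwordMinutesOfInactivityBeforeScreenTimeout")
    if timeout is None:
        findings.append("screen lock timeout not configured")
    elif timeout > MAX_SCREEN_LOCK_MINUTES:
        findings.append(
            f"screen lock timeout {timeout} min exceeds {MAX_SCREEN_LOCK_MINUTES} min"
        )
    if high_risk:
        if not profile.get("cameraBlocked", False):
            findings.append("camera not blocked on high-risk profile")
        if not profile.get("storageBlockRemovableStorage", False):
            findings.append("removable storage not blocked on high-risk profile")
    return findings


def assess_export(export_json, high_risk_keyword="admin"):
    """Map each Windows device restriction profile name to its findings.

    high_risk_keyword is an assumed naming convention: profiles whose display
    name contains it are treated as administrator / high-risk profiles.
    """
    report = {}
    for profile in json.loads(export_json).get("value", []):
        odata_type = profile.get("@odata.type", "")
        if not odata_type.endswith("windows10GeneralConfiguration"):
            continue  # other profile types carry none of the settings checked here
        name = profile.get("displayName", profile.get("id", "<unnamed>"))
        high_risk = high_risk_keyword.lower() in name.lower()
        report[name] = assess_profile(profile, high_risk)
    return report


def noncompliant_profiles(export_json, high_risk_keyword="admin"):
    """Sorted names of profiles with at least one finding."""
    report = assess_export(export_json, high_risk_keyword)
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    for name, findings in assess_export(SAMPLE_EXPORT).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run against a real export, every profile name listed by `noncompliant_profiles` is one the auditor will also flag; the admin profile passes only because it sets all three values, while the baseline profile fails on timeout alone since it is not a high-risk profile.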
Cross-reference with A.7.7 for clean desk compliance and A.5.12/A.5.13 for data classification.
Related controls
- [A.5.12 (Classification of information)](/controls/a-5-12 (classification of information)/)
- [A.5.13 (Labelling of information)](/controls/a-5-13 (labelling of information)/)
- [A.7.1 (Physical security perimeters)](/controls/a-7-1 (physical security perimeters)/)
- [A.7.3 (Securing offices, rooms and facilities)](/controls/a-7-3 (securing offices, rooms and facilities)/)
- [A.7.7 (Clear desk and clear screen)](/controls/a-7-7 (clear desk and clear screen)/)
- [A.8.12 (Data leakage prevention)](/controls/a-8-12 (data leakage prevention)/)