A.6.7 Remote Working
What is A.6.7 Remote Working?
ISO 27001 control A.6.7 Remote Working establishes security measures for remote working based on a Zero Trust architecture, in which security is enforced through continuous identity verification and device posture assessment on every access attempt rather than relying on physical location or network perimeter. The organisation implements Conditional Access policies requiring both MFA and Intune device compliance, Microsoft Entra Global Secure Access for traffic inspection, and device encryption.
How to implement A.6.7 in Microsoft 365
Implement A.6.7 by configuring a Zero Trust Conditional Access policy that requires both multi-factor authentication and Intune device compliance, with the grant operator set to "Require all the selected controls", applied to all remote access. Devices that are not Intune-compliant are either blocked or routed to a Limited Access session with reduced permissions.
Deploy the Microsoft Entra Global Secure Access client on all managed endpoints to route all traffic through the organisation’s Security Service Edge for inspection. Enforce full disk encryption, BitLocker for Windows and FileVault for macOS, via Intune compliance policy.
Configure the screen lock to trigger after 5 minutes of inactivity.
What an auditor checks for A.6.7
- Auditors will verify Conditional Access policy enforcing Zero Trust with both MFA and device compliance requirements.
- They will check the Conditional Access policy configuration for a grant operator of "Require all the selected controls" (rather than "Require one of the selected controls").
- Auditors will review Microsoft Entra Global Secure Access deployment evidence with active client status.
- They will verify Intune device compliance policies requiring BitLocker and FileVault encryption.
- Auditors will check Intune configuration profiles enforcing screen lock timeout of 300 seconds or less.
- They will verify device compliance status showing 95% or higher encryption coverage.
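The policy settings described in the implementation steps and the checks listed above can be verified mechanically against an exported policy. The following added example (not from the original page or from Microsoft) validates a Conditional Access policy in the Microsoft Graph `conditionalAccessPolicy` shape plus an Intune screen lock value; the sample policy is constructed for illustration, not a real tenant export.

```python
"""Check an exported Entra Conditional Access policy against the A.6.7 baseline."""
from __future__ import annotations

# Constructed sample in Microsoft Graph conditionalAccessPolicy shape (not a real tenant export).
SAMPLE_POLICY = {
    "displayName": "Remote working - require MFA and compliant device",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {
        "operator": "AND",  # "Require all the selected controls"
        "builtInControls": ["mfa", "compliantDevice"],
    },
}

REQUIRED_CONTROLS = {"mfa", "compliantDevice"}
MAX_SCREEN_LOCK_SECONDS = 300  # A.6.7 auditor check: 300 seconds or less


def check_remote_working_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not enforced")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    missing = REQUIRED_CONTROLS - controls
    if missing:
        findings.append(f"missing grant controls: {sorted(missing)}")
    # With operator OR, MFA alone satisfies the policy and an unmanaged device is admitted.
    if grant.get("operator") != "AND":
        findings.append(f"grant operator is {grant.get('operator')!r}; must be 'AND' (require all selected controls)")
    conditions = policy.get("conditions") or {}
    if "All" not in (conditions.get("users") or {}).get("includeUsers", []):
        findings.append("policy is not scoped to all users")
    if "All" not in (conditions.get("applications") or {}).get("includeApplications", []):
        findings.append("policy is not scoped to all cloud apps")
    return findings


def check_screen_lock(timeout_seconds: int) -> bool:
    """Intune profile inactivity lock value; compliant when positive and at most 300 s."""
    return 0 < timeout_seconds <= MAX_SCREEN_LOCK_SECONDS


if __name__ == "__main__":
    print(check_remote_working_policy(SAMPLE_POLICY) or "compliant")
```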
What your auditor expects for A.6.7
- Evidence of Zero Trust remote working controls, including Conditional Access policies requiring a compliant device and MFA
- Global Secure Access deployment
- Screen lock configuration profiles
- Device encryption compliance rates
- Remote wipe capability