Access Control (ISO 27001)
Access control comprises the measures that ensure only the right people have access to the right information and systems, to the right extent and at the right time. It is one of the most important and comprehensive control areas in ISO 27001.
What is access control in ISO 27001?
Access control governs who can access what within your organisation. It covers both logical access (to systems, files and data) and physical access (to premises and equipment). The objective is to ensure confidentiality and integrity by limiting access to those with a legitimate need. It builds upon the broader concept of access control as a security measure.
Fundamental principles
Effective access control rests on three core concepts:
- Need-to-know: Users are granted access only to the information they require to carry out their duties.
- Least privilege: Users are given the minimum privilege level necessary.
- Separation of duties: Critical tasks are divided between multiple individuals to reduce the risk of errors and fraud.
Access control in ISO 27001
In ISO 27001:2022, access control is primarily covered by Annex A controls 5.15–5.18 (organisational) and 8.2–8.5 (technological). These are part of the broader set of Annex A controls:
- 5.15: Access control
- 5.16: Identity management
- 5.17: Authentication information
- 5.18: Access rights
- 8.2: Privileged access rights
- 8.3: Information access restriction
- 8.4: Access to source code
- 8.5: Secure authentication
Review regularly: Access rights must be reviewed on a regular basis. It is critical to remove or modify access when employees change roles, leave or take on different responsibilities. Failure to do so is one of the most common security gaps.
Access control in practice
Practical implementation of access control typically includes role-based access control (RBAC), strong authentication via MFA, ongoing review of access rights, and a formal onboarding and offboarding process that handles access provisioning and deprovisioning. These controls should be documented in your Statement of Applicability.
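The principles listed under "Fundamental principles" and the practices above (RBAC, MFA for privileged accounts, periodic review, offboarding) can be checked mechanically. The following is an added illustration, not code from the page or from .legal: a small Python RBAC model with a deny-by-default permission check, a separation-of-duties constraint, and an access review that flags offboarded users who still hold rights, privileged users without MFA, permissions granted outside any role, and accounts not recertified within the review interval. All roles, permissions, users and dates are constructed for the example; the 90-day interval mirrors the quarterly cadence recommended later on this page.

```python
"""RBAC model with least-privilege, separation-of-duties and access-review checks.
Everything below (roles, permissions, users, dates) is constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# RBAC: each role carries only the permissions its duties require (need-to-know).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "engineer":         frozenset({"repo:read", "repo:write", "ci:run"}),
    "support":          frozenset({"ticket:read", "ticket:write"}),
    "finance_clerk":    frozenset({"invoice:create", "invoice:read"}),
    "finance_approver": frozenset({"invoice:approve", "invoice:read"}),
    "iam_admin":        frozenset({"iam:manage", "repo:read"}),
}

# Permissions whose holders count as privileged (cf. control 8.2) and must use MFA.
PRIVILEGED = frozenset({"iam:manage", "invoice:approve"})

# Separation of duties: pairs of roles one person must never hold at the same time.
SOD_CONFLICTS = [("finance_clerk", "finance_approver")]

REVIEW_INTERVAL = timedelta(days=90)  # quarterly recertification


@dataclass
class User:
    name: str
    roles: set[str]
    active: bool = True                  # False once the offboarding process has run
    mfa_enrolled: bool = False
    last_review: date | None = None      # date of last access-rights recertification
    direct_grants: set[str] = field(default_factory=set)  # permissions granted outside any role


def effective_permissions(user: User) -> frozenset[str]:
    """Union of role permissions plus direct grants; nothing at all for deactivated users."""
    if not user.active:
        return frozenset()
    perms: set[str] = set(user.direct_grants)
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: User, permission: str) -> bool:
    """Least privilege: deny by default, allow only what a role or an explicit grant provides."""
    return permission in effective_permissions(user)


def sod_violations(user: User) -> list[tuple[str, str]]:
    """Conflicting role pairs this user currently holds."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= user.roles]


def review_access(users: list[User], today: date) -> list[tuple[str, str]]:
    """Periodic access review: returns (user, finding) pairs an access owner must act on."""
    findings: list[tuple[str, str]] = []
    for u in users:
        if not u.active and (u.roles or u.direct_grants):
            findings.append((u.name, "offboarded user still holds access rights"))
            continue
        for a, b in sod_violations(u):
            findings.append((u.name, f"separation of duties: holds both {a} and {b}"))
        for p in sorted(u.direct_grants):
            findings.append((u.name, f"direct grant outside RBAC: {p}"))
        if effective_permissions(u) & PRIVILEGED and not u.mfa_enrolled:
            findings.append((u.name, "privileged access without MFA"))
        if u.last_review is None or today - u.last_review > REVIEW_INTERVAL:
            findings.append((u.name, "access rights not recertified within review interval"))
    return findings


# Constructed sample directory: one clean user and four that should trip the review.
TODAY = date(2024, 6, 30)
USERS = [
    User("alice", {"engineer"}, mfa_enrolled=True, last_review=date(2024, 5, 15)),
    User("bob", {"finance_clerk", "finance_approver"}, mfa_enrolled=True, last_review=date(2024, 5, 15)),
    User("carol", {"iam_admin"}, mfa_enrolled=False, last_review=date(2024, 1, 10)),
    User("dave", {"support"}, active=False, mfa_enrolled=True, last_review=date(2024, 5, 15)),
    User("erin", {"support"}, mfa_enrolled=True, last_review=date(2024, 5, 15), direct_grants={"repo:write"}),
]

if __name__ == "__main__":
    for user, finding in review_access(USERS, TODAY):
        print(f"{user:6} {finding}")
```

Running it lists bob (separation of duties), carol (privileged without MFA, and overdue for review), dave (offboarded but still entitled) and erin (a grant that bypasses RBAC); alice produces no findings. In a real environment the user list would come from the identity provider and the findings would be routed to the access owners named in the access control policy.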
Frequently Asked Questions about Access Control in ISO 27001
Which ISO 27001 controls cover access control?
Access control is primarily covered by Annex A controls 5.15–5.18 (organisational) and 8.2–8.5 (technological) in ISO 27001:2022. These address the access control policy, identity management, authentication information, access rights, privileged access, information access restriction, access to source code and secure authentication.
What is the need-to-know principle?
The need-to-know principle means users are only granted access to the information they specifically require to perform their job duties — nothing more. It is a core principle of access control in ISO 27001.
How often should access rights be reviewed?
ISO 27001 requires access rights to be reviewed at regular intervals (control 5.18) but does not prescribe a fixed frequency; the organisation sets it based on risk. Best practice is to conduct reviews at least quarterly, and always when an employee changes role, department or leaves the organisation.
What is separation of duties?
Separation of duties is a control principle where critical tasks are divided between multiple people so that no single individual has end-to-end control over a sensitive process. This reduces the risk of fraud and errors.
Do I need to document my access control policy?
Yes. ISO 27001 control 5.15 requires rules for physical and logical access to be established and implemented, and, like every topic-specific policy under control 5.1, the access control policy must be documented, communicated to relevant parties and reviewed at planned intervals.
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
.legal is not a law firm and is therefore not under the supervision of the Bar Council.