May 1, 2024

ISO 27001:2022 Annex A Control 5.15: Access Control

Annex A control 5.15 of the 2022 version of ISO 27001 maps to ISO 27001:2013 Annex A 9.1.1 (Access control policy) and ISO 27001:2013 Annex A 9.1.2 (Access to networks and network services).


The role of Annex A 5.15 is to safeguard access to information and make sure that employees only have access to the information they need to perform their duties. An access control policy must be created to manage access to assets across an organisation. This policy must be developed, documented and regularly reviewed in order for it to remain relevant and robust.

Access control refers to the way humans and non-human entities on a network access data, resources and applications. Information security risks associated with data should be reflected in the rules and restrictions put in place.

Annex A Control 5.15 Considerations

An access control policy must take into account the following considerations:

  • Aligning business security requirements with the information classification scheme highlighted in Annex A 5.9, 5.10, 5.11, 5.12, 5.13 and 7.10.
  • Identifying who requires access to, use of, and knowledge of information.
  • Ensuring that access rights are managed effectively, including periodic reviews and changes for circumstances like promotion or leaving.
  • A formal procedure and defined responsibilities should be outlined to support access control rules.

Network services

Users should be given access only to the networks and network services they need to fulfil their responsibilities. The policy must state which networks and network services may be accessed, the authorisation procedure for granting that access, and the management controls in place to prevent unauthorised access.

Network access should also be granted as part of on-boarding and revoked as part of off-boarding; handling both is a vital part of any access control policy.

Why is Annex A 5.15 important?

Annex A 5.15 improves an organisation’s ability to control access to data and assets, meeting both commercial and information security needs. It provides guidelines for facilitating secure access to data and minimising the risk of unauthorised access to both virtual and physical networks.

Staff across all parts of an organisation must have a thorough understanding of which resources they need to access. Rather than relying on a single blanket access control policy, topic-specific policies should be used where unique business demands require them.

Guidelines for implementing Annex A 5.15

There are certain guidelines that every organisation’s access control policy must consider. These include:

  • Identifying which entities require access to information.
  • Maintaining a record of roles and data access requirements.
  • Security of all relevant applications.
  • A formal risk assessment to assess security characteristics of individual applications.
  • Control of physical access to a business site.
  • A robust set of building and room access controls.
  • A need-to-know principle should be applied throughout the organisation.
  • Strict best practice policies that do not provide blanket data access.
  • Privileged access rights should be restricted and monitored.
  • Policies must reflect external (legal, regulatory and contractual) obligations that limit access to data, assets and resources.
  • Reviewing potential conflicts of interest.
  • Policies should separate the access control roles of request, authorisation and administration so that no single person performs all three.
  • Policies should recognise that granting access is a process of several distinct steps, each with its own owner, rather than a single action.
  • Access requests should be conducted in a structured, formal way.
  • Implement formal authorisation processes with documented approval.
  • Mandatory Access Control (MAC): access decisions are made centrally by a security authority, typically by comparing a user's clearance with the classification label of the data; neither users nor data owners can override them.
  • Discretionary Access Control (DAC): an alternative to MAC in which the owner of the data decides who else may access it and grants those privileges directly.
  • Role-based Access Control (RBAC): permissions are attached to predefined job roles rather than to individuals, and users receive access by being assigned roles.
  • Attribute-Based Access Control (ABAC): access is decided by policies that combine attributes of the user, the resource and the context of the request (for example department, classification, time or network location).
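To make the four models concrete, here is an added example in Python (not part of the original page and not Hicomply's material): a deny-by-default evaluator that runs the same access request through MAC, DAC, RBAC and ABAC checks and records which model would have denied it. The users, roles, classification labels, the department/office-hours/network rules in the ABAC policy, and the way the four results are combined are all assumptions made for illustration.

```python
"""Added example (not from the original page or from Hicomply): a small
deny-by-default evaluator that applies the four models listed above (MAC,
DAC, RBAC, ABAC) to the same request, so the differences are visible.
All users, roles, labels and requests are constructed sample data."""
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Classification levels, ordered so a clearance can be compared to a label."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset      # RBAC: job functions held by the user
    clearance: Label      # MAC: highest label the user may access
    department: str       # ABAC attribute used for need-to-know


@dataclass
class Resource:
    name: str
    owner: str            # DAC: the owner may delegate access
    label: Label          # MAC: classification of the data
    department: str       # ABAC attribute: which team needs to know
    grants: dict = field(default_factory=dict)   # DAC: user -> set of actions


# RBAC: permissions hang off roles, never off individual users (hypothetical roles).
ROLE_PERMISSIONS = {
    "hr_analyst": {"read"},
    "hr_manager": {"read", "write"},
    "it_admin": {"read", "write", "admin"},
}


def mac_allows(subject, resource):
    """Mandatory: a central clearance-vs-label rule that owners cannot override."""
    return subject.clearance >= resource.label


def dac_allows(subject, resource, action):
    """Discretionary: the owner always has access and may grant actions to others."""
    return subject.name == resource.owner or action in resource.grants.get(subject.name, set())


def rbac_allows(subject, action):
    """Role-based: allowed if any role held by the subject carries the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def abac_allows(subject, resource, action, ctx):
    """Attribute-based: a policy over subject, resource and environment attributes.
    Hypothetical rules for this example: same department (need-to-know),
    office hours only, and 'admin' only from the corporate network."""
    if subject.department != resource.department:
        return False
    if not 8 <= ctx["hour"] < 18:
        return False
    if action == "admin" and not ctx["on_corp_network"]:
        return False
    return True


@dataclass
class Decision:
    allowed: bool
    checks: dict          # model -> result, kept so a denial can be explained in an audit log

    def denied_by(self):
        return sorted(model for model, ok in self.checks.items() if not ok)


def decide(subject, resource, action, ctx):
    """Combined policy chosen for this example (an organisation picks its own mix):
    MAC is a hard floor, the ABAC context must hold, and the action must be
    granted by a role (RBAC) or by the owner (DAC). Everything else is denied."""
    checks = {
        "mac": mac_allows(subject, resource),
        "dac": dac_allows(subject, resource, action),
        "rbac": rbac_allows(subject, action),
        "abac": abac_allows(subject, resource, action, ctx),
    }
    return Decision(checks["mac"] and checks["abac"] and (checks["rbac"] or checks["dac"]), checks)


# Constructed sample data: two staff with roles, one data owner with no role.
ALICE = Subject("alice", frozenset({"hr_manager"}), Label.CONFIDENTIAL, "HR")
BOB = Subject("bob", frozenset({"it_admin"}), Label.INTERNAL, "IT")
CAROL = Subject("carol", frozenset(), Label.RESTRICTED, "HR")
PAYROLL = Resource("payroll.xlsx", owner="carol", label=Label.CONFIDENTIAL,
                   department="HR", grants={"alice": {"read"}})
OFFICE = {"hour": 10, "on_corp_network": True}
NIGHT = {"hour": 22, "on_corp_network": False}

if __name__ == "__main__":
    for subj, action, ctx in [(ALICE, "read", OFFICE), (ALICE, "write", OFFICE),
                              (BOB, "read", OFFICE), (CAROL, "write", OFFICE),
                              (ALICE, "read", NIGHT)]:
        d = decide(subj, PAYROLL, action, ctx)
        print(f"{subj.name:6}{action:6}{'ALLOW' if d.allowed else 'DENY'}  failed={d.denied_by()}")
```

Two things worth noting from the sample runs: bob is a privileged IT administrator whose role permits "read", yet he is denied the payroll file because his clearance is below its label and he is outside the HR need-to-know scope, which is exactly the kind of blanket-access result the guidelines above warn against; and carol, who holds no role at all, can still write to the file because she owns it, which is the discretionary behaviour an organisation must decide whether to tolerate. Keeping the per-model `checks` dictionary on every decision is what lets an access review or incident investigation explain why a request was allowed or refused.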

Further guidance

Consistency must be maintained between the data to which the access right applies and the kind of access right, in order to ensure everyone in the team understands the rules. It is vital to ensure there is also consistency between an organisation’s access rights and physical security requirements.

Access rights in a distributed computing environment such as the cloud should account for data being stored and processed across multiple networks and providers, not just within the organisation’s own perimeter.

Annex A 5.15 gives organisations freedom with regard to specifying the granularity of their Access Control policies. Organisations are encouraged to use their judgement on a case-by-case basis.

What has changed since ISO 27001:2013?

The underlying themes of the older and newer controls are very similar, but the 2022 version provides much more concise and practical guidance across the various implementation guidelines.

The 2013 guidance centred on role-based access control (RBAC). The 2022 version explicitly names four models for organisations to choose between: MAC, DAC, RBAC and ABAC. MAC and DAC are long-established models rather than new ones; what has changed is that the standard now calls them out alongside RBAC and ABAC.

The 2022 version also grants organisations more flexibility with regard to their granular access controls.
