ISO 27001:2022 Annex A Control 5.15

Access Control

Book a demo

cropped,image,of,professional,businesswoman,working,at,her,office,via

Annex A 5.15 of ISO 27001:2022; Your step-by-step guide to understanding and meeting it.

Annex A 5.15 is concerned with access control procedures. The objective of Annex A.9 is to safeguard access to information and ensure that employees only have access to the information they require to perform their duties.

It is one of the essential elements of an information security management system (ISMS), especially if you are planning to achieve ISO 27001 certification.

Getting this part right is a critical component of ISO 27001 certification and one where many companies require assistance. To better understand these requirements, let’s take a closer look at what they entail.

Access Control Policy

To manage access to assets within the scope of an organisation, an access control policy must be developed, documented, and periodically reviewed.

Access control governs how human and non-human entities on a network access data, IT resources, and applications.

Information security risks associated with the information and the organisation’s appetite for managing them should be reflected in the rules, rights and restrictions and the depth of controls used. It is simply a matter of deciding who has access to what, how much, and who does not.

It is possible to set up digital, and physical access controls, such as limiting user account permissions or restricting access to specific physical locations (aligned with Annex A.7 Physical and Environment Security). The policy should take into consideration the following considerations:

  • It is essential to align the security requirements of business applications with the information classification scheme in use per Annex A 5.9, 5.10, 5.11, 5.12, 5.13 & 7.10 relating to Asset Management.
  • Identify who requires access to, knowledge of, and the use of information – accompanied by clearly defined procedures and responsibilities.
  • Ensure that access rights and privilege access rights (more power – see below) are managed effectively, including the addition of changes in life (e.g. controls for super users/administrators) and periodic reviews (e.g. periodic internal audits per requirement Annex A 5.15, 5.16, 5.17, 5.18 & 8.2).
  • A formal procedure and defined responsibilities should support the access control rules.

It is vital to review access control as roles change, especially during exits, to comply with Annex A.7 Human Resource Security.

Networking and Network Services Are Available to Users

A general approach to protection is that of least access rather than unlimited access and superuser rights without careful consideration.

Consequently, users should only be provided access to networks and network services required to fulfil their responsibilities. The policy needs to address; The networks and network services in scope for access; Authorisation procedures for showing who (role-based) is permitted access to what and when; and Management controls and procedures to prevent access and monitor it in the event of an incident.

On-boarding and off-boarding should also take into consideration this issue, which is closely related to the access control policy.

Purpose of ISO 27001:2022 Annex A 5.15

As a preventative control, Annex A 5.15 improves an organisation’s underlying ability to control access to data and assets.

A concrete set of commercial and informational security needs must be met before access to resources can be granted and amended under Annex A Control 5.15.

ISO 27001 Annex A 5.15 provides guidelines for facilitating secure access to data and minimising the risk of unauthorised access to physical and virtual networks.

Ownership of Annex A 5.15

As shown in Annex A 5.15, management staff across various parts of an organisation must maintain a thorough understanding of which resources need to be accessed (e.g. In addition to HR informing employees about their job roles, which dictate their RBAC parameters, access rights are ultimately a maintenance function controlled by network administrators.

An organisation’s Annex A 5.15 ownership should rest with a member of senior management who has overarching technical authority over the company’s domains, subdomains, applications, resources, and assets. This could be the head of IT.

General Guidance on ISO 27001:2022 Annex 5.15

A topic-specific approach to Access Control is required for compliance with ISO 27001:2022 Annex A Control 5.15 (more commonly known as an issue-specific approach).

Rather than adhering to a blanket Access Control policy that applies to resource and data access across the organisation, topic-specific approaches encourage organisations to create Access Control policies targeted at individual business functions.

Across all topic-specific areas, Annex A Control 5.15 requires policies regarding Access Control to consider the 11 points below. Some of these guidelines overlap with other policies.

As a guideline, organisations should consult the accompanying Controls for further information on a case-by-case basis:

  • Identify which entities require access to certain assets and information.
  • Maintaining a record of job roles and data access requirements in accordance with the organisational structure of your organisation is the easiest way to ensure compliance.
  • Security and integrity of all relevant applications (linked to Control 8.2).
  • A formal risk assessment could be conducted to assess the security characteristics of individual applications.
  • The control of physical access to a site (links with Controls 7.2, 7.3, and 7.4).
  • As part of your compliance program, your organisation must demonstrate a robust set of building and room access controls, including managed entry systems, security perimeters, and visitor procedures, where appropriate.
  • When it comes to the distribution, security, and categorisation of information, the “need to know” principle should be applied throughout the organisation (linked to 5.10, 5.12, and 5.13).
  • Companies should adhere to strict best-practice policies that do not provide blanket access to data across an organisation’s hierarchy.
  • Ensure that privileged access rights are restricted (related to 8.2).
  • The access privileges of users given access to data above and beyond that of a standard user must be monitored and audited.
  • Ensure compliance with any prevailing legislation, sector-specific regulatory guidelines, or contractual obligations relating to data access (see 5.31, 5.32, 5.33, 5.34, and 8.3).
  • An organisation’s Access Control policies are customised according to external obligations regarding data access, assets, and resources.
  • Keeping an eye on potential conflicts of interest.
  • The policies should include controls to prevent an individual from compromising a broader Access Control function based on their access levels (i.e. an employee who can request, authorise and implement changes to a network).
  • An Access Control Policy should address the three main functions – requests, authorisations, and administration – independently.
  • A policy for Access Control must acknowledge that, despite its self-contained nature, it comprises several individual steps, each containing its requirements.
  • To ensure compliance with the requirements of 5.16 and 5.18, access requests should be conducted in a structured, formal manner.
  • Organisations should implement formal authorisation processes that require formal, documented approval from the appropriate personnel.
  • Managing access rights on an ongoing basis (linked to 5.18).
  • To maintain data integrity and security perimeters, periodic audits, HR oversight (leavers, etc.) and job-specific changes (e.g. departmental moves and changes to roles) are required.
  • Maintaining adequate logs and controlling access to them Compliance – Organisations should collect and store data on access events (e.g. file activity), safeguard against unauthorised access to security event logs, and follow a comprehensive incident management strategy.

Supplementary Guidance on Annex 5.15

According to the supplementary guidance, ISO 27001:2022 Annex A Control 5.15 mentions (without limiting itself to) four different types of access control, which can be broadly classified as follows:

  • Mandatory Access Control (MAC) – Access is managed centrally by a single security authority.
  • An alternative to MAC is discretionary access control (DAC), in which the owner of the object can grant others privileges within the object.
  • An access control system based on predefined job functions and privileges is called Role-based Access Control (RBAC).
  • Using Attribute-Based Access Control (ABAC), user access rights are granted based on policies combining attributes.

Guidelines for Implementing Access Control Rules

We have discussed Access Control rules as being granted to various entities (human and non-human) operating within a network, which are assigned roles defining their overall function.

In defining and enacting your organisation’s Access Control policies, Annex A 5.15 asks you to consider the following four factors:

  1. Consistency must be maintained between the data to which the access right applies and the kind of access right.
  2. It is essential to ensure consistency between your organisation’s access rights and physical security requirements (perimeters, etc).
  3. Access rights in a distributed computing environment (such as a cloud-based environment) consider the implications of data residing across a broad spectrum of networks.
  4. Consider the implications of dynamic access controls (a granular method of accessing a detailed set of variables implemented by a system administrator).

Defining Responsibilities and Documenting the Process

According to ISO 27001:2022 Annex A Control 5.15, organisations must develop and maintain a structured list of responsibilities and documentation. There are numerous similarities among ISO 27001:2022’s entire list of controls, with Annex A 5.15 containing the most relevant requirements:

Documentation

  • ISO 27001:2022 Annex A 5.16
  • ISO 27001:2022 Annex A 5.17
  • ISO 27001:2022 Annex A 5.18
  • ISO 27001:2022 Annex A 8.2
  • ISO 27001:2022 Annex A 8.3
  • ISO 27001:2022 Annex A 8.4
  • ISO 27001:2022 Annex A 8.5
  • ISO 27001:2022 Annex A 8.18

Responsibilities

  • ISO 27001:2022 Annex A 5.2
  • ISO 27001:2022 Annex A 5.17

Granularity

Control 5.15 of Annex A provides organisations with significant freedom in specifying the granularity of their Access Control policies.

Generally, ISO advises companies to use their judgement regarding how detailed a given set of rules should be on an employee-by-employee basis and how many variables should be applied to a given piece of information.

Specifically, Annex A 5.15 acknowledges that the more detailed a company’s Access Control policies are, the greater the cost and the more challenging the concept of Access Control becomes across multiple locations, network types, and application variables.

Access Control, unless carefully managed, can get out of hand very quickly. It is wise to simplify access control rules to ensure they are easier to manage and more cost-effective.

What Are the Changes From ISO 27001:2013?

Annex A 5.15 in 27001:2022 is an amalgamation of two similar controls in 27001:2013 – Annex A 9.1.1 (Access control policy) and Annex A 9.1.2 (Access to networks and network services).

The underlying themes of A.9.1.1 and A.9.1.2 are similar to those in Annex A 5.15, except for some subtle operational differences.

As in 2022, both controls relate to administering access to information, assets and resources and operate on the principle of “need to know,” in which corporate data is treated as a commodity that requires careful management and protection.

There are 11 governing guidelines in 27001:2013 Annex A 9.1.1, all of which follow the same general principles as 27001:2022 Annex A Control 5.15 with a slightly greater emphasis on perimeter security and physical security.

There are generally the same implementation guidelines for Access Control, but the 2022 control provides much more concise and practical guidance across its four implementation guidelines.

Types of Access Controls Used in ISO 27001:2013 Annex A 9.1.1 Have Changed

As stated in ISO 27001 Annex A 5.15, various forms of access control have emerged over the last nine years (MAC, DAC, ABAC), whereas in 27001:2013 Annex A Control 9.1.1, the primary method of commercial access control at that time was RBAC.

Level of Granularity

The 2013 controls need to contain meaningful guidelines for how an organisation should approach granular access controls in light of technological changes that provide organisations with enhanced control over their data.

In contrast, Annex A 5.15 of 27001:2022 provides organisations with considerable flexibility.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How Can ISMS.online Help?

Annex A 5.15 of ISO 27001:2022 is probably the most talked about clause within Annex A, and some argue it is the most significant.

Your Information Security Management System (ISMS) aims to ensure that the appropriate people have access to the correct information at the right time. One of the keys to success is getting that right, but doing it wrong can adversely affect your business.

Consider the scenario where you accidentally revealed confidential employee information to the wrong people, such as what everyone in the organisation is paid.

If you are not careful, the consequences of getting this part wrong can be serious. Therefore, it is imperative to take the time to carefully consider all the aspects before proceeding.

In this regard, our platform can be a real asset. This is because it follows the entire structure of ISO 27001 and allows you to adopt, adapt and enrich the content we provide for you, giving you a considerable head start.

Get a free demo from ISMS.online today.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Say hello to ISO 27001 success

Get 81% of the work done for you and get certified faster with ISMS.online

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.