ISO 27001:2022 Annex A 5.15 – Access Control

Access Control Policy

To manage access to assets within the scope of an organisation, an access control policy must be developed, documented, and periodically reviewed.

Access control governs how human and non-human entities on a network access data, IT resources, and applications.

Information security risks associated with the information and the organisation’s appetite for managing them should be reflected in the rules, rights and restrictions and the depth of controls used. It is simply a matter of deciding who has access to what, how much, and who does not.

It is possible to set up digital, and physical access controls, such as limiting user account permissions or restricting access to specific physical locations (aligned with Annex A.7 Physical and Environment Security). The policy should take into consideration the following considerations:

• It is essential to align the security requirements of business applications with the information classification scheme in use per Annex A 5.9, 5.10, 5.11, 5.12, 5.13 & 7.10 relating to Asset Management.
• Identify who requires access to, knowledge of, and the use of information – accompanied by clearly defined procedures and responsibilities.
• Ensure that access rights and privilege access rights (more power – see below) are managed effectively, including the addition of changes in life (e.g. controls for super users/administrators) and periodic reviews (e.g. periodic internal audits per requirement Annex A 5.15, 5.16, 5.17, 5.18 & 8.2).
• A formal procedure and defined responsibilities should support the access control rules.

It is vital to review access control as roles change, especially during exits, to comply with Annex A.7 Human Resource Security.

Networking and Network Services Are Available to Users

A general approach to protection is that of least access rather than unlimited access and superuser rights without careful consideration.

Consequently, users should only be provided access to networks and network services required to fulfil their responsibilities. The policy needs to address; The networks and network services in scope for access; Authorisation procedures for showing who (role-based) is permitted access to what and when; and Management controls and procedures to prevent access and monitor it in the event of an incident.

On-boarding and off-boarding should also take into consideration this issue, which is closely related to the access control policy.

Purpose of ISO 27001:2022 Annex A 5.15

As a preventative control, Annex A 5.15 improves an organisation’s underlying ability to control access to data and assets.

A concrete set of commercial and informational security needs must be met before access to resources can be granted and amended under Annex A Control 5.15.

ISO 27001 Annex A 5.15 provides guidelines for facilitating secure access to data and minimising the risk of unauthorised access to physical and virtual networks.

Ownership of Annex A 5.15

As shown in Annex A 5.15, management staff across various parts of an organisation must maintain a thorough understanding of which resources need to be accessed (e.g. In addition to HR informing employees about their job roles, which dictate their RBAC parameters, access rights are ultimately a maintenance function controlled by network administrators.

An organisation’s Annex A 5.15 ownership should rest with a member of senior management who has overarching technical authority over the company’s domains, subdomains, applications, resources, and assets. This could be the head of IT.

General Guidance on ISO 27001:2022 Annex 5.15

A topic-specific approach to Access Control is required for compliance with ISO 27001:2022 Annex A Control 5.15 (more commonly known as an issue-specific approach).

Rather than adhering to a blanket Access Control policy that applies to resource and data access across the organisation, topic-specific approaches encourage organisations to create Access Control policies targeted at individual business functions.

Across all topic-specific areas, Annex A Control 5.15 requires policies regarding Access Control to consider the 11 points below. Some of these guidelines overlap with other policies.

As a guideline, organisations should consult the accompanying Controls for further information on a case-by-case basis:

• Identify which entities require access to certain assets and information.
• Maintaining a record of job roles and data access requirements in accordance with the organisational structure of your organisation is the easiest way to ensure compliance.
• Security and integrity of all relevant applications (linked to Control 8.2).
• A formal risk assessment could be conducted to assess the security characteristics of individual applications.
• The control of physical access to a site (links with Controls 7.2, 7.3, and 7.4).
• As part of your compliance program, your organisation must demonstrate a robust set of building and room access controls, including managed entry systems, security perimeters, and visitor procedures, where appropriate.
• When it comes to the distribution, security, and categorisation of information, the “need to know” principle should be applied throughout the organisation (linked to 5.10, 5.12, and 5.13).
• Companies should adhere to strict best-practice policies that do not provide blanket access to data across an organisation’s hierarchy.
• Ensure that privileged access rights are restricted (related to 8.2).
• The access privileges of users given access to data above and beyond that of a standard user must be monitored and audited.
• Ensure compliance with any prevailing legislation, sector-specific regulatory guidelines, or contractual obligations relating to data access (see 5.31, 5.32, 5.33, 5.34, and 8.3).
• An organisation’s Access Control policies are customised according to external obligations regarding data access, assets, and resources.
• Keeping an eye on potential conflicts of interest.
• The policies should include controls to prevent an individual from compromising a broader Access Control function based on their access levels (i.e. an employee who can request, authorise and implement changes to a network).
• An Access Control Policy should address the three main functions – requests, authorisations, and administration – independently.
• A policy for Access Control must acknowledge that, despite its self-contained nature, it comprises several individual steps, each containing its requirements.
• To ensure compliance with the requirements of 5.16 and 5.18, access requests should be conducted in a structured, formal manner.
• Organisations should implement formal authorisation processes that require formal, documented approval from the appropriate personnel.
• Managing access rights on an ongoing basis (linked to 5.18).
• To maintain data integrity and security perimeters, periodic audits, HR oversight (leavers, etc.) and job-specific changes (e.g. departmental moves and changes to roles) are required.
• Maintaining adequate logs and controlling access to them Compliance – Organisations should collect and store data on access events (e.g. file activity), safeguard against unauthorised access to security event logs, and follow a comprehensive incident management strategy.

Supplementary Guidance on Annex 5.15

According to the supplementary guidance, ISO 27001:2022 Annex A Control 5.15 mentions (without limiting itself to) four different types of access control, which can be broadly classified as follows:

• Mandatory Access Control (MAC) – Access is managed centrally by a single security authority.
• An alternative to MAC is discretionary access control (DAC), in which the owner of the object can grant others privileges within the object.
• An access control system based on predefined job functions and privileges is called Role-based Access Control (RBAC).
• Using Attribute-Based Access Control (ABAC), user access rights are granted based on policies combining attributes.

Guidelines for Implementing Access Control Rules

We have discussed Access Control rules as being granted to various entities (human and non-human) operating within a network, which are assigned roles defining their overall function.

In defining and enacting your organisation’s Access Control policies, Annex A 5.15 asks you to consider the following four factors:

1. Consistency must be maintained between the data to which the access right applies and the kind of access right.
2. It is essential to ensure consistency between your organisation’s access rights and physical security requirements (perimeters, etc).
3. Access rights in a distributed computing environment (such as a cloud-based environment) consider the implications of data residing across a broad spectrum of networks.
4. Consider the implications of dynamic access controls (a granular method of accessing a detailed set of variables implemented by a system administrator).

Defining Responsibilities and Documenting the Process

According to ISO 27001:2022 Annex A Control 5.15, organisations must develop and maintain a structured list of responsibilities and documentation. There are numerous similarities among ISO 27001:2022’s entire list of controls, with Annex A 5.15 containing the most relevant requirements:

Documentation

• ISO 27001:2022 Annex A 5.16
• ISO 27001:2022 Annex A 5.17
• ISO 27001:2022 Annex A 5.18
• ISO 27001:2022 Annex A 8.2
• ISO 27001:2022 Annex A 8.3
• ISO 27001:2022 Annex A 8.4
• ISO 27001:2022 Annex A 8.5
• ISO 27001:2022 Annex A 8.18

Responsibilities

• ISO 27001:2022 Annex A 5.2
• ISO 27001:2022 Annex A 5.17

Granularity

Control 5.15 of Annex A provides organisations with significant freedom in specifying the granularity of their Access Control policies.

Generally, ISO advises companies to use their judgement regarding how detailed a given set of rules should be on an employee-by-employee basis and how many variables should be applied to a given piece of information.

Specifically, Annex A 5.15 acknowledges that the more detailed a company’s Access Control policies are, the greater the cost and the more challenging the concept of Access Control becomes across multiple locations, network types, and application variables.

Access Control, unless carefully managed, can get out of hand very quickly. It is wise to simplify access control rules to ensure they are easier to manage and more cost-effective.

Case Studies

MIRACL turns trust into a competitive advantage with ISO 27001 certification

Read Case Study

Case Studies

Xergy’s tool Proteus generates growth through ISO 27001 compliance using ISMS.online

Read Case Study

← →

What Are the Changes From ISO 27001:2013?

Annex A 5.15 in 27001:2022 is an amalgamation of two similar controls in 27001:2013 – Annex A 9.1.1 (Access control policy) and Annex A 9.1.2 (Access to networks and network services).

The underlying themes of A.9.1.1 and A.9.1.2 are similar to those in Annex A 5.15, except for some subtle operational differences.

As in 2022, both controls relate to administering access to information, assets and resources and operate on the principle of “need to know,” in which corporate data is treated as a commodity that requires careful management and protection.

There are 11 governing guidelines in 27001:2013 Annex A 9.1.1, all of which follow the same general principles as 27001:2022 Annex A Control 5.15 with a slightly greater emphasis on perimeter security and physical security.

There are generally the same implementation guidelines for Access Control, but the 2022 control provides much more concise and practical guidance across its four implementation guidelines.

Types of Access Controls Used in ISO 27001:2013 Annex A 9.1.1 Have Changed

As stated in ISO 27001 Annex A 5.15, various forms of access control have emerged over the last nine years (MAC, DAC, ABAC), whereas in 27001:2013 Annex A Control 9.1.1, the primary method of commercial access control at that time was RBAC.

Level of Granularity

The 2013 controls need to contain meaningful guidelines for how an organisation should approach granular access controls in light of technological changes that provide organisations with enhanced control over their data.

In contrast, Annex A 5.15 of 27001:2022 provides organisations with considerable flexibility.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How Can ISMS.online Help?

Annex A 5.15 of ISO 27001:2022 is probably the most talked about clause within Annex A, and some argue it is the most significant.

Your Information Security Management System (ISMS) aims to ensure that the appropriate people have access to the correct information at the right time. One of the keys to success is getting that right, but doing it wrong can adversely affect your business.

Consider the scenario where you accidentally revealed confidential employee information to the wrong people, such as what everyone in the organisation is paid.

If you are not careful, the consequences of getting this part wrong can be serious. Therefore, it is imperative to take the time to carefully consider all the aspects before proceeding.

In this regard, our platform can be a real asset. This is because it follows the entire structure of ISO 27001 and allows you to adopt, adapt and enrich the content we provide for you, giving you a considerable head start.

Get a free demo from ISMS.online today.