ISO 27001:2022 Annex A 8.3 – Information Access Restriction

• See ISO 27002:2022 Control 8.3 for more information.
• See ISO 27001:2013 Annex A 9.4.1 for more information.

Purpose of ISO 27001:2022 Annex A 8.3

An organisation’s information security policy relies heavily on internal and external access to information.

ISO 27001:2022 Annex A 8.3 is a preventative measure to manage risk by establishing rules and procedures to prevent unauthorised access/misuse of an organisation’s information and ICT assets.

Ownership of Annex A 8.3

ISO 27001:2022 Annex A 8.3 is concerned with an organisation’s capacity to regulate access to information. It ensures that information is only accessible by authorised personnel.

Ownership of information and data security practices should rest with the Chief Information Security Officer (or their organisational equivalent). This individual takes full responsibility for the organisation’s overall security approach.

General Guidance on ISO 27001:2022 Annex A 8.3

To maintain effective control over information and ICT assets, organisations should take a topic-specific approach to information access and support access restriction measures, such as:

1. Block anonymous access to information, including broad public access:
• Organisations should make sure that access granted to the public or third parties does not include sensitive or business-critical data.
2. Ensure proper upkeep of systems to regulate access and any associated business applications or procedures.
3. Set data access on an individual level.
4. Outline the data access rights between groups that validate operations, such as read, write, delete and execute.
5. Maintain the capacity to partition off vital processes and applications with a variety of physical and digital access limitations.

Guidance on Dynamic Access Management

ISO 27001:2022 Annex A 8.3 recommends taking a dynamic approach to information access.

Dynamic access management has many positive effects on organisational activities which involve the sharing or utilisation of internal data with external users, resulting in quicker incident resolution.

Dynamic access management techniques safeguard a variety of information types, from ordinary documents to emails and database information. Furthermore, they can be applied to individual files, allowing organisations to have a precise control over their data.

Organisations should take this into account when:

• Granular control is needed to determine what human and non-human users can access the information at any given time.
• There is a need to share data with outside entities (e.g. suppliers or government agencies).
• A “real-time” approach to data management and distribution entails monitoring and managing data utilisation as it happens.
• Protecting data against unauthorised changes, distribution, or printing.
• Monitoring access to and alterations of information, particularly when it is sensitive, is essential.

Dynamic access management is particularly beneficial for organisations requiring observation and preservation of data from inception to destruction, including:

• A use-case or series of use-cases can be outlined to apply data access rules based on the variables below:
• Location
• Application
• Identity
• Device
• Outline a process including data operation and monitoring, as well as establishing a comprehensive reporting system based on a reliable technical infrastructure.

All attempts to create an effective system of access control should result in data being safeguarded by:

1. Ensuring data access is the result of a successful authentication.
2. A degree of restricted access, dependent on the type of data and its ability to affect business continuity, must be put in place.
3. Printing permissions.
4. Encryption.
5. Comprehensive audit logs that record who accesses data, and the purpose of the data’s use, must be kept.
6. A procedure for alerts which flags any improper usage of data, including (though not restricted to) unauthorised access, distribution and attempts to delete.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.3 replaces ISO 27001:2013 Annex A 9.4.1 (Information Access Restriction), representing a major shift in how ISO considers information access management.

This dynamic approach, which wasn’t mentioned in ISO 27001:2013 Annex A 9.4.1, takes into account the evolving nature of information security.

ISO 27001:2022 Annex 8.3 provides a wealth of guidance notes on dynamic access management not found in the ISO 27001:2013 edition. Consequently, organisations should look over these suggestions topic-by-topic when seeking certification.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISMS.Online is the foremost ISO 27001 management system software that aids compliance with ISO 27001 and enables companies to align their security policies and procedures with the standard.

This cloud-based platform furnishes organisations with a full suite of tools to help them build an Information Security Management System (ISMS) compliant with ISO 27001:2022.

We have constructed our platform from the ground up, collaborating with international information security specialists. We have designed it to be intuitive and straightforward for users who lack technical expertise in Information Security Management Systems (ISMS).

Contact us now to arrange a demonstration.