ISO 27701, Clause 6.6 – Access Control

ISO 27701 Controls and Clauses Explained


Access control governs the ways in which human and non-human entities are granted access to data, IT resources and applications – and in the case of ISO 27701 6.6, PII and privacy-related material.

Access control is a complex and multi-faceted ICT function that draws in numerous other business functions, such as change management, asset security, topic-specific authorisation, physical security controls and technical concepts such as RBAC, MAC and DAC. As such, ISO 27701 6.6 contains a great deal of supporting guidance from similar privacy and information protection controls contained in the ISO 27002 standard.

Getting access control right is one of the foremost functions of a well-oiled privacy protection operation, particularly within the context of safeguarding PII.

What’s Covered in ISO 27701 Clause 6.6

ISO 27701 6.6 contains two sub-clauses that contextualise information provided in ISO 27002 5.15 (Access Control) within the sphere of PII and privacy protection, with numerous supporting clauses provided that deal with various other aspects of information security (see above):

  • ISO 27701 6.6.1.1 – Access control policy (References ISO 27002 Control 5.15)
  • ISO 27701 6.6.1.2 – Access to networks and network services (References ISO 27002 Control 5.15)

Neither clause contains any PIMS-specific guidance, nor do they bear any relevance to UK GDPR legislation.


ISO 27701 Clause 6.6.1.1 – Access Control Policy

References ISO 27002 Control 5.15

Owners of assets containing PII, and the data itself, should develop privacy-based access requirements on both a general and topic-specific basis, and clearly communicate access control policies to all relevant personnel.

Access Control Policies

General requirements and topic-specific policies should:

  • Establish who requires access to specific assets and data, and manage such rights accordingly (see ISO 27002 5.18).
  • Consider the unique security requirements of applications that use PII (see ISO 27002 5.16, 5.18 and 8.26).
  • Control physical access to PII data (see ISO 27002 7.2, 7.3 and 7.4).
  • Disseminate PII and authorise documented access requests on a ‘need to know’ basis (see ISO 27002 5.10, 5.12 and 5.13).
  • Place limitations on ‘privileged’ access to PII (see ISO 27002 8.2).
  • Segregate duties, to limit the possibility of individuals and groups being the sole authority on elements (see ISO 27002 5.3).
  • Take into account the organisation’s obligations towards any privacy protection legislation, regulatory guidelines or contractual requirements (see ISO 27002 5.31, 5.32, 5.33, 5.34 and 8.3).
  • Ensure that accurate and up-to-date logs are maintained, that detail access to PII across the organisation (see ISO 27002 8.15).

Defining Access Control Entities and Associated Rules

ISO classifies an ‘entity’ as a physical, human and/or logical item which has the ability to access data.

Entities should be assigned specific roles, relating to their function and the data they require access to.

When implementing Access Control rules for the various entities it has defined, organisations should:

  • Ensure that entities are granted access to PII consistently, in accordance with their specific role and/or function.
  • Keep in mind physical security needs, when administering access to PII.
  • In the case of multi-faceted cloud-based and/or distributed environments, grant entities access only to the PII data categories that they are authorised to use, rather than providing blanket access.

Additional Guidance

Access control can often be a complex and tough-to-manage element of an organisation’s ICT operation.

Here are a few general principles to adhere by:

  • Operate within a ‘need to know’ and ‘need to use’ framework – i.e. only provide access to PII if the entity requires it to carry out their job role, and no more than that.
  • Organisations should adhere to the concept of ‘least privilege’. ISO defines this as ‘everything is generally forbidden, unless expressly permitted’. In other words, access control should be closely administered, rather than trusting employees with broad levels of access across multiple applications, storage devices and file servers.
  • Changes to access permissions should be considered in two ways – changes initiated by system administrators, and those that are initiated by ICT systems and applications themselves – including when to review approvals.
  • For the purposes of accessing PII, ISO outlines four main access control types that organisations should consider, based on their unique requirements:
    • Mandatory Access Control (MAC) – Access is centrally managed by a sole security authority.
    • Discretionary Access Control (DAC) – The opposite method to MAC, where object owners are able to pass on privileges to other users.
    • Role-based Access Control (RBAC) – The most common type of commercial access control, based around predefined job functions and privileges.
    • Attribute-based Access Control (ABAC) – Access rights are granted to users through the use of policies which combine attributes together.
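As an added illustration (not part of this page or of the ISO standard), the following Python sketch shows a deny-by-default check of the kind these principles describe: roles expressly grant specific actions on specific PII categories for a stated purpose (RBAC with an ABAC-style purpose attribute), and every decision is written to an access log. The role names, PII categories and purposes are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example policy (not from ISO 27701 or ISMS.online): each role is
# granted specific actions on specific PII categories for specific purposes.
# Anything not listed is denied: "everything is forbidden unless expressly permitted".
ROLE_GRANTS = {
    "payroll-clerk":   {"employee-pii":     {"read":   {"payroll"}}},
    "support-agent":   {"customer-contact": {"read":   {"support"},
                                             "update": {"support"}}},
    "privacy-officer": {"employee-pii":     {"read":   {"dsar", "audit"}},
                        "customer-contact": {"read":   {"dsar", "audit"}}},
}

@dataclass(frozen=True)
class Entity:
    name: str
    roles: frozenset  # a human or non-human entity with its assigned roles

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorise(entity: Entity, category: str, action: str, purpose: str, log: list) -> Decision:
    """Deny-by-default evaluation: a request succeeds only if some role of the
    entity expressly permits this action on this PII category for this purpose.
    Every decision, allowed or denied, is appended to `log` (cf. ISO 27002 8.15)."""
    decision = Decision(False, "no role expressly permits this category/action/purpose")
    for role in sorted(entity.roles):
        purposes = ROLE_GRANTS.get(role, {}).get(category, {}).get(action)
        if purposes and purpose in purposes:
            decision = Decision(True, f"permitted by role '{role}' for purpose '{purpose}'")
            break
    log.append({"entity": entity.name, "category": category, "action": action,
                "purpose": purpose, "allowed": decision.allowed, "reason": decision.reason})
    return decision

def demo() -> list:
    """Run a few constructed requests and return the resulting access log."""
    log = []
    clerk = Entity("alice", frozenset({"payroll-clerk"}))
    job = Entity("export-job", frozenset({"support-agent"}))  # non-human entity
    authorise(clerk, "employee-pii", "read", "payroll", log)      # allowed
    authorise(clerk, "employee-pii", "read", "marketing", log)    # denied: purpose not granted
    authorise(clerk, "customer-contact", "read", "payroll", log)  # denied: category not granted
    authorise(job, "customer-contact", "delete", "support", log)  # denied: action not granted
    return log

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```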

Relevant ISO 27002 Controls


  • ISO 27002 5.3
  • ISO 27002 5.10
  • ISO 27002 5.12
  • ISO 27002 5.13
  • ISO 27002 5.16
  • ISO 27002 5.18
  • ISO 27002 5.31
  • ISO 27002 5.32
  • ISO 27002 5.33
  • ISO 27002 5.34
  • ISO 27002 7.2
  • ISO 27002 7.3
  • ISO 27002 7.4
  • ISO 27002 8.2
  • ISO 27002 8.3
  • ISO 27002 8.26


ISO 27701 Clause 6.6.1.2 – Access to Networks and Network Services

References ISO 27002 Control 5.15

See ISO 27701 Clause 6.6.1.1

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name                   | ISO 27002 Control     | Associated GDPR Articles
6.6.1.1                     | Access Control Policy                   | 5.15 – Access Control | None
6.6.1.2                     | Access to Networks and Network Services | 5.15 – Access Control | None

How ISMS.online Helps

How do we help?

ISO 27701 shows you how to build a Privacy Information Management System that complies with most privacy regulations, including the EU’s GDPR, BS 10012 and South Africa’s POPIA.

Our simplified, secure, sustainable software helps you easily follow the approach outlined by the internationally recognised standard.

Our all-in-one-platform ensures your privacy work aligns with and meets the needs of each section of the ISO 27701 standard.

And because it’s regulation agnostic, you can map it onto any regulation you need to.

Find out more by booking a hands-on demo.
