Understanding ISO 27701 Clause 6.6: Access Control Best Practices

Access control governs the ways in which human and non-human entities are granted access to data, IT resources and applications – and in the case of ISO 27701 6.6, PII and privacy-related material.

Access control is a complex and multi-faceted ICT function that draws in numerous other business functions, such as change management, asset security, topic-specific authorisation, physical security controls and technical concepts such as RBAC, MAC and DAC. As such, ISO 27701 6.6 contains a great deal of supporting guidance from similar privacy and information protection controls contained in the ISO 27002 standard.

Getting access control right is one of the foremost functions of a well-oiled privacy protection operation, particularly within the context of safeguarding PII.

What’s Covered in ISO 27701 Clause 6.6

ISO 27701 6.6 contains two sub-clauses that contextualise information provided in ISO 27002 5.15 (Access Control) within the sphere of PII and privacy protection, with numerous supporting clauses provided that deal with various other aspects of information security (see above):

  • ISO 27701 6.6.1.1 – Access control policy (References ISO 27002 Control 5.15)
  • ISO 27701 6.6.1.2 – Access to networks and network services (References ISO 27002 Control 5.15)

Neither clause contains any PIMS-specific guidance, nor do they bear any relevance to UK GDPR legislation.


ISO 27701 Clause 6.6.1.1 – Access Control Policy

References ISO 27002 Control 5.15

Owners of assets containing PII, and the data itself, should develop privacy-based access requirements on both a general and topic-specific basis, and clearly communicate access control policies to all relevant personnel.

Access Control Policies

General requirements and topic-specific policies should:

  • Establish who requires access to specific assets and data, and manage such rights accordingly (see ISO 27002 5.18).
  • Consider the unique security requirements of applications that use PII (see ISO 27002 5.16, 5.18 and 8.26).
  • Control physical access to PII data (see ISO 27002 7.2, 7.3 and 7.4).
  • Disseminate PII and authorise documented access requests on a ‘need to know’ basis (see ISO 27002 5.10, 5.12 and 5.13).
  • Place limitations on ‘privileged’ access to PII (see ISO 27701 8.2).
  • Segregate duties, to limit the possibility of individuals and groups being the sole authority on elements (see ISO 27002 5.3).
  • Take into account the organisation’s obligations towards any privacy protection legislation, regulatory guidelines or contractual requirements (see ISO 27002 5.31, 5.32, 5.33, 5.34 and 8.3).
  • Ensure that accurate and up-to-date logs are maintained, that detail access to PII across the organisation (see ISO 27002 8.15).

Defining Access Control Entities and Associated Rules

ISO classifies an ‘entity’ as a physical, human and/or logical item which has the ability to access data.

Entities should be assigned specific roles, relating to their function and the data they require access to.

When implementing Access Control rules for the various entities it has defined, organisations should:

  • Ensure that entities are granted access to PII consistently, in accordance with their specific role and/or function.
  • Keep in mind physical security needs, when administering access to PII.
  • In the case of multi-faceted cloud-based and/or distributed environments, grant entities access only to the PII data categories that they are authorised to use, rather than providing blanket access.

Additional Guidance

Access control can often be a complex and tough-to-manage element of an organisation’s ICT operation.

Here are a few general principles to adhere to:

  • Operate within a ‘need to know’ and ‘need to use’ framework – i.e. only provide access to PII if the entity requires it to carry out their job role, and no more than that.
  • Organisations should adhere to the concept of ‘least privilege’. ISO defines this as ‘everything is generally forbidden, unless expressly permitted’. In other words, access control should be closely administered, rather than trusting employees with broad levels of access across multiple applications, storage devices and file servers.
  • Changes to access permissions should be considered in two ways – changes initiated by system administrators, and those that are initiated by ICT systems and applications themselves – including when to review approvals.
  • For the purposes of accessing PII, ISO outlines four main access control types that organisations should consider, based on their unique requirements:
    • Mandatory Access Control (MAC) – Access is centrally managed by a sole security authority.
    • Discretionary Access Control (DAC) – The opposite method to MAC, where object owners are able to pass on privileges to other users.
    • Role-based Access Control (RBAC) – The most common type of commercial access control, based around predefined job functions and privileges.
    • Attribute-based Access Control (ABAC) – Access rights are granted to users through the use of policies which combine attributes together.
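The principles above (default deny, role-based entitlement to PII categories, attribute conditions for distributed environments, and logging of every access decision) can be expressed as a small policy evaluator. This is an added example, not code from ISO or ISMS.online; the roles, PII categories, regions and subjects are constructed for illustration.

```python
# Added example (not from the ISO text or ISMS.online): a default-deny
# policy evaluator that combines RBAC (roles entitled to PII categories)
# with ABAC (attribute conditions) and logs every decision. All names,
# roles, categories and records are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Subject:
    name: str
    roles: set[str]
    attributes: dict[str, str]

@dataclass
class Rule:
    role: str                    # RBAC: the job function this rule covers
    categories: set[str]         # PII categories the role may touch
    actions: set[str]            # e.g. "read", "update"
    # ABAC: extra test on subject and resource attributes; default permits
    condition: Callable[[Subject, dict], bool] = lambda s, r: True

@dataclass
class PolicyEngine:
    rules: list[Rule]
    log: list[tuple[str, str, str, bool]] = field(default_factory=list)

    def is_allowed(self, subject: Subject, category: str, action: str,
                   resource: dict[str, str]) -> bool:
        """Least privilege: forbidden unless some rule expressly permits."""
        decision = any(
            rule.role in subject.roles
            and category in rule.categories
            and action in rule.actions
            and rule.condition(subject, resource)
            for rule in self.rules
        )
        # Record who attempted what and the outcome (cf. ISO 27002 8.15)
        self.log.append((subject.name, category, action, decision))
        return decision

# Constructed policy: HR may read contact/employment data anywhere;
# payroll may read/update financial data only for its own region.
ENGINE = PolicyEngine(rules=[
    Rule("hr_analyst", {"contact", "employment"}, {"read"}),
    Rule("payroll", {"financial"}, {"read", "update"},
         condition=lambda s, r: s.attributes.get("region") == r.get("region")),
])
ALICE = Subject("alice", {"hr_analyst"}, {"region": "UK"})
BOB = Subject("bob", {"payroll"}, {"region": "UK"})
```

Because no rule grants an action by default, a request for a category, action or region outside the subject's entitlement is refused and the refusal is still written to the log.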

Relevant ISO 27002 Controls

  • ISO 27002 5.3
  • ISO 27002 5.10
  • ISO 27002 5.12
  • ISO 27002 5.13
  • ISO 27002 5.16
  • ISO 27002 5.18
  • ISO 27002 5.31
  • ISO 27002 5.32
  • ISO 27002 5.33
  • ISO 27002 5.34
  • ISO 27002 7.2
  • ISO 27002 7.3
  • ISO 27002 7.4
  • ISO 27002 8.2
  • ISO 27002 8.3
  • ISO 27002 8.26


ISO 27701 Clause 6.6.1.2 – Access to Networks and Network Services

References ISO 27002 Control 5.15

See ISO 27701 Clause 6.6.1.1

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles
6.6.1.1 | Access Control Policy | 5.15 – Access Control for ISO 27002 | None
6.6.1.2 | Access to Networks and Network Services | 5.15 – Access Control for ISO 27002 | None

How ISMS.online Helps

ISO 27701 shows you how to build a Privacy Information Management System that complies with most privacy regulations, including the EU’s GDPR, BS 10012 and South Africa’s POPIA.

Our simplified, secure, sustainable software helps you easily follow the approach outlined by the internationally recognised standard.

Our all-in-one-platform ensures your privacy work aligns with and meets the needs of each section of the ISO 27701 standard.

And because it’s regulation agnostic, you can map it onto any regulation you need to.

Find out more by booking a hands-on demo.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.