ISO 27001 A.5.15: Access control
What This Control Requires
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
In Plain Language
Access control is the backbone of any security programme. If you cannot say with confidence who has access to what - and why - you have a problem that auditors will find very quickly. The goal here is a formal access control policy covering both physical and logical access. It should be rooted in least privilege: people get only the access they need to do their job, nothing more. Seniority alone is not a valid reason for broader access - there needs to be a genuine business need. The policy must cover the full spectrum - network access, system access, applications, databases, and physical entry to facilities where information is processed or stored. It also needs to define how access is granted, changed, and revoked, along with regular reviews to catch access that has gone stale.
How to Implement
Start with a clear access control policy that sets out the ground rules: least privilege, need-to-know, default deny. Cover access provisioning, approval processes, RBAC, privileged access management, remote access, and physical access.

Build a role-based access control (RBAC) model. Define roles around actual job functions and map each role to the specific access rights it needs. Keep a role-access matrix and review it regularly - roles drift over time as the business changes, and an entitlement that no role justifies should be treated as excess, not grandfathered in.

Set up a formal access request and approval workflow. Every access request should be documented with a business justification, approved by the information or system owner, and implemented by a separate team (segregation of duties matters here). Run this through your ITSM tool so you have an audit trail.

Lock down privileged access. Admin, root, and DBA accounts need stronger authentication (multi-factor at minimum), session monitoring, and time-limited access where possible. Use a PAM tool to vault credentials, control who gets access, and record sessions.

Run regular access reviews. Quarterly for critical systems, semi-annually for everything else. The system or information owner should verify that each user's access is still justified by their current role, and that nothing carried over from a previous role. Document results and fix issues promptly. If you can automate this with an identity governance tool, do it - manual reviews at scale are painful and error-prone.
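The following is an added example (not code from the original page or from AuditFront) showing the mechanical core of an automated access review: compare what each account actually holds against what its assigned roles justify in the role-access matrix, under a default-deny rule. The role names, user names, systems and permissions are all constructed for illustration; in practice the two inputs would be exports from your HR/IGA system and from the target systems.

```python
"""Access review against a role-access matrix (added, constructed example).

Every entitlement a user holds must be derivable from a role in the matrix;
anything else is excess (default deny). Privileged excess is called out
separately so it can be revoked first. All names below are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

Entitlement = Tuple[str, str]  # (system, permission)

# Constructed role-access matrix: each role maps to the entitlements it needs.
ROLE_MATRIX: Dict[str, Set[Entitlement]] = {
    "accounts-payable": {("erp", "invoice.read"), ("erp", "invoice.approve")},
    "finance-analyst": {("erp", "invoice.read"), ("warehouse", "report.read")},
    "helpdesk": {("ad", "password.reset"), ("itsm", "ticket.write")},
    "dba": {("db-prod", "admin")},
}

# Constructed set of entitlements that are in scope for PAM / enhanced controls.
PRIVILEGED: Set[Entitlement] = {("db-prod", "admin"), ("ad", "password.reset")}

# Constructed HR/IGA view: which roles each person currently holds.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"accounts-payable"},
    "bob": {"finance-analyst"},   # moved from helpdesk to finance last quarter
    "carol": {"dba"},
    "dave": set(),                # leaver: no active roles
    "frank": {"contractor"},      # role that was never defined in the matrix
}

# Constructed export of what the systems actually grant today.
ACTUAL_GRANTS: Dict[str, Set[Entitlement]] = {
    "alice": {("erp", "invoice.read"), ("erp", "invoice.approve")},
    "bob": {("erp", "invoice.read"), ("ad", "password.reset"),
            ("itsm", "ticket.write")},                          # helpdesk access never removed
    "carol": {("db-prod", "admin"), ("erp", "invoice.approve")},  # profile copied from alice
    "dave": {("itsm", "ticket.write")},                         # leaver still has access
    "eve": {("erp", "invoice.read")},                           # account with no roles on record
    "frank": {("itsm", "ticket.write")},
}


def entitlements_for(roles: Iterable[str],
                     matrix: Dict[str, Set[Entitlement]]) -> Tuple[Set[Entitlement], Set[str]]:
    """Return the entitlements the given roles justify, plus roles absent from the matrix."""
    expected: Set[Entitlement] = set()
    unknown: Set[str] = set()
    for role in roles:
        if role in matrix:
            expected |= matrix[role]
        else:
            unknown.add(role)
    return expected, unknown


def review_access(user_roles: Dict[str, Set[str]],
                  actual_grants: Dict[str, Set[Entitlement]],
                  matrix: Dict[str, Set[Entitlement]],
                  privileged: Set[Entitlement]) -> Dict[str, Dict[str, set]]:
    """Per-user findings; users whose access exactly matches their roles are omitted."""
    findings: Dict[str, Dict[str, set]] = {}
    # Iterate over the union so accounts unknown to HR (no roles) are still reviewed.
    for user in sorted(set(user_roles) | set(actual_grants)):
        roles = user_roles.get(user, set())      # no roles on record -> nothing is justified
        actual = actual_grants.get(user, set())
        expected, unknown = entitlements_for(roles, matrix)
        excess = actual - expected               # held but not justified by any role
        missing = expected - actual              # role says they need it, system disagrees
        if excess or missing or unknown:
            findings[user] = {
                "excess": excess,
                "missing": missing,
                "unknown_roles": unknown,
                "privileged_excess": excess & privileged,
            }
    return findings


def revocation_plan(findings: Dict[str, Dict[str, set]]) -> List[Tuple[str, str, str]]:
    """Flat (user, system, permission) list of excess access to revoke, privileged first."""
    rows = []
    for user, f in findings.items():
        for system, permission in f["excess"]:
            is_privileged = (system, permission) in f["privileged_excess"]
            rows.append((not is_privileged, user, system, permission))
    rows.sort()  # False (privileged) sorts before True, then by user/system/permission
    return [(user, system, permission) for _, user, system, permission in rows]


if __name__ == "__main__":
    result = review_access(USER_ROLES, ACTUAL_GRANTS, ROLE_MATRIX, PRIVILEGED)
    for user, f in result.items():
        print(user, f)
    for row in revocation_plan(result):
        print("revoke:", row)
```

The output is the evidence an auditor asks for under this control: a dated list of excess entitlements with the owner's decision against each one. Note the two cases that naive reviews miss: an account with no roles on record at all (eve) is flagged because default deny means nothing is justified, and a role nobody defined (frank's "contractor") is reported rather than silently treated as granting nothing.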
Evidence Your Auditor Will Request
- Documented access control policy covering physical and logical access
- Role-based access control matrix mapping roles to access rights
- Access request and approval records showing proper authorization workflows
- Access review records showing periodic verification of user access rights
- Privileged access management controls and monitoring records
Common Mistakes
- No formal access control policy or the policy does not reflect actual practice
- Access is granted based on copying another user's profile rather than defined roles
- Access reviews are not conducted regularly or findings are not remediated
- Excessive access rights accumulate as users change roles without old access being removed
- Privileged accounts are not subject to enhanced controls or monitoring
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.1 | Equivalent |
| SOC 2 | CC6.2 | Related |
| SOC 2 | CC6.3 | Related |
| GDPR | Art.32 | Related |
| NIS2 | Art.21(2)(i) | Related |
Frequently Asked Questions
What is the difference between role-based and attribute-based access control?
How often should access reviews be conducted?
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.