AuditFront

NIS2 Art.21.2i: Human Resources Security and Access Control Policies

What This Control Requires

The measures referred to in paragraph 1 shall include at least the following: (i) human resources security, access control policies and asset management.

In Plain Language

People join, change roles, and leave - and every transition is a moment where access rights can go wrong. This control ties together three interconnected domains: HR security, access control, and asset management, all aimed at ensuring the right people have the right access to the right assets.

HR security spans the full employment lifecycle. Before someone starts, you screen them appropriately. While they are with you, they understand their security responsibilities and follow your policies. When they leave, access is revoked immediately and assets are recovered. Insider threats remain one of the most significant cybersecurity risks, and solid HR security processes are your primary defence.

Access control must follow the principle of least privilege - users get only the permissions they need to do their job, nothing more. This covers identity management, authentication (including MFA), authorisation frameworks, and regular access reviews.

Asset management underpins everything else: you cannot protect what you do not know you have.

How to Implement

Build an HR security programme that covers the full employment lifecycle. Before employment: define screening requirements proportionate to each role's sensitivity and include cybersecurity responsibilities in contracts. During employment: deliver security awareness training, enforce acceptable use policies, and review access whenever someone changes role. After employment: revoke access immediately, recover all assets, and handle knowledge transfer.

Implement an access control framework grounded in least privilege. Your IAM policy should cover user registration and deregistration, role-based access control (RBAC) with clearly defined roles and permissions, MFA for all remote access and privileged accounts, privileged access management (PAM) with enhanced controls for admin accounts, and password policies aligned with current best practice. Run regular access reviews - quarterly for privileged accounts, semi-annually for standard accounts at a minimum. Each review should verify that access rights match the user's current role and strip out anything unnecessary.

Maintain a comprehensive asset inventory covering hardware, software, data assets, cloud resources, and intellectual property. Every asset needs a designated owner, a classification level, and handling requirements that match its classification. Track assets from acquisition through to disposal.

Enforce access policies with technical controls: directory services, identity providers with SSO, privileged access management tools, and data loss prevention where appropriate. Define procedures for emergency and temporary access with additional approval requirements, time-limited grants, and enhanced monitoring. Log all access changes so they are fully auditable.
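The access review described above can be run as a data check rather than a manual walkthrough. The following is an added example (not AuditFront's code) that joins three constructed records, the HR roster, the RBAC role model and a provisioning export, and flags leavers still holding access, rights accumulated from a previous role, privileged holders without MFA, and reviews past the quarterly or semi-annual cadence; all names and dates are made up.

```python
from datetime import date

# Constructed role model: the entitlements each role is allowed to hold (RBAC).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "erp:report"},
    "sysadmin": {"erp:admin", "ad:domain-admin", "vpn"},
}
PRIVILEGED = {"erp:admin", "ad:domain-admin"}

# Constructed HR roster: user -> (current role, still employed?)
HR = {
    "alice": ("finance-analyst", True),
    "bob": ("finance-analyst", True),   # moved here from sysadmin last quarter
    "carol": ("sysadmin", True),
    "dave": ("sysadmin", False),        # left the organisation
}

# Constructed provisioning export: user -> (entitlements, MFA enabled, last review)
ACCESS = {
    "alice": ({"erp:read", "erp:report"}, True, date(2024, 3, 1)),
    "bob": ({"erp:read", "erp:report", "ad:domain-admin"}, True, date(2024, 3, 1)),
    "carol": ({"erp:admin", "vpn"}, False, date(2023, 12, 1)),
    "dave": ({"ad:domain-admin", "vpn"}, True, date(2024, 3, 1)),
}

def review(hr, access, today, priv_days=90, std_days=180):
    """Return sorted (user, finding) pairs for one access review run."""
    findings = []
    for user, (entitlements, mfa, last_review) in access.items():
        role, employed = hr.get(user, (None, False))
        if not employed:  # offboarding gap: a leaver is still provisioned
            findings.append((user, "orphaned-account"))
            continue
        excess = entitlements - ROLE_ENTITLEMENTS.get(role, set())
        if excess:  # rights accumulated from a previous role
            findings.append((user, "excess:" + ",".join(sorted(excess))))
        privileged = bool(entitlements & PRIVILEGED)
        if privileged and not mfa:
            findings.append((user, "privileged-without-mfa"))
        # Quarterly cadence for privileged holders, semi-annual for the rest.
        if (today - last_review).days > (priv_days if privileged else std_days):
            findings.append((user, "review-overdue"))
    return sorted(findings)

def example_findings():
    return review(HR, ACCESS, date(2024, 6, 1))

if __name__ == "__main__":
    for user, finding in example_findings():
        print(f"{user}: {finding}")
```

Each finding maps to a remediation the review record should show: deprovision, strip the excess entitlement, enforce MFA, or complete the overdue review.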

Evidence Your Auditor Will Request

  • HR security procedures covering pre-employment, during employment, and termination
  • Access control policy defining least privilege principles and authentication requirements
  • Records of regular access reviews and remediation of findings
  • Asset inventory with classifications and designated owners
  • Evidence of MFA implementation for remote and privileged access

Common Mistakes

  • Access rights accumulate over time without review; users retain permissions from previous roles
  • Offboarding process does not ensure timely access revocation across all systems
  • Asset inventory is incomplete or outdated, missing cloud resources and shadow IT
  • Privileged accounts lack enhanced controls such as MFA and session monitoring
  • Background screening is not performed for roles with access to critical systems

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.15        Related
ISO 27001    A.6.1         Related
ISO 27001    A.5.9         Related
SOC 2        CC6.1         Related

Frequently Asked Questions

How often should access reviews be conducted?
Quarterly for privileged and administrative accounts, semi-annually for standard user accounts, and immediately whenever someone changes role or leaves the organisation. Systems handling regulated data or classified as high-risk may need more frequent reviews.
What level of background screening is expected?
It depends on the role. At a minimum, verify identity and qualifications for everyone. For roles with access to critical systems or sensitive data, you should consider criminal background checks and reference verification, subject to local employment law. The key principle is proportionality - the screening depth should match the sensitivity of what the person will have access to.
