Why Access Control Is Central to ISO 27001
Access control determines who can access what information and systems, under what conditions. It is arguably the most operationally impactful area of your ISMS because it touches every user, every system, and every piece of data in your organization.
ISO 27001:2022 dedicates numerous Annex A controls to access management:
- A.5.15 - Access Control
- A.5.16 - Identity Management
- A.5.17 - Authentication Information
- A.5.18 - Access Rights
- A.8.2 - Privileged Access Rights
- A.8.3 - Information Access Restriction
- A.8.5 - Secure Authentication
Auditors pay particular attention to access control because failures here directly enable data breaches, privilege escalation, and unauthorized data modification.
Access Control Policy Structure
1. Access Control Principles
Your policy should establish core principles:
Least Privilege: Users receive only the minimum access rights necessary to perform their job functions. No more, no less.
Need-to-Know: Access to information is granted only when there is a demonstrated business need.
Separation of Duties: Critical functions are divided among different people to prevent fraud and error. No single person should be able to initiate, approve, and execute a sensitive transaction.
Default Deny: Access is denied by default. All access must be explicitly granted through the defined provisioning process.
2. User Access Management
Access Provisioning
Document the process for granting access:
- Manager submits access request specifying role and required systems
- System owner approves based on business justification
- IT provisions access according to the role-based access matrix
- User receives credentials through secure channel
- Access is logged in the access management system
Access Modification
When users change roles:
- Manager submits modification request
- Previous access rights are reviewed - unnecessary access is removed
- New access rights are provisioned per the new role
- Changes are logged and auditable
Access Revocation
When users leave the organization or no longer need access:
- HR notifies IT immediately upon termination decision
- Access is disabled within 4 hours of last working day (or immediately for involuntary termination)
- All credentials are revoked, including VPN, email, cloud services
- Shared credentials are rotated
- Physical access (badges, keys) is collected
3. Authentication Requirements
| System Category | Minimum Authentication | MFA Required? | Password Policy |
|---|---|---|---|
| Critical systems (production, financial) | Username + password + MFA | Yes | 14+ characters, complexity, 90-day rotation |
| Business systems (email, CRM, ERP) | Username + password + MFA | Yes | 12+ characters, complexity |
| Internal tools (wiki, project management) | Username + password | Recommended | 10+ characters |
| External-facing services | Username + password + MFA | Yes | 14+ characters, complexity |
Password Requirements
- Minimum length: 12 characters (14 for privileged accounts)
- Complexity: combination of uppercase, lowercase, numbers, and special characters
- No reuse of previous 12 passwords
- Account lockout after 5 failed attempts
- Automatic session timeout after 15 minutes of inactivity
4. Privileged Access Management
Privileged accounts (administrators, root, service accounts) require additional controls:
- Separate accounts: Administrators must use separate privileged accounts for administrative tasks (not their daily user account)
- Just-in-time access: Where possible, provide privileged access only when needed and automatically revoke it after use
- Logging: All privileged actions must be logged and regularly reviewed
- Break-glass procedures: Document emergency access procedures for when normal channels are unavailable
- Regular review: Privileged access is reviewed quarterly by system owners
5. Access Reviews
Regular access reviews are essential for maintaining the principle of least privilege over time:
| Review Type | Frequency | Scope | Reviewer |
|---|---|---|---|
| User access review | Quarterly | All user accounts and their access rights | System owners |
| Privileged access review | Monthly | All administrative and service accounts | Security team |
| Dormant account review | Monthly | Accounts with no login for 30+ days | IT operations |
| Service account review | Quarterly | All non-human accounts | Application owners |
Document review results, including any access that was modified or revoked, and maintain records for audit evidence.
6. Remote Access
With hybrid and remote work, your policy must cover:
- VPN requirements for accessing internal resources
- Approved remote access tools (no shadow IT)
- Device requirements for remote access (company-managed or BYOD with MDM)
- Network segmentation for remote connections
- Geographic restrictions if applicable
7. Third-Party Access
Vendor and partner access requires additional scrutiny:
- Business justification for all third-party access
- Time-limited access with defined expiry dates
- Monitoring and logging of all third-party sessions
- NDA and security requirements in contracts
- Separate accounts (never share employee credentials)
- Access review when contracts end
Implementation Checklist
Use this checklist to verify your access control implementation:
- Access control policy approved by management
- Role-based access matrix defined for all systems
- Provisioning and deprovisioning procedures documented
- MFA implemented for all critical and external-facing systems
- Password policy enforced technically (not just documented)
- Privileged access management procedures in place
- Quarterly access reviews scheduled and assigned
- Remote access policy defined and communicated
- Third-party access procedures documented
- Access logs retained for audit requirements
Get a Professional Template
Writing an access control policy from scratch takes significant effort. The ISO 27001 Document Pack includes a complete Access Control Policy template covering all Annex A requirements, plus supporting templates for user access request forms, access review checklists, and privileged access procedures.
All templates are in editable Word format with no watermarks.
Found this article helpful?
Share it with your colleagues.
