
ISO 27001:2022 A.5.15 Access control

This article provides additional information on how you can meet the requirements of ISO 27001:2022 Annex A control A.5.15 Access control.

ISO 27001:2022 Control Description

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

Purpose

Owners of information and other associated assets should determine the information security and business requirements related to access control. A topic-specific policy on access control should be defined, taking these requirements into account, and should be communicated to all relevant interested parties.

Guidance on implementation

These requirements and the topic-specific policy should consider the following:

a) Determining which entities require which type of access to the information and other associated assets;

b) Security of applications;

c) Physical access, which needs to be supported by appropriate physical entry controls;

d) Information dissemination and authorisation (e.g. the need-to-know principle) and information security levels, including the classification of information;

e) Restrictions on privileged access;

f) Segregation of duties;

g) Relevant legislation, regulations, and any contractual obligations regarding the limitation of access to data or services;

h) Segregation of access control functions (e.g. access request, access authorisation, access administration);

i) Formal authorisation of access requests;

j) The management of access rights;

k) Logging.

Access control rules should be implemented by defining and mapping appropriate access rights and restrictions to the relevant entities (see A.5.16). An entity can represent a human user as well as a technical or logical item (e.g. a machine, device, or service). To simplify access control management, specific roles can be assigned to entity groups.

The following should be considered when defining and implementing access control rules:

a) Consistency between the access rights and information classification;

b) Consistency between the access rights and the physical perimeter security needs and requirements;

c) Considering all types of connection available in distributed environments, so that entities are only given access to the information and other associated assets (including networks and network services) that they are authorised to use;

d) Considering how the elements or factors relevant to dynamic access control (e.g. the location of the entity or the type of connection it uses) are to be reflected in the rules.

Other Information

There are often overarching principles used in the context of access control. Two of the most frequently used principles are:

a) Need-to-know: An entity is only granted access to the information that it requires in order to perform its tasks (different tasks or roles mean different need-to-know information and hence different access profiles);

b) Need-to-use: An entity is only assigned access to information technology infrastructure where a clear need is present.

Care should be taken when specifying access control rules to consider:

a) Establishing rules based on the premise of least privilege, “Everything is generally forbidden unless expressly permitted,” rather than the weaker rule, “Everything is generally permitted unless expressly forbidden”;

b) Changes in information labels that are initiated automatically by information processing facilities and those initiated at the discretion of a user;

c) Changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;

d) When access approvals are to be defined, and how regularly they are to be reviewed.

Access control rules should be supported by documented procedures and defined responsibilities.

There are several ways to implement access control, such as MAC (mandatory access control), DAC (discretionary access control), RBAC (role-based access control), and ABAC (attribute-based access control).

Access control rules can also contain dynamic elements (e.g. a function that evaluates past accesses or specific environment values). Access control rules can be implemented at varying granularity, ranging from entire networks or systems down to specific data fields, and can also consider properties such as the user's location or the type of network connection used for access. The principles chosen and the granularity at which access control is defined can have a significant cost impact: stronger rules and more granular controls usually increase the complexity and cost of access management.
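The following is an added worked example, not text or code from ISO 27001/27002 or from this article's author. It shows, in one small policy evaluator, several of the points above: the default-deny premise from the "Other Information" section ("everything is forbidden unless expressly permitted"), roles mapped to entity groups (RBAC), consistency between access rights and information classification, a dynamic attribute (the type of network connection used, i.e. an ABAC condition), a segregation-of-duties check, and logging of every decision. All entities, assets, roles, rules and classification levels are constructed sample data, and a deliberately weak default-allow evaluator is included beside the default-deny one to show why the standard calls the latter premise "weaker".

```python
"""Default-deny access control evaluator (added illustrative example).

Constructed sample data throughout: the entities, assets, roles, rules and
classification ordering are invented for this demonstration.
"""
from dataclasses import dataclass

# Consistency between access rights and information classification (higher
# number = more sensitive). An entity needs clearance >= asset classification.
CLASSIFICATION_ORDER = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Role pairs that one entity must never hold together (segregation of duties).
SOD_CONFLICTS = {frozenset({"payment-requester", "payment-approver"})}


@dataclass(frozen=True)
class Entity:
    """A human user or a technical entity (service, device) requesting access."""
    name: str
    roles: frozenset
    clearance: str
    connection: str  # dynamic attribute: "corporate", "vpn" or "internet"


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str


@dataclass(frozen=True)
class Rule:
    """An express permission: role may perform actions on asset from given connection types."""
    role: str
    asset: str
    actions: frozenset
    allowed_connections: frozenset


class AccessEvaluator:
    """Everything is forbidden unless a rule expressly permits it."""

    def __init__(self, rules, assets):
        self.rules = rules
        self.assets = {a.name: a for a in assets}
        self.log = []  # every decision is recorded (guidance item k: logging)

    def sod_violations(self, entity):
        return [c for c in SOD_CONFLICTS if c <= entity.roles]

    def decide(self, entity, asset_name, action):
        allowed, reason = False, "no matching rule (default deny)"
        asset = self.assets.get(asset_name)
        if asset is None:
            reason = "unknown asset"
        elif self.sod_violations(entity):
            reason = "segregation-of-duties conflict"
        elif CLASSIFICATION_ORDER[entity.clearance] < CLASSIFICATION_ORDER[asset.classification]:
            reason = "clearance below asset classification"
        else:
            for rule in self.rules:
                if rule.role in entity.roles and rule.asset == asset_name and action in rule.actions:
                    if entity.connection in rule.allowed_connections:
                        allowed, reason = True, f"permitted by rule for role {rule.role}"
                        break
                    reason = f"connection {entity.connection!r} not permitted for role {rule.role}"
        self.log.append((entity.name, asset_name, action, entity.connection, allowed, reason))
        return allowed, reason


def weak_decide(deny_rules, entity, asset_name, action):
    """The weaker premise: permitted unless expressly forbidden. Anything the
    deny list does not name (a new asset, a typo, a new action) slips through."""
    for role, asset, actions in deny_rules:
        if role in entity.roles and asset == asset_name and action in actions:
            return False
    return True


# Constructed sample data.
ASSETS = [Asset("hr-records", "confidential"), Asset("payroll-ledger", "restricted"),
          Asset("intranet-wiki", "internal")]
RULES = [
    Rule("hr-staff", "hr-records", frozenset({"read"}), frozenset({"corporate", "vpn"})),
    Rule("payment-approver", "payroll-ledger", frozenset({"read", "approve"}), frozenset({"corporate"})),
    Rule("employee", "intranet-wiki", frozenset({"read"}), frozenset({"corporate", "vpn", "internet"})),
]
ALICE = Entity("alice", frozenset({"employee", "hr-staff"}), "confidential", "vpn")
BOB = Entity("bob", frozenset({"employee", "payment-approver"}), "restricted", "internet")
CAROL = Entity("carol", frozenset({"employee", "payment-requester", "payment-approver"}), "restricted", "corporate")
CI_RUNNER = Entity("ci-runner", frozenset({"build-service"}), "internal", "corporate")  # non-human entity


def demo():
    """Run a set of requests through both evaluators; returns decisions and the log."""
    ev = AccessEvaluator(RULES, ASSETS)
    results = {
        "alice_read_hr": ev.decide(ALICE, "hr-records", "read"),          # allowed
        "alice_write_hr": ev.decide(ALICE, "hr-records", "write"),        # denied: no rule
        "bob_approve_internet": ev.decide(BOB, "payroll-ledger", "approve"),  # denied: connection
        "carol_read_payroll": ev.decide(CAROL, "payroll-ledger", "read"), # denied: SoD
        "ci_read_wiki": ev.decide(CI_RUNNER, "intranet-wiki", "read"),    # denied: no rule for role
        "ci_read_typo": ev.decide(CI_RUNNER, "hr-recordz", "read"),       # denied: unknown asset
    }
    # Same typo'd asset under the weak premise: nothing forbids it, so it is allowed.
    deny_list = [("build-service", "hr-records", {"read"})]
    results["weak_ci_read_typo"] = weak_decide(deny_list, CI_RUNNER, "hr-recordz", "read")
    return results, ev.log


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log:
        print(entry)
    print("weak evaluator on typo'd asset:", decisions["weak_ci_read_typo"])
```

Note how the order of checks matters: an asset that is not in the inventory, or an entity whose role set breaks segregation of duties, is refused before any permission rule is consulted, and a request that matches a rule is still refused when the dynamic attribute (here the connection type) is not one the rule permits. The deny-list evaluator at the end makes the cost of the weaker premise concrete: a single mistyped asset name yields access because nothing expressly forbade it.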