ISO 27001: 2022 A.8.3 Information access restriction

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.8.3 Information access restriction.

ISO 27001: 2022 Control Description

Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

Purpose

To ensure that only authorised individuals have access and to prevent unauthorised access to information and associated assets.

Guidance on implementation

Access to information and associated assets should be restricted based on the organisation’s access control policies. Consider the following to support access restriction:

  1. Preventing Unauthorised Access: do not allow access to sensitive information by unknown or anonymous users. Public or anonymous access should only be permitted for storage locations that do not contain sensitive information.
  2. Configuration Control: implement mechanisms to manage access to information within systems, applications, and services.
  3. Data Access Control: control which data can be accessed by specific users.
  4. Identity Management: manage which identities or groups have access to different functions (e.g., read, write, delete, execute).
  5. Isolation of Sensitive Information: provide physical or logical access controls to isolate sensitive applications, data, or systems.

Dynamic Access Management

For sensitive information that is highly valuable to the organisation, consider implementing dynamic access management techniques:

  1. Granular Control: control who can access the information, when, and how.
  2. External Sharing: maintain control over who can access sensitive information shared outside the organisation.
  3. Real-time Management: dynamically manage the use and distribution of information in real time.
  4. Protection Against Unauthorised Actions: prevent unauthorised changes, copying, or distribution of sensitive information.
  5. Monitoring Usage: monitor how the information is used and who accesses it.
  6. Tracking Changes: record any changes to the information for potential future investigation.

Implementation of Dynamic Access Management

Dynamic access management should protect information throughout its entire life cycle—creation, processing, storage, transmission, and disposal. Key steps include:

  1. Rule Establishment: define rules for managing dynamic access based on specific scenarios. This includes setting permissions based on identity, device, location, or application and using classification schemes to determine the protection level required.
  2. Operational Support: establish processes for operation, monitoring, and reporting, and ensure the technical infrastructure supports these needs.

Security Measures in Dynamic Access Management

Dynamic access management systems should enhance security by:

  1. Authentication: require authentication, credentials, or certificates to access information.
  2. Time-Based Access: restrict access to certain time frames (e.g., after a specific date or until a set date).
  3. Encryption: use encryption to protect information.
  4. Printing Permissions: define permissions for printing sensitive information.
  5. Activity Logging: record who accesses the information and how it is used.
  6. Alerting: raise alerts if attempts to misuse the information are detected.
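The "Rule Establishment" step and the security measures listed above describe a conditional decision: a request is granted only if identity, device, location, classification level and time window all satisfy a rule, and every attempt is logged, with alerts on suspected misuse. The following is an added Python illustration of that evaluation, not code from the ISO text or this page; the classification scheme, the finance-group rule, the group and location names and the "confidential or higher" alert threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed classification scheme: a higher value means more sensitive.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass
class Rule:                 # one scenario-specific rule and the actions it unlocks
    max_label: str          # highest classification this rule may unlock
    groups: set             # identity: membership in any listed group qualifies
    actions: set            # e.g. {"read"} or {"read", "print"}
    managed_device: bool    # device condition
    locations: set          # location condition
    not_before: str         # time-based access window, ISO 8601 timestamps
    not_after: str
@dataclass
class Request:
    user: str
    groups: set
    action: str
    device_managed: bool
    location: str
    label: str              # classification of the requested asset
    at: str                 # ISO 8601 timestamp of the attempt

audit_log, alerts = [], []  # activity logging of every decision; alerts for suspected misuse
def evaluate(rules, req):
    """Evaluate one request against the rule set and return (allowed, reason)."""
    allowed, reason = False, "no rule grants this access"
    when = datetime.fromisoformat(req.at)
    for r in rules:
        if (CLASSIFICATION[req.label] > CLASSIFICATION[r.max_label]
                or not (req.groups & r.groups) or req.action not in r.actions):
            continue  # rule does not cover this asset, identity or action
        if r.managed_device and not req.device_managed:
            reason = "unmanaged device"; continue
        if req.location not in r.locations:
            reason = "location not permitted"; continue
        if not (datetime.fromisoformat(r.not_before) <= when <= datetime.fromisoformat(r.not_after)):
            reason = "outside access window"; continue
        allowed, reason = True, "granted"
        break
    audit_log.append((req.at, req.user, req.action, req.label, allowed, reason))
    # A refused attempt to change, copy or distribute confidential-or-higher data counts as possible misuse.
    if not allowed and CLASSIFICATION[req.label] >= 2 and req.action in {"write", "print", "copy"}:
        alerts.append(f"{req.user}: denied {req.action} on {req.label} asset ({reason})")
    return allowed, reason
# Constructed sample rule: finance staff may read and print confidential data on site, from a managed device, during 2024.
RULES = [Rule("confidential", {"finance"}, {"read", "print"}, True, {"office", "vpn"},
              "2024-01-01T00:00:00", "2024-12-31T23:59:59")]
```

Because each denial records a reason and the audit trail keeps every decision, the same log supports the "monitoring usage" and "tracking changes" points above, and permissions can be revoked simply by narrowing or removing a rule.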

Other Information

Dynamic access management techniques can protect information even when it is shared outside the originating organisation, where traditional access controls may not be effective. These techniques can be applied to documents, emails, and other files to control who can access the content and how. Dynamic access management is not a replacement for traditional access management (e.g., access control lists) but enhances it with additional security factors, real-time evaluations, and conditional access.

This approach allows for flexible control of information access, especially beyond the organisation’s environment, and supports incident response by enabling the modification or revocation of permissions as needed.