Implementing ISO 27001 Annex A 5.15 is the systematic enforcement of Access Control policies to restrict information availability based on business requirements. This control mandates the architecture of a Role-Based Access Control (RBAC) model, “Default Deny” network rules, and automated identity management to prevent unauthorised data exposure and ensure information integrity.
ISO 27001 Annex A Access Control Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.15 by establishing and technically enforcing rules that restrict access to information assets. Compliance requires a granular, “Default Deny” architecture configured within your Identity Provider and network infrastructure, not merely a high-level policy document saved in a GRC dashboard.
1. Define and Ratify the Topic-Specific Access Policy
Control Requirement: Rules to control access to information and other associated assets must be established, documented, and implemented.
Required Implementation Step: Draft a “Topic-Specific Policy on Access Control” that explicitly defines your organisation’s stance on “Need to Know” and “Least Privilege”. Have this document formally signed off by the Board or a C-Level executive to give IT the authority to deny access requests from senior managers.
Minimum Requirement: A signed mandate that authorises IT to block access to any user lacking a specific business requirement.
2. Construct a Role-Based Access Control (RBAC) Matrix
Control Requirement: Access rights must be assigned based on business roles, not individual preferences.
Required Implementation Step: Open Excel or a database tool. Map every Job Title (from HR) to specific Active Directory Security Groups (e.g., “Junior Accountant” -> “SG-Finance-Read”, “SG-Invoicing-Write”). Ensure that when a user moves roles, their old permissions are stripped before new ones are added.
Minimum Requirement: Permissions are assigned to Groups, never directly to user accounts.
3. Enforce “Default Deny” at the Network Layer
Control Requirement: Access must be restricted by default.
Required Implementation Step: Configure your firewall rules and file server Access Control Lists (ACLs) to block all traffic/access implicitly. Only create “Allow” rules for specific, authorised services. Verify that a new user with no group memberships cannot open *any* departmental folder on the file share.
Minimum Requirement: A user’s “Empty” profile grants access to absolutely zero sensitive data.
4. Establish Formal Access Provisioning Workflows
Control Requirement: Access requests must be formally authorised by the asset owner.
Required Implementation Step: Configure your ITSM (Jira/ServiceNow) to enforce a mandatory approval workflow. When a user requests access to “HR Data”, the ticket must automatically route to the “Head of HR” (the Data Owner) for approval. IT Support must be strictly forbidden from granting access without this documented digital approval.
Minimum Requirement: No ticket approval = No access granted, regardless of urgency.
5. Implement Dynamic Conditional Access
Control Requirement: Access rules should consider the context of the access attempt.
Required Implementation Step: Configure Azure AD (Entra ID) or Okta Conditional Access policies. Create rules that evaluate the user’s location, device health, and risk score. For example, block access to “Confidential” SharePoint sites if the user is logging in from a personal device or from a country they have never signed in from before.
Minimum Requirement: Access is blocked if the device is not managed by the corporate MDM.
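The two layers described in steps 3 and 5 can be expressed as a single decision function: an explicit allow list with no implicit grants, evaluated only after the sign-in context has passed. The following is an added example, not code from the checklist's author or from any IdP product; the share paths, group names, classification labels and sample contexts are all constructed, and an unknown resource is treated as Confidential so the function fails closed.

```python
# Added example: an access-decision function combining the "Default Deny" ACL model
# of step 3 with the context checks of step 5. All names below are constructed.

from dataclasses import dataclass

# Explicit allow rules only, keyed by (resource, security group). Anything that is
# not listed here is denied, which is what "Default Deny" means in practice.
ALLOW_RULES = {
    (r"\\fs01\Finance", "SG-Finance-Read"),
    (r"\\fs01\Finance", "SG-Finance-Write"),
    (r"\\fs01\HR", "SG-HR-Read"),
    (r"\\fs01\Public", "SG-All-Staff"),
}

# Classification decides how strict the context checks are (constructed labels).
CLASSIFICATION = {
    r"\\fs01\Finance": "Confidential",
    r"\\fs01\HR": "Confidential",
    r"\\fs01\Public": "Internal",
}


@dataclass
class Context:
    user: str
    groups: set               # security groups the account currently holds
    device_managed: bool      # enrolled in the corporate MDM
    country: str              # country of this sign-in
    known_countries: set      # countries this user has signed in from before
    risk: str = "low"         # "low", "medium" or "high" from the IdP risk engine


def reachable_resources(groups):
    """Every resource that some allow rule grants to one of the given groups."""
    return {res for (res, grp) in ALLOW_RULES if grp in groups}


def acl_allows(resource, groups):
    """Default deny: grant only when an explicit allow rule matches a held group."""
    return any((resource, grp) in ALLOW_RULES for grp in groups)


def decide(ctx, resource):
    """Return (allowed, reason). Context is evaluated first, then the ACL.
    Unknown resources are treated as Confidential (fail closed)."""
    if ctx.risk == "high":
        return False, "high sign-in risk"
    if CLASSIFICATION.get(resource, "Confidential") == "Confidential":
        if not ctx.device_managed:
            return False, "unmanaged device"
        if ctx.country not in ctx.known_countries:
            return False, "sign-in from an unfamiliar country"
    if not acl_allows(resource, ctx.groups):
        return False, "no matching allow rule (default deny)"
    return True, "allowed"


if __name__ == "__main__":
    new_hire = Context("new.hire", set(), True, "GB", {"GB"})
    print("new hire can reach:", reachable_resources(new_hire.groups))   # empty set
    print(decide(new_hire, r"\\fs01\Finance"))
```

The step 3 verification ("a new user with no group memberships cannot open any departmental folder") is `reachable_resources(set())` returning an empty set; the step 5 case is `decide` refusing a Confidential share for an unmanaged device even when the group membership would otherwise allow it.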
6. Define Segregation of Duties (SoD) Rules
Control Requirement: Conflicting duties and areas of responsibility must be segregated to reduce opportunities for fraud.
Required Implementation Step: Identify toxic combinations of access (e.g., the ability to “Create Vendor” and “Approve Payment”). Configure your ERP (SAP/Oracle/NetSuite) to technically prevent a single user ID from holding both permission sets simultaneously.
Minimum Requirement: Technical controls prevent the same user from initiating and approving a financial transaction.
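The SoD rule in step 6 has two halves: a detective check over an export of existing role assignments, and a preventive check that a provisioning workflow runs before it grants a role. Both are shown below as an added example, not code from the checklist's author or from any ERP vendor; the role names, permission names, toxic pairs and users are constructed (the “Create Vendor” / “Approve Payment” pair is the one the checklist itself cites).

```python
# Added example: detecting "toxic combinations" in an ERP role export and refusing a
# grant that would create one. Roles, permissions and users are constructed.

# Pairs of permissions that must never sit on the same user ID (constructed list).
TOXIC_PAIRS = {
    frozenset({"Create Vendor", "Approve Payment"}),
    frozenset({"Enter Invoice", "Approve Payment"}),
    frozenset({"Create Journal", "Post Journal"}),
}

# Role -> permissions: the ERP side of the RBAC matrix (constructed).
ROLE_PERMISSIONS = {
    "AP-Clerk": {"Create Vendor", "Enter Invoice"},
    "AP-Approver": {"Approve Payment"},
    "GL-Accountant": {"Create Journal"},
    "GL-Controller": {"Post Journal"},
}


def effective_permissions(roles):
    """Flatten a user's roles into the set of permissions they can exercise."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def conflicts_in(perms):
    """All toxic pairs fully contained in a permission set, sorted for stable output."""
    found = [pair for pair in TOXIC_PAIRS if pair <= perms]
    return sorted(tuple(sorted(pair)) for pair in found)


def find_sod_violations(user_roles):
    """Detective control over an export. user_roles: {user: set of roles}.
    Returns {user: [conflicting pairs]} containing only users with a conflict."""
    report = {}
    for user, roles in user_roles.items():
        conflicts = conflicts_in(effective_permissions(roles))
        if conflicts:
            report[user] = conflicts
    return report


def can_grant_role(current_roles, new_role):
    """Preventive control for the provisioning workflow: (False, pairs) if adding
    new_role would create a toxic combination, otherwise (True, [])."""
    would_have = effective_permissions(set(current_roles) | {new_role})
    conflicts = conflicts_in(would_have)
    return (len(conflicts) == 0, conflicts)


if __name__ == "__main__":
    export = {"alice": {"AP-Clerk"}, "carol": {"AP-Clerk", "AP-Approver"}}
    print(find_sod_violations(export))          # only carol is reported
    print(can_grant_role({"AP-Clerk"}, "AP-Approver"))  # (False, [...])
```

Running `find_sod_violations` over a full role export is the evidence an auditor will ask for; wiring `can_grant_role` into the approval workflow from step 4 is what stops the conflict being created in the first place.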
7. Automate the “Mover” and “Leaver” Process
Control Requirement: Access rights must be removed upon termination or change of employment.
Required Implementation Step: Integrate your HR Information System (HRIS) with your Identity Provider. Configure the integration so that when a “Termination Date” is reached in HR, the user’s account is automatically disabled, sessions are revoked, and tokens are invalidated within 60 seconds.
Minimum Requirement: Access revocation is instantaneous and automated, not dependent on an email to the Helpdesk.
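Steps 2 and 7 are the same reconciliation loop seen from two sides: HR is the source of truth for job title and termination date, the directory is the state to be corrected, and the output is an ordered list of actions. The following is an added example, not code from the checklist's author or from any HRIS or IdP vendor; the role matrix, HR records and directory state are constructed, and in a real integration each returned action would be a call to the Identity Provider's API. It enforces the ordering the checklist asks for: removals are emitted before additions for movers, and leavers are disabled and have sessions revoked before their groups are stripped; as an extension of the text it also flags directory accounts that have no HR record at all.

```python
# Added example: reconciling an HR feed against the directory for joiners, movers and
# leavers (steps 2 and 7). Role matrix, HR records and directory state are constructed.

from datetime import date

# Job Title (from HR) -> Security Groups: the RBAC matrix of step 2 (constructed).
ROLE_MATRIX = {
    "Junior Accountant": {"SG-Finance-Read", "SG-Invoicing-Write"},
    "Finance Manager": {"SG-Finance-Read", "SG-Finance-Write", "SG-Payments-Approve"},
    "Junior Developer": {"SG-Dev-Read", "SG-Git-Write"},
}


def target_groups(job_title):
    """Groups a title is entitled to. Unknown titles get nothing (default deny)."""
    return set(ROLE_MATRIX.get(job_title, set()))


def reconcile(hr_records, directory, today):
    """Compare HR (source of truth) with the directory and return the ordered list
    of actions to apply.
    hr_records: list of {"user", "job_title", "termination_date"}, the date as an
                ISO string or None (HR exports are strings).
    directory:  {user: {"enabled": bool, "groups": set}}
    today:      ISO date string of the run."""
    today = date.fromisoformat(today)
    actions = []
    seen = set()
    for rec in hr_records:
        user = rec["user"]
        seen.add(user)
        acct = directory.get(user)
        if acct is None:
            # Joiner: the account does not exist yet.
            actions.append(("create_account", user))
            acct = {"enabled": True, "groups": set()}
        term = rec["termination_date"]
        if term is not None and date.fromisoformat(term) <= today:
            # Leaver: disable first, kill live sessions, then strip every group.
            if acct["enabled"]:
                actions.append(("disable_account", user))
                actions.append(("revoke_sessions", user))
            for grp in sorted(acct["groups"]):
                actions.append(("remove_group", user, grp))
            continue
        desired = target_groups(rec["job_title"])
        # Mover: removals before additions, so privilege never accumulates.
        for grp in sorted(acct["groups"] - desired):
            actions.append(("remove_group", user, grp))
        for grp in sorted(desired - acct["groups"]):
            actions.append(("add_group", user, grp))
    # Accounts with no HR record are orphans: disable rather than guess an owner.
    for user in sorted(set(directory) - seen):
        if directory[user]["enabled"]:
            actions.append(("disable_account", user))
            actions.append(("revoke_sessions", user))
    return actions


if __name__ == "__main__":
    hr = [{"user": "a.jones", "job_title": "Finance Manager", "termination_date": None}]
    dir_state = {"a.jones": {"enabled": True, "groups": {"SG-Finance-Read", "SG-Invoicing-Write"}}}
    for action in reconcile(hr, dir_state, "2024-06-01"):
        print(action)
```

Running this on a schedule (or on an HR webhook) is what turns the step 7 minimum requirement into something measurable: the gap between the termination date and the `disable_account` action is the number to report, not whether a ticket was closed.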
8. Restrict Use of Management Utility Programs
Control Requirement: Utility programs that can override system and application controls must be restricted.
Required Implementation Step: Use AppLocker or Defender for Endpoint to block the execution of admin tools (PowerShell, RegEdit, PsExec) for standard users. Only specific administrative accounts on designated “Privileged Access Workstations” should have the right to run these binaries.
Minimum Requirement: Standard users cannot launch the Command Prompt or Registry Editor.
9. Conduct Quarterly User Access Reviews (UAR)
Control Requirement: Asset owners must review access rights at regular intervals.
Required Implementation Step: Export the membership lists of all critical Security Groups. Send these lists to the respective Data Owners. Require them to explicitly mark “Keep” or “Remove” for every user. Process the removals immediately. Save the signed-off review sheets as audit evidence.
Minimum Requirement: Evidence that a manager has visually confirmed every user’s right to access their data within the last 90 days.
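Processing the returned review sheets from step 9 is where most programmes lose the evidence trail: a row with no decision, or a group whose last review is outside the 90-day window, means the cycle is not complete. The following is an added example, not code from the checklist's author; the CSV sheet, owner names and dates are constructed, and the 90-day window is the checklist's own minimum requirement. As a small extension of the text, it also lists owners who returned nothing but “Keep”, which is the rubber-stamp pattern the failure table below warns about and a reasonable trigger for second-line sampling.

```python
# Added example: processing a returned User Access Review sheet (step 9).
# The review sheet, owners and dates are constructed; the 90-day window is the
# checklist's minimum requirement.

import csv
import io
from datetime import date

# Constructed review sheet as returned by the Data Owners.
REVIEW_SHEET = """group,user,owner,decision,reviewed_on
SG-HR-Read,a.jones,head.of.hr,Keep,2024-05-20
SG-HR-Read,b.lee,head.of.hr,Remove,2024-05-20
SG-HR-Read,c.new,head.of.hr,,2024-05-20
SG-Finance-Write,d.kim,finance.director,Keep,2024-01-15
SG-Finance-Write,e.ray,finance.director,Keep,2024-01-15
"""

REVIEW_WINDOW_DAYS = 90


def parse_sheet(text):
    """Rows of the CSV as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def process_review(rows, today):
    """Split a review into: removals to action now, rows with no decision (the
    review is incomplete until they are answered), and groups whose last review
    is older than the window. today is an ISO date string."""
    today = date.fromisoformat(today)
    removals, undecided, overdue = [], [], set()
    for row in rows:
        decision = row["decision"].strip().lower()
        reviewed = date.fromisoformat(row["reviewed_on"])
        if (today - reviewed).days > REVIEW_WINDOW_DAYS:
            overdue.add(row["group"])
        if decision == "remove":
            removals.append((row["group"], row["user"]))
        elif decision != "keep":
            undecided.append((row["group"], row["user"]))
    return {"removals": removals, "undecided": undecided, "overdue": sorted(overdue)}


def all_keep_owners(rows):
    """Owners whose every decision was 'Keep': candidates for second-line sampling.
    Heuristic for the rubber-stamp pattern, not a rule from the standard."""
    decisions = {}
    for row in rows:
        decisions.setdefault(row["owner"], set()).add(row["decision"].strip().lower())
    return sorted(owner for owner, seen in decisions.items() if seen == {"keep"})


def evidence_complete(result):
    """The cycle is evidenced only when every row carries a decision and every
    group was reviewed inside the window."""
    return not result["undecided"] and not result["overdue"]


if __name__ == "__main__":
    rows = parse_sheet(REVIEW_SHEET)
    result = process_review(rows, "2024-06-01")
    print(result)
    print("rubber-stamp candidates:", all_keep_owners(rows))
    print("evidence complete:", evidence_complete(result))
```

The `removals` list is what IT actions immediately; the `undecided` and `overdue` lists go back to the owners, and the sheet is only filed as audit evidence once `evidence_complete` is true.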
10. Enforce Physical Access Control Alignment
Control Requirement: Physical access to assets must align with digital access permissions.
Required Implementation Step: Audit your door access control system (e.g., Paxton/Lenel). Ensure that the “Server Room” access group is restricted solely to the “IT Infrastructure” team. Verify that a “Junior Developer” cannot use their swipe card to enter the Data Centre.
Minimum Requirement: Physical access logs match the authorised personnel list exactly.
ISO 27001 Annex A 5.15 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Policy Definition | GRC tool provides a “Standard Policy” template to download. | Fails if the policy isn’t configured in the AD Group Policy. A PDF doesn’t stop a user from deleting a file. |
| RBAC Implementation | Tool asks: “Do you use roles?” (Yes/No). | Fails if you have “User-1”, “User-2”, etc., with direct permissions. You need distinct, documented AD Groups. |
| Access Reviews | Automated email: “Does this look okay?” (Manager clicks ‘Approve All’). | Fails if the manager rubber-stamps it. Real compliance requires removing 5-10% of stale access rights per cycle. |
| Segregation of Duties | Not checked by simple compliance questionnaires. | Fails if your Finance Manager can add a fake vendor and pay them. This requires ERP-level configuration auditing. |
| Conditional Access | Tool checks if “MFA is on”. | Fails if MFA is on but the user can still download the entire database to an unmanaged home laptop. Context matters. |
| Leaver Process | Ticket system check: “Did you close the ticket?” | Fails if the ticket was closed but the account remained active for 3 days. Automated disablement is the only safe way. |
| Owner Authorisation | “IT Director approves everything.” | Fails because the IT Director doesn’t know who needs access to the HR folder. The specific Data Owner must sign off. |