We have all heard the phrase “knowledge is power.” In the world of information security, however, knowledge—or rather, access to it—is a liability. If everyone in your company can read the CEO’s emails or edit the payroll database, you don’t have a security system; you have an open house.
This is where ISO 27001:2022 Annex A 8.3 steps in. It is the control dedicated to Information Access Restriction. It sounds formal, but the concept is simple: put a velvet rope around your data and only let the people on the VIP list cross it.
What is Annex A 8.3?
In the 2022 update of the standard, Annex A 8.3 falls under the “Technological Controls” category, but don’t let that fool you. It requires a heavy mix of policy and process before you even touch a firewall setting.
The control requires that “access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.” In plain English? You need clear rules about who can touch what, and technical barriers to enforce those rules.
Step 1: Write the Rules (Access Control Policy)
You cannot configure your permissions if you don’t know the rules. The standard explicitly asks for a Topic-Specific Policy on Access Control.
This isn’t just a document for the auditor; it’s your blueprint. It needs to define:
- Who decides? (Who is the “Data Owner” that says yes or no to access?)
- What are the principles? (Are we strict by default, or open by default?)
- How do we handle guests? (Do contractors get the same keys as staff?)
If you are staring at a blank page, Hightable.io provides excellent ISO 27001 toolkits that include a pre-written Access Control Policy, saving you the headache of drafting one from scratch.
Step 2: The “Need-to-Know” and Least Privilege
If you implement nothing else, implement this. The Principle of Least Privilege means giving a user the minimum level of access they need to do their job, and nothing more.
If Jane in Marketing needs to upload a brochure to the website, she gets “Write” access to the /images folder. She does not get “Admin” access to the web server.
To make this manageable, use Role-Based Access Control (RBAC). Instead of assigning permissions to “Jane,” assign permissions to the “Marketing Role.” When Jane leaves and Bob joins, you just drop Bob into the Marketing role. It’s cleaner, safer, and auditors love it.
Step 3: Define the Granularity
Access isn’t just a binary “Yes/No.” Annex A 8.3 requires you to be specific about what someone can do. You should define separate permissions for:
- Read: Look but don’t touch.
- Write/Create: Add new data.
- Edit/Modify: Change existing data.
- Delete: The most dangerous permission—restrict this heavily.
- Execute: Run a program or script.
Step 4: Dynamic Access Management
The 2022 update to ISO 27001 introduced a modern twist: dynamic access management. In the old days, if you had the password, you got in. Today, the decision also needs to take the context of the request into account.
Dynamic access means the rules change based on the context. For example:
- Location: The CFO can access the payroll system from the office, but not from a coffee shop Wi-Fi in another country.
- Time: A contractor can access the servers Monday to Friday, 9-5, but their access is blocked on weekends.
- Device: You can access email from a company laptop, but not from a personal iPad.
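Steps 2 to 4 fit together as one policy decision: a role (not a person) carries a granular set of permissions on a resource, and each grant can be fenced by contextual conditions. The following Python sketch, added here as an illustration and not part of the original article or any ISO toolkit, puts the three ideas in one deny-by-default evaluator. The role names, resources, users and the "office"/"external" network labels are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import Flag, auto
from typing import Dict, Optional, Set, Tuple


class Perm(Flag):
    """Granular permissions (Step 3), one bit each so a role can carry any mix."""
    READ = auto()
    WRITE = auto()     # create new data
    MODIFY = auto()    # change existing data
    DELETE = auto()
    EXECUTE = auto()


@dataclass
class Context:
    """Context of a request, consulted by the dynamic-access rules (Step 4)."""
    network: str          # "office" or "external" (constructed labels)
    device_managed: bool  # True for a company-issued device
    when: datetime


@dataclass
class Rule:
    """Permissions a role holds on one resource, plus conditions that must hold."""
    perms: Perm
    office_only: bool = False
    managed_device_only: bool = False
    weekdays_only: bool = False
    hours: Optional[Tuple[time, time]] = None  # allowed window, or None for any time


# Role -> resource -> Rule. Permissions hang off roles, never off people (Step 2).
# Constructed sample policy mirroring the article's examples.
POLICY: Dict[str, Dict[str, Rule]] = {
    "marketing": {"/images": Rule(Perm.READ | Perm.WRITE)},
    "finance": {"payroll": Rule(Perm.READ | Perm.MODIFY,
                                office_only=True, managed_device_only=True)},
    "contractor": {"servers": Rule(Perm.READ | Perm.EXECUTE,
                                   weekdays_only=True, hours=(time(9), time(17)))},
    "web-admin": {"web-server": Rule(Perm.READ | Perm.WRITE | Perm.MODIFY | Perm.DELETE | Perm.EXECUTE,
                                     managed_device_only=True)},
}

# User -> roles. Constructed sample assignments.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "jane": {"marketing"},
    "cfo": {"finance"},
    "sam": {"contractor"},
}

# Constructed request contexts used below (2024-06-12 is a Wednesday, 06-15 a Saturday).
OFFICE_WEDNESDAY = Context("office", True, datetime(2024, 6, 12, 10, 0))
CAFE_WEDNESDAY = Context("external", True, datetime(2024, 6, 12, 10, 0))
OFFICE_WEDNESDAY_EVENING = Context("office", True, datetime(2024, 6, 12, 18, 0))
OFFICE_SATURDAY = Context("office", True, datetime(2024, 6, 15, 10, 0))


def context_allows(rule: Rule, ctx: Context) -> bool:
    """Dynamic checks: every condition attached to the rule must hold."""
    if rule.office_only and ctx.network != "office":
        return False
    if rule.managed_device_only and not ctx.device_managed:
        return False
    if rule.weekdays_only and ctx.when.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return False
    if rule.hours is not None and not (rule.hours[0] <= ctx.when.time() < rule.hours[1]):
        return False
    return True


def is_allowed(user: str, resource: str, perm: Perm, ctx: Context,
               assignments=ASSIGNMENTS, policy=POLICY) -> bool:
    """Deny by default. Grant only if one of the user's roles carries this exact
    permission on the resource and that rule's contextual conditions hold."""
    for role in assignments.get(user, ()):
        rule = policy.get(role, {}).get(resource)
        if rule is not None and perm in rule.perms and context_allows(rule, ctx):
            return True
    return False


if __name__ == "__main__":
    for user, res, perm, ctx in [
        ("jane", "/images", Perm.WRITE, OFFICE_WEDNESDAY),
        ("jane", "web-server", Perm.WRITE, OFFICE_WEDNESDAY),
        ("cfo", "payroll", Perm.READ, OFFICE_WEDNESDAY),
        ("cfo", "payroll", Perm.READ, CAFE_WEDNESDAY),
        ("sam", "servers", Perm.EXECUTE, OFFICE_WEDNESDAY),
        ("sam", "servers", Perm.EXECUTE, OFFICE_SATURDAY),
    ]:
        print(f"{user:5} {perm.name:8} {res:12} {ctx.network:9} -> {is_allowed(user, res, perm, ctx)}")
```

Note that Jane's request for the web server fails not because a rule denies it but because no role she holds mentions that resource at all; the evaluator never reaches a "yes" it was not explicitly given. Swapping Jane for Bob is a one-line change to ASSIGNMENTS, and POLICY stays untouched.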
Step 5: The Lifecycle (Joiners, Movers, Leavers)
Your access restrictions must be kept current. They need to change as your people change.
- Joiners: Access is provisioned only after screening (Annex A 6.1) is complete.
- Movers: If someone moves from Sales to HR, you must revoke their Sales access before granting HR access. “Permission Creep” (where users collect rights like badges) is a major security risk.
- Leavers: Access must be revoked immediately upon termination. Not next week. Now.
Common Pitfalls to Avoid
- “Clone” Accounts: When a new hire starts, don’t just say “Copy permissions from Dave.” Dave might have accumulated 5 years of random access rights he no longer needs.
- The “Everyone” Group: Never grant access to the “Everyone” or “Domain Users” group unless it is truly public data (like the cafeteria menu).
- Ignoring Physical Access: Remember, access restriction applies to filing cabinets and server rooms too, not just digital folders.
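The joiner/mover/leaver lifecycle in Step 5 and the "clone account" pitfall above are two sides of the same bookkeeping problem: rights must be granted only after screening, removed before a move and removed entirely on exit, and the accumulated rights a cloned account inherits must be visible to a review. The registry below is an added illustration written for this article, not code from any ISO toolkit or product; the role names, users and dates are constructed, and a real deployment would read and write a directory service instead of an in-memory dict.

```python
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple


class AccessRegistry:
    """Tracks which roles each user holds, with an audit log of every change."""

    def __init__(self, policy_roles: Iterable[str]):
        self.roles: Set[str] = set(policy_roles)          # roles the policy defines
        self.grants: Dict[str, Dict[str, date]] = {}      # user -> {role: date granted}
        self.log: List[Tuple[date, str, str, str]] = []   # (date, user, action, role)

    def join(self, user, role, screening_complete, today) -> bool:
        """Joiner: provision only once screening (Annex A 6.1) is complete."""
        if not screening_complete:
            self.log.append((today, user, "join-refused", role))
            return False
        self._grant(user, role, today)
        return True

    def move(self, user, old_role, new_role, today) -> Set[str]:
        """Mover: revoke the old role first, then grant the new one."""
        self._revoke(user, old_role, today)
        self._grant(user, new_role, today)
        return set(self.grants.get(user, {}))

    def leave(self, user, today) -> bool:
        """Leaver: strip every role in one step, on the day of termination."""
        for role in list(self.grants.get(user, {})):
            self._revoke(user, role, today)
        self.grants.pop(user, None)
        return user not in self.grants

    def clone_from(self, new_user, template_user, today):
        """The 'copy permissions from Dave' pitfall. Kept only so the report
        below can show what it leaves behind; do not provision this way."""
        for role in list(self.grants.get(template_user, {})):
            self._grant(new_user, role, today)

    def creep_report(self, today, expected: Dict[str, Set[str]], max_age_days=365):
        """Flag rights beyond the roles a user's job expects, and rights not
        re-certified within max_age_days. Cloned accounts surface as 'unexpected'."""
        findings = {}
        for user, held in self.grants.items():
            unexpected = set(held) - expected.get(user, set())
            stale = {r for r, d in held.items() if (today - d).days > max_age_days}
            if unexpected or stale:
                findings[user] = {"unexpected": unexpected, "stale": stale}
        return findings

    def _grant(self, user, role, today):
        if role not in self.roles:
            raise ValueError(f"unknown role {role!r}")
        self.grants.setdefault(user, {})[role] = today
        self.log.append((today, user, "grant", role))

    def _revoke(self, user, role, today):
        if self.grants.get(user, {}).pop(role, None) is not None:
            self.log.append((today, user, "revoke", role))


if __name__ == "__main__":
    reg = AccessRegistry(["sales", "hr", "marketing", "legacy-crm"])
    reg.join("dave", "sales", True, date(2019, 1, 7))
    reg.join("dave", "legacy-crm", True, date(2019, 3, 4))   # old project, never removed
    reg.join("bob", "marketing", False, date(2024, 6, 3))    # refused: screening pending
    reg.join("bob", "marketing", True, date(2024, 6, 10))
    reg.join("erin", "sales", True, date(2022, 2, 1))
    print("erin after move:", reg.move("erin", "sales", "hr", date(2024, 6, 3)))
    reg.clone_from("newhire", "dave", date(2024, 6, 10))
    expected = {"dave": {"sales"}, "newhire": {"sales"}, "bob": {"marketing"}, "erin": {"hr"}}
    print("review findings:", reg.creep_report(date(2024, 6, 11), expected))
    print("dave removed:", reg.leave("dave", date(2024, 6, 11)))
    for entry in reg.log:
        print(*entry)
```

The review report is the part worth keeping even if the rest is replaced by your identity provider: comparing what a user holds against what their job expects is exactly the check that catches a cloned account on day one, before the inherited rights become "the way it has always been".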
Conclusion
Implementing ISO 27001 Annex A 8.3 is about moving from “Trust” to “Verify.” It ensures that your valuable data is only visible to the people who actually need it to keep your business running.
Start by defining your roles, locking down your most sensitive data first, and ensuring you have the documentation to back it up. If the paperwork feels overwhelming, the templates at Hightable.io can provide the structure you need to get your access control compliant and audit-ready.