In this article I lay bare the ISO 27001 Access Control Policy. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.
I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Access Control Policy
Table of contents
- What is an ISO 27001 Access Control Policy?
- ISO 27001 Access Control Policy Template
- What is the Purpose of the ISO 27001 Access Control Policy?
- What is the ISO 27001 Access Control Policy Principle?
- Why is the ISO 27001 Access Control Policy Important?
- User Access Lifecycle
- Access Control in Practice
- What should the ISO 27001 Access Control Policy Contain?
- ISO 27001 Access Control Policy Example
- What are the benefits of ISO 27001 Access Control Policy?
- Who is responsible for the ISO 27001 Access Control Policy?
- What are examples of a violation of the ISO 27001 Access Control Policy?
- What are the consequences of violating the ISO 27001 Access Control Policy?
- How do you monitor the effectiveness of the ISO 27001 Access Control Policy?
- ISO 27001 and the ISO 27001 Access Control Policy
- ISO 27001 Access Control Policy FAQ
What is an ISO 27001 Access Control Policy?
The ISO 27001 Access Control Policy ensures the correct access to the correct information and resources by the correct people. The objective is to limit access to information and systems based on need rather than have a Wild West free for all.
The access control policy template is a simple yet effective policy that covers access to information and systems including the management and lifecycle.
The access control policy sets out what you do for Access Control.
Stop Spanking £10,000s on consultants and ISMS online-tools.
ISO 27001 Access Control Policy Template
What is the Purpose of the ISO 27001 Access Control Policy?
The purpose of the ISO 27001 Access Control Policy is to ensure the correct access to the correct information and resources by the correct people.
What is the ISO 27001 Access Control Policy Principle?
Access control is granted on the principle of least privilege. Users are only provided access to the information they require to perform their tasks and role.
Why is the ISO 27001 Access Control Policy Important?
A cornerstone of information security is confidentiality and providing the right access to the right people at the right time. We want to ensure that people have access to do their job but no more. We want to protect the information and data that we have.
People will talk about preventing unauthorised access which is a fancy way of saying getting access to data they should not have. By protecting the access to the data we can reduce the risk of information security incidents and data breaches.
The ISO 27001 Access Control Policy is important as it sets out clearly and in written form what you expect to happen. If you don’t tell people what you expect of them then how can you expect them to do it? Communicating what is expected is a key step in any HR disciplinary process with many not being enforceable or actionable if you have not told people what to do and got them to accept that they understand what is being asked.
The ISO 27001 standard wants you to have the access control policy in place, communicated, and accepted by staff as part of your ISO 27001 certification. It actually forms part of a wider set of required information security policies that are all included in the ISO 27001 toolkit.
User Access Lifecycle
The lifecycle of user access is
Someone requires access to systems or data and requests that access either for themselves or a member of their team.
Approving Access Requests
Access requests cannot be approved by the person requesting the access. This is known as segregation of duty. The person responsible for approving the access request is usually the system or data owner.
Once approved the access will be granted and technically implemented. This is usually the responsibility of a trained IT professional. Great care should be taken if using the technique of copying or cloning access rights based on an existing user. This can introduce unintended consequences and result in unexpected unauthorised access. A better method is to base the access rights on role based access. Access that is defined by role and the role applied to the individual requiring access.
Managing Changes to Access
As a person changes role over time their access will be revisited and revised. To do this the process starts again at step 1 – requesting access.
Access is monitored on a regular basis. The main requirement is to conduct and evidence access reviews. Access reviews are usually performed by the system or data owner to ensure that the people with access are still required and relevant. Common practice is to conduct this on a monthly basis. It is a great way to catch when a person has left and their access has not been removed or to catch when a person has changed role and their access needs to be modified.
Revoking access can take place during a change in role or when a person leaves the organisation. It is best practice to revoke that access at the earliest opportunity. For audit trail the process of requesting the access be revoked, that request being approved and then actioned would be followed.
Access Control in Practice
The ISO 27001 Access Control Policy is all about access to systems and data. When looking at access we are looking at the different types of access. We differentiate between normal users and administrators.
First things first we want to ensure that we have confidentiality agreements in place and being required to access systems. This may form part of employment contracts. It makes sense to grant access to systems based on roles where the role defines the level of access that is allowed. We want to ensure that we can track actions back to individuals so the concept of one user and one ID is introduced. If we have shared accounts it can be nearly impossible to track back who exactly did what. This can become critical if incidents occur and we need to conduct investigations. Users of systems are responsible for their actions.
System access is not a one time deal. We will have a start, leaver, mover process that covers the provision of access, the changes to access as roles change and the removal of access when someone leaves. To ensure that all is working as planned we are going to conduct regular access reviews. An access review is as simple as seeing who has access to systems, what level of access they have and confirming that they still need it. If they don’t, or they have changed role, or they have left and the normal processes hasn’t caught it then we handle it at that point.
Our most powerful users are administrators. They hold the keys to the kingdom. There are special considerations when it comes these administrative accounts. How they are allocated, when they are allocated, how they are used, how they are monitored is addressed.
We all use passwords and the rules for passwords are set. How passwords are created, how complex do they need to be, how often if at all are they changed, how are they communicated to users. Passwords are the keys to the doors of our systems and data so we are clear on their management and use.
Often times we rely on third parties or suppliers to help support and run our systems. We want to grant them the access that they need, when they need it to help us. We set out the policy and rules for their access. We also address remote access of all users.
What should the ISO 27001 Access Control Policy Contain?
The ISO 27001 Access Control Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document mark up is just a fancy words for having certain information on the policy. It will need version control, a version number, an owner, an information security classification. An example ISO 27001 Access Control Policy table of contents would look something like this:
- Document Version Control
- Document Contents Page
- Physical Access
- Access Control Policy
- Confidentiality Agreements
- Role Based Access
- Unique Identifier
- Access Authentication
- Access Rights Review
- Privilege Accounts / Administrator Accounts
- User Account Provisioning
- Remote Access
- Third Party Remote Access
- Monitoring and Reporting
- Policy Compliance
- Compliance Measurement
- Continual Improvement
ISO 27001 Access Control Policy Example
This is an example ISO 27001 Access Control Policy:
What are the benefits of ISO 27001 Access Control Policy?
- Improved Security: Access to data will be granted only to those that require it and have been approved reducing the risk of unauthorised access and data breaches.
- Reduced Risk: Control who has access will reduce the risk of data being access by the wrong people and reduce the risk of data breaches.
- Improved Compliance: Standards and regulations require access control to be in place.
- Reputation Protection: In the event of a breach having effective access control management will reduce the potential for fines and reduce the PR impact of an event
Who is responsible for the ISO 27001 Access Control Policy?
Access is the responsibility of the data and system owners. The ISO 27001 Access Control Policy is the responsibility of the senior leadership team. This can also be the senior operational leadership team.
What are examples of a violation of the ISO 27001 Access Control Policy?
- Unauthorised access: accessing data without authorisation or approval.
- Unauthorised disclosure of data: sharing data or information with people that are not authorised to access it.
- Sharing passwords: allowing others to use your password to access data to which they are not authorised.
- Unauthorised destruction or modification of data: Changing or modifying data you have access to but are not granted to permission to delete or modify.
What are the consequences of violating the ISO 27001 Access Control Policy?
Not managing access to systems can have severe consequences. This is a simple, effective protection against cyber attack and data breach. Like giving a key to your door to everyone and anyone that asks, you are inviting attackers into your systems. The consequences could be legal and regulatory fines and / or enforcement, loss of data, loss of revenue and in the most extreme cases risk to life and closure of your organisation.
How do you monitor the effectiveness of the ISO 27001 Access Control Policy?
The approaches to monitoring the effectives of access control include:
- Monthly access reviews by the system and data owners
- Internal audit of the access control process
- External audit of the access control process
- Review of system logs and alerts for anomalies in operation
ISO 27001 and the ISO 27001 Access Control Policy
The ISO 27001 Access Control Policy satisfies the following clauses in ISO 27001:2022
ISO 27001:2022 Clause 5 Leadership
ISO 27002:2022 Clause 5 Organisational Controls
ISO 27002:2022 Clause 8 Technological Controls
ISO 27002:2022 Clause 8.11 Data Masking
ISO 27001 Access Control Policy FAQ
The ISO 27001 Access Control Policy can be downloaded at High Table: The ISO 27001 Company.
1. Requesting Access
2. Approving Access Requests
3. Implementing Access
4. Managing Changes to Access
5. Monitoring Access
6. Revoking Access
A free example PDF Access Control Policy is available at High Table: The ISO 27001 Company.
The benefits of an ISO 27001 Access Control Policy are:
1. Improved Security
2. Reduced Risk
3. Improved Compliance
4. Reputation Protection
Senior management is responsible for the ISO 27001 Access Control Policy.
ISO 27001:2022 Clause 5 Leadership
ISO 27001:2022 Clause 5.1 Leadership and commitment
ISO 27001:2022 Clause 5.2 Policy
ISO 27001:2022 Clause 6.2 Information security objectives and planning to achieve them
ISO 27001:2022 Clause 7.5.3 Control of documented information
ISO 27001:2022 Clause 7.3 Awareness
ISO27001:2022 Annex A 5.15 Access Control
ISO 27001:2022 Annex A 5.16 Identity Management
ISO 27001:2022 Annex A 5.17 Authentication Information
ISO 27001:2022 Annex A 5.18 Access Rights