In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.15 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.15 Access Control
ISO 27001 Annex A 5.15 requires organizations to establish and implement rules for controlling both physical and logical access to information and other associated assets. Access control is a fundamental “preventive” security measure; it ensures that only authorized individuals and entities (like software services or machines) can interact with sensitive data. By applying the principle of Least Privilege, you minimize the risk of accidental data leaks, internal fraud, and external compromise.
Core requirements for compliance include:
- Access Control Policy: You must have a documented topic-specific policy that outlines the organization’s rules for granting, reviewing, and revoking access.
- Asset Integration: You cannot control what you don’t know. Your access rules must be directly linked to your Asset Register (A.5.9) and Information Classification (A.5.12).
- Need-to-Know vs. Need-to-Use: Access should only be granted based on a clear business requirement to perform a job function (Need-to-Know) or a specific task (Need-to-Use).
- Role-Based Access Control (RBAC): For efficiency and consistency, access is best managed by assigning permissions to “Roles” (e.g., HR Manager) rather than individual users.
- Entities Coverage: The control applies not just to humans, but also to “entities” such as automated service accounts, APIs, and connected devices.
- Continuous Review: Access rights must be reviewed periodically (at least annually) to prevent “Privilege Creep,” where users accumulate unnecessary permissions over time.
Audit Focus: Auditors will look for “The Access Evidence Trail”:
- Approval Logs: “Show me the request and approval for the last person given access to the Finance system. Who authorized it?”
- The Leaver Test: “Show me a list of employees who left in the last 3 months. Can you prove their access to the VPN and SaaS tools was revoked on their final day?”
- Third-Party Access: “How do you manage access for your external IT consultants? Is it permanently open, or granted only when a fix is needed?”
Table of contents
- What is ISO 27001 Annex A 5.15?
- Watch the ISO 27001 Annex A 5.15 Video
- ISO 27001 Annex A 5.15 Podcast
- ISO 27001 Annex A 5.15 Implementation Guide
- How to implement ISO 27001 Annex A 5.15
- Access Control Principles
- Access Control Methodologies
- Access Control Granularity
- Access Matrix Example
- ISO 27001 Access Control Policy Template
- How to comply
- How to pass an ISO 27001 Annex A 5.15 audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.15 Mistakes People Make and How to Avoid Them
- Applicability of ISO 27001 Annex A 5.15 across different business models.
- Fast Track ISO 27001 Annex A 5.15 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.15 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 controls and attribute values
What is ISO 27001 Annex A 5.15?
ISO 27001 Annex A 5.15 is about access control, which means you need a process to control who can access systems and information.
ISO 27001 Annex A 5.15 Access Control is an ISO 27001 control that requires an organisation to implement the control of access to information and other assets based on business and information security requirements.
For a deeper understanding on Access Control in general, read the ISO 27001 Access Control Policy Ultimate Guide.
ISO 27001 Annex A 5.15 Purpose
ISO 27001 Annex A 5.15 is a preventive control whose purpose is to ensure authorised access to, and to prevent unauthorised access to, information and other associated assets.
ISO 27001 Annex A 5.15 Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.15 as:
Rules to control physical and logical access to information and other associated assets should be established
ISO 27001:2022 Annex A 5.15 Access Control
Watch the ISO 27001 Annex A 5.15 Video
In the video ISO 27001 Access Control Explained – ISO27001:2022 Annex A 5.15, I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.15 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.15 Access Control. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.15 Implementation Guide
The control of access to information and other assets is going to require a topic-specific ISO 27001 Access Control Policy. To implement control of access you are going to have to first identify what you have. We cannot control it if we do not know we have it, so before you move on to access control be sure first to have completed your asset registers. We covered asset inventories in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets.
Once you know what you have, you are going to implement information classification, which we covered in ISO 27001 Annex A 5.12 Classification Of Information. This is going to set out the classification levels of the organisation and the controls and restrictions for each classification.
The standard wants you to implement access control rules by defining and mapping appropriate access rights and restrictions to relevant entities. By entities it means the things doing the accessing, which includes humans as well as logical items such as services, devices and machines.
Considerations when implementing access control
Let us take a look at considerations when defining and implementing access control rules:
- Work to the principle of least privilege, which means we restrict access to everything unless it is needed, as opposed to the principle that everyone has access to everything unless forbidden.
- Account for automation in process and technology where permissions are changed automatically.
- Implement a review of the approval processes at least annually or on significant change.
- Ensure we are consistent in our approach to both access rights and information classification.
- Consider physical perimeter security where it is appropriate, and keep it consistent with access rights.
- Where dynamic access control is in use, consider which factors and elements drive it and how they are reflected in the rules.
Steps in implementing access control
You are going to have to:
- Establish and communicate a topic specific ISO 27001 Access Control Policy
- Complete your physical and virtual asset register
- Complete your data asset register
- Decide on your access control methodology / approach
- Implement your access control
How to implement ISO 27001 Annex A 5.15
Implementing ISO 27001 Annex A 5.15 requires a transition from ad hoc permission management to a structured, policy-driven governance model. By establishing clear rules for both physical and logical access, organisations can ensure that information assets are only available to authorised entities based on the Principle of Least Privilege (PoLP). This action-orientated guide provides the technical steps necessary to build a compliant access control framework that satisfies lead auditor expectations.
1. Formalise the Topic-Specific Policy on Access Control
Establish a documented policy that defines the organisation’s high-level rules for granting and managing access. This action results in a consistent governance layer that dictates how users, devices, and services interact with sensitive data.
- Define mandatory criteria for access based on “Need to Know” and “Need to Use” principles.
- Document the requirements for different access types, including remote, local, and administrative privileges.
- Specify the technical standards for authentication, such as the mandatory use of Multi-Factor Authentication (MFA).
2. Provision Role-Based Access Control (RBAC) Frameworks
Execute the mapping of job functions to specific technical permissions within your systems. This results in a scalable identity and access management (IAM) structure that prevents excessive privilege accumulation.
- Identify critical business roles and assign the minimum necessary IAM roles to each.
- Implement Attribute-Based Access Control (ABAC) for complex environments requiring dynamic permission sets.
- Formalise “Rules of Engagement” (ROE) documents for third-party contractors and service providers.
3. Implement Secure Login and Session Management
Configure system authentication interfaces to prevent unauthorised harvesting of credentials and session hijacking. This action results in a hardened defensive layer at the point of entry.
- Enforce account lockout thresholds and secure login screens that do not provide hints about valid usernames.
- Provision automated session timeouts and re-authentication requirements for high-risk applications.
- Utilise secure protocols (e.g. TLS 1.3) for all authentication traffic to protect credentials in transit.
4. Formalise Physical Access Control Boundaries
Establish physical security perimeters and entry controls to protect hardware and printed information. This results in a comprehensive “layered” security approach that extends beyond the digital network.
- Provision secure entry points using biometric readers, RFID badges, or physical keys with logged entry.
- Establish “Clean Desk and Clear Screen” protocols to prevent opportunistic data exfiltration in office environments.
- Formalise visitor management procedures, including mandatory logging and escort requirements in sensitive areas.
5. Execute Continuous Access Monitoring and Review
Perform regular audits of user permissions and access logs to identify anomalies or redundant accounts. This result-focused step ensures that the access control environment remains aligned with the current workforce and risk profile.
- Review privileged account access quarterly and standard user access at least annually.
- Implement automated alerting for unusual login patterns or failed authentication attempts on critical assets.
- Revoke access immediately for any “Leaver” or “Mover” as part of the formalised offboarding checklist.
Access Control Principles
The principles of access control usually fall into two mainstream camps of thinking. They are:
Need to know
Need to know is the principle that you grant access to the information required to perform the tasks and duties.
Need to use
Need to use is the principle of granting access where a clear need is present.
Let’s be fair: the difference is subtle and barely material, in that you grant access to what people need. You will not be quizzed on this, and a simpler way to look at it is: do not give people access to things they don’t need.
Access Control Methodologies
There is no one right way to implement access control, although the most common is role based access. It is the most common as it is most often the simplest. The access control methodologies are:
- MAC – mandatory access control
- DAC – discretionary access control
- RBAC – role based access control
- ABAC – attribute based access control
Access Control Granularity
The level of granularity of access control is based on your business and business risk. It is a wide range with examples of covering entire networks or systems all the way down to restricting access to individual fields. You can consider factors such as locations or how people connect or who connects from teams to individuals.
The level of granularity correlates directly with cost and security.
The more granular you are the more cost you will incur in time and resources but the more secure you will be.
The less granular you are then the less cost in time and resources but the more insecure (potentially) you will be.
The art is to find the balance that is right for you.
Access Matrix Example
| Role | HR System | Finance System | IT Admin Panel | ISO 27001:2022 Control |
|---|---|---|---|---|
| HR Manager | Read/Write | Read Only (Payroll) | No Access | Annex A 5.15 / 5.18 |
| Finance Clerk | No Access | Read/Write | No Access | Annex A 5.15 / 5.18 |
| IT Admin | No Access | No Access | Full Control | Annex A 5.15 / 8.15 |
| Standard User | Read Self (Profile) | No Access | No Access | Annex A 5.15 |
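The matrix above, as an added example (not code from the page or the High Table toolkit): the rows are encoded as a default-deny RBAC lookup, and the two checks an auditor asks for later in this guide, the Leaver Test and a privilege-creep review, are run over constructed sample accounts. All user names, dates and role assignments are assumptions for illustration.

```python
# Added example (not from the page or the High Table toolkit): the Access
# Matrix above encoded as a default-deny RBAC lookup, plus two of the checks
# an auditor asks for: the "Leaver Test" and a privilege-creep review.
# All users, dates and role assignments below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Role -> system -> permitted actions. Anything not listed is "No Access":
# least privilege means the default is deny, not allow.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "HR Manager":    {"HR System": {"read", "write"}, "Finance System": {"read"}},
    "Finance Clerk": {"Finance System": {"read", "write"}},
    "IT Admin":      {"IT Admin Panel": {"read", "write", "admin"}},
    "Standard User": {"HR System": {"read_self"}},
}

@dataclass
class Account:
    user: str
    roles: Set[str]                 # roles actually assigned in the system
    enabled: bool = True
    left_on: Optional[date] = None  # final day recorded by HR (None = current staff)

def is_allowed(acct: Account, system: str, action: str, today: date) -> bool:
    """Default-deny check: disabled or departed accounts never pass, and an
    action is granted only if one of the account's roles lists it explicitly."""
    if not acct.enabled or (acct.left_on is not None and acct.left_on <= today):
        return False
    return any(action in ACCESS_MATRIX.get(r, {}).get(system, set()) for r in acct.roles)

def leaver_test(accounts: List[Account], today: date) -> List[str]:
    """The auditor's Leaver Test: people whose final day has passed but whose
    account is still enabled. The expected result is an empty list."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.left_on is not None and a.left_on <= today)

def privilege_creep(accounts: List[Account],
                    hr_roles: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Periodic access review: roles held in the system beyond what HR says the
    person's job needs. Each hit is a permission to justify or revoke."""
    return {a.user: sorted(a.roles - hr_roles.get(a.user, set()))
            for a in accounts if a.roles - hr_roles.get(a.user, set())}

# Constructed sample population for the review.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", {"HR Manager"}),
    Account("bob",   {"Finance Clerk", "IT Admin"}),               # moved from IT, kept admin
    Account("carol", {"Standard User"}, left_on=date(2024, 3, 15)),  # left, never disabled
    Account("dave",  {"Standard User"}, enabled=False, left_on=date(2024, 5, 1)),
]
HR_ROLES = {"alice": {"HR Manager"}, "bob": {"Finance Clerk"},
            "carol": {"Standard User"}, "dave": {"Standard User"}}

def run_review() -> dict:
    """Bundle the evidence an access review would produce for the auditor."""
    return {"leavers_still_enabled": leaver_test(ACCOUNTS, TODAY),
            "privilege_creep": privilege_creep(ACCOUNTS, HR_ROLES)}

if __name__ == "__main__":
    print(run_review())
```

Both findings (carol still enabled after leaving, bob holding IT Admin after moving to Finance) are the exact gotchas the audit section below describes; a clean review returns an empty list and an empty dict.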
ISO 27001 Access Control Policy Template
The ISO 27001 Access Control Policy template is pre-written and ready to go. It is one of the required ISO 27001 policies and sets out the organisation’s approach to access control.
How to comply
To comply with ISO 27001 Annex A 5.15 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:
- Implement an ISO 27001 Access Control Policy
- Complete your physical and virtual asset register
- Complete your data asset register
- Decide on your access control methodology / approach
- Implement your access control
How to pass an ISO 27001 Annex A 5.15 audit
To pass an audit of ISO 27001 Annex A 5.15 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas. Let’s go through the most common:
1. That you have not done something stupid
The auditor is going to check the rules, procedures and access control methodology and make sure you followed them. As with everything, having documented evidence of anything you can is going to be your friend: practical things like asset registers, access control procedures that you can evidence are in operation, and reviews of access. Work through recent hires, for example, ensure the processes were followed, and look for the gotchas. Is there an approval audit trail? When you log into the system that was approved, does the user’s access match what was requested?
2. That you have rules, processes and you have followed them and have trained people
This is obvious, but they are going to look for evidence that you have documented what you say you do, that you follow it and that you have trained people. The biggest gotcha here is having people with access who have left. In other words, you didn’t have or follow a leaver process, and so people’s access remains even though their contract has ended.
3. Documentation
They are going to look at audit trails and all your documentation and check that it is classified and labelled. All the documents that you show them, as a minimum if they are confidential, should be labelled as such. Is the document up to date? Has it been reviewed in the last 12 months? Does the version control match? Doing anything else would be a massive own goal.
Top 3 ISO 27001 Annex A 5.15 Mistakes People Make and How to Avoid Them
The top 3 mistakes people make for ISO 27001 Annex A 5.15 are:
1. People have left but they still have access
Make sure that access to systems is up to date and that people or third parties that have left no longer have access.
2. Third parties have open access
Third parties should follow process, and the process should be to grant access to them when the access is required and remove it when it is not. It should not be open and continual access. Consider the example where you need a third party to fix something. You would grant access to allow the fix and then remove it. You would not grant open-ended access.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no stray comments in them are all good practices.
Applicability of ISO 27001 Annex A 5.15 across different business models.
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | Owner-Defined Rules. In small teams, “Roles” are often fluid. Compliance means defining clear, high-level rules (e.g., “Only the owner can approve payments”) rather than complex matrices. | The “Owner Approval” Rule: A policy stating that any access to the bank account or payroll system requires explicit approval from the Director. |
| Tech Startups | RBAC & Attribute-Based Access. Startups must move away from “Everyone is Admin.” The focus is on Role-Based Access Control (RBAC) where permissions are linked to the job title, not the person. | Role Definitions: Defining strict roles in your policy (e.g., “Junior Dev” has Read-Only access to Prod; “Senior Dev” has Deploy access). |
| AI Companies | Data Segmentation Rules. Access control is critical for IP protection. The policy must strictly separate “Research/Training” environments from “Inference/Production” environments to prevent data leakage. | Need-to-Know Datasets: A rule enforcing that Data Scientists only have access to the specific datasets required for their current project, not the entire Data Lake. |
Fast Track ISO 27001 Annex A 5.15 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.15 (Access control), the requirement is to implement rules and procedures to control physical and logical access to information and assets. This is a core preventive control that ensures only authorized entities (humans or systems) can access what they need to perform their duties, following the principle of “least privilege.”
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your access rules; if you cancel the subscription, your documented RBAC/ABAC methodologies and history vanish. | Permanent Assets: Fully editable Word/Excel Access Control Policies and Matrix templates that you own forever. | A localized “Access Control Policy” defining the specific “Need to Know” and “Least Privilege” rules for the business. |
| Governance Utility | Attempts to “automate” provisioning via dashboards that cannot decide the actual business necessity of specific user permissions. | Governance-First: Provides the framework to formalize your existing AD, Okta, or system-level permissions into an auditor-ready format. | A completed “Access Matrix” proving that user roles (e.g., Finance, Engineering) only have access to necessary assets. |
| Cost Efficiency | Charges a “User Seat Tax” or “Role Tax” that scales costs aggressively as your headcount and organizational complexity grow. | One-Off Fee: A single payment covers your access governance for 5 roles or 500, with no recurring overhead. | Allocating budget to advanced Multi-Factor Authentication (MFA) rather than monthly “compliance dashboard” seat fees. |
| Strategic Freedom | Mandates rigid reporting formats that often fail to align with lean startup environments or specialized SaaS-heavy stacks. | 100% Agnostic: Procedures adapt to any environment—high-end automation or manual, risk-managed approvals—without limits. | The ability to evolve your access strategy (e.g., Zero Trust) without reconfiguring a rigid, third-party SaaS compliance module. |
Summary: For Annex A 5.15, the auditor wants to see that you have a formal Access Control Policy and proof that you follow it (e.g., a documented access matrix and evidence of least privilege). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.15 FAQ
What is ISO 27001 Annex A 5.15?
ISO 27001 Annex A 5.15 is an organisational control that requires rules for physical and logical access to information and other associated assets to be established and implemented based on business and information security requirements.
- Establishes high-level rules for who can access specific data.
- Applies to both digital systems and physical locations.
- Mandates a “Need to Know” and “Need to Use” approach.
- Forms the strategic foundation for all identity and access management (IAM) activities.
Is an Access Control Policy mandatory for ISO 27001?
Yes, a documented, topic-specific policy on access control is a mandatory requirement to satisfy Annex A 5.15 and ensure a consistent approach to managing user permissions.
- It must define the rules for granting, changing, and revoking access.
- It should be approved by senior management and communicated to all staff.
- It must align with the organisation’s overall risk appetite.
- It provides the criteria used by auditors to verify compliance.
What is the Principle of Least Privilege in ISO 27001?
The Principle of Least Privilege (PoLP) is a security mandate where users are granted only the minimum level of access necessary to perform their specific job functions.
- Reduces the “attack surface” in the event of a credential compromise.
- Prevents unauthorised lateral movement within a network.
- Minimises the risk of accidental or intentional data exfiltration.
- Requires regular reviews to ensure permissions haven’t “crept” over time.
How does Annex A 5.15 differ from Annex A 5.18?
The primary difference is that Annex A 5.15 focuses on the high-level rules and policy (the strategy), while Annex A 5.18 focuses on the operational lifecycle of managing access rights (the execution).
- 5.15: Defines the “Law” (Rules, Roles, and Business Logic).
- 5.18: Defines the “Enforcement” (Provisioning, Revocation, and Review).
- Relationship: You cannot implement 5.18 effectively without the rules established in 5.15.
What are the technical requirements for access control?
While ISO 27001 is technology-neutral, Annex A 5.15 implementation typically requires technical enforcement through robust authentication and authorisation systems.
- Enforcement of Multi-Factor Authentication (MFA) for critical systems.
- Use of Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).
- Implementation of secure login screens and session timeouts.
- Centralised logging of all access attempts (successful and failed).
What evidence do auditors expect for Annex A 5.15?
Auditors expect to see a formal Access Control Policy supported by a User Access Register and records of periodic management reviews of user permissions.
- A signed and dated Topic-Specific Policy on Access Control.
- Approved access request forms or digital tickets for new users.
- Evidence of a “Leaver” process showing access was revoked promptly.
- Documentation showing that privileged accounts are restricted and monitored.
Related ISO 27001 Controls
ISO 27001 Annex A 5.18 Access Rights: Annex A 5.18
ISO 27001 Annex A 8.34 Protection of Information Systems During Audit Testing
Further Reading
The complete guide to ISO 27001 risk assessment
ISO 27001 controls and attribute values
| Control type | Information security properties | Cybersecurity concepts | Security domains |
|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Protect | Protection |