ISO 27001 Access Control | Annex A 5.15 | The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Annex A 5.15 Access Control is a security control that establishes rules to govern physical and logical access. By mandating role-based access restrictions, it ensures that only authorized entities interact with sensitive assets, reducing the risk of internal fraud and external breaches.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.15 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.15 Access Control

ISO 27001 Annex A 5.15 requires organizations to establish and implement rules for controlling both physical and logical access to information and other associated assets. Access control is a fundamental “preventive” security measure; it ensures that only authorized individuals and entities (like software services or machines) can interact with sensitive data. By applying the principle of Least Privilege, you minimize the risk of accidental data leaks, internal fraud, and external compromise.

Core requirements for compliance include:

  • Access Control Policy: You must have a documented topic-specific policy that outlines the organization’s rules for granting, reviewing, and revoking access.
  • Asset Integration: You cannot control what you don’t know. Your access rules must be directly linked to your Asset Register (A.5.9) and Information Classification (A.5.12).
  • Need-to-Know vs. Need-to-Use: Access should only be granted based on a clear business requirement to perform a job function (Need-to-Know) or a specific task (Need-to-Use).
  • Role-Based Access Control (RBAC): For efficiency and consistency, access is best managed by assigning permissions to “Roles” (e.g., HR Manager) rather than individual users.
  • Entities Coverage: The control applies not just to humans, but also to “entities” such as automated service accounts, APIs, and connected devices.
  • Continuous Review: Access rights must be reviewed periodically (at least annually) to prevent “Privilege Creep,” where users accumulate unnecessary permissions over time.

Audit Focus: Auditors will look for “The Access Evidence Trail”:

  1. Approval Logs: “Show me the request and approval for the last person given access to the Finance system. Who authorized it?”
  2. The Leaver Test: “Show me a list of employees who left in the last 3 months. Can you prove their access to the VPN and SaaS tools was revoked on their final day?”
  3. Third-Party Access: “How do you manage access for your external IT consultants? Is it permanently open, or granted only when a fix is needed?”

What is ISO 27001 Annex A 5.15?

ISO 27001 Annex A 5.15 is about access control, which means you need a process to control who can access systems and information.

ISO 27001 Annex A 5.15 Access Control is an ISO 27001 control that requires an organisation to implement the control of access to information and other assets based on business and information security requirements.

For a deeper understanding on Access Control in general, read the ISO 27001 Access Control Policy Ultimate Guide.

ISO 27001 Annex A 5.15 Purpose

ISO 27001 Annex A 5.15 is a preventive control. Its purpose is to ensure authorised access to, and to prevent unauthorised access to, information and other associated assets.

ISO 27001 Annex A 5.15 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.15 as:

Rules to control physical and logical access to information and other associated assets should be established

ISO 27001:2022 Annex A 5.15 Access Control

Watch the ISO 27001 Annex A 5.15 Video

In the video ISO 27001 Access Control Explained – ISO27001:2022 Annex A 5.15, I show you how to implement the control and how to pass the audit.

ISO 27001 Annex A 5.15 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.15 Access Control. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.15 Implementation Guide

The control of access to information and other assets is going to require a topic-specific ISO 27001 Access Control Policy. To implement control of access you are first going to have to identify what you have. We cannot control it if we do not know we have it, so before you move on to access control be sure to have completed your asset registers first. We covered asset inventories in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets.

Once you know what you have, you are going to implement information classification, which we covered in ISO 27001 Annex A 5.12 Classification Of Information. This sets out the classification levels of the organisation and the controls and restrictions for each classification.

The standard wants you to implement access control rules by defining and mapping appropriate access rights and restrictions to the relevant entities. By entities it means the things that are doing the accessing, which includes humans and also logical items such as services, devices and machines.

Considerations when implementing access control

Let us take a look at the considerations when defining and implementing access control rules:

  • Work to the principle of least privilege: restrict access to everything unless it is needed, as opposed to the principle that everyone has access to everything unless it is forbidden.
  • Account for automation in process and technology where permissions are changed automatically.
  • Review the approval processes at least annually, or on significant change.
  • Be consistent in your approach to both access rights and information classification.
  • Consider physical perimeter security where appropriate, and keep it consistent with access rights.
  • Where dynamic access control is in play, consider the factors and elements involved and how they can be reflected in the rules.

Steps in implementing access control

You are going to have to


How to implement ISO 27001 Annex A 5.15

Implementing ISO 27001 Annex A 5.15 is about more than just setting passwords: it is about governing the entire lifecycle of access to your organisation’s information assets. As a Lead Auditor, I expect to see a robust framework where access is granted based on business necessity and strictly enforced through technical controls. Follow these ten steps to build a compliant and secure access control environment.

1. Formalise the Access Control Policy

Create a comprehensive policy document that defines the rules for both logical and physical access across the organisation. This policy serves as your “Source of Truth” during an audit and must be approved by senior management. Requirements include:

  • Defining access rules based on the “Need to Know” and “Least Privilege” principles.
  • Establishing clear guidelines for different classifications of information.
  • Distinguishing between standard user access and administrative privileges.

2. Map Roles to the Asset Register

Consult your Asset Register to identify every information asset and its respective owner. This step ensures that access is authorised by the person responsible for the data, rather than IT acting in isolation. Requirements include:

  • Identifying all software, hardware, and data assets within the ISMS scope.
  • Assigning an Asset Owner to every entry in the register.
  • Documenting which job roles require access to specific assets to perform their duties.

3. Standardise User Registration and De-registration

Establish a formal workflow for the onboarding and offboarding of employees, contractors, and third parties. This process prevents “Shadow Access” where accounts are created without proper oversight. Requirements include:

  • Implementing a Joiner process that verifies identity before provisioning unique IDs.
  • Ensuring a Leaver process that revokes all access immediately upon termination of employment.
  • Maintaining a Record of Evidence (ROE) for all registration and de-registration activities.

4. Provision Access via Role-Based Access Control (RBAC)

Use an RBAC model to provision access rights based on job functions rather than individual requests. This ensures consistency and reduces the risk of excessive permissions. Requirements include:

  • Creating IAM (Identity and Access Management) roles that mirror organisational positions.
  • Ensuring that access is only provisioned after formal authorisation from the Asset Owner.
  • Verifying that temporary access for contractors is set to expire automatically.

5. Segregate Privileged Access Rights

Strictly control accounts with elevated permissions, such as Domain Admins or Superusers, as these represent the highest security risk. Privileged access must be handled via a separate, audited process. Requirements include:

  • Provisioning dedicated administrative accounts that are separate from standard user accounts.
  • Restricting privileged access to the absolute minimum number of individuals.
  • Implementing a “Just-In-Time” (JIT) access model for sensitive configuration changes.

6. Enforce Strong Authentication and MFA

Implement technical controls to verify the identity of users attempting to access the network. Multi-Factor Authentication (MFA) is a mandatory requirement for remote and privileged access. Requirements include:

  • Mandating MFA for all external access via VPN or cloud services.
  • Setting minimum password complexity and rotation requirements in line with industry standards.
  • Prohibiting the use of shared or generic accounts for any information asset.

7. Configure Resource-Level Restrictions

Apply technical “Read, Write, and Delete” permissions at the file and database level to enforce the policy. This ensures that even if a user is on the network, they can only interact with data relevant to their role. Requirements include:

  • Configuring Access Control Lists (ACLs) on all file servers and cloud storage.
  • Restricting access to specific applications and functions based on user roles.
  • Verifying that “Everyone” or “Guest” access is disabled on all internal resources.

8. Execute Quarterly User Access Reviews

Perform regular “re-certification” of user access rights to ensure permissions remain appropriate as the organisation evolves. This is a critical check for an ISO 27001 auditor. Requirements include:

  • Distributing user lists to Asset Owners for periodic verification and sign-off.
  • Removing access for any users who no longer have a valid business requirement.
  • Documenting the review process and the results in an Audit ROE.

9. Automate Account Adjustment for Movers

Update access rights immediately when an individual changes roles within the organisation to prevent “Privilege Creep.” This ensures that old permissions are removed when they are no longer needed. Requirements include:

  • Triggering an access review whenever a user’s department or job title changes in HR systems.
  • Revoking old permissions before granting new ones to ensure “Least Privilege.”
  • Reviewing and adjusting physical access rights (e.g., key cards) for internal movers.

10. Document the Control Environment in an ROE

Maintain a centralised Record of Evidence (ROE) that proves your access controls are functioning as intended. Without documentation, you cannot prove compliance to an external auditor. Requirements include:

  • Collecting logs of account creation, modification, and deletion.
  • Storing signed authorisation forms and quarterly review sign-offs.
  • Maintaining a history of MFA enrolment and privileged access logs for at least 12 months.

How to audit ISO 27001 Annex A 5.15

Auditing ISO 27001 Annex A 5.15 requires a rigorous examination of how your organisation manages the full lifecycle of user access. As a Lead Auditor, I look for evidence that access is not merely granted, but is governed by business necessity and strictly enforced through technical controls. Follow these ten steps to ensure your access control environment meets the required standard of compliance.

1. Review the Formal Access Control Policy

Examine the overarching policy documentation to ensure it aligns with business requirements and risk assessments. A successful audit outcome confirms that the policy defines clear rules for both logical and physical access across all information assets. Requirements include:

  • Verification that the policy is approved by senior management.
  • Confirmation that access rules are based on the “Need to Know” and “Least Privilege” principles.
  • Evidence of regular policy updates to reflect changes in the technical environment.

2. Validate the Asset Register and Ownership

Cross-reference your access controls with the central Asset Register to ensure every information asset has a designated owner. This step ensures that access is authorised by the individual responsible for the data. Requirements include:

  • Evidence that asset owners have defined access levels for their respective assets.
  • Verification that the Asset Register is accurate and up to date.
  • Mapping of user roles to specific asset classifications.

3. Audit the Joiner Process and Initial Provisioning

Inspect the workflow for new employees or contractors to verify that access is only granted through a formalised process. This prevents “shadow access” where accounts are created without proper oversight. Requirements include:

  • Review of HR records against IAM (Identity and Access Management) logs.
  • Verification of signed non-disclosure agreements before access is provisioned.
  • Confirmation that unique user IDs are assigned to every individual.

4. Evaluate the Mover Process and Role Changes

Assess how access rights are adjusted when an individual changes roles within the organisation. This prevents “privilege creep,” where users retain old permissions that are no longer required. Requirements include:

  • Evidence of a formal notification system between HR and IT for internal transfers.
  • Verification that old permissions are revoked before new ones are granted.
  • Review of recent “Mover” tickets to ensure no residual access remains.

5. Verify the Leaver Process and Immediate Revocation

Test the effectiveness of the termination process to ensure access is revoked immediately upon departure. This is a critical security step to prevent unauthorised access by former personnel. Requirements include:

  • Checking timestamps of account deactivation against the employee’s final working day.
  • Verification that physical access tokens or keys were collected.
  • Confirmation that remote access and VPN accounts are disabled.

6. Inspect Privileged Access Management (PAM)

Conduct a deep dive into accounts with elevated permissions, such as Domain Admins or Superusers. These accounts represent the highest risk to the organisation and require stricter controls. Requirements include:

  • Evidence that privileged access is restricted to the absolute minimum number of users.
  • Verification that administrative tasks are performed using dedicated admin accounts rather than standard user accounts.
  • Review of the authorisation logs for granting temporary elevated rights.

7. Test Authentication and MFA Enforcement

Verify that the technical implementation of authentication matches the policy requirements. Multi-Factor Authentication (MFA) is now a baseline expectation for ISO 27001 compliance. Requirements include:

  • Verification that MFA is active for all remote and privileged access points.
  • Testing password complexity and rotation settings in Active Directory or Cloud Identity providers.
  • Ensuring that default vendor passwords have been changed on all hardware and software.

8. Review Resource Access Restrictions

Examine the technical configuration of folders, databases, and applications to ensure users can only access what is necessary for their role. This validates the technical enforcement of the policy. Requirements include:

  • Sampling folder permissions on file shares to check for “Everyone” or “Authenticated User” groups with excessive rights.
  • Verifying database-level permissions for sensitive customer or financial data.
  • Reviewing Role-Based Access Control (RBAC) configurations in SaaS applications.

9. Confirm Periodic Access Reviews

Check for evidence that management performs regular reviews of user access rights. This “re-certification” ensures that access remains appropriate over time. Requirements include:

  • Review of the Record of Evidence (ROE) showing that asset owners have signed off on user lists.
  • Verification that any discrepancies found during reviews were remediated promptly.
  • Confirmation that the frequency of reviews matches the risk level of the asset.

10. Formalise the Audit Record of Evidence

Consolidate all findings into a structured report to demonstrate compliance to external auditors. A clear audit trail is essential for maintaining ISO 27001 certification. Requirements include:

  • Compilation of all screenshots, logs, and ticket samples collected during the audit.
  • Documentation of any non-conformities and the associated corrective action plans.
  • Final sign-off by the Lead Auditor or Information Security Manager.

Access Control Principles

The principles of access control usually fall into two mainstream camps of thinking. They are:

Need to know

Need to know is the principle that you grant access to the information required to perform the tasks and duties.

Need to use

Need to use is the principle of granting access where a clear need is present.

Let’s be fair, the difference is subtle and barely material, in that either way you grant access to what people need. You will not be quizzed on this, and a simpler way to look at it is: do not give people access to things they don’t need.

Access Control Methodologies

There is no one right way to implement access control, although the most common is role based access. It is the most common because it is most often the simplest. The list of access control methodologies is:

  • MAC – mandatory access control
  • DAC – discretionary access control
  • RBAC – role based access control
  • ABAC – attribute based access control

Access Control Granularity

The level of granularity of access control is based on your business and business risk. The range is wide, from covering entire networks or systems all the way down to restricting access to individual fields. You can consider factors such as location, how people connect, and who connects, from teams down to individuals.

The level of granularity correlates directly with cost and security.

The more granular you are, the more cost you will incur in time and resources, but the more secure you will be.

The less granular you are, the less cost you will incur in time and resources, but the more insecure (potentially) you will be.

The art is to find the balance that is right for you.

Access Matrix Example

Role | HR System | Finance System | IT Admin Panel | ISO 27001:2022 Control
HR Manager | Read/Write | Read Only (Payroll) | No Access | Annex A 5.15 / 5.18
Finance Clerk | No Access | Read/Write | No Access | Annex A 5.15 / 5.18
IT Admin | No Access | No Access | Full Control | Annex A 5.15 / 8.15
Standard User | Read Self (Profile) | No Access | No Access | Annex A 5.15
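The access matrix above is also what an access review (steps 4, 8 and 9 in the implementation guide) is checked against: what each user actually holds in the IAM export is compared with what their current role is entitled to, and anything above that is privilege creep or residual mover rights. The script below is an added example, not the page’s or High Table’s code; the matrix is the page’s, while the user-to-role assignments and the IAM export rows are constructed sample data.

```python
"""Access-matrix review: flag users who hold more than their role is entitled to.
Added example (not the page's code). ACCESS_MATRIX is the page's example matrix;
SAMPLE_ASSIGNMENTS and SAMPLE_IAM_EXPORT are constructed sample data."""
from dataclasses import dataclass

# The page's access matrix: role -> system -> permission level.
# Anything a role is not listed for is "No Access" (deny by default).
ACCESS_MATRIX = {
    "HR Manager":    {"HR System": "Read/Write", "Finance System": "Read Only (Payroll)"},
    "Finance Clerk": {"Finance System": "Read/Write"},
    "IT Admin":      {"IT Admin Panel": "Full Control"},
    "Standard User": {"HR System": "Read Self (Profile)"},
}

# Rank the permission levels so "holds more than entitled" can be detected.
# A level not in this table is treated as higher than everything, so it is always flagged.
RANK = {"No Access": 0, "Read Self (Profile)": 1, "Read Only (Payroll)": 2,
        "Read/Write": 3, "Full Control": 4}


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    held: str
    entitled: str
    kind: str  # "excess" (privilege creep / residual mover rights) or "unknown_user"


def entitled_level(role: str, system: str) -> str:
    """Permission the access matrix grants a role on a system."""
    return ACCESS_MATRIX.get(role, {}).get(system, "No Access")


def review(assignments: dict, iam_export: list) -> list:
    """assignments: user -> current role, as HR records it.
    iam_export: (user, system, permission) rows as an IAM or AD export would list them."""
    findings = []
    for user, system, held in iam_export:
        role = assignments.get(user)
        if role is None:
            # Account exists but HR has no current role for it: a leaver or a shadow account.
            findings.append(Finding(user, system, held, "No Access", "unknown_user"))
            continue
        entitled = entitled_level(role, system)
        if RANK.get(held, 99) > RANK[entitled]:
            findings.append(Finding(user, system, held, entitled, "excess"))
    return findings


def summarise(findings: list) -> dict:
    """Count of findings per kind, the figure an access-review ROE records."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data: alice moved from Finance Clerk to HR Manager and kept her
# old Finance System rights; dave is a standard user who somehow holds Full Control;
# carol has an account but no current role in HR.
SAMPLE_ASSIGNMENTS = {"alice": "HR Manager", "bob": "Finance Clerk", "dave": "Standard User"}
SAMPLE_IAM_EXPORT = [
    ("alice", "HR System", "Read/Write"),
    ("alice", "Finance System", "Read/Write"),
    ("bob", "Finance System", "Read/Write"),
    ("dave", "HR System", "Read Self (Profile)"),
    ("dave", "IT Admin Panel", "Full Control"),
    ("carol", "HR System", "Read/Write"),
]

if __name__ == "__main__":
    found = review(SAMPLE_ASSIGNMENTS, SAMPLE_IAM_EXPORT)
    for f in found:
        print(f"{f.kind:12} {f.user:6} {f.system:15} holds {f.held!r}, entitled {f.entitled!r}")
    print(summarise(found))
```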

ISO 27001 Access Control Policy Template

The ISO 27001 Access Control Policy template is pre-written and ready to go. It is one of the required ISO 27001 policies and sets out the organisation’s approach to access control.

ISO 27001 Access Control Policy - ISO 27001 Annex A 5.15 Template

How to comply

To comply with ISO 27001 Annex A 5.15 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

How to pass an ISO 27001 Annex A 5.15 audit

To pass an audit of ISO 27001 Annex A 5.15 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let’s go through the most common.

1. That you have not done something stupid

The auditor is going to check the rules, procedures and access control methodology and make sure you followed them. As with everything, having documented evidence of anything you can is going to be your friend: practical things like asset registers, access control procedures that you can evidence are in operation, and reviews of access. Work through recent hires, for example, ensure the processes were followed and look for the gotchas. Is there an approval audit trail? When you log into the system that was approved, does the user’s access match what was requested?

2. That you have rules, processes and you have followed them and have trained people

This is obvious, but they are going to look for evidence that you have documented what you say you do, that you follow it and that you have trained people. The biggest gotcha here is having people with access who have left. In other words, you didn’t have or follow a leaver process, and so people’s access remains even though their contract has ended.

3. Documentation

They are going to look at audit trails and all your documentation and check that it is classified and labelled. As a minimum, any document you show them that is confidential should be labelled as such. Is the document up to date? Has it been reviewed in the last 12 months? Does the version control match? Doing anything else would be a massive own goal.

Top 3 ISO 27001 Annex A 5.15 Mistakes People Make and How to Avoid Them

The top 3 mistakes people make for ISO 27001 Annex A 5.15 are:

1. People have left but they still have access

Make sure that access to systems is up to date and that people or third parties that have left no longer have access.

2. Third parties have open access

Third parties should follow a process, and the process should be to grant access when it is required and remove it when it is not. It should not be open and continual access. Consider the example where you need a third party to fix something. You would grant access to allow the fix and then remove it. You would not grant open-ended access.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no comments left in them are all good practices.

Applicability of ISO 27001 Annex A 5.15 across different business models.

For each business type, the applicability and interpretation of the control is given below, followed by examples of the control in practice.

Small Businesses

Applicability & Interpretation: Owner-Defined Rules. In small teams, “Roles” are often fluid. Compliance means defining clear, high-level rules (e.g., “Only the owner can approve payments”) rather than complex matrices.

Examples of Control:
  • The “Owner Approval” Rule: A policy stating that any access to the bank account or payroll system requires explicit approval from the Director.
  • Least Privilege: Defaulting all new email accounts to “Standard User” rather than “Administrator” to prevent accidental system-wide changes.

Tech Startups

Applicability & Interpretation: RBAC & Attribute-Based Access. Startups must move away from “Everyone is Admin.” The focus is on Role-Based Access Control (RBAC) where permissions are linked to the job title, not the person.

Examples of Control:
  • Role Definitions: Defining strict roles in your policy (e.g., “Junior Dev” has Read-Only access to Prod; “Senior Dev” has Deploy access).
  • Dynamic Access: Using Attribute-Based Access Control (ABAC) rules, such as “Developers can only access Production logs via the VPN during work hours.”

AI Companies

Applicability & Interpretation: Data Segmentation Rules. Access control is critical for IP protection. The policy must strictly separate “Research/Training” environments from “Inference/Production” environments to prevent data leakage.

Examples of Control:
  • Need-to-Know Datasets: A rule enforcing that Data Scientists only have access to the specific datasets required for their current project, not the entire Data Lake.
  • Service Account Rules: Mandating that automated training bots have “Write” access to model buckets but only “Read” access to raw customer PII.
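The startup examples above combine a role split (Junior Dev read-only on Prod, Senior Dev may deploy) with an attribute rule (“Developers can only access Production logs via the VPN during work hours”). The evaluator below is an added example, not the page’s or any product’s code, showing how such rules are expressed and evaluated deny-by-default with a logged reason; the attribute names, the 09:00 to 17:59 weekday work window, the rule layout and the sample requests are all assumptions.

```python
"""Deny-by-default ABAC/RBAC evaluation for the startup rules quoted on the page.
Added example, not the page's code. Attribute names, the work-hours window and
the RULES layout are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    role: str       # e.g. "Junior Dev", "Senior Dev"
    action: str     # "read" or "deploy"
    resource: str   # e.g. "prod-logs", "prod-deploy"
    network: str    # "vpn", "office" or "internet"
    hour: int       # local hour, 0..23
    weekday: int    # 0 = Monday .. 6 = Sunday


WORK_HOURS = range(9, 18)  # 09:00 to 17:59 (assumption)
WORK_DAYS = range(0, 5)    # Monday to Friday (assumption)

# Each rule names who may do what to which resource, and the attribute
# conditions that must also hold. No matching rule means no access.
RULES = [
    {"name": "dev-prod-logs", "roles": {"Junior Dev", "Senior Dev"}, "actions": {"read"},
     "resources": {"prod-logs"}, "networks": {"vpn"}, "work_hours_only": True},
    {"name": "senior-deploy", "roles": {"Senior Dev"}, "actions": {"deploy"},
     "resources": {"prod-deploy"}, "networks": {"vpn", "office"}, "work_hours_only": False},
]


def in_work_hours(req: Request) -> bool:
    return req.weekday in WORK_DAYS and req.hour in WORK_HOURS


def evaluate(req: Request, rules=RULES) -> tuple:
    """Return (allowed, reason). The reason is what you would write to the audit trail.
    Access is allowed only if some rule covers the role/action/resource AND all of
    that rule's attribute conditions hold; otherwise every near-miss is reported."""
    reasons = []
    for rule in rules:
        if (req.role not in rule["roles"] or req.action not in rule["actions"]
                or req.resource not in rule["resources"]):
            continue  # this rule does not cover the request at all
        if req.network not in rule["networks"]:
            reasons.append(f"{rule['name']}: network {req.network!r} not permitted")
            continue
        if rule["work_hours_only"] and not in_work_hours(req):
            reasons.append(f"{rule['name']}: outside work hours")
            continue
        return True, f"{rule['name']}: attributes satisfied"
    return False, "; ".join(reasons) or "no rule grants this access (deny by default)"


if __name__ == "__main__":
    # Constructed sample requests.
    for req in (Request("Junior Dev", "read", "prod-logs", "vpn", 10, 1),
                Request("Junior Dev", "read", "prod-logs", "office", 10, 1),
                Request("Junior Dev", "read", "prod-logs", "vpn", 22, 1),
                Request("Junior Dev", "deploy", "prod-deploy", "vpn", 10, 1),
                Request("Senior Dev", "deploy", "prod-deploy", "office", 22, 5)):
        print(req, "->", evaluate(req))
```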


Fast Track ISO 27001 Annex A 5.15 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.15 (Access control), the requirement is to implement rules and procedures to control physical and logical access to information and assets. This is a core preventive control that ensures only authorized entities (humans or systems) can access what they need to perform their duties, following the principle of “least privilege.”

Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example
Policy Ownership | Rents access to your access rules; if you cancel the subscription, your documented RBAC/ABAC methodologies and history vanish. | Permanent Assets: Fully editable Word/Excel Access Control Policies and Matrix templates that you own forever. | A localized “Access Control Policy” defining the specific “Need to Know” and “Least Privilege” rules for the business.
Governance Utility | Attempts to “automate” provisioning via dashboards that cannot decide the actual business necessity of specific user permissions. | Governance-First: Provides the framework to formalize your existing AD, Okta, or system-level permissions into an auditor-ready format. | A completed “Access Matrix” proving that user roles (e.g., Finance, Engineering) only have access to necessary assets.
Cost Efficiency | Charges a “User Seat Tax” or “Role Tax” that scales costs aggressively as your headcount and organizational complexity grow. | One-Off Fee: A single payment covers your access governance for 5 roles or 500, with no recurring overhead. | Allocating budget to advanced Multi-Factor Authentication (MFA) rather than monthly “compliance dashboard” seat fees.
Strategic Freedom | Mandates rigid reporting formats that often fail to align with lean startup environments or specialized SaaS-heavy stacks. | 100% Agnostic: Procedures adapt to any environment, whether high-end automation or manual, risk-managed approvals, without limits. | The ability to evolve your access strategy (e.g., Zero Trust) without reconfiguring a rigid, third-party SaaS compliance module.

Summary: For Annex A 5.15, the auditor wants to see that you have a formal Access Control Policy and proof that you follow it (e.g., a documented access matrix and evidence of least privilege). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

Standard / Law | Relevant Section | Relationship to Access Control (Annex A 5.15)
UK Data (Use and Access) Act 2025 | Security of Processing | The UK’s evolution of GDPR. While it reduces “red tape” for some admin tasks, it maintains high security thresholds. Annex A 5.15 provides the “appropriate technical measures” required to protect personal data from unauthorised access.
Cyber Security and Resilience Bill (UK) | Supply Chain & MSP Security | The UK’s version of NIS2. It mandates that Managed Service Providers (MSPs) have strict access controls in place to prevent “pivot attacks” where a breach of the provider leads to a breach of the client.
NIS2 Directive (EU) | Article 21 (Cybersecurity Risk Management) | Mandates “Identity and Access Management” (IAM) as a core pillar. A 5.15 is the direct implementation of the “hygiene” and “training” requirements for entities in critical sectors.
DORA (Digital Operational Resilience Act) | Article 9 (ICT Security) | Specifically requires financial entities to implement “strict logical access” policies. A 5.15’s focus on role-based access control (RBAC) and least privilege is a non-negotiable requirement for DORA compliance.
GDPR (EU/UK) | Article 32 (Security of Processing) | Requires the “Confidentiality” of processing systems. Access control is the primary mechanism used to ensure that only authorised personnel can view or process PII (Personally Identifiable Information).
NIST Cybersecurity Framework (CSF) 2.0 | PR.AA (Authentication and Authorisation) | NIST focuses heavily on Identity Management. A 5.15 maps directly to NIST’s requirements for verifying identities and authorising access based on risk and business need.
SOC2 (Trust Services Criteria) | CC6.0 (Logical and Physical Access) | SOC2 audits look for the exact same evidence as ISO 27001: request logs, approval workflows, and immediate revocation. A 5.15 is essentially the blueprint for SOC2’s access criteria.
CIRCIA (USA) | Incident Reporting Requirements | While CIRCIA’s focus is on reporting, poor access control is the leading cause of “reportable” incidents. A 5.15 acts as a preventive control to avoid the 72-hour reporting mandate triggered by unauthorised access.
EU Product Liability Directive (PLD) | Cybersecurity Flaws Liability | Extends strict liability to software providers. If a product lacks robust access control mechanisms (as defined in A 5.15), the provider can be held liable for damages resulting from cybersecurity flaws.
ECCF (European Cybersecurity Certification Framework) | Harmonised Security Labels | The framework uses ISO 27001 as a baseline. To achieve a “High” assurance level label, an organisation must demonstrate the “Least Privilege” and “MFA” requirements found in A 5.15.
EU AI Act / ISO/IEC 42001 | Data Governance & Robustness | AI systems require strict data segmentation. A 5.15 ensures that “Training Data” is kept separate from “Production Data” and that only authorised Data Scientists can modify model weights.
HIPAA (USA) | § 164.312 (Technical Safeguards) | For healthcare data, access control is a legal requirement. A 5.15 provides the framework for “Unique User Identification” and “Automatic Logoff” required by HIPAA.
CCPA / CPRA (California) | Right to Limit Use & Security | Requires businesses to implement reasonable security procedures. Implementing A 5.15 is considered “industry standard” evidence of fulfilling this legal duty to protect Californian residents’ data.

ISO 27001:2013 vs 2022: What Changed for Access Control?

As promised in the introduction, let us look at exactly what changed in the 2022 update. In the older ISO 27001:2013 standard, Access Control was a massive, sprawling domain known as Clause 9. It contained over a dozen sub-controls.

The 2022 update streamlined this beautifully. The old Controls 9.1.1 (Access control policy) and 9.1.2 (Access to networks and network services) were merged to create the new Annex A 5.15. More importantly, the 2022 standard split the concept of access into three distinct phases. Annex A 5.15 sets the overarching rules. Annex A 5.16 handles the creation of the user identity. Annex A 5.18 handles the day-to-day provisioning of the access rights. This modular approach makes it much easier to build a logical, step-by-step compliance program.

Zero Trust Architecture and ISO 27001

The old way of managing access control relied on a “castle and moat” strategy. Once a user connected to the corporate VPN, they were trusted and could roam freely around the network. Modern auditors know this is no longer secure. If one user gets hacked, the entire network falls.

The modern standard for satisfying Annex A 5.15 is Zero Trust Architecture. The core philosophy of Zero Trust is “never trust, always verify.” It means that every single request to access a system or file is independently authenticated and authorised, regardless of whether the user is sitting in the corporate office or working from a coffee shop. By implementing Zero Trust, you mathematically enforce the Principle of Least Privilege and make your ISO 27001 audit incredibly smooth.

The Physical Access Blindspot

It is very easy to get obsessed with Identity and Access Management software, Multi-Factor Authentication, and cloud permissions. Do not forget that Annex A 5.15 explicitly requires you to control physical access to information assets.

As an auditor, I will walk around your office. I will look for server rooms with propped-open doors. I will check if your filing cabinets containing HR records are locked. I will stand by your main entrance and see if I can “tailgate” an employee through the security barriers without swiping a badge. Your Access Control Policy must define clear rules for office visitors, physical key management, and secure zones.

How to Measure Access Control Success (KPIs)

You cannot pass a Stage 2 audit just by having a written policy. You must prove to the auditor that your management team actively monitors the effectiveness of your access controls. You should track the following Key Performance Indicators (KPIs) and present them at your Management Review meetings:

  • MFA Adoption Rate: The percentage of active user accounts that have Multi-Factor Authentication enabled and enforced (Target: 100%).
  • Orphaned Account Count: The number of active accounts belonging to users or contractors who left the organisation more than 24 hours ago.
  • Access Review Completion: The percentage of Asset Owners who successfully completed their quarterly user access review on time.
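As an added example (not the author's code), here is how these three KPIs could be computed from an identity-provider export, an HR leaver list and the asset owners' review log; the field names, the 24-hour grace window and the "as of" time are assumptions, and all records are constructed.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed "as of" time

# Constructed identity-provider export: one record per account (field names assumed).
ACCOUNTS = [
    {"user": "alice", "active": True, "mfa_enforced": True},
    {"user": "bob", "active": True, "mfa_enforced": False},
    {"user": "carol", "active": True, "mfa_enforced": True},
    {"user": "dave", "active": False, "mfa_enforced": False},  # disabled, so ignored
    {"user": "erin", "active": True, "mfa_enforced": True},
]

# Constructed HR leaver list: user -> time they left the organisation.
LEAVERS = {
    "bob": NOW - timedelta(hours=36),   # left 36h ago but still active: orphaned
    "dave": NOW - timedelta(days=10),   # left and correctly disabled
    "erin": NOW - timedelta(hours=2),   # left 2h ago, still inside the 24h window
}

# Constructed quarterly review log: asset owner -> completion time (None = not done).
REVIEWS_DUE = NOW - timedelta(days=7)
REVIEWS = {
    "owner1": NOW - timedelta(days=10),
    "owner2": None,
    "owner3": NOW - timedelta(days=3),  # completed, but after the due date
}


def mfa_adoption_rate(accounts):
    """Percentage of active accounts with MFA enforced (target: 100)."""
    active = [a for a in accounts if a["active"]]
    if not active:
        return 100.0
    return 100.0 * sum(a["mfa_enforced"] for a in active) / len(active)


def orphaned_accounts(accounts, leavers, now, grace=timedelta(hours=24)):
    """Active accounts whose owner left more than `grace` ago (target: 0)."""
    return sorted(
        a["user"] for a in accounts
        if a["active"] and a["user"] in leavers and now - leavers[a["user"]] > grace
    )


def review_completion_rate(reviews, due):
    """Percentage of asset owners who completed their review on or before `due`."""
    on_time = sum(1 for done in reviews.values() if done is not None and done <= due)
    return 100.0 * on_time / len(reviews)
```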

The “Break-Glass” Emergency Access Procedure

Your Role-Based Access Control system is perfectly tuned. Multi-Factor Authentication is enforced everywhere. Then, a catastrophic outage hits your primary identity provider, locking every single employee out of your network. How do your engineers get in to fix it?

Auditors look for a documented “Break-Glass” or “Firecall” procedure. This involves creating a highly privileged emergency administrator account that bypasses standard SSO. The credentials for this account must be stored offline in a physical safe or a highly restricted digital vault. Most importantly, the moment this account is used to log in, it must trigger an immediate, un-ignorable alert to your security team and management. Access control must account for absolute worst-case scenarios.
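The "un-ignorable alert" described above, as an added detection example that is not the author's code: it scans constructed authentication log lines in an assumed syslog-style format and raises an alert on any event involving the emergency account (the account name is an assumption). Failed attempts are alerted as well, since the credentials should never be tried outside a declared incident.

```python
import re
from dataclasses import dataclass

# Assumed name of the emergency account; adjust to your own.
BREAK_GLASS_ACCOUNTS = {"breakglass-admin"}

# Constructed sample log lines in an assumed format:
# "<timestamp> <host> auth: <result> login user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-06-01T02:14:07Z idp01 auth: SUCCESS login user=alice src=10.1.4.22
2024-06-01T02:15:31Z fw01 auth: FAILURE login user=breakglass-admin src=203.0.113.9
2024-06-01T02:16:02Z fw01 auth: SUCCESS login user=breakglass-admin src=10.1.4.22
2024-06-01T02:17:45Z idp01 auth: SUCCESS login user=bob src=10.1.4.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>SUCCESS|FAILURE) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    severity: str
    timestamp: str
    host: str
    user: str
    src: str
    reason: str


def detect_break_glass(log_text, accounts=BREAK_GLASS_ACCOUNTS):
    """Return one Alert per log event that involves a break-glass account."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in accounts:
            continue  # malformed line or an ordinary account: no alert
        if m["result"] == "SUCCESS":
            severity = "critical"
            reason = "break-glass account logged in; confirm a declared incident"
        else:
            severity = "high"
            reason = "failed login with break-glass account; possible credential probing"
        alerts.append(Alert(severity, m["ts"], m["host"], m["user"], m["src"], reason))
    return alerts
```

Each alert carries the source address and host so the security team can confirm the login came from the engineer who retrieved the credentials from the safe or vault.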

Securing Non-Human Identities (Service Accounts)

Organisations spend months refining their joiner and leaver processes for human employees, but completely ignore their machines. A service account used by your backup software to copy your databases often holds more privileges than your CEO.

Annex A 5.15 explicitly states that access control applies to “entities,” not just people. During an audit, I will ask to see your service account registry. You must prove that non-human accounts have interactive logins disabled, meaning a human cannot manually type in the password to log into a portal. You must also prove that these API keys and passwords are automatically rotated and restricted to specific internal IP addresses.

Enforcing Segregation of Duties (SoD)

Access control is intimately linked to Annex A 5.3 (Segregation of Duties). The purpose of access control is not just to keep external attackers out. It is also designed to prevent internal fraud and catastrophic errors.

When defining your Access Control Matrix, you must actively identify and prevent “toxic combinations.” A classic example is the finance department. The person who has access to create a new vendor in your accounting system must not be the same person who has access to approve payments to that vendor. Your technical access controls must enforce this separation, requiring two distinct roles and two distinct logins to complete a highly sensitive business transaction.
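The finance example above as an added example (not the author's code): a check over a role-based Access Control Matrix that reports every identity holding a "toxic combination". Role, entitlement and user names are constructed assumptions. The check works at the entitlement level, so it goes beyond the single-role case and also catches a conflict that arises only because two otherwise acceptable roles were both assigned to one person.

```python
# Constructed role -> entitlement matrix for the accounting system (names assumed).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "finance_admin": {"vendor.create", "payment.approve", "user.admin"},
    "auditor": {"ledger.read"},
}

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},   # conflict arises only across two roles
    "carol": {"finance_admin"},          # conflict sits inside a single role
    "dan": {"auditor"},
}

# Toxic combinations: pairs of entitlements no single identity may hold together.
TOXIC_PAIRS = [
    ("vendor.create", "payment.approve"),
    ("user.admin", "payment.approve"),
]


def effective_entitlements(user, user_roles=USER_ROLES, matrix=ROLE_ENTITLEMENTS):
    """Union of the entitlements granted through all of the user's roles."""
    ents = set()
    for role in user_roles.get(user, ()):
        ents |= matrix.get(role, set())
    return ents


def find_sod_conflicts(user_roles=USER_ROLES, matrix=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Return {user: [(ent_a, ent_b), ...]} for every user holding a toxic pair."""
    conflicts = {}
    for user in user_roles:
        ents = effective_entitlements(user, user_roles, matrix)
        hits = [pair for pair in toxic if pair[0] in ents and pair[1] in ents]
        if hits:
            conflicts[user] = hits
    return conflicts


def find_toxic_roles(matrix=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Roles that are toxic on their own: they can never be assigned SoD-compliantly."""
    return sorted(r for r, ents in matrix.items()
                  if any(a in ents and b in ents for a, b in toxic))
```

Running both checks before each quarterly access review gives the Asset Owner a concrete list of identities to split or roles to redesign.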

ISO 27001 Annex A 5.15 FAQ

As a Lead Auditor with over 30 years of experience, I have seen thousands of organisations struggle with access control. Below are the definitive answers to the most common questions regarding ISO 27001 Annex A 5.15, formatted to help you pass your audit with confidence.

What is ISO 27001 Annex A 5.15?

ISO 27001 Annex A 5.15 is an organisational control that requires rules for physical and logical access to information and other associated assets to be established and implemented based on business and information security requirements. This control serves as the strategic foundation for all identity and access management (IAM) activities. Key components include:

  • Establishing high-level rules for who can access specific data.
  • Application to both digital systems and physical locations.
  • Mandating a “Need to Know” and “Need to Use” approach.

Is an Access Control Policy mandatory for ISO 27001?

Yes, a documented, topic-specific policy on access control is a mandatory requirement to satisfy Annex A 5.15 and ensure a consistent approach to managing user permissions. This policy provides the criteria used by auditors to verify compliance. Requirements include:

  • Defining rules for granting, changing, and revoking access.
  • Approval by senior management and clear communication to all staff.
  • Alignment with the organisation’s overall risk appetite.

What is the Principle of Least Privilege in ISO 27001?

The Principle of Least Privilege (PoLP) is a security mandate where users are granted only the minimum level of access necessary to perform their specific job functions. This is critical because it reduces the “attack surface” in the event of a credential compromise. Benefits include:

  • Preventing unauthorised lateral movement within a network.
  • Minimising the risk of accidental or intentional data exfiltration.
  • Requiring regular reviews to ensure permissions haven’t “crept” over time.

How does Annex A 5.15 differ from Annex A 5.18?

The primary difference is that Annex A 5.15 focuses on the high-level rules and policy (the strategy), while Annex A 5.18 focuses on the operational lifecycle of managing access rights (the execution). From a Lead Auditor’s perspective, A 5.15 defines the “Law” (Rules, Roles, and Business Logic), whereas A 5.18 defines the “Enforcement” (Provisioning, Revocation, and Review).

What are the technical requirements for access control?

While ISO 27001 is technology-neutral, Annex A 5.15 implementation typically requires technical enforcement through robust authentication and authorisation systems. Industry-standard implementations often include:

  • Enforcement of Multi-Factor Authentication (MFA) for critical systems.
  • Use of Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).
  • Implementation of secure login screens and session timeouts.
  • Centralised logging of all access attempts (successful and failed).

What evidence do auditors expect for Annex A 5.15?

Auditors expect to see a formal Access Control Policy supported by a User Access Register and records of periodic management reviews of user permissions. To guarantee an audit pass, you should provide:

  • A signed and dated Topic-Specific Policy on Access Control.
  • Approved access request forms or digital tickets for new users.
  • Evidence of a “Leaver” process showing access was revoked promptly (typically within 24 hours).
  • Documentation showing that privileged accounts are restricted and monitored.
Related ISO 27001 Control | Description
ISO 27001 Annex A 5.15 Access Control | As a Lead Auditor, I consider this the definitive guide for establishing the governance rules of your organisation. It sets the mandate for how users and machines interact with your information assets and forms the bedrock of your preventive security posture.
ISO 27001 Access Control Policy Ultimate Guide | This is the overarching topic-specific guidance required to satisfy the governance aspect of A 5.15. From an auditor’s perspective, if you do not have a documented policy defining ‘Need to Know’ rules, your technical controls lack the necessary management authority.
ISO 27001 Annex A 5.16 Identity Management | Identity management is the precursor to access control. You cannot control access for an entity you haven’t identified. I look for a clean joiner, mover, and leaver process here to ensure that only valid identities are fed into your A 5.15 access rules.
ISO 27001 Annex A 5.17 Authentication Information | While A 5.15 sets the rules, A 5.17 covers the secrets used to verify those identities. If your authentication management is weak, your access controls can be bypassed, which is a major red flag during a certification audit.
ISO 27001 Annex A 5.18 Access Rights | This control provides the operational evidence of your access policy in action. It covers the lifecycle of provisioning, reviewing, and revoking rights. I use the records from this section to prove that your A 5.15 policy is actually being followed.
ISO 27001 Annex A 8.2 Privileged Access Rights | This is the high-risk extension of access control. As an auditor, I pay special attention to your ‘Super Users’ because they have the power to circumvent standard controls. You must demonstrate stricter authorisation for these accounts to pass.
ISO 27001 Annex A 8.3 Information Access Restriction | A 8.3 focuses on the technical enforcement within the systems themselves. It ensures that the ‘Need to Know’ rules you established in A 5.15 are technically locked down, preventing users from stumbling upon sensitive data they shouldn’t see.
ISO 27001 Annex A 8.5 Secure Authentication | This control focuses on the technical implementation of login security, such as MFA and password complexity. It provides the technical ‘teeth’ to your access control policy by ensuring only verified users can pass through your digital perimeters.
ISO 27001 Toolkit | The toolkit is the practical implementation layer for all access controls. It contains the exact templates, matrices, and records of evidence I expect to see when I sit down to audit your compliance with Annex A 5.15.
ISO 27001 Annex A 5.9 Inventory of Assets | You cannot control access to what you do not know you have. This page relates directly to A 5.15 because your access rules must be mapped to the assets listed in your register, ensuring no data remains unprotected or unmanaged.

ISO 27001 controls and attribute values

Control type | Information security properties | Cybersecurity concepts | Security domains
Preventive | Confidentiality, Integrity, Availability | Protect | Protection

About the author

Stuart Barker, ISO 27001 Ninja
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
