In this ultimate how-to audit guide to ISO 27001 Annex A 5.15 Access Control, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Drawing on over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Access Control Policy Approval and Communication Verified
- 2. Business-Driven Access Requirement Definition Confirmed
- 3. User Registration and De-registration Records Present
- 4. Privileged Access Management (PAM) Restrictions Validated
- 5. Periodic Access Rights Review Execution Evidenced
- 6. Strong Authentication and MFA Enforcement Verified
- 7. Source Code Access Restrictions Validated
- 8. Segregation of Access Control Roles Confirmed
- 9. Generic and Service Account Lockdown Verified
- 10. Physical Access Rights Alignment Verified
Auditing ISO 27001 Annex A 5.15 Access Control involves the rigorous verification of logical and physical access governance. This process validates the primary implementation requirement: provisioning, reviewing, and revoking access rights based on business needs and the principle of least privilege. The business benefit is the protection of information assets from unauthorized access, preserving data confidentiality and system integrity.
1. Access Control Policy Approval and Communication Verified
Verification Criteria: A documented access control policy exists, is approved by management, and has been communicated to all relevant stakeholders and system users.
Required Evidence: Approved Access Control Policy with version history and evidence of distribution (e.g. staff handbook acknowledgement or intranet logs).
Pass/Fail Test: If the policy lacks a formal management sign-off or does not define rules for both logical and physical access, mark as Non-Compliant.
2. Business-Driven Access Requirement Definition Confirmed
Verification Criteria: Access rights for each information asset are defined based on business needs, job functions, and the classification of information.
Required Evidence: A Role-Based Access Control (RBAC) matrix or access rights register mapping specific job roles to required system permissions.
Pass/Fail Test: If users are granted access based on personal request rather than a predefined role mapping or business justification, mark as Non-Compliant.
3. User Registration and De-registration Records Present
Verification Criteria: A formal process is in place for the unique identification and registration of users, including the immediate removal of access upon termination of employment.
Required Evidence: Completed Joiner/Leaver/Mover (JLM) forms or tickets from the ITSM tool (e.g. Jira/ServiceNow) showing timestamps for access creation and revocation.
Pass/Fail Test: If a sample of recently terminated employees still possesses active accounts in any corporate system, mark as Non-Compliant.
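The checks in steps 2 and 3 are usually performed by reconciling three artefacts: the RBAC matrix, the HR roster (with leaver dates) and an account export from the system under audit. The script below is an added illustration of that reconciliation, not tooling from the article or its toolkit; the RBAC matrix, roster, account export and the user names in them are constructed sample data, and the field names are assumptions about a generic identity export. It flags enabled accounts belonging to leavers, accounts with no HR record, and entitlements that fall outside the role mapping, then applies the pass/fail test from the two steps above.

```python
"""Access-rights reconciliation for an Annex A 5.15 audit sample.

Constructed sample data throughout; a real audit would load the RBAC
matrix, HR roster and account export from the auditee's systems.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical RBAC matrix: role -> entitlements the role is approved for (step 2)
RBAC_MATRIX = {
    "finance-analyst": {"erp:read", "erp:post-journal"},
    "helpdesk": {"ad:reset-password", "itsm:agent"},
    "developer": {"git:read", "git:write", "ci:run"},
}

# Constructed HR roster: user id -> (role, termination date or None)
HR_ROSTER = {
    "alice": ("finance-analyst", None),
    "bob": ("helpdesk", date(2024, 3, 1)),      # leaver
    "carol": ("developer", None),
    "dave": ("developer", date(2024, 4, 15)),   # leaver
}

# Constructed account export from the system under audit (e.g. IdP or directory)
ACCOUNT_EXPORT = [
    {"user": "alice", "enabled": True, "entitlements": {"erp:read", "erp:post-journal"}},
    {"user": "bob", "enabled": True, "entitlements": {"ad:reset-password"}},          # leaver still active
    {"user": "carol", "enabled": True,
     "entitlements": {"git:read", "git:write", "ci:run", "erp:post-journal"}},      # outside role mapping
    {"user": "dave", "enabled": False, "entitlements": set()},                       # correctly disabled
    {"user": "svc-backup", "enabled": True, "entitlements": {"erp:read"}},           # no HR record
]


@dataclass(frozen=True)
class Finding:
    user: str
    check: str
    detail: str


def find_active_leavers(accounts, roster, as_of):
    """Step 3: enabled accounts for terminated staff, plus accounts with no HR owner."""
    findings = []
    for acct in accounts:
        entry = roster.get(acct["user"])
        if entry is None:
            findings.append(Finding(acct["user"], "orphan", "account has no HR record"))
            continue
        _, left = entry
        if left is not None and left <= as_of and acct["enabled"]:
            days = (as_of - left).days
            findings.append(Finding(acct["user"], "active-leaver",
                                    f"still enabled {days} days after termination"))
    return findings


def find_role_deviations(accounts, roster, matrix):
    """Step 2: entitlements an enabled account holds beyond its role mapping."""
    findings = []
    for acct in accounts:
        entry = roster.get(acct["user"])
        if entry is None or not acct["enabled"]:
            continue  # orphans are reported by find_active_leavers
        role, _ = entry
        excess = acct["entitlements"] - matrix.get(role, set())
        if excess:
            findings.append(Finding(acct["user"], "outside-role",
                                    f"entitlements not in '{role}' mapping: {sorted(excess)}"))
    return findings


def verdict(findings):
    """Pass/fail test: any active leaver, orphan or unjustified entitlement is Non-Compliant."""
    return "Non-Compliant" if findings else "Compliant"


def run_audit(as_of=date(2024, 5, 1)):
    """Run both checks against the sample data as of the audit date."""
    findings = (find_active_leavers(ACCOUNT_EXPORT, HR_ROSTER, as_of)
                + find_role_deviations(ACCOUNT_EXPORT, HR_ROSTER, RBAC_MATRIX))
    return findings, verdict(findings)


if __name__ == "__main__":
    results, outcome = run_audit()
    for f in results:
        print(f"{f.check:14} {f.user:12} {f.detail}")
    print("Verdict:", outcome)
```

Running it as of 1 May 2024 yields three findings (bob still enabled 61 days after leaving, svc-backup with no HR record, carol holding an ERP entitlement outside the developer role) and a Non-Compliant verdict; dave, disabled on leaving, generates nothing. The auditor would attach the export, roster extract and this reconciliation output as the evidence for steps 2 and 3.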