Access control

ISO 27001 access control is a security measure that limits who can view or use information. It’s like having a special key or password to get into a room or use a computer file. This helps keep important data safe from people who shouldn’t see it.

Examples

• Passwords: You need a password to log into your email. This password is a form of access control.
• Keycards: A keycard to enter an office building is another example. Only people with the right card can get in.
• Permissions: On a computer, you might have permission to read a document but not to change it. This controls what you can do with the file.

Context

Access control is a key part of information security. It makes sure that confidentiality, integrity, and availability of information are protected. It’s not just about stopping bad guys; it’s also about making sure people can’t accidentally mess up data. Organizations use this to meet rules and keep their info safe.

Relevant ISO 27001 Controls

The following controls from the ISO/IEC 27001:2022 standard are related to access control:

• ISO 27001:2022 Annex A 5.15: Access control: This is the main control for managing access rights.
• ISO 27001:2022 Annex A 5.16:Identity Management: This covers the process of giving, changing, and removing user access.
• ISO 27001:2022 Annex A 5.17: Authentication Information: This control deals with how users prove who they are (e.g., with passwords or keycards)
• ISO 27001:2022 Annex A 5.18: Access rights: This control focuses on setting up and reviewing user access to systems.
• ISO 27001:2022 Annex A 8.2: Privileged Access Rights This is about controlling access for powerful accounts, like system administrators.