Access control

What is ISO 27001 access control?

Access control is a fundamental security requirement within the ISO 27001 framework that regulates how users and processes interact with sensitive information. Establishing a formal policy based on business needs prevents unauthorised data disclosure and modification while maintaining compliance and operational integrity.

What is Access Control?

ISO 27001 access control is a security measure that limits who can view or use information. It’s like having a special key or password to get into a room or use a computer file. This helps keep important data safe from people who shouldn’t see it.

Examples

  • Passwords: You need a password to log into your email. This password is a form of access control.
  • Keycards: A keycard to enter an office building is another example. Only people with the right card can get in.
  • Permissions: On a computer, you might have permission to read a document but not to change it. This controls what you can do with the file.

Context

Access control is a key part of information security. It makes sure that the confidentiality, integrity and availability of information are protected. It's not just about stopping attackers; it's also about making sure people can't accidentally damage data. Organisations use it to meet regulatory requirements and keep their information safe.

How to implement Access control

Implementing access control in alignment with ISO 27001:2022 requires a structured approach to ensure that only authorised users, processes and devices can access information assets. The ten steps below establish a framework that addresses Annex A controls 5.15 (access control), 5.16 (identity management), 5.17 (authentication information) and 5.18 (access rights), together with the related technological controls 8.2 (privileged access rights), 8.3 (information access restriction) and 8.5 (secure authentication), reducing the risk of unauthorised data disclosure or modification.

1. Formalise the Access Control Policy

Define and document the business and security requirements for access control to establish a clear governance framework. This policy serves as the foundation for all subsequent technical configurations.

  • Identify business requirements for user access.
  • Define the “Principle of Least Privilege” as the default security posture.
  • Establish clear ownership of the policy within the Information Security Management System (ISMS).

2. Map Access to the Asset Register

Link your access control requirements directly to your Asset Register to ensure every information asset has a defined access owner. This step ensures that technical controls are proportionate to the criticality of the data.

  • Review the existing Asset Register for completeness.
  • Assign an owner to every identified information asset.
  • Document the classification level of each asset to determine necessary access restrictions.

3. Provision User Identities and Credentials

Implement a formalised user registration and de-registration process to manage the lifecycle of user identities. This ensures that every individual is uniquely identifiable and accountable for their actions.

  • Create a standardised onboarding workflow for new employees and contractors.
  • Issue a unique user ID to every person so that each action can be traced to one individual; shared accounts are permitted only where there is a documented business reason and approval, and their use must be logged and reviewed.
  • Verify the identity of the user before issuing any authentication credentials.

4. Configure Role-Based Access Control (RBAC)

Utilise Identity and Access Management (IAM) roles to automate the assignment of permissions based on job functions. This reduces the administrative burden and the risk of “permission creep” over time.

  • Define standard job roles and the minimum access required for each.
  • Group permissions into roles rather than assigning them to individual users.
  • Map roles to organisational departments to ensure logical access boundaries.

5. Enforce Multi-Factor Authentication (MFA)

Deploy MFA for all remote access and privileged account logins to mitigate the risk of credential theft. This provides a critical layer of security beyond simple passwords.

  • Select a technical solution such as hardware tokens, authenticator apps, or biometrics.
  • Mandate MFA for all access to cloud-based services and internal servers.
  • Audit MFA enrolment to ensure 100% coverage across the workforce.

6. Restrict Privileged Access Rights

Strictly control the allocation and use of administrative privileges through a Privileged Access Management (PAM) framework. Excessive privileges are a primary target for external threats and internal misuse.

  • Separate administrative accounts from standard user accounts.
  • Implement “Just-In-Time” (JIT) access for sensitive configuration tasks.
  • Review privileged access logs daily to detect unauthorised changes.

7. Secure Authentication Information

Establish technical controls for the management of passwords and secret keys to prevent unauthorised exposure. Centralised management ensures that security standards are enforced across all platforms.

  • Implement a corporate password vault or manager for shared service secrets.
  • Enforce the password policy (minimum length, screening against lists of known-breached passwords, lockout on repeated failure) through Group Policy Objects (GPO) or the identity provider; current guidance such as NIST SP 800-63B favours length and breach screening over composition rules.
  • Educate staff on the prohibition of sharing or writing down secret authentication information.
  • Set automated expiry or rotation for service account passwords.

8. Formalise Periodic Access Reviews

Conduct regularly scheduled audits of user access rights to ensure they remain relevant to the user’s current job role. This process identifies and removes “stale” accounts and excessive permissions.

  • Schedule quarterly reviews for standard users and monthly reviews for privileged users.
  • Require asset owners to sign off on the continued necessity of user access.
  • Document the outcome of each review as evidence for ISO 27001 auditors.

9. Revoke Access and Offboard Users

Establish a rigorous offboarding process to ensure access is terminated immediately upon the end of employment or contract. This step prevents former staff from accessing sensitive systems post-departure.

  • Link the HR termination process to IT service desk tickets.
  • Define, in the offboarding procedure or a service-level agreement (SLA) with the service desk, the maximum time allowed between HR notification and account disabling, with immediate disabling for involuntary departures.
  • Recover all physical access tokens, laptops, and mobile devices as part of the exit checklist.
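Steps 4, 8 and 9 above only work if someone actually compares what is granted against what the role model and HR status justify. The script below is an added example (not the page's or the author's code) of that comparison: it takes a snapshot of accounts and reports least-privilege drift, stale accounts and leavers whose accounts are still enabled. The role model, account names, dates and thresholds are all constructed for illustration.

```python
"""Access-review checker (added example, not from the page or its author).

Compares what each account can actually do against the role model and HR
status, and reports the findings an ISO 27001 access review exists to catch:
excess permissions (least-privilege drift), undefined roles, stale accounts,
and leavers whose accounts are still enabled. All data here is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed role model: the minimum permissions each job role needs.
ROLE_PERMISSIONS = {
    "finance_analyst": {"ledger:read", "ledger:export"},
    "finance_admin": {"ledger:read", "ledger:write", "ledger:export"},
    "helpdesk": {"directory:read", "password:reset"},
}


@dataclass
class Account:
    user_id: str                 # one unique ID per person, never shared
    roles: set
    granted: set                 # permissions actually present on the system
    last_login: Optional[date]   # None = never logged in
    hr_status: str               # "active" or "terminated"
    privileged: bool = False


@dataclass
class Finding:
    user_id: str
    kind: str
    detail: str


def expected_permissions(account):
    """Union of the permissions the account's roles justify."""
    allowed = set()
    for role in account.roles:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return allowed


def review_access(accounts, today, stale_days=90, privileged_stale_days=30):
    """Return the findings an asset owner would have to sign off or fix."""
    findings = []
    for acct in accounts:
        # Offboarding check: HR says terminated but the account still exists.
        if acct.hr_status == "terminated":
            findings.append(Finding(acct.user_id, "leaver_still_enabled",
                                    "HR status terminated; disable and revoke"))
            continue  # nothing else matters until the account is gone

        # Roles that no longer exist in the model cannot justify anything.
        unknown = acct.roles - set(ROLE_PERMISSIONS)
        if unknown:
            findings.append(Finding(acct.user_id, "unknown_role",
                                    "undefined roles: " + ", ".join(sorted(unknown))))

        # Least-privilege drift: granted on the system, justified by no role.
        excess = acct.granted - expected_permissions(acct)
        if excess:
            findings.append(Finding(acct.user_id, "excess_permission",
                                    "remove: " + ", ".join(sorted(excess))))

        # Stale accounts: privileged accounts get the shorter window.
        limit = privileged_stale_days if acct.privileged else stale_days
        if acct.last_login is None or (today - acct.last_login).days > limit:
            findings.append(Finding(acct.user_id, "stale_account",
                                    f"no login in the last {limit} days"))
    return findings


# Constructed review snapshot; TODAY is fixed so results are reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", {"finance_analyst"}, {"ledger:read", "ledger:export"},
            date(2024, 5, 28), "active"),
    # bob kept ledger:write after covering for an admin: permission creep
    Account("bob", {"finance_analyst"},
            {"ledger:read", "ledger:export", "ledger:write"},
            date(2024, 5, 30), "active"),
    # carol left but the HR ticket never reached the service desk
    Account("carol", {"helpdesk"}, {"directory:read", "password:reset"},
            date(2024, 4, 2), "terminated"),
    # dave is an admin who has not used the account for 45 days
    Account("dave", {"finance_admin"},
            {"ledger:read", "ledger:write", "ledger:export"},
            date(2024, 4, 17), "active", privileged=True),
    # erin's role was deleted from the model but her access survived
    Account("erin", {"procurement"}, {"ledger:read"}, date(2024, 5, 31), "active"),
]


def run_review():
    return review_access(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user_id:6} {f.kind:22} {f.detail}")
```

The output of `run_review()` is the evidence artefact step 8 asks for: each finding is either remediated or signed off by the asset owner, and the dated list is what an auditor will ask to see. Feeding it from a real directory export rather than the constructed snapshot only changes how `SAMPLE_ACCOUNTS` is built.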

10. Analyse Access and Audit Logs

Monitor and review logs of user activities, exceptions, and security events to identify potential breaches. Proactive monitoring allows for rapid incident response and continuous improvement of the ISMS.

  • Enable logging for all successful and failed login attempts.
  • Aggregate logs into a Centralised Log Management or SIEM system.
  • Regularly review logs for anomalies such as out-of-hours access or brute-force attempts.
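The two anomalies named in the last bullet are easy to state and easy to get wrong in practice (a handful of failures over an hour is not a brute-force attempt; a success at 02:00 following one is the event that matters). The script below is an added example, not the page's or the author's code, showing the detection logic run over constructed authentication log lines in a simple key=value format. The format, thresholds and business-hours window are assumptions; a real SIEM query would express the same rules against its own schema.

```python
"""Authentication-log triage (added example; every log line is constructed).

Reads key=value auth events and raises the anomalies the text names:
brute-force bursts (N failures from one source inside a sliding window) and
out-of-hours successful logins, plus a success that follows a burst, which is
the case that needs an incident ticket rather than a note in the review.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Assumed log format: "<ISO8601 UTC> host=... user=... src=... result=SUCCESS|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class Alert:
    kind: str
    user: str
    src: str
    when: datetime


def parse(line):
    """Return a dict for a well-formed auth event, or None to skip the line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not guessed at
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyse(lines, fail_threshold=5, window_seconds=60, business_hours=(7, 19)):
    """Run the detections over an iterable of log lines, in order."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute force
    start, end = business_hours
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if ev["result"] == "FAIL":
            q = failures[src]
            q.append(ts)
            # Drop failures that have aged out of the sliding window.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append(Alert("brute_force", user, src, ts))
            continue
        # SUCCESS from a source that was hammering us is the real incident.
        if src in flagged:
            alerts.append(Alert("success_after_brute_force", user, src, ts))
        # Out-of-hours: weekend, or outside the configured business hours.
        if ts.weekday() >= 5 or not (start <= ts.hour < end):
            alerts.append(Alert("out_of_hours_success", user, src, ts))
    return alerts


# Constructed sample: 2024-06-03 is a Monday. One burst against "admin" that
# ends in a success, a benign daytime login, two spaced-out failures for dave
# (below threshold), a malformed line, and a late-night login by carol.
SAMPLE_LOG = """\
2024-06-03T02:14:00Z host=vpn01 user=admin src=203.0.113.7 result=FAIL
2024-06-03T02:14:09Z host=vpn01 user=admin src=203.0.113.7 result=FAIL
2024-06-03T02:14:18Z host=vpn01 user=admin src=203.0.113.7 result=FAIL
2024-06-03T02:14:27Z host=vpn01 user=admin src=203.0.113.7 result=FAIL
2024-06-03T02:14:36Z host=vpn01 user=admin src=203.0.113.7 result=FAIL
2024-06-03T02:15:02Z host=vpn01 user=admin src=203.0.113.7 result=SUCCESS
2024-06-03T03:00:00Z host=vpn01 msg="session timeout"
2024-06-03T09:30:11Z host=vpn01 user=alice src=198.51.100.4 result=SUCCESS
2024-06-03T10:05:40Z host=vpn01 user=dave src=198.51.100.9 result=FAIL
2024-06-03T10:12:15Z host=vpn01 user=dave src=198.51.100.9 result=FAIL
2024-06-03T10:12:30Z host=vpn01 user=dave src=198.51.100.9 result=SUCCESS
2024-06-03T23:45:00Z host=vpn01 user=carol src=198.51.100.22 result=SUCCESS
"""


def run_triage():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_triage():
        print(f"{a.when:%Y-%m-%d %H:%M:%S} {a.kind:26} user={a.user} src={a.src}")
```

Note that dave's two failures ten minutes apart never trip the threshold because the window expires between them, while the burst against `admin` is reported once rather than on every subsequent failure; both choices keep the alert volume reviewable, which is what makes the daily review in step 6 realistic.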

Access Control FAQ

What is access control in ISO 27001?

Access control is the security process of limiting logical and physical access to information and other associated assets to authorised users, processes and devices. Under ISO 27001:2022 it is primarily governed by Annex A control 5.15, which requires that access be granted on the basis of documented business and security requirements rather than convenience.

Why is access control important for ISO 27001 compliance?

Access control is critical because it prevents unauthorised disclosure or modification of data. Stolen credentials, privilege misuse and user error are the human-element factors that the Verizon Data Breach Investigations Report has found in roughly three quarters of breaches (74% in the 2023 edition), and access control is the set of measures that limits what those factors can reach. It protects the confidentiality, integrity and availability (CIA) of the information within the scope of the Information Security Management System (ISMS) by enforcing strict boundaries around sensitive data assets.

What are the key ISO 27001 access control requirements?

The primary requirements are a formal Access Control Policy, managed user registration and de-registration, controlled allocation of authentication information and access rights, and regular access rights reviews. Annex A control 5.15 requires access rules to be established on a need-to-know and least-privilege basis; it is one of the 93 controls in the 2022 edition of Annex A and is supported by 5.16 (identity management), 5.17 (authentication information), 5.18 (access rights), 8.2 (privileged access rights), 8.3 (information access restriction) and 8.5 (secure authentication).

How do you implement an ISO 27001 Access Control Policy?

To implement a robust Access Control Policy that satisfies a certification body auditor (in the UK, a body accredited by UKAS), follow these four strategic steps:

  • Define business requirements for access based on job roles.
  • Establish “Least Privilege” and “Need-to-Know” as the default security posture.
  • Document formal rules for user access, including password management and physical entry points.
  • Conduct formal reviews of access rights at a defined interval (at least every 6 to 12 months for standard users, and more frequently for privileged accounts) to ensure continued relevance.

What is the difference between RBAC and ABAC in ISO 27001?

Role-Based Access Control (RBAC) assigns permissions to roles that reflect job functions and grants users the roles they need, whereas Attribute-Based Access Control (ABAC) evaluates policy rules over attributes of the subject, the resource and the environment, such as department, data classification, time of day or network location. RBAC is the usual choice for SMEs because a small, stable set of roles is simpler to document, review and evidence for ISO 27001 than attribute rules; ABAC suits organisations whose access decisions genuinely depend on context.
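The difference is clearest when the same request is put to both models. The code below is an added example, not from the page or its author: a single `Request` carries the user's roles and the attributes of subject, resource and environment, and two decision functions answer it. The role model, the three ABAC rules and the sample requests are constructed assumptions chosen so that the models disagree in both directions.

```python
"""RBAC versus ABAC on the same request (added example, not from the page).

RBAC asks "does one of this user's roles carry the permission?"; ABAC asks
"do the attributes of subject, resource and environment satisfy the rules?".
Roles, departments and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset            # subject attribute used by RBAC
    department: str             # subject attribute
    action: str                 # e.g. "ledger:export"
    resource_department: str    # resource attribute: which department owns the data
    when: datetime              # environment attribute
    network: str                # environment attribute: "office" or "remote"


# Constructed RBAC model: role -> permissions it carries.
ROLE_PERMISSIONS = {
    "finance_analyst": frozenset({"ledger:read", "ledger:export"}),
    "helpdesk": frozenset({"directory:read", "password:reset"}),
}


def rbac_decide(req):
    """Permit if any held role carries the requested permission."""
    return any(req.action in ROLE_PERMISSIONS.get(r, ()) for r in req.roles)


def abac_decide(req, business_hours=(7, 19)):
    """Permit only if every attribute rule holds; anything unmatched is denied."""
    # Rule 1: a user may only touch data owned by their own department.
    if req.department != req.resource_department:
        return False
    # Rule 2: reading own-department data is allowed at any time, from anywhere.
    if req.action.endswith(":read"):
        return True
    # Rule 3: bulk actions (export) only in business hours from the office network.
    if req.action.endswith(":export"):
        start, end = business_hours
        in_hours = req.when.weekday() < 5 and start <= req.when.hour < end
        return in_hours and req.network == "office"
    return False


def decide_both(req):
    """(rbac_verdict, abac_verdict) for one request."""
    return rbac_decide(req), abac_decide(req)


# Constructed requests; 2024-06-03 is a Monday.
ANALYST = frozenset({"finance_analyst"})
SAMPLE_REQUESTS = {
    # Daytime export from the office: both models permit.
    "daytime_export": Request("alice", ANALYST, "finance", "ledger:export",
                              "finance", datetime(2024, 6, 3, 11, 0), "office"),
    # Same user, same permission, 03:00 from a remote network: only RBAC permits.
    "night_remote_export": Request("alice", ANALYST, "finance", "ledger:export",
                                   "finance", datetime(2024, 6, 3, 3, 0), "remote"),
    # Finance role reading HR's ledger: RBAC permits, ABAC denies on department.
    "cross_department_read": Request("alice", ANALYST, "finance", "ledger:read",
                                     "hr", datetime(2024, 6, 3, 11, 0), "office"),
    # New finance hire with no role yet: RBAC denies, ABAC permits the read.
    "roleless_read": Request("frank", frozenset(), "finance", "ledger:read",
                             "finance", datetime(2024, 6, 3, 11, 0), "office"),
    # Helpdesk exporting the ledger: both deny.
    "helpdesk_export": Request("hank", frozenset({"helpdesk"}), "it", "ledger:export",
                               "finance", datetime(2024, 6, 3, 11, 0), "office"),
}


def run_comparison():
    return {name: decide_both(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (rbac, abac) in run_comparison().items():
        print(f"{name:22} RBAC={'permit' if rbac else 'deny':6} ABAC={'permit' if abac else 'deny'}")
```

The `night_remote_export` case is the argument for ABAC: nothing in a role table can express "not at 03:00 from an unknown network". The `roleless_read` case is the argument against it: the new hire is permitted by department alone, which is exactly the kind of implicit grant an auditor will ask you to justify, and why most SMEs keep RBAC as the baseline and add attribute conditions only where context genuinely matters.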

Relevant ISO 27001 Controls

The following controls from the ISO/IEC 27001:2022 standard are related to access control:


About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader


ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
