Least Privilege is a fundamental principle of information security that dictates that a user, process, or device should only be given the minimum level of access or permissions necessary to perform its function. The goal is to limit the potential damage that could result from a security breach, error, or misuse by ensuring that even if an account is compromised, the attacker’s ability to move laterally and access critical systems is severely restricted.
Examples
- A user who only needs to view a financial report is given read-only access to that file. They are not granted permission to edit or delete it.
- An IT administrator who manages a server is given administrator rights only on that specific server, not on the entire network.
- An application that only needs to read customer data is not granted permission to write or delete records from the database.
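The three examples above all reduce to the same mechanism: access is denied unless an explicit grant scopes a principal to a specific action on a specific resource. The following Python is an added illustration, not code from the original page; the principals, resource names and grants are constructed, and `blast_radius` shows what an auditor would check when asking how much a single compromised account could reach.

```python
"""Deny-by-default authorizer illustrating the principle of least privilege.

Added example, not part of the original glossary entry. All principals,
resources and grants below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Grant:
    """One explicit permission: the actions a principal may take on resources
    matching a glob pattern (e.g. "server:db-01" or "db:customers/*")."""
    principal: str
    actions: frozenset[str]
    resource: str


@dataclass
class Authorizer:
    grants: list[Grant] = field(default_factory=list)

    def is_allowed(self, principal: str, action: str, resource: str) -> bool:
        # Deny by default: a request succeeds only if some grant names this
        # principal, includes this action and matches this resource. Unknown
        # principals, unlisted actions and out-of-scope resources all fail.
        return any(
            g.principal == principal
            and action in g.actions
            and fnmatchcase(resource, g.resource)
            for g in self.grants
        )

    def blast_radius(self, principal: str) -> list[tuple[str, str]]:
        # Everything a compromised account could do, derived from the policy
        # itself: the smaller this list, the less an attacker gains from it.
        return sorted(
            (action, g.resource)
            for g in self.grants
            if g.principal == principal
            for action in g.actions
        )


def build_example_policy() -> Authorizer:
    """Encodes the three scenarios from the text as minimal grants (constructed)."""
    return Authorizer(
        grants=[
            # A reviewer who only needs to view one financial report.
            Grant("alice", frozenset({"read"}), "file:reports/q3-financials.pdf"),
            # An administrator of one server, not of the whole estate.
            Grant("bob", frozenset({"admin"}), "server:db-01"),
            # An application that only ever reads customer records.
            Grant("billing-app", frozenset({"read"}), "db:customers/*"),
        ]
    )


def audit(auth: Authorizer, requests: list[tuple[str, str, str]]) -> list[bool]:
    """Evaluates a batch of (principal, action, resource) requests."""
    return [auth.is_allowed(*req) for req in requests]


if __name__ == "__main__":
    policy = build_example_policy()
    checks = [
        ("alice", "read", "file:reports/q3-financials.pdf"),
        ("alice", "delete", "file:reports/q3-financials.pdf"),
        ("bob", "admin", "server:db-01"),
        ("bob", "admin", "server:web-01"),
        ("billing-app", "read", "db:customers/123"),
        ("billing-app", "write", "db:customers/123"),
    ]
    for req, decision in zip(checks, audit(policy, checks)):
        print(f"{'ALLOW' if decision else 'DENY ':5} {req}")
    print("blast radius of bob:", policy.blast_radius("bob"))
```

Because the evaluator denies anything not explicitly granted, adding a fourth scenario means adding a grant rather than removing a restriction, which keeps the policy auditable: `blast_radius` reads straight off the grant list with no separate inventory to keep in sync.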
ISO 27001 Context
The principle of Least Privilege is a core concept that underpins several controls in ISO 27001, particularly those related to access control (ISO 27001 Annex A 5.15 Access Control) and user access management (ISO 27001 Annex A 5.18 Access Rights). By consistently applying this principle, an organisation significantly reduces its risk exposure.