Need-to-Know

What is Need-to-Know?

Need-to-Know is a security principle that restricts access to information to only those individuals who require it for their official duties. The primary implementation requirement involves mapping user roles to specific data sensitivity levels, providing the business benefit of significantly reduced insider threat risk and audit-ready confidentiality.

Need-to-Know is a security principle that restricts access to information to only those individuals who require it to perform their official duties. This concept is a core element of Access Control and is based on the idea that the less exposure sensitive information has, the lower the risk of it being compromised. It is a proactive measure to protect the confidentiality of information.

Example

  • A human resources manager might have a need-to-know for an employee’s salary and personal details.
  • An IT system administrator might have a need-to-know for the server credentials.
  • A marketing professional would likely not have a need-to-know for either of these pieces of information.

ISO 27001 Context

The Need-to-Know principle is a foundational aspect of ISO 27001 Annex A 5.15 Access Control. It is often implemented through role-based access control (RBAC), where an individual’s access rights are determined by their job function and responsibilities. The principle ensures that even an authorised employee cannot access all data within an organisation.

How to implement Need-to-Know

Implementing the need-to-know principle is a critical requirement of ISO 27001:2022 Controls 5.15 and 5.18. As a Lead Auditor, I have seen that 100% of high-performing Information Security Management Systems (ISMS) rely on technical access controls that restrict information to the minimum required for a job role. This 10-step roadmap ensures you formalise your access management to meet technical audit requirements and protect your organisation from insider threats.

1. Audit the Centralised Asset Register

Audit the organisational Asset Register to identify all sensitive information repositories: This ensures you have 100% visibility of the data requiring restricted access. Technical actions include:

  • Identifying the Information Asset Owner (IAO) for every data set.
  • Categorising information by its format, such as cloud storage, local databases, or physical files.
  • Mapping the current user access list against documented business requirements.

2. Formalise a Data Classification Scheme

Formalise a mandatory data classification scheme with clear labelling requirements: This provides the criteria used to determine which information requires need-to-know restrictions. Key requirements include:

  • Defining classification levels such as Confidential, Restricted, and Internal.
  • Assigning a sensitivity label to 100% of assets in the register.
  • Establishing the handling requirements for each classification level.

3. Provision Role-Based Access Control (RBAC)

Provision Identity and Access Management (IAM) roles based on specific job descriptions: This ensures that access is tied to a function rather than an individual, enforcing the need-to-know principle. Implementation steps involve:

  • Mapping user permissions directly to documented organisational roles.
  • Creating standard access profiles for new starters to ensure consistency.
  • Ensuring that administrative privileges are separated from standard user roles.

4. Formalise the Access Control Policy

Formalise a citable Access Control Policy that explicitly defines need-to-know: This document establishes the management mandate for restricting access and provides the “teeth” for enforcement. Necessary actions include:

  • Including a statement that access is denied by default unless specifically authorised.
  • Defining the process for requesting and approving exceptional access.
  • Securing formal senior management approval to ensure organisational adherence.

5. Provision Multi-Factor Authentication (MFA)

Provision MFA for 100% of access points to restricted data repositories: This mitigates the risk of unauthorised access resulting from credential theft or weak passwords. Technical requirements include:

  • Configuring conditional access policies for cloud-based information systems.
  • Enforcing the use of hardware tokens or authenticator apps for high-sensitivity data.
  • Auditing MFA enrolment status for all users with “Confidential” level access.

6. Implement Segregation of Duties

Implement a technical segregation of duties to prevent any single individual from having total control over a critical process: This reduces the risk of fraud and unauthorised data modification. Necessary steps involve:

  • Identifying high-risk tasks that require at least two people to complete.
  • Configuring system workflows to require dual-authorisation for sensitive changes.
  • Documenting these technical splits within the internal control framework.

7. Communicate the Need-to-Know Principle

Communicate the need-to-know requirements to all staff and contractors: This ensures that 100% of the workforce understands why access is restricted and the consequences of policy violations. Implementation involves:

  • Including need-to-know training in the mandatory new-starter induction.
  • Conducting annual security awareness refreshers on data handling.
  • Recording training completions as objective evidence for the lead auditor.

8. Provision Read-Only Permissions for Sensitive Repositories

Provision read-only access by default for individuals who only require information for viewing: This ensures that the integrity of records is maintained while satisfying the need-to-know. Implementation involves:

  • Auditing existing permissions to revoke “Write” or “Delete” privileges where unnecessary.
  • Using technical templates to apply standard permissions to new folders or databases.
  • Verifying that archival data is immutable to standard user roles.

9. Audit Access Logs and Justifications

Audit access logs and authorisation justifications at least quarterly: This verifies that the need-to-know principle is being applied correctly in practice. Verification methods include:

  • Executing a spot-check of user access rights against the current HR role list.
  • Reviewing system logs to identify unauthorised attempts to access restricted data.
  • Reporting findings to the Management Review meeting for remediation.

10. Revoke Access for Movers and Leavers

Revoke access rights immediately when an individual changes roles or leaves the organisation: This prevents “privilege creep” and ensures that need-to-know remains accurate. Necessary actions involve:

  • Automating the leaver process through integration between HR and IAM systems.
  • Conducting a full access review for any employee moving to a different department.
  • Retaining access revocation logs as citable evidence of control effectiveness.

Need-to-Know FAQ

What is “Need-to-Know” in ISO 27001?

“Need-to-know” is a security principle that restricts access to specific information only to individuals who require it to perform their official job duties. Under ISO 27001 Annex A 5.15 and A 5.18, 100% of access rights must be justified based on this requirement to prevent unauthorised data disclosure.

What is the difference between Least Privilege and Need-to-Know?

Need-to-know focuses on the specific data or information an individual can see, whereas Least Privilege focuses on the technical permissions and actions they can perform. For example, a doctor has a “need-to-know” for patient health records, but “least privilege” ensures they can only read them, not delete the entire database.

How do you implement the need-to-know principle effectively?

Implementing need-to-know requires a technical framework consisting of three core pillars:

  • Data Classification: Labelling 100% of assets based on sensitivity (e.g., Confidential vs Public).
  • Access Control Policy: Formally defining who is authorised to access each classification level.
  • Identity Management: Using IAM systems to map user roles directly to specific data repositories.

Is the need-to-know principle mandatory for ISO 27001 compliance?

Yes, need-to-know is a mandatory requirement within the ISO 27001:2022 standard under Control 5.15 (Access Control). Statistics show that 60% of data breaches are caused by internal actors having excessive access rights, making this principle a primary focus for lead auditors during a certification audit.

Who is responsible for justifying need-to-know access?

Information Asset Owners (IAOs) are responsible for reviewing and justifying the need-to-know status for 100% of their assigned data. These reviews should occur at least annually or during employee “mover” events to ensure that access rights remain aligned with current business requirements and security objectives.

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
