ISO 27001 – Control 5.15 – Access Control

Control 5.15 Wording

Control 5.15 – Access Control states “Rules to control physical and logical access to information and other associated assets should be
established and implemented based on business and information security requirements.”

What this means

At its core, Control 5.15 is about ensuring the right people have access to the right resources at the right time. Think of it as a sophisticated bouncer for your business assets, both digital and physical. It’s not just about keeping unauthorised people out; it’s about making sure authorised people can efficiently access what they need to do their jobs.

The Golden Rules of Access Control

There are four rules for access control. These are:

  • Defence in Depth – security must not depend upon any single control but be the sum of a number of complementary controls
  • Least Privilege – the default approach must be to assume that access is not required, rather than to assume that it is
  • Need to Know – access is only granted to the information required to perform a role, and no more
  • Need to Use – users are only able to access the physical and logical facilities required for their role

Key Elements of an Effective Access Control Strategy

1. Start with a Clear Policy

Your access control policy should be comprehensive yet understandable. It needs to address:

  • Who needs access and to what
  • How physical and digital access will be managed
  • What security levels exist for different types of information
  • How access requests and changes to access will be handled

2. Implement the “Least Privilege” Principle

Follow the safer approach of “everything is forbidden unless explicitly permitted” rather than “everything is permitted unless forbidden.” This might seem strict, but it’s much safer in the long run.

3. Consider Multiple Access Control Methods

Modern access control can be implemented in several ways, and each method suits different circumstances. The main methods are:

  • Role-Based Access Control (RBAC): Access based on job roles
  • Mandatory Access Control (MAC): System-enforced access rules
  • Discretionary Access Control (DAC): Owner-determined access rules
  • Attribute-Based Access Control (ABAC): Access based on user attributes and environmental factors

4. Don’t Forget Physical Security

Access control isn’t just digital! Consider:

  • Building entry systems
  • Secure areas within your offices and workplaces
  • Integration between physical and digital security measures

5. Regular Review and Monitoring

Your access control system should be dynamic and responsive, so you will need to:

  • Regularly review access rights
  • Monitor access patterns for unusual behaviour
  • Update permissions when roles change
  • Document all access-related procedures so everyone is clear on the guidelines.
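The following is an added illustration, not part of the original article, of how the “forbidden unless explicitly permitted” rule from section 2, the RBAC and ABAC methods from section 3, and the access reviews from section 5 fit together in code. The roles, users, resources and the office-hours condition are all constructed sample data.

```python
# Constructed sample policy for illustration; roles, users and resources are invented.
ROLE_GRANTS = {
    "finance":    {("payroll-db", "read"), ("payroll-db", "write")},
    "hr":         {("hr-records", "read")},
    "contractor": {("wiki", "read")},
}

# ABAC conditions attached to sensitive grants: the grant only holds when the
# predicate over request attributes (hour of day, network, ...) is satisfied.
CONDITIONS = {
    ("payroll-db", "write"): lambda a: 8 <= a.get("hour", -1) < 18 and a.get("network") == "corp",
}

# Role assignments per user: the only place from which access is ever granted.
USERS = {"alice": {"finance"}, "bob": {"contractor"}}


def default_deny(user, resource, action, attrs=None):
    """Least privilege: allow only if one of the user's roles explicitly grants
    (resource, action) and any attached condition holds; everything else is denied."""
    attrs = attrs or {}
    for role in USERS.get(user, set()):
        if (resource, action) in ROLE_GRANTS.get(role, set()):
            cond = CONDITIONS.get((resource, action))
            if cond is None or cond(attrs):
                return True
    return False


def default_permit(user, resource, action, denylist):
    """The weaker 'permitted unless forbidden' model: anyone not on the denylist,
    including a user the system has never heard of, gets in."""
    return (user, resource, action) not in denylist


def effective_access(user):
    """For periodic access reviews: every (resource, action) the user currently holds."""
    return set().union(*(ROLE_GRANTS.get(r, set()) for r in USERS.get(user, set())))


def grants_to_revoke(user, new_roles):
    """When a role changes: grants the old roles carried that the new roles do not."""
    new = set().union(*(ROLE_GRANTS.get(r, set()) for r in new_roles))
    return effective_access(user) - new


if __name__ == "__main__":
    print(default_deny("alice", "payroll-db", "write", {"hour": 10, "network": "corp"}))  # True
    print(default_deny("alice", "payroll-db", "write", {"hour": 23, "network": "corp"}))  # False
    print(default_deny("mallory", "payroll-db", "read"))                                 # False
    print(default_permit("mallory", "payroll-db", "read", denylist=set()))               # True
    print(grants_to_revoke("alice", {"hr"}))  # payroll grants to remove on move to HR
```

The contrast between the two evaluators on the unknown user “mallory” is the whole point of section 2: under default permit, forgetting to list someone is a breach; under default deny, it is merely a support ticket.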

Making It Work in Practice

Remember that stronger access control may mean higher costs and potentially more complexity. The key is finding the right balance for your organisation:

  • Consider your specific business requirements
  • Assess your risk tolerance
  • Factor in compliance requirements
  • Think about user experience.

The Bottom Line

While implementing robust access control might seem daunting, it’s essential for protecting your business assets. Start with the basics, focus on your most critical assets first, and gradually build a comprehensive system that works for your organisation.

Remember: Good access control is like a well-oiled machine – it keeps the right people moving smoothly while keeping potential threats at bay.

If you want to talk about information security in your organisation then please book a free call here or email us here