Access Control - ISO 27001 Annex A Control

ISO 27001 Annex A 5.15

Access control is key to the safe storage and management of information, and to compliance with data protection laws.

ISO 27001 Annex A 5.15 - Access Control

Access control is the framework that decides who gets to see what. The control sits at the top of a chain that includes identity management, authentication, access rights and privileged access. Annex A 5.15 is about the rules that drive all of those - the principles and policy that the more specific controls implement.

The rules need to be based on business requirements and security requirements, not on convenience. Most organisations work to a least-privilege principle, where staff get the access they need for their role and no more. Role-based access control simplifies this by mapping access to defined roles rather than individual user grants.

Both physical and logical access fall in scope. Physical means doors, server rooms, secure areas. Logical means systems, applications, file shares, cloud services. The same principle applies to both - access is granted in line with the defined rules, reviewed regularly, and removed when no longer needed.

Access control is one of the most-audited areas because it is one of the most common places things go wrong: old user accounts that should have been removed, privileged access granted years ago and never reviewed, shared accounts that nobody owns. Keep on top of these and access control is sorted. Let them drift and the audit findings pile up.

Practical Compliance Guidance

Access control arrangements are described in the IMS1 Manual in section 8.2 on information security arrangements and section 8.5 on the topic-specific Access Control Policy. The ER10 IT Equipment Logins Register holds the list of active accounts.

alphaZ document - How to use it

ISO 27001 Toolkit: The full alphaZ ISO 27001 toolkit, including the IMS1 Manual, policies, procedures, registers and audit checklists.
P24 Access Control Policy: The headline access control policy. Sets out the rules for granting, reviewing and removing access, the principles applied and the responsibilities of users and administrators.
ER10 IT Equipment and Logins Register: Designed to help organisations track, manage and secure IT equipment, user logins, keys and access cards in line with ISO 27001 requirements.
PP-8-04 Access Control Policy Procedure: Policy-procedure detailing the arrangements in place to manage and control access to information throughout the organisation and prevent unauthorised access.
A-C_P46 Information Security Access Control: Audit checklist covering information security access control.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

A.5.15 is about the policy and rules - the framework that decides who gets access to what. A.5.18 is about the operational management of access rights - granting, modifying and revoking individual permissions in line with that framework. The two work together but address different layers.

At least annually for routine access, more frequently for privileged or high-risk access. Reviews should also be triggered by role changes, leavers, organisational changes and incidents. The review confirms each user still needs the access they have.

It can do. Many organisations have a single access control policy that addresses both, with separate sections or appendices for physical access controls. Others split them into separate policies. Either approach works as long as both are covered.
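The drift described above (leavers still holding accounts, shared accounts with no owner, grants beyond what a role needs, reviews overdue on the routine or privileged cadence) can be checked mechanically against an accounts register. The script below is an added example, not part of the alphaZ toolkit or the ER10 register; the role model, the account records and the 90-day privileged review interval are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed role model: each role lists the permissions it needs and no more.
ROLE_PERMISSIONS = {
    "finance": {"erp:read", "erp:post"},
    "helpdesk": {"ad:reset-password", "ticketing:write"},
    "sysadmin": {"ad:admin", "erp:admin"},
}

# Annual cadence for routine access as the FAQ states; the 90-day privileged
# interval is an assumed "more frequent" value, not a figure from the page.
ROUTINE_DAYS = 365
PRIVILEGED_DAYS = 90
REVIEW_DATE = date(2024, 6, 1)  # constructed date of this review run

# Constructed register entries standing in for an accounts register (not ER10 data).
ACCOUNTS = [
    {"user": "a.smith", "role": "finance", "grants": {"erp:read", "erp:post"},
     "privileged": False, "owner": "a.smith", "employed": True, "last_review": date(2024, 3, 1)},
    {"user": "b.jones", "role": "helpdesk", "grants": {"ad:reset-password", "ticketing:write", "erp:admin"},
     "privileged": False, "owner": "b.jones", "employed": True, "last_review": date(2024, 3, 1)},
    {"user": "svc-backup", "role": "sysadmin", "grants": {"ad:admin"},
     "privileged": True, "owner": None, "employed": True, "last_review": date(2023, 11, 1)},
    {"user": "c.lee", "role": "finance", "grants": {"erp:read"},
     "privileged": False, "owner": "c.lee", "employed": False, "last_review": date(2024, 3, 1)},
]

def review_findings(accounts, today):
    """Return (user, finding) pairs for each account that has drifted from the rules."""
    findings = []
    for acc in accounts:
        user = acc["user"]
        if not acc["employed"]:
            findings.append((user, "leaver still holds an active account"))
        if acc["owner"] is None:
            findings.append((user, "account has no named owner"))
        # Least privilege via RBAC: anything granted beyond the role's set is a finding.
        excess = acc["grants"] - ROLE_PERMISSIONS[acc["role"]]
        if excess:
            findings.append((user, "grants beyond role: " + ", ".join(sorted(excess))))
        # Privileged access is reviewed on the shorter cycle.
        interval = PRIVILEGED_DAYS if acc["privileged"] else ROUTINE_DAYS
        if today - acc["last_review"] > timedelta(days=interval):
            findings.append((user, f"review overdue ({interval}-day interval)"))
    return findings

if __name__ == "__main__":
    for user, finding in review_findings(ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {finding}")
```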
