UnixTime

Research Note

ISO 27001 A.5.15 - Access Control

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.”

Plain-language meaning

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

Access should be based on business need, information security requirements, classification, legal requirements, and asset owner approval. Anything not needed should be denied. That is least privilege.

Why this matters

Access control is one of the core protections for confidentiality, integrity, and availability. Weak access control gives people more access than their job requires, lets old access persist after role changes, and makes sensitive information available to people who do not need it.

Access control applies to:

  • business applications;
  • file shares and collaboration spaces;
  • databases and repositories;
  • networks and cloud platforms;
  • privileged administration;
  • physical areas containing information;
  • business systems such as calendars, HR systems, finance systems, and ticketing tools.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Define an access control policy

The policy should define:

  • access control principles;
  • least privilege;
  • need-to-know and need-to-use;
  • asset owner approval;
  • role-based access profiles;
  • treatment of privileged access;
  • physical access rules;
  • access review frequency;
  • access removal and change triggers;
  • exceptions and emergency access;
  • monitoring and logging expectations.

2. Base access on business need

Access should be justified by role, task, asset sensitivity, and business requirement.

Weak justification:

  • “Senior manager.”
  • “Might need it someday.”
  • “Everyone in the department has it.”

Better justification:

  • “Payroll specialist needs payroll system write access to process monthly payroll.”
  • “Incident responder needs temporary read access to logs during incident IR-2026-04.”
  • “Facilities team needs badge access to server room only for escorted maintenance windows.”

3. Use role-based access where practical

Standard role profiles reduce inconsistent individual decisions.

Example:

Role Standard access
HR employee HR case system, employee records needed for assigned region
Finance approver Finance system approval workflow, no administrator access
Developer Source repository for assigned product, development environment, no production write access
System administrator Admin access for assigned platforms, logged and reviewed

Role profiles still need review. Bad role profiles just automate excessive access.

Sensitive information needs stronger access rules.

Asset owners should approve access to assets they own or approve standard access models for roles.

Access should align with:

5. Review and remove access

Access rights decay over time.

Review triggers:

  • periodic access reviews;
  • role change;
  • termination;
  • project closure;
  • supplier contract end;
  • classification change;
  • incident or misuse;
  • system migration;
  • privilege elevation.

Managers and asset owners should review whether access remains necessary, not merely whether the user still exists.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that access control rules are defined, implemented, traceable, reviewed, and consistent with business and security requirements.

Audit tests:

  • review the access control policy;
  • sample access rights for sensitive systems;
  • trace access to approval and business need;
  • check asset owner involvement;
  • check access against classification;
  • review leavers and movers;
  • review privileged access;
  • review role-based access profiles;
  • check physical access to sensitive locations;
  • verify that access reviews lead to removals or corrections.

Auditors should challenge unjustified access, especially for senior roles. Seniority is not a control objective.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Access control policy Rules are documented
Role-based access matrix Standard access profiles are defined
Access request and approval records Access is authorized
Asset owner approvals Owners control access to assets
Access review records Access is periodically checked
Leaver/mover records Access changes follow employment changes
Privileged access register Administrative access is controlled
Physical access records Premises access is controlled
System access exports Actual access can be tested
Exception records Deviations are risk-managed

Strong evidence

  • Access policy defines least privilege, need-to-know, approval, review, and removal rules.
  • Access is traceable to business need and owner approval.
  • Role-based profiles are used and reviewed.
  • Sensitive assets have tighter access rules.
  • Access reviews are completed and result in removals where needed.
  • Leavers and movers are promptly updated.
  • Privileged and senior-user access is justified and monitored.
  • Physical and logical access are both addressed.

Weak evidence

  • Access granted because someone asked.
  • Senior users have broad access without justification.
  • Access review confirms users still exist but not whether access is needed.
  • Asset owners do not approve access.
  • Role profiles grant excessive access.
  • Sensitive repositories are open to broad groups.
  • Physical access is not reviewed.
  • Access rights remain after job changes.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Access based on convenience Excessive access becomes normal
No asset owner approval Business accountability is missing
No review of movers People accumulate access
Role-based access not reviewed Bad defaults spread quickly
Privileged access treated like normal access High-impact misuse risk increases
Physical access ignored Paper and infrastructure exposure remains
Classification not considered Sensitive information is under-protected

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Access control covers physical and logical access.
  • Least privilege means deny access that is not needed for assigned activities.
  • Need-to-know and need-to-use both matter.
  • Seniority does not justify broad access.
  • Role-based access helps manage access, but roles must be designed and reviewed.
  • Access rights should be approved and reviewed by asset owners or authorized owners of access profiles.
  • Access reviews must test business need, not just account existence.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.15 requires physical and logical access control rules based on business and security requirements. Access should follow least privilege, need-to-know, need-to-use, classification, asset ownership, role-based profiles where practical, regular review, and prompt update after role or employment changes.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Access control
  • Least privilege
  • Role based access
  • Audit

Note Metadata

Aliases: A.5.15, Access Control

Source: 02 Annex A Organizational Controls/A.5.15 Access Control.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.