Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.”
Plain-language meaning
The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.
Access should be based on business need, information security requirements, classification, legal requirements, and asset owner approval. Anything not needed should be denied. That is least privilege.
Why this matters
Access control is one of the core protections for confidentiality, integrity, and availability. Weak access control gives people more access than their job requires, lets old access persist after role changes, and makes sensitive information available to people who do not need it.
Access control applies to:
- business applications;
- file shares and collaboration spaces;
- databases and repositories;
- networks and cloud platforms;
- privileged administration;
- physical areas containing information;
- business systems such as calendars, HR systems, finance systems, and ticketing tools.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Define an access control policy
The policy should define:
- access control principles;
- least privilege;
- need-to-know and need-to-use;
- asset owner approval;
- role-based access profiles;
- treatment of privileged access;
- physical access rules;
- access review frequency;
- access removal and change triggers;
- exceptions and emergency access;
- monitoring and logging expectations.
2. Base access on business need
Access should be justified by role, task, asset sensitivity, and business requirement.
Weak justification:
- “Senior manager.”
- “Might need it someday.”
- “Everyone in the department has it.”
Better justification:
- “Payroll specialist needs payroll system write access to process monthly payroll.”
- “Incident responder needs temporary read access to logs during incident IR-2026-04.”
- “Facilities team needs badge access to server room only for escorted maintenance windows.”
3. Use role-based access where practical
Standard role profiles reduce inconsistent individual decisions.
Example:
| Role | Standard access |
|---|---|
| HR employee | HR case system, employee records needed for assigned region |
| Finance approver | Finance system approval workflow, no administrator access |
| Developer | Source repository for assigned product, development environment, no production write access |
| System administrator | Admin access for assigned platforms, logged and reviewed |
Role profiles still need review. Bad role profiles just automate excessive access.
4. Link access to classification and asset ownership
Sensitive information needs stronger access rules.
Asset owners should approve access to assets they own or approve standard access models for roles.
Access should align with:
- A.5.9 Inventory of Information and Other Associated Assets;
- A.5.12 Classification of Information;
- A.5.13 Labelling of Information;
- legal and regulatory requirements;
- contractual requirements.
5. Review and remove access
Access rights decay over time.
Review triggers:
- periodic access reviews;
- role change;
- termination;
- project closure;
- supplier contract end;
- classification change;
- incident or misuse;
- system migration;
- privilege elevation.
Managers and asset owners should review whether access remains necessary, not merely whether the user still exists.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that access control rules are defined, implemented, traceable, reviewed, and consistent with business and security requirements.
Audit tests:
- review the access control policy;
- sample access rights for sensitive systems;
- trace access to approval and business need;
- check asset owner involvement;
- check access against classification;
- review leavers and movers;
- review privileged access;
- review role-based access profiles;
- check physical access to sensitive locations;
- verify that access reviews lead to removals or corrections.
Auditors should challenge unjustified access, especially for senior roles. Seniority is not a control objective.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Access control policy | Rules are documented |
| Role-based access matrix | Standard access profiles are defined |
| Access request and approval records | Access is authorized |
| Asset owner approvals | Owners control access to assets |
| Access review records | Access is periodically checked |
| Leaver/mover records | Access changes follow employment changes |
| Privileged access register | Administrative access is controlled |
| Physical access records | Premises access is controlled |
| System access exports | Actual access can be tested |
| Exception records | Deviations are risk-managed |
Strong evidence
- Access policy defines least privilege, need-to-know, approval, review, and removal rules.
- Access is traceable to business need and owner approval.
- Role-based profiles are used and reviewed.
- Sensitive assets have tighter access rules.
- Access reviews are completed and result in removals where needed.
- Leavers and movers are promptly updated.
- Privileged and senior-user access is justified and monitored.
- Physical and logical access are both addressed.
Weak evidence
- Access granted because someone asked.
- Senior users have broad access without justification.
- Access review confirms users still exist but not whether access is needed.
- Asset owners do not approve access.
- Role profiles grant excessive access.
- Sensitive repositories are open to broad groups.
- Physical access is not reviewed.
- Access rights remain after job changes.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Access based on convenience | Excessive access becomes normal |
| No asset owner approval | Business accountability is missing |
| No review of movers | People accumulate access |
| Role-based access not reviewed | Bad defaults spread quickly |
| Privileged access treated like normal access | High-impact misuse risk increases |
| Physical access ignored | Paper and infrastructure exposure remains |
| Classification not considered | Sensitive information is under-protected |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Access control covers physical and logical access.
- Least privilege means deny access that is not needed for assigned activities.
- Need-to-know and need-to-use both matter.
- Seniority does not justify broad access.
- Role-based access helps manage access, but roles must be designed and reviewed.
- Access rights should be approved and reviewed by asset owners or authorized owners of access profiles.
- Access reviews must test business need, not just account existence.
Related controls and concepts
- A.5.16 Identity Management
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.11 Return of Assets
- A.5.2 Information Security Roles and Responsibilities
- Risk Assessment
- Internal Audit
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.15 requires physical and logical access control rules based on business and security requirements. Access should follow least privilege, need-to-know, need-to-use, classification, asset ownership, role-based profiles where practical, regular review, and prompt update after role or employment changes.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Access control
- Least privilege
- Role based access
- Audit
Note Metadata
Aliases: A.5.15, Access Control
Source: 02 Annex A Organizational Controls/A.5.15 Access Control.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Access Control
- Internal Audit
- Risk Assessment
- Segregation of Duties
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.37 - Documented Operating Procedures
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- A.5.15 Audit Evidence Pack
- A.5.16 Audit Evidence Pack
- A.6.7 Audit Evidence Pack
- AQ-ISO27001-A.5.15 Access Control
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.22 - Segregation of Networks
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls MOC
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.15 Access Control
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-009 - Access, Identity, Authentication, and Rights
- ISO 27002 Annex A Control Interpretation Map
- A.5.15 Audit Checklist
- Access Control Matrix
- Access Review Checklist
- Authentication Information Handling Standard
- Building Management System Security Review
- Template - Control Owner Register
- Identity Lifecycle Register
- Information Access Rule Matrix
- Maintenance Access and Tamper Check Record
- Remote Access and Endpoint Connection Checklist
- Remote Working Authorization Register
- Remote Working Risk Assessment
- Secure Area Working Procedure
- Annex A Controls MOC
- ISO 27001 Overview