When to use this
Use this matrix when defining or reviewing role-based access to an application, service, database, report set, or information repository.
Related controls
- A.8.3 Information Access Restriction
- A.5.15 Access Control
- A.5.18 Access Rights
- A.5.12 Classification of Information
Access rules
| Application/information set | Owner | Role/group | Information/function | Classification | Create | Read | Modify | Delete | Export/print | Admin | Conditions | Approved by |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | TBD | Yes/No | Yes/No | Yes/No | Yes/No | Yes/No | Yes/No | TBD | TBD |
Minimum checks
- Access rules are approved by the information or application owner.
- Permissions match business need.
- Sensitive information has matching classification and handling rules.
- Export, print, and download permissions are explicitly defined.
- Admin and maintenance functions are separately controlled.
- Template
- Iso27001
- Technological controls
- Access control
Note Metadata
Aliases: Application Access Rule Matrix
Source: 90 Templates/Information Access Rule Matrix.md
Related Notes
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- A.8.3 Audit Evidence Pack
- ISO 27001 A.8.3 - Information Access Restriction
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.8.3 Audit Checklist
- Information Access Restriction Review Checklist
- Sensitive Function and Export Control Checklist
- Templates MOC