ISO 27001 Annex A 8.3 is about information access restriction, which means you must have a way to restrict who can access information and IT systems.
What Is Information Access Restriction?
One of the most effective ways to keep information safe is access control: limiting who can see and use data. Its main job is to keep data confidential. You use this method every day when you sign into websites and services.
This rule in the ISO 27001 guide tells you to limit who can see information and services. It also tells you how to set up and run access control correctly.
This is important because people without the correct controls could see data that isn’t for them. This creates a risk of a data leak or a security issue, which can cause big legal, rule-based, and customer problems for you.
What is ISO 27001 Annex A 8.3?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Information Access Restriction”.
What is the ISO 27001 Annex A 8.3 control objective?
The formal definition and control objective in the standard is: “Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.”
What is the purpose of ISO 27001 Annex A 8.3?
The purpose of ISO 27001 Annex A 8.3 is “To ensure only authorised access and to prevent unauthorised access to information and other associated assets.”
Is ISO 27001 Annex A 8.3 Mandatory?
ISO 27001 Annex A control 8.3 (Information Access Restriction in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 8.3 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
Use an Access Control Policy
Your first step for this rule is to create a policy about access control. This policy must explain how you approach access. You can find policy templates already written for you. This policy will give you a guide on how to manage access. We are focusing on general access here, not privileged (higher-level) access.
Set up Role-Based Access
Using role-based access is a great method here. You need to figure out which job roles you have, describe them, and then give people access based on what their role needs.
Follow Access Principles
You should grant access based on two simple ideas:
- Least Privilege: Users only get the least amount of access needed for their job.
- Need-to-Know: People should only see the information they need to do their work.
Make Access Rules Stick
You must enforce proper access control. The strength of the controls should match the risk posed by the access being granted.
Plan for Changes in Access
This rule is not very hard; it is mainly common sense. The standard talks about dynamic access management. This just means thinking ahead about sudden changes that need access control. Examples are sharing information outside the company or granting access during company checks such as audits.
Link Access to Information Type
Connect your access rules to your information classification. This makes sure sensitive data is protected correctly. You use your classification scheme to decide who should get access to what.
Put Technical Rules in Place
Once you have your rules and needs, make sure they work on your systems, applications, and services. These rules are mainly technical. Good technical examples include:
- Using passwords, tokens, or certificates to get into information.
- Setting access to be available only at certain times.
- Using encryption to protect data on the device or the file itself.
- Deciding who can print things, if needed.
Check and Record Access
You must keep a record of who accessed what, and you must monitor, report, and alert on access activities. You should also review access rights regularly to ensure they are still correct.
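The steps above (role-based access, least privilege and need-to-know, linking access to classification, time-limited access, and recording and reviewing access) can be tied together in one small decision engine. The following is an added example, not code from the original article or from the ISO standard. It assumes a four-level classification scheme (public, internal, confidential, restricted) and constructs its own sample roles, users and assets; every decision is deny-by-default, is written to an audit trail, and the review step flags any access granted to a shared account so it can be justified in the risk register.

```python
"""Deny-by-default role-based access decisions with classification levels,
need-to-know scope, time windows and an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Assumed classification scheme, in ascending order of sensitivity.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Role:
    name: str
    max_level: str                    # highest classification the role may access
    permissions: frozenset            # actions such as "read" or "print"
    projects: frozenset = frozenset() # need-to-know scope; empty = not project-scoped
    hours: Optional[Tuple[time, time]] = None  # same-day window; None = any time


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
    shared: bool = False  # generic/shared account, permitted only as a recorded exception


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    project: str


class AccessController:
    """Evaluates requests against roles; every decision lands in the audit trail."""

    def __init__(self, roles, users, assets):
        self.roles = {r.name: r for r in roles}
        self.users = {u.user_id: u for u in users}
        self.assets = {a.name: a for a in assets}
        self.audit: List[dict] = []

    def _role_permits(self, role, asset, action, at):
        """Return None if the role satisfies every check, else the failing reason."""
        if action not in role.permissions:
            return "action not granted to role"
        level = LEVELS.get(asset.classification)
        if level is None or level > LEVELS[role.max_level]:
            return "classification unknown or above role ceiling"
        # Need-to-know: scoped roles reach non-public assets only in their own projects.
        if role.projects and level > 0 and asset.project not in role.projects:
            return "outside need-to-know scope"
        if role.hours and not (role.hours[0] <= at.time() <= role.hours[1]):
            return "outside allowed hours"
        return None

    def check(self, user_id, asset_name, action, at):
        """Deny unless some role the user holds passes all checks; always log."""
        user, asset = self.users.get(user_id), self.assets.get(asset_name)
        decision, reason = False, "unknown user or asset"
        if user and asset:
            reasons = []
            for role_name in sorted(user.roles):
                role = self.roles.get(role_name)
                if role is None:
                    continue
                why = self._role_permits(role, asset, action, at)
                if why is None:
                    decision, reason = True, f"granted via role {role_name}"
                    break
                reasons.append(f"{role_name}: {why}")
            else:
                reason = "; ".join(reasons) or "no valid roles"
        self.audit.append({"at": at.isoformat(), "user": user_id, "asset": asset_name,
                           "action": action, "decision": decision, "reason": reason})
        return decision, reason

    def review(self):
        """Access review: grants made to shared accounts, to be justified as exceptions."""
        return [e for e in self.audit
                if e["decision"] and (u := self.users.get(e["user"])) and u.shared]


def build_demo_controller():
    """Constructed sample data (hypothetical roles, users and assets)."""
    roles = [
        Role("analyst", "confidential", frozenset({"read"}), frozenset({"alpha"}),
             (time(8, 0), time(18, 0))),
        Role("hr", "restricted", frozenset({"read", "print"}), frozenset({"hr"})),
        Role("intern", "internal", frozenset({"read"}), frozenset({"alpha"})),
    ]
    users = [User("alice", frozenset({"analyst"})), User("bob", frozenset({"intern"})),
             User("svc-print-hr", frozenset({"hr"}), shared=True)]
    assets = [Asset("alpha_report", "confidential", "alpha"),
              Asset("payroll", "restricted", "hr"),
              Asset("lunch_menu", "public", "general")]
    return AccessController(roles, users, assets)


if __name__ == "__main__":
    ac = build_demo_controller()
    now = datetime(2024, 5, 6, 10, 0)
    print(ac.check("alice", "alpha_report", "read", now))
    print(ac.check("alice", "alpha_report", "read", now.replace(hour=22)))
    print(ac.check("svc-print-hr", "payroll", "print", now))
    print("shared-account grants to review:", ac.review())
```

The point of the structure is that a request never succeeds by accident: a role must explicitly hold the action, its classification ceiling must cover the asset, the asset must be within the role's need-to-know scope, and the time window must match, otherwise the request is denied and the denial is still recorded. The review function is what an access review would run over the log to pick out the exceptions (here, shared accounts) that the risk register must explain.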
Get Rid of Shared Accounts
Try to avoid using generic accounts. You need to be able to link every action back to a specific person. If you absolutely need a generic account, manage it as an exception. Record it in your risk register and manage any risks it creates.