ISO 27001 Annex A 5.15 is about Access Control. This rule says that an organization must create and follow rules to control who can access information and other assets. This is based on what the business needs and what is required for security. The main goal is to let authorized people in and keep unauthorized people out.
What It’s About
Access control is one of the most important ways to keep data safe. It helps protect information from being viewed, changed, or destroyed by people who shouldn’t have access. It’s about giving people only the access they need to do their jobs. This is based on two key ideas:
- Need to Know: People should only get access to the information they need for their job.
- Least Privilege: People should have the lowest level of permission needed to do their work.
How to Do It
To follow this rule, you should:
- Create a specific policy for access control.
- Keep a list of all your physical and digital assets.
- Decide on your method for access control, then put it into practice.
- Regularly check who has access to what and remove access for people who no longer need it.
What an Auditor Checks For
An auditor will check your rules and make sure you are following them. They will look at your documentation and see if you have trained your staff on the policies.
Frequently Asked Questions
What are common mistakes?
A common mistake is to not remove access for people who have left the company. Another mistake is giving too much access to outside groups or not having good control over documents and their versions.
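The "How to Do It" steps above (keep an asset list, decide the access method, regularly review who has access and remove what is no longer needed) and the common mistakes in this answer (leavers keeping access, outside groups with too much access) can be turned into a repeatable access review. The following is an added Python example, not code from the standard or from this page: it cross-checks a constructed IAM entitlement export against a constructed HR directory and a role-to-permission matrix (need-to-know and least privilege), and reports grants that should be revoked or re-approved. All account names, assets, roles and the data schema are assumptions made for the example.

```python
"""Periodic access review in the spirit of ISO 27001 A.5.15 (constructed example).

Finding kinds:
  LEAVER   - account of someone who has left still holds a grant
  ORPHAN   - grant held by an account the HR directory does not know
  EXCESS   - grant not justified by the person's role (least privilege)
  EXTERNAL - external account holding a non-read permission, even if the
             role allows it; these need an explicit business approval
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Role -> minimum permission set that role needs (need-to-know). Constructed.
ROLE_ENTITLEMENTS: Dict[str, Set[Tuple[str, str]]] = {
    "accountant": {("finance-db", "read"), ("finance-db", "write")},
    "developer": {("source-repo", "read"), ("source-repo", "write"), ("ci", "read")},
    "auditor": {("finance-db", "read"), ("source-repo", "read")},
}

# HR directory: account -> (role, employment status, internal/external). Constructed.
HR_DIRECTORY: Dict[str, Tuple[str, str, str]] = {
    "alice": ("accountant", "active", "internal"),
    "bob": ("developer", "active", "internal"),
    "carol": ("developer", "left", "internal"),    # left the company
    "dave": ("auditor", "active", "external"),     # third-party auditor
    "erin": ("developer", "active", "external"),   # contractor developer
}

# IAM export: (account, asset, permission) triples currently granted. Constructed.
IAM_GRANTS: List[Tuple[str, str, str]] = [
    ("alice", "finance-db", "read"),
    ("alice", "finance-db", "write"),
    ("alice", "source-repo", "read"),     # accountant does not need this
    ("bob", "source-repo", "read"),
    ("bob", "source-repo", "write"),
    ("bob", "ci", "read"),
    ("carol", "source-repo", "write"),    # leaver still has access
    ("dave", "finance-db", "read"),
    ("dave", "finance-db", "write"),      # auditor role is read-only
    ("erin", "source-repo", "write"),     # allowed by role, but external
    ("mallory", "ci", "admin"),           # account unknown to HR
]


@dataclass(frozen=True)
class Finding:
    kind: str
    account: str
    asset: str
    permission: str
    reason: str


def review_access(hr, role_entitlements, grants) -> List[Finding]:
    """Compare every current grant with the HR record and the role matrix."""
    findings: List[Finding] = []
    for account, asset, perm in grants:
        entry = hr.get(account)
        if entry is None:
            findings.append(Finding("ORPHAN", account, asset, perm,
                                    "account not in HR directory"))
            continue
        role, status, origin = entry
        if status != "active":
            findings.append(Finding("LEAVER", account, asset, perm,
                                    f"employment status is '{status}'"))
        elif (asset, perm) not in role_entitlements.get(role, set()):
            findings.append(Finding("EXCESS", account, asset, perm,
                                    f"not required by role '{role}'"))
        elif origin == "external" and perm != "read":
            findings.append(Finding("EXTERNAL", account, asset, perm,
                                    "external account with non-read permission"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, for the review report."""
    return dict(Counter(f.kind for f in findings))


def revocations(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Grants to remove outright; EXTERNAL findings go to re-approval instead."""
    return sorted({(f.account, f.asset, f.permission)
                   for f in findings if f.kind in {"LEAVER", "ORPHAN", "EXCESS"}})


if __name__ == "__main__":
    results = review_access(HR_DIRECTORY, ROLE_ENTITLEMENTS, IAM_GRANTS)
    for f in results:
        print(f"{f.kind:8} {f.account:8} {f.asset:12} {f.permission:6} {f.reason}")
    print("summary:", summarize(results))
    print("revoke:", revocations(results))
```

Running it as written lists one leaver grant, one orphaned account, two excess grants and one external write to re-approve; in practice the HR directory and IAM export would be pulled from their systems of record on a schedule, and the revocation list fed to the provisioning process rather than printed.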
What changed in the new version?
The new version of the rule combines two older ones. The main idea is the same, but it is now clearer about controlling access to both physical places and digital networks.
Do I have to follow this rule?
Yes. Access control is a key part of keeping information safe. There is no good reason for a company to not have this control in place.
For a more detailed explanation of this topic, you can watch a video about ISO 27001 Access Control.