ISO 27001 Annex A 5.15 – Access Control

ISO 27001 Annex A 5.15 is about Access Control. This control requires an organisation to establish and follow rules that govern who can access information and other associated assets. Those rules are based on what the business needs and on the organisation’s information security requirements. The main goal is to let authorised people in and keep unauthorised people out.

What Is Access Control?

Access control is one of the most important ways to keep data safe. It helps protect information from being viewed, changed, or destroyed by people who shouldn’t have access. It’s about giving people only the access they need to do their jobs. This is based on two key ideas:

  • Need to Know: People should only get access to the information they need for their job.
  • Least Privilege: People should have the lowest level of permission needed to do their work.

What is ISO 27001 Annex A 5.15?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Access Control”.

What is the ISO 27001 Annex A 5.15 control objective?

The formal definition and control objective in the standard is: “Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.”

What is the purpose of ISO 27001 Annex A 5.15?

The purpose of ISO 27001 Annex A 5.15 is “To ensure authorised access and to prevent unauthorised access to information and other associated assets.”

Is ISO 27001 Annex A 5.15 Mandatory?

ISO 27001 Annex A control 5.15 (Access Control in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.15 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

  • A written policy for access control.
  • A list of all your physical and digital assets.
  • Your method for access control and that you put it into practice.
  • Regular checks of who has access to what and that you have removed access for people who no longer need it.
  • Evidence that you follow the process for access control.
  • Proof that you have a way to manage access control and access rights on a regular basis.
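The access review the auditor asks for can be partly automated: take the current access grants, compare them with the HR roster (to catch leavers) and with the access each job role actually needs (to catch need-to-know and least-privilege violations). The script below is an added example written for this article, not code from the standard or from any ISO 27001 toolkit; the role-to-entitlement matrix, the HR roster and the grant list are constructed sample data in a hypothetical format, and the access levels (none, read, write, admin) are an assumption chosen to illustrate the idea.

```python
from dataclasses import dataclass

# Ordered access levels; a higher number means more privilege (assumed scheme).
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Finding:
    user: str
    asset: str
    granted: str   # level the user currently holds
    allowed: str   # highest level the role justifies ("none" = no need to know)
    reason: str


# Constructed sample data: the maximum access each job role needs per asset.
# Anything not listed for a role means that role has no need to know.
ROLE_ENTITLEMENTS = {
    "accountant": {"finance-ledger": "write", "shared-drive": "read"},
    "support": {"ticketing": "write", "shared-drive": "read"},
    "it-admin": {"finance-ledger": "admin", "ticketing": "admin", "shared-drive": "admin"},
}

# Constructed sample HR roster: user -> (job role, employment status).
HR_ROSTER = {
    "alice": ("accountant", "active"),
    "bob": ("support", "left"),
    "carol": ("support", "active"),
    "dave": ("it-admin", "active"),
}

# Constructed sample of what the systems currently grant: (user, asset, level).
CURRENT_GRANTS = [
    ("alice", "finance-ledger", "admin"),  # role only justifies write
    ("alice", "shared-drive", "read"),
    ("bob", "ticketing", "write"),         # bob has left the organisation
    ("carol", "ticketing", "write"),
    ("carol", "finance-ledger", "read"),   # support role has no need to know
    ("dave", "finance-ledger", "admin"),
    ("erin", "shared-drive", "read"),      # identity unknown to HR
]


def review_access(grants, roster, role_entitlements):
    """Return one Finding per grant that the access rules do not justify.

    Checks, in order: the identity exists in HR, the person is still active
    (leavers keep nothing), the role has a need to know for the asset, and the
    granted level does not exceed what the role requires (least privilege).
    """
    findings = []
    for user, asset, granted in grants:
        if user not in roster:
            findings.append(Finding(user, asset, granted, "none", "unknown-identity"))
            continue
        role, status = roster[user]
        if status != "active":
            findings.append(Finding(user, asset, granted, "none", "leaver-still-has-access"))
            continue
        allowed = role_entitlements.get(role, {}).get(asset, "none")
        if allowed == "none":
            findings.append(Finding(user, asset, granted, allowed, "no-need-to-know"))
        elif LEVELS[granted] > LEVELS[allowed]:
            findings.append(Finding(user, asset, granted, allowed, "exceeds-least-privilege"))
    return findings


def summarise(findings):
    """Count findings by reason, which is the figure an access review report usually leads with."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(CURRENT_GRANTS, HR_ROSTER, ROLE_ENTITLEMENTS)
    for f in results:
        print(f"{f.user:6} {f.asset:15} granted={f.granted:6} allowed={f.allowed:6} {f.reason}")
    print(summarise(results))
```

Running it lists four grants to revoke or reduce: alice's admin on the ledger (down to write), bob's ticketing access (leaver), carol's ledger access (no need to know) and erin's share access (no HR record). Keeping the dated output of each run is the kind of evidence the auditor looks for under the last two bullets above.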

You can learn more about access control and ISO 27001 by watching this video: ISO 27001 Access Control.