ISO 27001 Annex A 5.15 Access Control

What is ISO 27001 Annex A 5.15 Access Control?

ISO 27001 Annex A 5.15 defines the rules for managing user access. It is a documented process integrated into your primary business tools. This control requires a formal policy to restrict access to information assets. It ensures users only see data relevant to their specific job functions. Effective implementation relies on internal documentation and clear management oversight.

Auditor’s Eye: The Shortcut Trap

Automated SaaS compliance platforms often promise simplified access reviews. These tools create a dangerous disconnect between security and operations. Auditors find these “black box” dashboards superficial. They often lack the context of your specific business workflows. We prefer seeing evidence within your native document repositories. Jira tickets provide a superior audit trail for access requests. SharePoint version history proves your policy is an active document. Compliance must live within your daily tools to be effective.

ISO 27001:2013 vs ISO 27001:2022 Transition

  • 2013 control A.9.1.1 (Access Control Policy) → 2022 control 5.15 (Access Control): consolidated requirements into a single organizational control.
  • 2013 control A.9.1.2 (Access to Networks) → 2022 control 5.15 (Access Control): broadened scope to cover all logical access types.

How to Implement ISO 27001 Annex A 5.15 (Step-by-Step)

Implementation begins with defining clear access rules. You must integrate these rules into your existing organisational tools. This ensures security becomes part of your daily culture. Start with the policy before moving to technical configuration.

  • Draft the Policy: Use SharePoint to create a version-controlled Access Control Policy. Define the “need-to-know” principle.
  • Map Roles: Create a role-permission matrix in Confluence. Link every job title to specific software permissions.
  • Standardise Requests: Use Jira to build a formal access request form. Include mandatory fields for manager approval.
  • Schedule Reviews: Set recurring calendar invites for access audits. Document the findings in your management meeting minutes.
  • Automate Reports: Use native system logs to verify active accounts. Compare these logs against your internal HR records.
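The "Map Roles" and "Automate Reports" steps above amount to a reconciliation: the role-permission matrix and HR records say what access each person should have, and the native system export says what they actually have. The script below is an added example, not code from the original page; every user id, role, permission and record in it is constructed for illustration. It flags the three gaps the audit checklist later asks evidence for: leavers whose accounts are still active, accounts with no HR owner, and permissions beyond what the matrix allows for the person's role.

```python
# Added example (not from the original page): reconcile a constructed system
# account export against constructed HR records and a role-permission matrix.
from dataclasses import dataclass

# Role-permission matrix (the "Map Roles" step), constructed for illustration.
ROLE_MATRIX = {
    "finance_analyst": {"erp:read", "erp:report"},
    "developer": {"git:read", "git:write", "ci:run"},
}

# HR records keyed by user id: job role and employment status, constructed.
HR_RECORDS = {
    "u1001": {"role": "finance_analyst", "status": "active"},
    "u1002": {"role": "developer", "status": "active"},
    "u1003": {"role": "developer", "status": "left"},   # exit date has passed
}

# Native system export of active accounts and granted permissions, constructed.
SYSTEM_ACCOUNTS = {
    "u1001": {"erp:read", "erp:report", "idp:admin"},  # exceeds role allowance
    "u1002": {"git:read", "git:write", "ci:run"},      # matches role exactly
    "u1003": {"git:read", "git:write"},                # leaver still active
    "svc_legacy": {"erp:read"},                        # no HR record at all
}

@dataclass(frozen=True)
class Finding:
    user: str
    kind: str        # "leaver_active", "orphan_account" or "excess_permission"
    detail: str

def review_access(accounts, hr, matrix):
    # Returns the findings a quarterly review should record in its minutes.
    findings = []
    for user, granted in sorted(accounts.items()):
        record = hr.get(user)
        if record is None:
            findings.append(Finding(user, "orphan_account", "no HR record"))
            continue
        if record["status"] != "active":
            findings.append(Finding(user, "leaver_active", "revoke all access"))
            continue
        excess = granted - matrix.get(record["role"], set())
        for perm in sorted(excess):
            findings.append(Finding(user, "excess_permission", perm))
    return findings

if __name__ == "__main__":
    for f in review_access(SYSTEM_ACCOUNTS, HR_RECORDS, ROLE_MATRIX):
        print(f"{f.user}: {f.kind} ({f.detail})")
```

The printed list is the artefact to attach to the review meeting minutes; an empty list is the evidence that policy and practice match for that quarter.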

ISO 27001 Annex A 5.15 Audit Evidence Checklist

Auditors look for manual records and internal document versions. These prove human oversight and intent. Avoid relying on third-party compliance software dashboards.

  • Access Control Policy with clear evidence of management approval.
  • Jira workflow logs showing the lifecycle of an access request.
  • Employee exit checklists proving timely access revocation.
  • Spreadsheets or Confluence pages detailing role-based access levels.
  • Meeting minutes from the last four quarterly access reviews.

Relational Mapping

Annex A 5.15 connects directly to several other controls. It relies on Annex A 5.16 (Identity Management) for user verification. It supports Annex A 5.18 (Access Rights) by providing the underlying rules. Proper access control also aids Annex A 8.2 (Privileged Access Rights). Each control forms part of a cohesive Document-Based Management System.

Auditor Interview

Auditor: How do you manage access for new employees?

User: We use a Jira onboarding workflow. The manager specifies the required roles.

Auditor: Who reviews the access rights for existing staff?

User: Department heads perform reviews every quarter using our internal matrix.

Auditor: Where do you record the results of these reviews?

User: We save the reviewed lists and meeting minutes in SharePoint.

Common Non-Conformities

  • Automated Complacency: relying on platform green ticks without having internal procedural evidence.
  • Policy-Practice Gap: having a policy in SharePoint that does not match actual system permissions.
  • Lack of Reviews: failing to document management oversight of active access rights.

Frequently Asked Questions

What is the primary requirement of ISO 27001 Annex A 5.15?

Bottom Line Up Front: The core requirement is to establish and document an access control policy. This policy must base access on business and security requirements. It ensures users only access information necessary for their roles. Managers must review these rights at regular intervals.

How should an organisation manage access requests?

Bottom Line Up Front: Organisations should use a formal registration and de-registration process. Integrated tools like Jira provide an audit trail for approvals. Every request must have a documented business justification. This prevents unauthorised access and ensures accountability.

What is the difference between A 5.15 and A 5.18?

Bottom Line Up Front: Annex A 5.15 focuses on the high-level policy and rules for access. Annex A 5.18 specifically addresses the management of access rights. Both controls work together to secure data. They require documented procedures and regular management oversight.

LA CASA DE CERTIFICACIÓN