What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.15

ISO 27001 Annex A 5.15 - what changed in the 2022 update

If you have been navigating the world of information security for a while, you know that keeping up with ISO standards can feel like chasing a moving target. With the release of ISO 27001:2022, many professionals are scratching their heads wondering exactly how their existing controls have shifted. One of the most significant areas of interest is the transition of access control requirements into the new Annex A 5.15.

The 2022 update isn’t just a simple renumbering exercise; it’s a reflection of how much the digital landscape has changed over the last decade. Let’s dive into what has actually moved, what has stayed the same, and how you need to adapt.

The Evolution of Access Control

In the 2013 version of the standard, access control was a massive topic spread across several different sections, primarily under Annex A.9. It felt a bit clinical and was often siloed into technical and organizational categories that didn’t always talk to each other. You had specific controls for user registration, password management, and privileged access rights all living in different corners of the document.

The 2022 update has changed the game by introducing Annex A 5.15, titled simply “Access Control.” This new control is part of the “Organizational Controls” theme. The goal here was to create a more holistic, high-level approach that covers the entire lifecycle of access, from the moment a user joins an organisation to the moment they leave.

What Exactly Moved to Annex A 5.15?

If you are looking for your old 2013 controls, you will find that Annex A 5.15 is essentially a powerhouse consolidation. It pulls together several legacy controls, most notably A.9.1.1 (Access control policy) and A.9.1.2 (Access to networks and network services).

By merging these, the 2022 version acknowledges that you can’t really separate your policy from your practical network access anymore. As noted by the compliance experts at Hightable.io, this consolidation is designed to make the standard more “outcome-focused.” Instead of checking off boxes for different types of access, you are now looking at the total security posture of how information is reached.

The Shift Toward Dynamic Access Management

One of the biggest differences between the 2013 and 2022 versions is the context. In 2013, we were still very much focused on the “perimeter”—the idea that if you were inside the office network, you were safe. Today, with remote work and cloud services being the norm, that perimeter has vanished.

Annex A 5.15 reflects this by being much more flexible. It doesn’t just ask you to have a policy; it requires that access be managed based on both business and information security requirements. According to Hightable.io, the 2022 version puts a stronger emphasis on the “least privilege” principle and the “need-to-know” basis, ensuring that these aren’t just buzzwords but are actively enforced across all systems, whether they are on-premises or in the cloud.

Key Changes in Requirements and Documentation

While the 2013 version was quite prescriptive about “user responsibilities,” the 2022 update for Annex A 5.15 focuses more on the organisation’s responsibility to provide a secure environment. There is a clearer expectation that access control is a dynamic process. You aren’t just giving someone a username and password; you are managing their “identity.”

For those transitioning their ISMS, this means your Access Control Policy needs a refresh. You need to account for:

  • Full lifecycle management of user identities.
  • Authentication requirements that go beyond simple passwords (linking closely with the new Annex A 5.17 for authentication information).
  • Segmentation of access based on the sensitivity of the data.
  • Regular reviews that are more than just a “rubber stamp” exercise.

Practical Impact: Modernising Your Approach

The move to Annex A 5.15 simplifies your documentation because you no longer have to maintain fragmented policies for different types of access. However, it raises the bar for how those policies are implemented. The 2022 standard expects you to have a much tighter grip on who has access to what, especially in complex environments where users might be accessing data from multiple devices and locations.

Many organisations are finding that this update is the perfect excuse to move away from manual spreadsheets and toward automated identity and access management (IAM) tools. Hightable.io suggests that as you map your 2013 controls to the 2022 version, you should look for opportunities to automate the revocation of access, which remains one of the most common findings in security audits.
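As an added illustration of what “automating the revocation of access” and a review that is “more than a rubber stamp” can look like in practice, here is a small joiner/mover/leaver reconciliation in Python. This is example code written for this page, not code from the article or from Hightable.io. It assumes two hypothetical inputs: an HR feed of people (with a status of active or left) and an export of accounts with their entitlements and last login. The department-to-entitlement baseline, the set of entitlements treated as privileged, and all sample records are constructed for the example.

```python
"""
Added example (not from the original article or Hightable.io): a minimal
access-review reconciliation of the kind an automated IAM process might run
to support ISO 27001:2022 Annex A 5.15 lifecycle management. All inputs
below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Person:
    """One row from a hypothetical HR feed."""
    username: str
    status: str        # "active" or "left"
    department: str


@dataclass
class Account:
    """One row from a hypothetical directory / application export."""
    username: str
    enabled: bool
    last_login: Optional[date]
    entitlements: Set[str] = field(default_factory=set)


# Hypothetical baseline: what each role legitimately needs (need-to-know).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "finance": {"erp-read", "erp-post"},
    "engineering": {"git", "ci"},
    "support": {"crm-read"},
}

# Hypothetical set of entitlements treated as privileged for severity rating.
PRIVILEGED: Set[str] = {"erp-post", "domain-admin", "ci"}

Finding = Tuple[str, str, str]  # (username, finding kind, detail)


def review_access(people: List[Person], accounts: List[Account],
                  today: date, inactive_days: int = 90) -> List[Finding]:
    """Reconcile accounts against HR and the role baseline.

    Flags: orphan accounts with no HR owner, leavers still enabled, dormant
    accounts, and entitlements outside the owner's role baseline (rated
    'privileged-excess' when any of them is in PRIVILEGED).
    """
    findings: List[Finding] = []
    people_by_user = {p.username: p for p in people}

    for acct in accounts:
        person = people_by_user.get(acct.username)
        if person is None:
            findings.append((acct.username, "orphan", "no HR record; revoke or assign an owner"))
            continue
        if person.status == "left" and acct.enabled:
            findings.append((acct.username, "leaver-still-enabled", "disable immediately"))
            continue
        if acct.enabled and (acct.last_login is None
                             or (today - acct.last_login).days > inactive_days):
            findings.append((acct.username, "dormant", f"no login in {inactive_days} days"))
        excess = acct.entitlements - ROLE_BASELINE.get(person.department, set())
        if excess:
            kind = "privileged-excess" if excess & PRIVILEGED else "excess"
            findings.append((acct.username, kind, f"not in role baseline: {sorted(excess)}"))
    return findings


# Constructed sample data for a stand-alone run.
TODAY = date(2024, 6, 1)
PEOPLE = [
    Person("alice", "active", "finance"),
    Person("bob", "left", "engineering"),
    Person("carol", "active", "support"),
]
ACCOUNTS = [
    Account("alice", True, TODAY - timedelta(days=3), {"erp-read", "erp-post"}),
    Account("bob", True, TODAY - timedelta(days=40), {"git", "ci"}),
    Account("carol", True, TODAY - timedelta(days=200), {"crm-read", "domain-admin"}),
    Account("svc-legacy", True, None, {"erp-read"}),
]

if __name__ == "__main__":
    for user, kind, detail in review_access(PEOPLE, ACCOUNTS, TODAY):
        print(f"{user:12} {kind:22} {detail}")
```

The point of the baseline comparison is that a review asks “does this role need this?” rather than “is this list still roughly right?”; in a real deployment the HR feed and the entitlement export would come from your IAM tooling, and the findings would feed a ticket or an automated disable action rather than a print loop.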

Why This Change is Better for Your Security

Ultimately, the change from the 2013 framework to ISO 27001:2022 Annex A 5.15 is about maturity. It moves the conversation away from “how many passwords do we have?” to “how are we protecting our most valuable assets?” By streamlining these controls, the standard makes it easier for security teams to communicate risks to the rest of the business.

If you are starting your transition, don’t view this as a burden. View it as a chance to clean up old processes that no longer serve your business. For those who need a bit of extra help, resources and templates from Hightable.io can be incredibly useful in ensuring your new Access Control Policy meets the rigorous demands of the 2022 update while staying practical for your day-to-day operations.