The basics
ISO 27001 control A.5.15 Access control requires companies to establish and implement rules to access information and information-related assets – those rules should take into account both business and security needs in order to protect information against unauthorized disclosure or changes.
Documentation
ISO 27001 control A.5.15 Access control can be documented by writing an Access Control Policy.
This policy is not a mandatory document but is recommended for all companies.
Implementation
In order to comply with control A.5.15 Access control you might implement the following:
- Technology — the technology to enable access control may include software (e.g., user management features, logging and monitoring tools, etc.), hardware (e.g., tokens), and networks (e.g., firewalls and routers).
- Organization/processes — you should set up a process for defining criteria for access control, who is responsible for granting/revoking access, how requests for access must be performed and implemented, and how granted access must be reviewed and updated. You can document those processes through an Access Control Policy.
- People — make employees aware of why controlling access to information and related assets is needed, and train them on how to properly request access to information and assets.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.15 Access control: whether rules to access information and information-related assets are established and implemented.