ISO 27001 Annex A Control 8.3

ISO 27001 control 8.3 Information access restriction

The basics

ISO 27001 control A.8.3 Information access restriction requires companies to limit users' access to information and information systems in accordance with the access control policy, in order to prevent unauthorized disclosure of information.

Documentation

ISO 27001 control A.8.3 Information access restriction can be documented by writing:

These policies are not mandatory but are recommended for all companies.

Implementation

In order to comply with control A.8.3 Information access restriction you might implement the following:

  • Technology — the technology used to enable information access restriction mainly consists of software (e.g., data loss prevention applications, user management systems, logging and monitoring tools, etc.). Companies may use the access control features available on their local computers to restrict access rights to information (e.g., read-only access), and use networked systems to allow centralized and remote management of those access rights.
  • Organization/processes — you should set up a process that defines how restrictions are applied to information access based on the sensitivity of the information, who is responsible for restricting access to information, how requests for access must be submitted and implemented, and how applied access restrictions must be reviewed and updated. You can document these processes in an Information Classification Policy or an Access Control Policy.
  • People — make employees aware of why restricting access to information and related assets is needed, and train IT staff on how to restrict access to information and assets.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.3 Information access restriction: whether users' access to information systems is limited in accordance with the defined access control policy.