In this article I lay bare the ISO 27001 Access Control Policy: exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.
I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker, the ISO 27001 Ninja, and this is the ISO 27001 Access Control Policy.
The ISO 27001 Access Control Policy sets out how the organisation ensures that the correct people have the correct access to the correct information and resources. The objective is to limit access to information and systems based on need rather than have a Wild West free-for-all.
The access control policy template is a simple yet effective policy that covers access to information and systems including the management and lifecycle.
The access control policy sets out what you do for Access Control.
The ISO 27001 Access Control Policy is pre written and ready to go. It is designed to save you over 8 hours of work. ISO 27001 templates are an absolute time and life saver.
The purpose of the ISO 27001 Access Control Policy is to ensure the correct access to the correct information and resources by the correct people.
Access control is granted on the principle of least privilege. Users are only provided access to the information they require to perform their tasks and role.
A cornerstone of information security is confidentiality: giving the right access to the right people at the right time. We want people to have the access they need to do their job, but no more, so that the information and data we hold is protected.
People talk about preventing unauthorised access, which is just a fancy way of saying stopping people getting access to data they should not have. By controlling access to data we reduce the risk of information security incidents and data breaches.
The ISO 27001 Access Control Policy is important because it sets out clearly, and in writing, what you expect to happen. If you don't tell people what you expect of them, how can you expect them to do it? Communicating what is expected is also a key step in any HR disciplinary process: many actions are not enforceable if you have not told people what to do and had them confirm that they understand what is being asked.
The ISO 27001 standard wants you to have the access control policy in place, communicated, and accepted by staff as part of your ISO 27001 certification. It actually forms part of a wider set of required information security policies that are all included in the ISO 27001 toolkit.
The lifecycle of user access is:
1. Request: someone requires access to systems or data and requests that access, either for themselves or for a member of their team.
2. Approve: access requests cannot be approved by the person requesting the access. This is known as segregation of duties. The person responsible for approving the request is usually the system or data owner.
3. Grant: once approved, the access is granted and technically implemented, usually by a trained IT professional. Take great care with the technique of copying or cloning access rights from an existing user: it carries across whatever that user has accumulated over time and can result in unexpected unauthorised access. A better method is role-based access: the access rights are defined by role, and the role is applied to the individual requiring access.
4. Modify: as a person changes role over time their access is revisited and revised. To do this the process starts again at step 1, requesting access.
5. Review: access is monitored on a regular basis. The main requirement is to conduct and evidence access reviews. Access reviews are usually performed by the system or data owner to confirm that the people with access still need it. Common practice is to conduct them monthly. They are a great way to catch a person who has left but whose access has not been removed, or a person who has changed role and whose access needs to be modified.
6. Revoke: revoking access can take place when a person changes role or leaves the organisation. Best practice is to revoke access at the earliest opportunity. For the audit trail, the same process is followed: a request to revoke the access, approval of that request, and then the revocation being actioned.
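As an added example (not code from the original page or from the ISO 27001 toolkit), the lifecycle above can be checked mechanically. The script below models the segregation-of-duties rule on the request trail, role-based entitlements, and the owner's access review that catches leavers, movers, orphaned accounts and shared logins. The roster, roles, entitlement names, request tickets and account export are all constructed for the illustration and are assumptions, not a real system's data.

```python
"""Constructed access review for the request / approve / grant / modify /
review / revoke lifecycle. All data below is invented for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role-based access: the role defines the entitlements and the role is
# applied to the person. Cloning rights from an existing user is not modelled.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp:read", "erp:report"},
    "finance_manager": {"erp:read", "erp:report", "erp:approve_payment"},
    "sysadmin": {"erp:read", "erp:admin"},
}


@dataclass(frozen=True)
class Person:            # one row of the HR roster
    user_id: str
    role: str
    status: str          # "active" or "left"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class AccessRequest:     # one ticket in the request/approval trail
    request_id: str
    user_id: str
    entitlement: str
    requested_by: str
    approved_by: Optional[str]


@dataclass(frozen=True)
class Account:           # one row exported from the target system
    user_id: str         # "shared-*" marks a shared login
    entitlements: frozenset


def check_segregation(requests):
    """Segregation of duties: a request is only valid when approved by
    someone other than the requester. Returns (request_id, problem) pairs."""
    findings = []
    for r in requests:
        if r.approved_by is None:
            findings.append((r.request_id, "unapproved"))
        elif r.approved_by == r.requested_by:
            findings.append((r.request_id, "self-approved"))
    return findings


def review_access(roster, accounts, requests, review_date):
    """Owner's access review: compare what the system grants against who
    is on the roster, what their role allows and what was validly approved.
    Returns (user_id, code, detail) triples; an empty list is a clean review."""
    people = {p.user_id: p for p in roster}
    invalid = {rid for rid, _ in check_segregation(requests)}
    approved = {(r.user_id, r.entitlement) for r in requests
                if r.request_id not in invalid}
    findings = []
    for acct in accounts:
        if acct.user_id.startswith("shared-"):
            findings.append((acct.user_id, "shared",
                             "actions cannot be traced to an individual"))
            continue
        person = people.get(acct.user_id)
        if person is None:
            findings.append((acct.user_id, "orphan",
                             "account has no matching person on the roster"))
            continue
        if person.status == "left":
            days = (review_date - person.left_on).days
            findings.append((acct.user_id, "leaver",
                             f"still active {days} days after leaving; revoke"))
            continue
        # Mover check: anything beyond the current role needs a valid approval.
        for ent in sorted(acct.entitlements - ROLE_ENTITLEMENTS[person.role]):
            if (acct.user_id, ent) not in approved:
                findings.append((acct.user_id, "excess",
                                 f"{ent} is outside role {person.role} "
                                 "with no valid approval"))
    return findings


# Constructed sample data: bob moved from finance_manager to finance_analyst
# but kept his old entitlement, dave left on 31 May, erin is not on the roster.
ROSTER = [
    Person("alice", "finance_analyst", "active"),
    Person("bob", "finance_analyst", "active"),
    Person("carol", "finance_manager", "active"),
    Person("dave", "sysadmin", "left", left_on=date(2024, 5, 31)),
]
REQUESTS = [
    AccessRequest("REQ-1", "alice", "erp:read", "alice", "carol"),
    AccessRequest("REQ-2", "bob", "erp:approve_payment", "bob", "bob"),
    AccessRequest("REQ-3", "alice", "erp:admin", "carol", None),
]
ACCOUNTS = [
    Account("alice", frozenset({"erp:read", "erp:report"})),
    Account("bob", frozenset({"erp:read", "erp:report", "erp:approve_payment"})),
    Account("carol", frozenset({"erp:read", "erp:report", "erp:approve_payment"})),
    Account("dave", frozenset({"erp:read", "erp:admin"})),
    Account("shared-helpdesk", frozenset({"erp:read"})),
    Account("erin", frozenset({"erp:read"})),
]
REVIEW_DATE = date(2024, 6, 30)

if __name__ == "__main__":
    for rid, problem in check_segregation(REQUESTS):
        print(f"request {rid}: {problem}")
    for user, code, detail in review_access(ROSTER, ACCOUNTS, REQUESTS, REVIEW_DATE):
        print(f"{user}: {code}: {detail}")
```

Each finding maps to an action in the lifecycle: "leaver" and "orphan" go straight to revocation, "excess" goes back to step 1 as a fresh request for the owner to approve or refuse, "shared" is a case for one-user-one-ID, and a self-approved ticket is an approval that has to be redone by the system or data owner. Keeping the output as structured triples rather than printed text is what lets the review be evidenced, since the findings and the review date can be filed alongside the sign-off.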
The ISO 27001 Access Control Policy is all about access to systems and data. When looking at access we are looking at the different types of access. We differentiate between normal users and administrators.
First things first, we want confidentiality agreements in place and signed before access to systems is granted. These may form part of employment contracts. It makes sense to grant access to systems based on roles, where the role defines the level of access that is allowed. We want to be able to trace actions back to individuals, so the concept of one user, one ID is introduced. With shared accounts it can be nearly impossible to establish who exactly did what, and that becomes critical when an incident occurs and we need to investigate. Users of systems are responsible for their actions.
System access is not a one-time deal. We have a starter, mover, leaver process that covers the provision of access, the changes to access as roles change and the removal of access when someone leaves. To confirm that all of this is working as planned we conduct regular access reviews. An access review is as simple as seeing who has access to systems and at what level, and confirming that they still need it. If they don't, or they have changed role, or they have left and the normal processes haven't caught it, we handle it at that point.
Our most powerful users are administrators. They hold the keys to the kingdom, so there are special considerations for administrative accounts: how they are allocated, when they are allocated, how they are used and how they are monitored.
We all use passwords, and the rules for passwords are set out: how they are created, how complex they need to be, how often (if at all) they are changed, and how they are communicated to users. Passwords are the keys to the doors of our systems and data, so we are clear on their management and use.
Often we rely on third parties or suppliers to help support and run our systems. We want to grant them the access they need, when they need it, to help us, so we set out the policy and rules for their access. We also address remote access for all users.
The ISO 27001 Access Control Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to carry certain document markup. Document markup is just a fancy term for having certain information on the policy: it will need version control, a version number, an owner and an information security classification. An example ISO 27001 Access Control Policy table of contents would look something like this:
This is an example ISO 27001 Access Control Policy:
Other than your ISO 27001 certification requiring it, the following are benefits of having the ISO 27001 Access Control Policy:
Access is the responsibility of the data and system owners. The ISO 27001 Access Control Policy is the responsibility of the senior leadership team. This can also be the senior operational leadership team.
Not managing access to systems can have severe consequences. Access control is a simple, effective protection against cyber attack and data breach. Giving a key to your door to everyone and anyone that asks invites attackers into your systems. The consequences could be legal and regulatory fines and/or enforcement, loss of data, loss of revenue and, in the most extreme cases, risk to life and closure of your organisation.
The approaches to monitoring the effectiveness of access control include:
The ISO 27001 Access Control Policy satisfies the following clauses in ISO 27001:2022
ISO 27001 Clause 5 Leadership