Access Control (ISO 27001 Annex A 5.15)

  • Jun 30, 2025
  • 2 min read

Protecting sensitive company assets is of the utmost importance. Therefore, you should prevent unauthorized access and avoid granting unnecessary access to these assets. This concept is called “Access Control” and is a key control of ISO 27001 (Annex A 5.15). The control requires that “Rules to control physical and logical access to information and other associated assets should be established”. This applies to access to software, hardware, customer data, employee data, and even physical locations.


To have such control over access to your assets, you will first need to maintain an Asset Inventory. A good rule of thumb is to adhere to the Principle of Least Privilege, which states that access should only be granted to those who need it, at the level they need it, and for the time that they need it. For example, admin-level access should not be granted to someone who only needs standard user-level access.


Granting access is straightforward and obvious, but revoking access is where mistakes are often made. Someone may have needed access for the duration of a project, but it is easy to forget to revoke that access upon the project’s completion. Also, when offboarding an individual, all of their access should be revoked immediately.
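The three failure modes described above (access that outlives its project, access that survives offboarding, and access above the level a role needs) can all be caught by periodically comparing the asset inventory's grants against the current staff roster. The following is an added illustration, not code from this post or from AxoTrax; the `Person`, `Grant` and `Finding` records and the sample roster are constructed for the example, and the "user"/"admin" privilege ranking is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed privilege ranking, used to compare the level granted against the
# level a role actually requires (least privilege).
RANK = {"none": 0, "user": 1, "admin": 2}


@dataclass(frozen=True)
class Person:
    user_id: str
    active: bool              # False once the person has been offboarded


@dataclass(frozen=True)
class Grant:
    user_id: str
    asset: str                # an entry from the asset inventory
    level: str                # level actually granted
    required_level: str       # level the person's role needs
    expires: Optional[date]   # None means standing access with no end date


@dataclass(frozen=True)
class Finding:
    grant: Grant
    reason: str
    action: str               # "revoke" (clear-cut) or "review" (needs a human decision)


def audit_access(people: List[Person], grants: List[Grant], today: date) -> List[Finding]:
    """Flag every grant that is held by an offboarded person, has passed its
    expiry date, or exceeds the level the role requires. A single grant can
    produce more than one finding."""
    active_ids = {p.user_id for p in people if p.active}
    findings: List[Finding] = []
    for g in grants:
        if g.user_id not in active_ids:
            findings.append(Finding(g, "offboarded user still holds access", "revoke"))
        if g.expires is not None and g.expires < today:
            findings.append(Finding(g, "time-bound access past its expiry date", "revoke"))
        if RANK[g.level] > RANK[g.required_level]:
            findings.append(Finding(g, "granted level exceeds the level the role requires", "review"))
    return findings


def purge(grants: List[Grant], findings: List[Finding]) -> List[Grant]:
    """Return the grants that remain once every 'revoke' finding is applied.
    'review' findings (over-privileged but still-needed access) are left for a
    person to reduce rather than removed outright."""
    to_revoke = {f.grant for f in findings if f.action == "revoke"}
    return [g for g in grants if g not in to_revoke]


# Constructed sample data: three people, one of them already offboarded.
TODAY = date(2025, 6, 30)
PEOPLE = [
    Person("alice", active=True),
    Person("bob", active=True),
    Person("carol", active=False),   # offboarded, but a grant was never revoked
]
GRANTS = [
    Grant("alice", "crm", "user", "user", None),
    Grant("alice", "prod-db", "admin", "user", None),            # more than the role needs
    Grant("bob", "ci-server", "admin", "admin", date(2025, 5, 31)),  # project access, expired
    Grant("bob", "crm", "user", "user", None),
    Grant("carol", "crm", "user", "user", None),                 # lingering after offboarding
]

if __name__ == "__main__":
    results = audit_access(PEOPLE, GRANTS, TODAY)
    for f in results:
        print(f"{f.action.upper():6} {f.grant.user_id}@{f.grant.asset}: {f.reason}")
    print("remaining grants:", [(g.user_id, g.asset) for g in purge(GRANTS, results)])
```

Running the audit on the sample data reports three findings: alice's admin access to `prod-db` is flagged for review, bob's expired `ci-server` access and carol's post-offboarding `crm` access are flagged for revocation, and `purge` drops the latter two. Keeping the audit output alongside the inventory gives you the record of adherence that the certification evidence asks for.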


This problem is more prevalent than you may think, and a single slip-up could cause irreparable damage to your company's revenue and reputation. Consider the following:

  1. Some 20% of organizations say they have experienced data breaches by ex-employees. (techrepublic)

  2. Around 11% of data breaches in 2023 were caused by actions of a rogue employee or insider threat. (OAIC)

  3. 76% of IT leaders strongly agree that offboarding is a significant security threat. (zippia)

  4. 89% of former employees still have access to private business apps and data. (zippia)


Certification will require you to have proper protocols in place to support this, as well as proof that you uphold your stated procedures. Therefore, it is important to design your protocols to be realistically maintainable. You should also make use of tools to automate the processes and record adherence to them along the way.


With AxoTrax, this is simple and affordable. You can maintain your Asset Inventory and automate your business’ custom access controls. When offboarding an individual, AxoTrax will generate any necessary tasks for access removal. It is also simple to perform regular audits to ensure any lingering access gets purged.

