
ISO27001:2022 A8.3 – Information access restriction




In relation to ISO27001 controls, it often feels like we’re duplicating effort and having similar conversations in different places. And that’s not far from the truth. A8.3 is just such a control, where we should already have discussed the applicability and the controls required.



In terms of access control, we discussed this in ISO27001 Annex A control (A5.15 - Access Control), and then Annex A control (A5.18 - Access Rights) highlights the need to assess the implementation of access rights. Finally, Annex A control (A8.2 - Privileged access rights) asks us to consider the allocation and management of privileged access rights.


Clearly, then, ISO27001 considers controlling access to processing facilities (both technical and physical) an important topic. So what’s so different about this control? Why do we need another control if it is already covered elsewhere?


What does the standard require?

The standard states that “Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.” (A8.3 – Information access restriction)


Note here that the requirement is to restrict access in accordance with a topic-specific policy. The other ISO27001 Annex A controls mentioned above spoke of controlling access and access rights; this control is specifically interested in how you restrict access.


Why is this required?

This control ensures that only authorised individuals and systems have access to processing facilities. It is also intended to prevent unauthorised access to information and other associated assets.


As we have covered previously, without adequate access controls in place, data breaches, whether deliberate or accidental, are more likely. These could damage your reputation or lead to compliance issues, which in turn lead to financial losses.


When discussing Access Controls (A5.15 – Access Control), Access Rights (A5.18 – Access Rights) and restricting privileged access (A8.2 - Privileged access rights), we were effectively establishing the importance of restricting access on a ‘need to know’ basis.


Restricting what individuals can do with information they have access to reduces the risks you face from accidental or deliberate misuse.


For example, you wouldn’t want everyone in the finance team to have full access to the accounting system, as this might cause errors or misuse of the system. Developers would be concerned to learn that everyone had full access to their source code. Without restricting access to the code, it could be damaged or disclosed in error.


What the auditor is looking for

The ISO27001 auditor will look for evidence of security measures including:


What do you need to do?

When you developed processes and policies around access control, you will have created much of the evidence needed for this control. However, it is important to pay close attention to the point that this control is looking at access restrictions. Therefore, the first step is to carefully analyse your organization chart and decide on the restrictions that should be implemented for your internal personnel.


For example, if you have an office space, do you allow staff to come and go as they please? Or should you restrict access to your office to normal office hours (e.g. 8am – 6pm, Monday to Friday)? Perhaps you will restrict access to systems to trusted IP addresses only, or restrict the use of certain apps to specific roles within your business.


Also, think about the restrictions you can place on the way systems are used. For example, you can impose a limit on the size of files that users can send externally. This prevents large data files from being exported out of your business (something which is common practice when someone is planning on leaving a company!).


You will also need to review your supplier relationships and agreements and consider the same restrictions.  For example, IT support companies often have access to your entire infrastructure. This is quite normal, and accepted, but could you restrict their access to extended business hours? Is there really any need for them to have access to your systems between the hours of 10pm and 5am? If not, then restrict their access between these hours.


Keep in mind that you are reliant on suppliers to have robust security in place, while you have given them unfettered access to your networks and data. Restrict their access to the systems, drives and services they need, and restrict the time they can access these areas to minimise your risk of exposure.



Q & A

Are there any common access control frameworks to use?

Yes. Role Based Access Control (RBAC) covers basic access control, and Attribute Based Access Control (ABAC) gives more detailed control. ABAC grants access based on dynamic attributes such as the user’s role, location, time, and the specific information, system or asset being accessed. ABAC is the framework we would refer to when considering how to restrict access to data.
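As an added example, not code from the original article, the following Python policy evaluator shows how the attributes listed above (role, source network, time window and the resource being accessed) combine into a default-deny ABAC decision. It also covers the earlier suggestions of office-hours restrictions, trusted IP addresses and a supplier access window that excludes 10pm to 5am. All roles, rules, IP ranges and timestamps are constructed for illustration and do not describe any real organisation.

```python
"""Minimal ABAC policy evaluator (added example, not from the article).

Access is granted only when a rule matches the subject's role, the
requested resource and action, the request's source network, and the
time window. Every rule, role, network and timestamp below is a
constructed sample.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    roles: Tuple[str, ...]                     # roles this rule applies to
    resources: Tuple[str, ...]                 # resource path prefixes
    actions: Tuple[str, ...]                   # e.g. ("read", "write")
    networks: Tuple[str, ...] = ()             # CIDR blocks; empty = any source
    hours: Optional[Tuple[time, time]] = None  # (start, end); None = any time
    weekdays_only: bool = False


@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    action: str
    source_ip: str
    when: datetime


# Constructed sample policy. Anything not matched by a rule is denied.
POLICY: List[Rule] = [
    Rule("finance-read", ("finance_clerk", "finance_manager"), ("accounting/",),
         ("read",), ("10.0.0.0/8",), (time(8, 0), time(18, 0)), weekdays_only=True),
    Rule("finance-write", ("finance_manager",), ("accounting/",),
         ("write",), ("10.0.0.0/8",), (time(8, 0), time(18, 0)), weekdays_only=True),
    Rule("dev-source", ("developer",), ("source/",), ("read", "write"),
         ("10.0.0.0/8",)),                     # any hour, but only from the office LAN
    # IT supplier: infra access, but never between 22:00 and 05:00,
    # and only from the supplier's (constructed) VPN range.
    Rule("supplier-infra", ("it_supplier",), ("infra/",), ("read", "write"),
         ("203.0.113.0/24",), (time(5, 0), time(22, 0))),
]


def in_window(when: datetime, hours: Optional[Tuple[time, time]], weekdays_only: bool) -> bool:
    """True if `when` falls inside the rule's permitted days and hours."""
    if weekdays_only and when.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return False
    if hours is None:
        return True
    start, end = hours
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end               # window crosses midnight


def matches(rule: Rule, req: Request) -> bool:
    """Every attribute of the request must satisfy the rule."""
    if req.role not in rule.roles or req.action not in rule.actions:
        return False
    if not any(req.resource.startswith(prefix) for prefix in rule.resources):
        return False
    if rule.networks:
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(cidr) for cidr in rule.networks):
            return False
    return in_window(req.when, rule.hours, rule.weekdays_only)


def decide(policy: List[Rule], req: Request) -> Tuple[bool, str]:
    """Default deny: the first matching rule grants access, otherwise refuse."""
    for rule in policy:
        if matches(rule, req):
            return True, f"allowed by rule '{rule.name}'"
    return False, "denied: no rule grants this access"


def evaluate(role: str, resource: str, action: str, source_ip: str, when_iso: str) -> bool:
    """Convenience wrapper taking an ISO-8601 timestamp such as '2024-03-12T02:30'."""
    req = Request(role, resource, action, source_ip, datetime.fromisoformat(when_iso))
    return decide(POLICY, req)[0]


if __name__ == "__main__":
    samples = [  # constructed requests; 2024-03-12 is a Tuesday, 2024-03-16 a Saturday
        ("it_supplier", "infra/firewall", "write", "203.0.113.10", "2024-03-12T02:30"),  # out of hours
        ("it_supplier", "infra/firewall", "write", "203.0.113.10", "2024-03-12T14:00"),  # in hours
        ("it_supplier", "infra/firewall", "write", "198.51.100.7", "2024-03-12T14:00"),  # wrong network
        ("finance_clerk", "accounting/ledger", "write", "10.1.2.3", "2024-03-12T10:00"),  # role cannot write
        ("finance_clerk", "accounting/ledger", "read", "10.1.2.3", "2024-03-16T10:00"),   # weekend
        ("finance_clerk", "accounting/ledger", "read", "10.1.2.3", "2024-03-12T10:00"),   # allowed
    ]
    for s in samples:
        print(s, "->", decide(POLICY, Request(*s[:4], datetime.fromisoformat(s[4]))))
```

The design point worth noting is the default deny in `decide`: a request that no rule explicitly covers is refused, so adding a new system or role never silently widens access. The reason string returned alongside the decision is the kind of record an auditor can trace back to the topic-specific policy.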


Difficulty rating

We rate this control 2.5 out of 5 for difficulty. It requires careful consideration of the access needs of your business. The use of ABAC, and having to place restrictions on access, can be a contentious topic and will require some technical knowledge to implement. The first hurdle is to establish the need for access, and then to work out how you can apply the restriction.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.
