Do you allow anyone into your house? Do you allow visitors that you do allow in, to go roaming around your house, looking through your wardrobes? How about your journal or diary? Is that open for anyone to read?
The answer is most likely no! Knowing who has access to your house, and to your other information assets, means that access is controlled. That’s what this control in ISO27001 is concerned with.
What does the standard require?
The standard states that “Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.” (A5.15 Access Control)
Why is this required?
As with the example above, you wouldn’t allow just anyone to enter your premises, or access your systems, without knowing who they are. This control is important because it asks you to consider both physical and logical access to your assets, which could be a target for criminals.
Knowing who has access to your assets means that you can take additional steps to protect the information, should you need to. For example, you might allow your IT support vendor to have access to your systems, but restrict their access to infrastructure systems (i.e. the network and IT systems). You wouldn’t give them access to your HR platform. Taking this example further, you wouldn't want your HR function to have access to your Finance platform, unless there was a specific reason.
That’s why this control is required. You need to know who has access to your systems, and premises so that you can make conscious decisions on who has access to what.
What the auditor is looking for
Notice that this control says that ‘rules to control physical and logical access’ shall be established and implemented. Therefore, the auditor will specifically be looking for a topic-specific policy for Access Control that covers your physical locations and your systems.
Although it’s not a requirement for a written process, you should also be able to describe and evidence how people are given access to your physical locations and systems. Your policy should describe how access will be provided, or changed when needed. The policy should also outline how it will be removed, or who is responsible for its removal. Finally, you should include provision for a review of the access rights that people and systems might have.
You might talk the auditor through the process of how you give a new employee or contractor access to your systems, which might include showing them your induction checklist, or onboarding process. This is a topic we cover in detail in Annex A6.1 Screening, but it will be important to show the auditor how access is provided.
You might base the access on the role that the person will carry out in your organisation. For example, all Finance Account Managers would require access to X, Y and Z, but they would not need access to A, B, C… This approach is known as ‘Role Based Access Control’ (RBAC). You should be able to talk through the approach with the auditor and show them examples of completed request forms, tickets (with the IT helpdesk), or emails asking for and receiving permission for access to systems.
The RBAC might also include details of the physical access provided, and how it will be provided. For example, your auditor would expect to talk through how access to internal physical assets is controlled. Perhaps you have a locked office which is only accessed by the Finance team (as it contains quantities of money).
You should also be able to demonstrate to the auditor that you have an exiting process which ensures access is revoked when someone leaves your organisation. Again, this can be part of your exiting process which is discussed in Annex A control “A6.5 - Termination or change of employment responsibilities”.
Remember that there is no requirement to document a process, but you should be able to show that a process is in place by providing evidence that it is being followed. If you find that the process is not being followed, then you might want to consider creating a simple process flow, or including it within your training programme, which we cover in A6.3 Information security awareness, education and training, and in another blog (“Employee Training for ISO27001: Strategies for Success”).
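As an added illustration, not from the original post, the following Python script shows the kind of access-rights review the policy should provide for: it compares the grants each system and door controller actually holds against an RBAC matrix and the HR leaver status, and lists anything held outside a role, still held by a leaver, or held by someone HR has no record of. All roles, people and system names are constructed sample data.

```python
"""Access-rights review helper for an RBAC policy: compares the access people
actually hold with what their role entitles them to, and flags leavers who
still hold access. Added illustration, not from the original post; all roles,
people and system names below are constructed sample data."""

# Constructed RBAC matrix: role -> systems and physical areas the role needs.
ROLES = {
    "Finance Account Manager": {"finance_platform", "finance_office_door"},
    "HR Advisor": {"hr_platform"},
    "IT Support Vendor": {"network_admin", "server_admin"},
}

# Constructed HR records: name -> (role, still employed?).
PEOPLE = {
    "alice": ("Finance Account Manager", True),
    "bob": ("HR Advisor", True),
    "carol": ("IT Support Vendor", True),
    "dave": ("Finance Account Manager", False),  # left last month
}

# Constructed export of live grants from each system and door controller.
GRANTS = {
    "alice": {"finance_platform", "finance_office_door"},
    "bob": {"hr_platform", "finance_platform"},                # beyond HR role
    "carol": {"network_admin", "server_admin", "hr_platform"}, # vendor creep
    "dave": {"finance_office_door"},                           # not revoked
    "erin": {"finance_platform"},                              # unknown to HR
}

def review_access(roles, people, grants):
    """Return findings as (person, issue, asset) tuples, sorted by person."""
    findings = []
    for name, held in sorted(grants.items()):
        if name not in people:
            findings += [(name, "no HR record", a) for a in sorted(held)]
            continue
        role, active = people[name]
        if not active:
            findings += [(name, "leaver still has access", a) for a in sorted(held)]
            continue
        # Anything held beyond the role's entitlement needs a ticket or removal.
        for asset in sorted(held - roles.get(role, set())):
            findings.append((name, "access outside role", asset))
    return findings

if __name__ == "__main__":
    for who, issue, asset in review_access(ROLES, PEOPLE, GRANTS):
        print(f"{who}: {issue}: {asset}")
```

Each finding should map to a ticket (an approved exception, or a removal), which is exactly the evidence the auditor will ask to see.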
Q & A
Do I need a written policy?
Yes, you need a topic-specific policy because the control asks for rules, and A5.18 also makes reference to a ‘topic-specific policy on, and rules for, access control’.
Like all policies, it sets out your expectations and intentions related to a specific topic. Don’t ‘drift’ into writing a process about how access controls are provisioned. Focus on who, why and what is required. The ‘how’ can be evidenced through your tickets and audit programme.
Is it possible to get this wrong?
You need to have a policy in place that covers Access Control, and you need evidence to show that it’s operating effectively.
You must be able to evidence that there is some form of access control in place, so you will need to be able to show how you give access to your physical locations (i.e. give them a key, or PIN code), and access to your systems. If you have no evidence, then this is going to be a problem.
Difficulty rating
We rate this control 2 out of 5 for difficulty. This means that it requires a little more technical skill to understand the requirement and develop the access control policy. This is because you need to speak to your business and understand how physical and logical access is provisioned and managed throughout the life of a team member. You’ll need to develop supporting materials, such as onboarding or exiting checklists, and possibly an RBAC form.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our ISO27001 FAQs for answers on other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.