Access Control
Plain English Translation
ISO 27001 Annex A.5.15 requires organizations to define and enforce rules for who can access information and other associated assets. This covers both logical access (logging into software, APIs or databases) and physical access (entering a server room or office). The core principle is that access is never granted arbitrarily: every right must trace back to a specific business requirement and a security requirement, typically applying the 'need-to-know' and least-privilege principles.
Technical Implementation
Required Actions (startup)
- Draft a basic Access Control Policy defining user registration and de-registration
- Use an onboarding and offboarding checklist to manually provision access based on roles and to revoke it when someone leaves
Required Actions (scaleup)
- Implement Role-Based Access Control (RBAC) across key systems (e.g., IdP groups)
- Schedule quarterly access reviews for critical production systems
Required Actions (enterprise)
- Deploy automated Identity Governance and Administration (IGA) tools
- Implement Just-in-Time (JIT) access for privileged administrative tasks
A.5.15 is an organizational control that requires rules governing both physical and logical access to information and other associated assets, established and enforced on the basis of business and security requirements.
A.5.15 consolidates the more granular controls of the previous edition (such as A.9.1.1, Access control policy) into a single, broader requirement to establish and implement access rules based on business needs.
The Access Control Policy should cover the 'need-to-know' principle, rules for user registration and de-registration, management of privileged access rights, authentication and password standards, and how often access rights are reviewed.
Least privilege is implemented by defining roles (RBAC) that carry only the permissions needed for the job function, and by configuring systems to deny access by default so that anything not explicitly granted is refused.
Auditors typically request the Access Control Policy, tickets showing approval for new access requests, logs of access reviews, and evidence of access revocation for terminated employees. WatchDog Security's Compliance Center can help centralize these evidence items against A.5.15 and track gaps where reviews or revocations are missing.
A.5.15 requires rules for access. It does not explicitly name MFA, but a modern risk assessment will usually conclude that MFA is a necessary rule for remote and privileged access if the control's 'security requirements' are to be met.
In cloud environments this means defining IAM policies, using cloud-native roles, and restricting access to the cloud console and to SaaS applications according to the established policy.
Logical access control restricts digital entry to systems and data (e.g., accounts, passwords and MFA), while physical access control restricts entry to buildings, rooms and hardware (e.g., badges and keys).
Access rights should be reviewed at 'planned intervals'. In practice this usually means quarterly reviews for privileged and production access and annual reviews for standard user access.
Service accounts are 'associated assets' and must be covered by the same rules as human users: restricted permissions, secure authentication (such as regular credential or key rotation), a named owner, and inclusion in access reviews.
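The review cadence and service-account rules in the two answers above can be checked mechanically rather than by hand. The following Python is an added example, not WatchDog Security's product code or any tool the page describes. It reconciles a constructed IdP group export against a constructed HR roster: terminated people who still hold access are flagged for revocation, service accounts whose owner has left or whose credential is past its rotation age are flagged, and every account is checked against the quarterly (privileged) or annual (standard) review interval. The group names, thresholds, people and the 2026-02-17 review date are all assumptions for illustration; a real run would read the roster and IdP membership from their exports.

```python
"""Access review reconciliation for A.5.15 evidence.

Added example (not WatchDog Security's tooling). All inputs below are
constructed: the roster, the IdP export, the group names and thresholds.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster export (stand-in for an HRIS feed).
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "termination_date": date(2026, 1, 9)},
    "carol": {"status": "active"},
}

# Constructed IdP group-membership export. Service accounts carry an owner
# and the date their credential was last rotated.
IDP_ACCOUNTS = [
    {"id": "alice", "type": "human", "groups": ["prod-admins", "all-staff"],
     "last_review": date(2025, 10, 1)},
    {"id": "bob", "type": "human", "groups": ["prod-admins"],
     "last_review": date(2025, 12, 1)},
    {"id": "carol", "type": "human", "groups": ["all-staff"],
     "last_review": date(2025, 3, 1)},
    {"id": "svc-ci-deploy", "type": "service", "groups": ["prod-deployers"],
     "owner": "alice", "key_rotated": date(2025, 6, 1),
     "last_review": date(2025, 12, 15)},
    {"id": "svc-legacy-backup", "type": "service", "groups": ["prod-admins"],
     "owner": "bob", "key_rotated": date(2024, 11, 1), "last_review": None},
]

# Policy parameters (assumed values mirroring the cadence described above).
PRIVILEGED_GROUPS = {"prod-admins", "prod-deployers"}
PRIVILEGED_REVIEW_DAYS = 90   # quarterly for privileged/production access
STANDARD_REVIEW_DAYS = 365    # annual for standard user access
KEY_ROTATION_DAYS = 90        # maximum age of a service-account credential
REVIEW_DATE = date(2026, 2, 17)  # constructed date of this review run


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str
    detail: str


def is_privileged(groups):
    return bool(PRIVILEGED_GROUPS.intersection(groups))


def days_since(when, today):
    """Age in days, or None when the event never happened."""
    return None if when is None else (today - when).days


def review_access(accounts, roster, today):
    """Apply the review rules to every account and return the findings."""
    findings = []
    for acct in accounts:
        aid, groups = acct["id"], acct["groups"]
        if acct["type"] == "human":
            person = roster.get(aid)
            if person is None:
                findings.append(Finding(aid, "ORPHANED", "no HR record; deprovision"))
            elif person["status"] != "active":
                findings.append(Finding(aid, "REVOKE",
                    f"terminated {person['termination_date']} but still in {sorted(groups)}"))
        else:
            owner = roster.get(acct.get("owner"))
            if owner is None or owner["status"] != "active":
                findings.append(Finding(aid, "UNOWNED_SERVICE",
                    "owner missing or no longer active; reassign before next review"))
            key_age = days_since(acct.get("key_rotated"), today)
            if key_age is None or key_age > KEY_ROTATION_DAYS:
                findings.append(Finding(aid, "KEY_ROTATION_OVERDUE",
                    "never rotated" if key_age is None
                    else f"credential age {key_age} days exceeds {KEY_ROTATION_DAYS}"))
        # The review interval applies to humans and service accounts alike.
        limit = PRIVILEGED_REVIEW_DAYS if is_privileged(groups) else STANDARD_REVIEW_DAYS
        review_age = days_since(acct.get("last_review"), today)
        if review_age is None or review_age > limit:
            findings.append(Finding(aid, "REVIEW_OVERDUE",
                "never reviewed" if review_age is None
                else f"last reviewed {review_age} days ago; limit {limit}"))
    return findings


def review_report(accounts, roster, today):
    """Evidence record an auditor can check: what was reviewed, when, and the outcome."""
    findings = review_access(accounts, roster, today)
    flagged = {f.account for f in findings}
    by_rule = {}
    for f in findings:
        by_rule.setdefault(f.rule, []).append(f.account)
    return {
        "reviewed_on": today.isoformat(),
        "accounts_reviewed": [a["id"] for a in accounts],
        "clean": [a["id"] for a in accounts if a["id"] not in flagged],
        "findings_by_rule": {rule: sorted(ids) for rule, ids in sorted(by_rule.items())},
    }


if __name__ == "__main__":
    report = review_report(IDP_ACCOUNTS, HR_ROSTER, REVIEW_DATE)
    for rule, ids in report["findings_by_rule"].items():
        print(f"{rule:22} {', '.join(ids)}")
    print("clean:", ", ".join(report["clean"]))
```

On the constructed data the run flags bob for revocation (terminated but still in prod-admins), svc-legacy-backup as unowned, never reviewed and overdue for rotation, svc-ci-deploy for rotation only, alice for an overdue quarterly review, and leaves carol clean. The returned report lists every account that was examined, not only the exceptions, which is the part auditors ask for when they want proof that a review happened at the planned interval.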
Access reviews often break down because ownership is unclear and evidence is scattered across tickets, spreadsheets, and emails, making it hard to prove reviews happened at planned intervals. WatchDog Security's Compliance Center helps by mapping A.5.15 to recurring evidence tasks and storing review outputs, so you can show who reviewed access, when it occurred, and what removals or changes were actioned.
Least privilege is hard to sustain when permissions drift and new services are adopted quickly, leading to over-provisioned roles and orphaned access paths. WatchDog Security's Posture Management helps by identifying misconfigurations and risky access-related settings across cloud environments, giving teams a structured way to detect and remediate access-control weaknesses tied to A.5.15.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |