This article looks at ISO 27001 Access Control Policy examples and how these can be implemented at your organisation. Before we dive in to look at ISO 27001 Access Control Policy examples, let’s examine the ISO 27001 requirement for access control.
A.9.1.1 requires the organisation to document an access control policy based on business requirements. The actual requirement specifies the need to establish, document and review the access control policy periodically – meaning that a documented policy is mandatory!
The purpose of the access control policy is to determine access control rules for the organisation to comply with based on a number of factors such as the sensitivity of the asset being accessed, the location of personnel accessing the asset and legal/regulatory/contractual restrictions that may be in place.
As an example, a business may specify that sensitive personal data residing in a database may only be accessed and interrogated by personnel based in the EU due to DPA regulations. Furthermore, access to that database may only be possible over an encrypted link and via two-factor authentication to reduce the risk of unauthorised access. This is a very specific example, but gives an idea of the type of issues that should be considered.
The access control policy should include authentication requirements for users.
So what do ISO 27001 access control policy examples look like? What should be included? How generic does the policy need to be and what should be considered? Let’s take a further look.
The access control policy should consider a number of general principles. The first of these is need-to-know, or least privilege. This is the principle that users should only have access to the assets they require for their job role, or for business purposes. Users should be granted privileges that are relevant to their job role; for example, you would not want to give domain admin privileges to all users, as this significantly increases risk: a compromised account would hold the keys to the kingdom. Specifying your organisation's stance on privileges within the access control policy is highly recommended.
The next consideration in an ISO 27001 access control policy example may be management of user access rights. That is, how are user accounts issued, amended and, most importantly, revoked? The user ID lifecycle should be considered and the organisation's stance on this documented within the policy.
Remember, the policy specifies the organisation's stance on what is and is not tolerated; therefore, this does not need to be a “how to” level document but simply a set of requirements for the business to adhere to. “User accounts shall only be issued following formal approval from line management and HR” is an access control policy example statement that might be used.
The organisation's stance on privileged user access management should be defined in the access control policy.
Another access control policy example to consider would be management of privileged user access rights. As briefly mentioned above, this is often a major risk in most organisations, as attackers will target elevated privileges to successfully compromise a network. Therefore, the issuing of privileged user accounts should be tracked, audited and managed through a formal approvals process. The rules governing this process should be addressed in the access control policy and supported by formal procedures to remind employees of the process to follow when issuing privileged accounts.
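The issue, revoke and privileged-access rules described above can be audited mechanically. The following is an added Python example, not code from the article, that reconciles a constructed identity export against an approval register and a leavers list and reports each policy breach; the group names, record layout and the two required sign-offs (line management and HR, from the sample policy statement) are assumptions.

```python
from datetime import date

# Assumptions for the example: which groups count as privileged, and the
# sign-offs the article's sample policy statement requires before issue.
PRIVILEGED_GROUPS = {"Domain Admins", "DBA"}
REQUIRED_SIGNOFF = {"line_manager", "hr"}

def audit(accounts, approvals, leavers, today):
    """accounts: {user_id: {"enabled": bool, "groups": set}}
    approvals: {user_id: {"signed_off": set, "privileged": set}}
    leavers:   {user_id: leaving_date}
    Returns (user_id, finding) pairs; an empty list means no policy breach."""
    findings = []
    for user, acct in sorted(accounts.items()):
        if not acct["enabled"]:
            continue                      # disabled accounts are out of scope
        appr = approvals.get(user)
        if appr is None:
            findings.append((user, "account enabled without formal approval"))
        elif not REQUIRED_SIGNOFF <= appr["signed_off"]:
            findings.append((user, "approval lacks line management or HR sign-off"))
        approved_priv = appr["privileged"] if appr else set()
        for g in sorted((acct["groups"] & PRIVILEGED_GROUPS) - approved_priv):
            findings.append((user, f"privileged group '{g}' not approved"))
        if user in leavers and leavers[user] <= today:
            findings.append((user, "leaver account not revoked"))
    return findings

# Constructed sample data: one clean account and four distinct policy breaches.
ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"Staff"}},                  # leaver, still enabled
    "bob":   {"enabled": True, "groups": {"Staff", "Domain Admins"}}, # admin group unapproved
    "carol": {"enabled": True, "groups": {"Staff"}},                  # HR sign-off missing
    "dave":  {"enabled": True, "groups": {"Staff"}},                  # no approval record
    "erin":  {"enabled": True, "groups": {"Staff", "DBA"}},           # fully approved
}
APPROVALS = {
    "alice": {"signed_off": {"line_manager", "hr"}, "privileged": set()},
    "bob":   {"signed_off": {"line_manager", "hr"}, "privileged": set()},
    "carol": {"signed_off": {"line_manager"}, "privileged": set()},
    "erin":  {"signed_off": {"line_manager", "hr"}, "privileged": {"DBA"}},
}
LEAVERS = {"alice": date(2024, 1, 31)}

def run_sample_audit():
    """Run the checks on the sample data as at 1 March 2024."""
    return audit(ACCOUNTS, APPROVALS, LEAVERS, date(2024, 3, 1))
```

Feeding the same function a real directory export and approval register gives a repeatable evidence trail for the "tracked and audited" requirement.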
Above are just a few topics to consider when producing an ISO 27001 access control policy example.
The following sample list may give you an idea of how to structure your policy effectively:
- Introduction
- Policy Statement
- Roles and Responsibilities
- Information/Systems Access
- User Registration/De-Registration
- Secure Log-On Requirements
- Physical Access Controls
You may wish to extend this to include additional areas, cross-referencing with other control areas within ISO 27001. For example, segregation of duties requires privileged actions to have additional layers of responsibility to reduce the risk of a single point of failure or of an individual causing huge impact to the organisation. This applies to the access control process as well, in terms of issuing accounts, so covering this within the access control policy may be an option.
However you decide to structure the access control policy, it is one of the most important policy documents in ISO 27001 as access control cross-references with most other control domains. There are numerous ISO 27001 access control policies available on the web, so it is recommended that you review available templates to support this process.