Definition

Access controls

Access controls regulate who can access information resources and what actions they can perform on them.

Access controls are policies, procedures and technical mechanisms restricting access to systems, networks and data. ISO 27002 classifies them as logical (authentication, authorization) and physical (restricted areas). Least privilege and segregation of duties are key foundations.

Key aspects

Least privilege

Each user should have only the minimum permissions needed for their function. Excessive access is a frequent audit finding.

Multi-factor authentication

ISO 27002 recommends MFA for privileged access and critical systems, combining knowledge, possession and inherence factors.

Periodic review

Permissions must be periodically reviewed and revoked when a collaborator changes roles or leaves the organization.

Frequently asked questions

Role-Based Access Control assigns permissions to roles, not individual users. It simplifies management in large organizations.

No. They include physical controls (biometrics, surveillance) and administrative controls (policies, user provisioning procedures).

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Access controls

Key aspects

Least privilege

Multi-factor authentication

Periodic review

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Access controls

Key aspects

Least privilege

Multi-factor authentication

Periodic review

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Access controls

Key aspects

Least privilege

Multi-factor authentication

Periodic review

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Access controls

Key aspects

Least privilege

Multi-factor authentication

Periodic review

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?