Why Access Control Is the Backbone of ISO 27001
If you are working towards ISO 27001 certification, access control will be one of the areas your auditor scrutinises most closely. It sits at the intersection of technical security, human behaviour, and organisational policy, which means there are plenty of ways things can go wrong. Get it right, and you have a solid foundation for your entire Information Security Management System. Get it wrong, and you are looking at nonconformances, data breaches, and potentially serious regulatory consequences under Australian law.
Access control under ISO 27001 is not simply about passwords and locked doors. It covers the entire lifecycle of how people, systems, and processes are granted, managed, reviewed, and removed from access to your information assets. This guide walks you through what the standard actually requires, how to implement it practically, and what auditors are looking for when they arrive at your door.
What ISO 27001 Actually Requires for Access Control
The current version of ISO 27001 (the 2022 edition, which superseded the 2013 version) addresses access control primarily through Annex A. The 2022 revision restructured the controls significantly, reducing them from 114 to 93 and reorganising them into four themes: Organisational, People, Physical, and Technological.
Access control is no longer a standalone clause the way it was in the 2013 version. Instead, the relevant controls are distributed across themes. The key ones you need to understand are:
- Control 5.15 Access control (Organisational): Establishes the policy and rules for restricting access to information and other assets.
- Control 5.16 Identity management (Organisational): Managing the full lifecycle of identities.
- Control 5.17 Authentication information (Organisational): Managing passwords, tokens, and other authentication credentials.
- Control 5.18 Access rights (Organisational): Provisioning, reviewing, modifying, and revoking access rights.
- Control 8.2 Privileged access rights (Technological): Restricting and controlling the allocation of privileged access.
- Control 8.3 Information access restriction (Technological): Restricting access to information and application system functions.
- Control 8.5 Secure authentication (Technological): Implementing secure log-on procedures.
There are additional supporting controls around network access, remote access, and user endpoint management that feed into your overall access control posture. The point is that access control under ISO 27001 is not a single checkbox. It is a set of interconnected requirements that need to work together.
Building Your Access Control Policy
Before you configure a single system or assign a single permission, you need a documented access control policy. This is a non-negotiable requirement under Control 5.15, and it is one of the first things an auditor will ask to see.
What the policy needs to cover
Your access control policy does not need to be a 50-page document. In fact, shorter and clearer is usually better. It needs to address the following at a minimum:
- The scope of access control across your organisation and information assets
- The principles guiding access decisions, such as least privilege and need-to-know
- Who is responsible for approving access requests
- How access rights are assigned, reviewed, and revoked
- Requirements for privileged access management
- Rules around remote access and third-party access
- Consequences of policy violations
The least privilege principle deserves particular attention. It means that users should only ever have the minimum level of access required to do their job, nothing more. This sounds simple, but in practice most organisations accumulate access rights over time as people change roles, projects evolve, and nobody bothers to remove old permissions. This is one of the most common findings in ISO 27001 audits.
Aligning the policy with your risk assessment
Your access control policy should not exist in isolation. It needs to connect to your ISO 27001 risk assessment. The risks you have identified around unauthorised access, insider threats, and credential compromise should directly inform the controls you put in place and how strictly you apply them.
For example, if your risk assessment identifies that access to customer financial data by a malicious insider is a high-rated risk, your policy needs to reflect that with controls proportionate to the risk: strict role-based access, regular access reviews, and monitoring of privileged user activity.
Identity Management and the Access Lifecycle
Control 5.16 requires you to manage the full lifecycle of identities within your organisation. This covers everyone from new starters to contractors, temporary staff, and third-party vendors. The lifecycle has four stages: provisioning, maintenance, review, and deprovisioning.
Onboarding and provisioning access
When someone joins your organisation, their access should be provisioned based on their role, not based on what the previous person in that role had or what they ask for. A formal access request process is essential. This means:
- A documented request that specifies what access is needed and why
- Approval from the relevant manager or data owner
- A record of the access granted and when
Many small to medium businesses in Australia handle this informally, with IT simply doing whatever the manager asks over email. That will not pass an ISO 27001 audit. You need a traceable process, even if it is a simple form or a ticket in your IT helpdesk system.
Maintaining access during employment
Access rights need to be updated when someone changes roles. This is where organisations consistently fall short. Someone gets promoted or moves to a different team, they get new access for their new role, but nobody removes the access from their old role. Over time, individuals accumulate permissions far beyond what they need. This is sometimes called privilege creep, and it is a significant security risk.
Your process should require that whenever a role change occurs, a formal review of existing access rights takes place before new access is provisioned.
Regular access reviews
Control 5.18 explicitly requires that access rights are reviewed at regular intervals. How often depends on the sensitivity of the information and the risk level. For most organisations, a quarterly review of privileged access and an annual review of all user access is a reasonable starting point. High-risk environments may require more frequent reviews.
The review needs to be documented. An auditor will want to see evidence that reviews actually happened, who conducted them, what was found, and what action was taken. A spreadsheet with a date and a signature from the responsible manager is the minimum. Purpose-built identity governance tools make this far easier if your organisation is large enough to justify the investment.
Offboarding and revoking access
This is arguably the most critical part of the access lifecycle, and the area where organisations most commonly fail. When someone leaves your organisation, their access needs to be revoked promptly. Ideally, this happens on the day of departure or before, not weeks later when someone remembers to raise an IT ticket.
Your offboarding process should include a checklist that covers all systems, not just the obvious ones like email and the main business application. Think about cloud services, project management tools, shared drives, remote access VPNs, and any third-party platforms the individual had access to. A departing employee with lingering access to your CRM or financial system is a serious risk that ISO 27001 auditors will flag without hesitation.
Managing Privileged Access
Privileged access, meaning administrator accounts, root access, service accounts, and other elevated permissions, carries significantly higher risk than standard user access. Control 8.2 requires that privileged access rights are allocated on a restricted and controlled basis.
Practical controls for privileged accounts
Here is what good privileged access management looks like in practice:
- Separate accounts for privileged tasks: Administrators should have a standard user account for day-to-day work and a separate privileged account used only when elevated access is actually needed.
- Multi-factor authentication: All privileged accounts should require MFA without exception. This is now a baseline expectation under ISO 27001 and aligns with the Australian Cyber Security Centre's Essential Eight guidance.
- Just-in-time access: Rather than leaving privileged permissions permanently assigned, consider tools that grant elevated access only when needed and for a defined time period.
- Logging and monitoring: All actions taken under privileged accounts should be logged, and those logs should be reviewed regularly.
- Regular review and recertification: Privileged accounts should be reviewed more frequently than standard user accounts, at least quarterly.
One thing I see regularly in Australian businesses going through ISO 27001 certification is that privileged accounts are far more widespread than anyone realised. When you actually sit down and enumerate all the accounts with admin rights across your environment, the number is often two or three times what management expected. That enumeration exercise alone is valuable.
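To make the controls above concrete, here is an added example (not code from the article or from any vendor's PAM product) of a minimal just-in-time privileged access broker. It enforces a separate privileged identity, mandatory MFA, approval by someone other than the requester, a bounded elevation window, and an audit entry for every decision and every privileged action. The class, field and event names are hypothetical, and the sample accounts are constructed.

```python
"""Added example: a just-in-time privileged access broker with an audit trail.
Names and the audit-log format are hypothetical; nothing here is a real product API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Account:
    username: str
    mfa_enrolled: bool
    privileged_identity: bool  # a dedicated admin identity, separate from the day-to-day account


@dataclass
class Grant:
    username: str
    role: str
    approved_by: str
    ticket: str
    granted_at: datetime
    expires_at: datetime


class PrivilegedAccessBroker:
    """Grants elevated roles for a bounded window and records every decision."""

    def __init__(self, max_duration: timedelta = timedelta(hours=4)):
        self.max_duration = max_duration           # policy ceiling on any single elevation
        self.grants: dict = {}                     # (username, role) -> Grant
        self.audit_log: list = []                  # append-only record for the quarterly review

    def _log(self, event: str, when: datetime, **detail) -> None:
        self.audit_log.append({"event": event, "at": when.isoformat(), **detail})

    def request_elevation(self, account: Account, role: str, approved_by: str,
                          ticket: str, duration: timedelta, now: datetime) -> Grant:
        reason = None
        if not account.privileged_identity:
            reason = "standard account may not hold privileged roles"
        elif not account.mfa_enrolled:
            reason = "MFA is mandatory for privileged access"
        elif approved_by == account.username:
            reason = "self-approval is not permitted"
        if reason:
            self._log("elevation_denied", now, user=account.username, role=role, reason=reason)
            raise PermissionError(reason)
        # Clamp to the policy maximum rather than letting the requester choose the window.
        duration = min(duration, self.max_duration)
        grant = Grant(account.username, role, approved_by, ticket, now, now + duration)
        self.grants[(account.username, role)] = grant
        self._log("elevation_granted", now, user=account.username, role=role,
                  approved_by=approved_by, ticket=ticket, expires_at=grant.expires_at.isoformat())
        return grant

    def is_elevated(self, username: str, role: str, now: datetime) -> bool:
        grant = self.grants.get((username, role))
        if grant is None:
            return False
        if now >= grant.expires_at:                # expiry is enforced on use, not on a timer
            del self.grants[(username, role)]
            self._log("elevation_expired", now, user=username, role=role)
            return False
        return True

    def record_action(self, username: str, role: str, action: str, now: datetime) -> bool:
        """Every privileged action is logged, whether it was allowed or refused."""
        allowed = self.is_elevated(username, role, now)
        self._log("privileged_action" if allowed else "action_refused", now,
                  user=username, role=role, action=action)
        return allowed


if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)          # constructed timestamp
    broker = PrivilegedAccessBroker()
    carol = Account("carol-admin", mfa_enrolled=True, privileged_identity=True)
    broker.request_elevation(carol, "domain-admin", "dave", "CHG-0001", timedelta(hours=2), t0)
    broker.record_action("carol-admin", "domain-admin", "reset service password", t0 + timedelta(hours=1))
    broker.record_action("carol-admin", "domain-admin", "reset service password", t0 + timedelta(hours=3))
    for entry in broker.audit_log:
        print(entry)
```

The audit log is exactly the evidence an auditor asks for under Control 8.2: who approved what, against which ticket, for how long, and what was done while elevated. Expiry is checked on every use rather than relying on a background job, so a grant can never outlive its window even if scheduled cleanup fails.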
Authentication and Password Management
Control 5.17 covers authentication information, and Control 8.5 covers secure authentication procedures. Together, they set expectations around how users prove their identity when accessing systems.
What auditors look for
Your authentication controls need to demonstrate the following:
- Password policies that enforce minimum length, complexity, and prevent reuse of recent passwords
- Multi-factor authentication for remote access, privileged accounts, and ideally all user access to sensitive systems
- Automatic session timeouts after a period of inactivity
- Account lockout after a defined number of failed login attempts
- Prohibition on sharing credentials between users
- Secure storage of passwords (hashed and salted, not stored in plain text)
The days of a simple eight-character password being acceptable are long gone. The current guidance from most security frameworks, including ISO 27001, favours longer passphrases and MFA over complex but short passwords that people write on sticky notes.
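The following is an added example (not code from the article) showing how the authentication controls in the list above fit together in a small service: salted, iterated password hashing, rejection of recently used passwords, a minimum passphrase length, lockout after a defined number of failures, and session expiry after inactivity. The policy values are constructed illustrations rather than figures taken from the standard; the PBKDF2 iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
"""Added example: authentication controls an ISO 27001 auditor expects to see.
Policy values are constructed; the class and method names are hypothetical."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_PASSWORD_LENGTH = 14           # favour long passphrases over short, complex passwords
PASSWORD_HISTORY_DEPTH = 5         # reject reuse of the last five passwords
MAX_FAILED_ATTEMPTS = 5            # lock after this many consecutive failures
LOCKOUT_DURATION = timedelta(minutes=15)
IDLE_SESSION_TIMEOUT = timedelta(minutes=15)
PBKDF2_ITERATIONS = 600_000        # OWASP-recommended count for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, iterated hash. The salt is random per password and stored beside the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)     # previous (salt, digest) pairs
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    session_token: Optional[str] = None
    last_activity: Optional[datetime] = None


class AuthService:
    def __init__(self) -> None:
        self.users: dict = {}

    def set_password(self, username: str, new_password: str) -> None:
        if len(new_password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        user = self.users.get(username)
        previous = ([(user.salt, user.digest)] + user.history) if user else []
        if any(verify_password(new_password, s, d) for s, d in previous[:PASSWORD_HISTORY_DEPTH]):
            raise ValueError("password was used recently and may not be reused")
        salt, digest = hash_password(new_password)
        self.users[username] = UserRecord(salt, digest, history=previous[:PASSWORD_HISTORY_DEPTH])

    def login(self, username: str, password: str, now: datetime) -> Optional[str]:
        """Return a session token on success, None on any failure."""
        user = self.users.get(username)
        if user is None:
            return None
        if user.locked_until is not None and now < user.locked_until:
            return None                        # locked: the password is not even evaluated
        if verify_password(password, user.salt, user.digest):
            user.failed_attempts = 0
            user.locked_until = None
            user.session_token = secrets.token_urlsafe(32)
            user.last_activity = now
            return user.session_token
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked_until = now + LOCKOUT_DURATION
            user.failed_attempts = 0
        return None

    def session_valid(self, username: str, token: str, now: datetime) -> bool:
        """Sessions expire after a period of inactivity; each valid use extends them."""
        user = self.users.get(username)
        if user is None or user.session_token is None:
            return False
        if not hmac.compare_digest(user.session_token, token):
            return False
        if now - user.last_activity > IDLE_SESSION_TIMEOUT:
            user.session_token = None
            return False
        user.last_activity = now
        return True
```

The record stores only salts and digests, never the password itself, which is what "hashed and salted" means in the evidence list above. Lockout is time-based rather than permanent so that a burst of mistyped passwords does not turn into a self-inflicted denial of service, and the `now` parameter is passed in explicitly so the timing rules can be tested without waiting.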
Third-party and vendor access
Third-party access is an area that catches many organisations off guard. When you give a vendor or contractor access to your systems, the same access control requirements apply. They need to be provisioned through your formal process, their access should be time-limited and scoped to what they actually need, and it must be revoked when the engagement ends.
Many organisations have dormant vendor accounts sitting in their systems for months or years after a contract ended. This is a finding that appears in almost every ISO 27001 audit I have seen. A simple quarterly review of all active accounts, including vendor accounts, will catch this before your auditor does.
Physical Access Control
Access control under ISO 27001 is not purely digital. The Physical theme in Annex A includes controls around physical access to facilities, server rooms, and other sensitive areas. Control 7.2 requires physical entry controls, and Control 7.3 covers securing offices, rooms, and facilities.
For most businesses, this means:
- Restricting physical access to server rooms and network equipment to authorised personnel only
- Maintaining a log of who accessed sensitive physical areas and when
- Visitor management procedures, including signing in and being escorted
- Ensuring that workstations in public or semi-public areas are locked when unattended
- Secure disposal of physical media that contains sensitive information
Physical access controls are often the easiest to demonstrate in an audit because they are visible and tangible. A locked server room with a keycard log is straightforward evidence. Where organisations struggle is with the documentation and review of that evidence.
Documenting and Evidencing Your Access Controls
ISO 27001 is a documented management system. That means your access controls need to be supported by documented information that demonstrates they are actually operating, not just written down in a policy that nobody follows.
The key pieces of documented evidence you need to maintain include:
- Your access control policy (reviewed and approved at defined intervals)
- Access request forms or tickets showing approval history
- User access registers showing current access rights by system and user
- Records of access reviews, including who conducted them and what actions resulted
- Offboarding checklists showing access revocation for departed staff
- Privileged account inventories and review records
- Authentication configuration settings (screenshots or configuration exports)
One practical tip: do not wait until your certification audit to pull this evidence together. Build the habit of documenting as you go. When an auditor asks to see evidence of your last access review, you want to be able to produce it in minutes, not spend the afternoon scrambling through email threads.
If you want a broader picture of what auditors look for across your entire ISMS, the article on what is an Information Security Management System is a useful starting point before diving into individual controls.
Common Access Control Nonconformances in ISO 27001 Audits
Based on real audit experience, here are the access control issues that come up most frequently:
- No formal access request or approval process: Access is granted informally without documentation.
- Privilege creep: Users accumulate permissions over time that are never removed.
- Stale accounts: Former employees or contractors still have active accounts.
- No regular access reviews: Access rights are never formally reviewed after initial provisioning.
- Shared credentials: Multiple users sharing a single account, making it impossible to attribute actions to individuals.
- No MFA on privileged or remote access accounts: A major finding in almost every audit of a business that has not specifically addressed this.
- Vendor access not managed: Third-party accounts left active after engagements end.
- Physical access not logged: Server rooms accessible without any record of who entered.
None of these are difficult to fix. They are almost always the result of informal practices that grew up over time rather than deliberate choices. The process of implementing ISO 27001 forces you to formalise what should have been formalised years ago.
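The regular access review described under Control 5.18 above and the nonconformance list just given are two views of the same check, so here is one added example (not from the article) that performs it: a script that reconciles an exported access register against an HR and contract feed and a role model, and emits a finding for each stale account, expired vendor account, entitlement outside the user's approved role, privileged account without MFA, shared account with no named owner, and overdue review. The register, people, roles and review dates are all constructed sample data, and the CSV columns are an assumed export format.

```python
"""Added example: reconciling an access register against HR and role data.
All inputs are constructed; the CSV layout and finding names are assumptions."""
import csv
import io
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 30)                 # constructed "today"
PRIV_REVIEW_MAX_AGE = timedelta(days=90)        # privileged access reviewed quarterly
STANDARD_REVIEW_MAX_AGE = timedelta(days=365)   # all other access reviewed annually

# Role model: the entitlements each role is approved to hold (constructed).
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp:ap_clerk", "sharepoint:finance"},
    "help-desk": {"ad:helpdesk", "ticketing:agent"},
    "sysadmin": {"ad:domain_admin", "vpn:admin"},
    "vendor-support": {"vpn:vendor", "erp:support_readonly"},
}
PRIVILEGED_ENTITLEMENTS = {"ad:domain_admin", "vpn:admin"}

# HR and contract feed (constructed). end_date is set once someone has left.
PEOPLE = {
    "alice": {"type": "employee", "role": "accounts-payable", "end_date": None},
    "bob": {"type": "employee", "role": "help-desk", "end_date": date(2024, 3, 15)},
    "carol": {"type": "employee", "role": "sysadmin", "end_date": None},
    "acme-support": {"type": "vendor", "role": "vendor-support", "end_date": date(2024, 1, 31)},
}

# Access register export (constructed). One row per user/entitlement pair.
ACCESS_REGISTER_CSV = """username,entitlement,mfa,last_reviewed,owner
alice,erp:ap_clerk,yes,2024-01-10,alice
alice,ticketing:agent,yes,2024-01-10,alice
bob,ad:helpdesk,yes,2024-01-10,bob
carol,ad:domain_admin,no,2024-05-01,carol
carol,vpn:admin,no,2023-11-01,carol
acme-support,vpn:vendor,yes,2024-01-10,acme-support
shared-finance,sharepoint:finance,no,2024-01-10,
"""


def review_access(register_csv: str, people: dict, today: date) -> list:
    """Return one finding per problem, tagged with the Annex A control it relates to."""
    findings = []

    def flag(user, ent, finding, control):
        findings.append({"username": user, "entitlement": ent,
                         "finding": finding, "control": control})

    for row in csv.DictReader(io.StringIO(register_csv)):
        user, ent = row["username"], row["entitlement"]
        person = people.get(user)
        privileged = ent in PRIVILEGED_ENTITLEMENTS

        if not row["owner"]:
            flag(user, ent, "shared_account", "5.17")        # nobody accountable for its use
        if person and person["end_date"] and person["end_date"] < today:
            kind = "vendor_access_expired" if person["type"] == "vendor" else "stale_account"
            flag(user, ent, kind, "5.18")
            continue                                           # account should not exist at all
        if person and ent not in ROLE_ENTITLEMENTS.get(person["role"], set()):
            flag(user, ent, "privilege_creep", "5.18")        # entitlement outside approved role
        if privileged and row["mfa"].strip().lower() != "yes":
            flag(user, ent, "privileged_without_mfa", "8.2")
        max_age = PRIV_REVIEW_MAX_AGE if privileged else STANDARD_REVIEW_MAX_AGE
        if today - date.fromisoformat(row["last_reviewed"]) > max_age:
            flag(user, ent, "review_overdue", "5.18")
    return findings


def summarise(findings: list) -> dict:
    """Count findings by type, which is what goes on the review record."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACCESS_REGISTER_CSV, PEOPLE, REVIEW_DATE)
    for f in results:
        print(f"{f['username']:14} {f['entitlement']:22} {f['finding']:24} A.{f['control']}")
    print(summarise(results))
```

Run against the constructed data, the script reports seven findings covering six of the eight nonconformance types listed above (physical access logging and the missing request process are not visible in an entitlement export). The output, dated and signed off by the responsible manager with the action taken per line, is the review record an auditor asks for; running it quarterly for privileged entitlements and annually for everything else matches the cadence suggested earlier.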
Getting Help With ISO 27001 Access Control Implementation
Implementing access control properly across your organisation takes time, especially if you are starting from a position where processes have been informal. For many businesses, particularly those without a dedicated information security function, working with an experienced ISO 27001 consultant makes the process significantly more efficient.
A good consultant will help you map your current access control practices against the standard requirements, identify gaps, design practical controls that fit your organisation, and prepare the documentation you need for certification. If you are not sure where to find one, comparing ISO 27001 consultants before you commit is worth doing carefully.
CertBetter connects Australian businesses with verified ISO 27001 consultants and accredited certification bodies. Submit one form, receive up to three competing quotes, and compare providers before making a decision. The service is completely free for businesses seeking certification help, and every provider on the platform has been vetted for credentials and experience.