iso27diy-corp/Corpus/ISMS/Access Control in ISO 27001.md

Relevant articles for Access Control

Preventing unauthorized access to classified data depends on a combination of organizational, physical, and technological controls, particularly those that protect Confidentiality (one of the core information security properties).

The relevant clauses and controls, primarily derived from ISO/IEC 27002:2022 (referenced in Annex A of ISO/IEC 27001:2022), are detailed below:

1. Controls Focused on Data Identification, Classification, and Handling

To prevent unauthorized access to classified data, the data itself must first be identified and properly protected according to its sensitivity:

  • 5.12 Classification of information: Information should be classified according to the organization's information security needs based on confidentiality, integrity, availability, and relevant interested party requirements. This helps ensure the identification and understanding of the protection needs of information.
  • 5.13 Labelling of information: An appropriate set of procedures for information labelling should be developed and implemented in accordance with the adopted classification scheme. Labelling communicates the classification and supports automation of protection controls.
  • 5.10 Acceptable use of information and other associated assets: Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented, and implemented. This involves access restrictions supporting the protection requirements for each level of classification.
  • 5.33 Protection of records: Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release, in line with their classification and any retention requirements.
  • 5.34 Privacy and protection of PII: The organization should identify and meet requirements regarding the preservation of privacy and protection of Personally Identifiable Information (PII) according to applicable laws, regulations, and contractual requirements, since PII is often considered sensitive or classified.
  • 7.7 Clear desk and clear screen: Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and enforced to reduce the risk of unauthorized access or loss of information outside of normal working hours.

2. Controls Governing Identity, Authentication, and Access Authorization

These controls directly manage who (or what) is authorized to access resources and classified data:

  • 5.15 Access control: Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. Access rules should adhere to principles like "need-to-know".
  • 8.3 Information access restriction: Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. Public or anonymous access should generally not be granted to storage locations containing sensitive information.
  • 8.2 Privileged access rights: The allocation and use of privileged access rights should be restricted and managed. Inappropriate use of system administrator privileges is a major factor contributing to system failures or breaches.
  • 5.16 Identity management: The full life cycle of identities should be managed to ensure unique identification of individuals and systems and enable appropriate assignment of access rights.
  • 5.17 Authentication information: The allocation and management of authentication information (e.g., passwords, tokens) must be controlled by a management process, including advising personnel on appropriate handling, to ensure proper entity authentication.
  • 8.5 Secure authentication: Secure authentication technologies and procedures (like multi-factor authentication) should be implemented based on information access restrictions and the access control policy.
  • 5.18 Access rights: Access rights should be provisioned, reviewed, modified, and removed in accordance with the access control policy. This process ensures access is defined and authorized according to business needs.
  • 8.18 Use of privileged utility programs: The use of utility programs capable of overriding system and application controls must be restricted and tightly controlled to ensure they do not harm information security.
  • 8.4 Access to source code: Read and write access to source code, development tools, and software libraries should be appropriately managed, both to maintain the confidentiality of valuable intellectual property and to prevent unauthorized or unintended changes to the code.
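The following is an added example, not text from the standard or code from any product: it shows how a classification label on an asset (5.13), a principal's clearance and need-to-know compartments (5.15), the ban on anonymous access to sensitive stores (8.3), and privileged rights used only in an elevated session (8.2) can be combined into a single automated allow/deny decision. The four-level scheme, the compartment names, and the sample principals and assets are all constructed for the example; an organization substitutes its own classification scheme.

```python
"""Label-based access decisions (constructed example; not ISO text and not
any product's policy engine)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed four-level scheme; an organization defines its own (5.12).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    label: str                                  # classification label (5.13)
    compartments: FrozenSet[str] = frozenset()  # need-to-know groups (5.15)


@dataclass(frozen=True)
class Principal:
    user_id: Optional[str]                      # None models anonymous access
    clearance: str
    compartments: FrozenSet[str] = frozenset()
    privileged: bool = False                    # holds privileged rights (8.2)


def authorize(p: Principal, a: Asset, action: str,
              privileged_session: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason). Every deny names the rule that fired so the
    decision can be logged and reviewed."""
    if a.label not in LEVELS or p.clearance not in LEVELS:
        return False, "unknown classification label"        # fail closed
    # 8.3: no anonymous access to anything above public
    if p.user_id is None and LEVELS[a.label] > LEVELS["public"]:
        return False, "anonymous access to non-public asset"
    # 5.12/5.13: clearance must be at least the asset's level
    if LEVELS[p.clearance] < LEVELS[a.label]:
        return False, f"clearance {p.clearance} below label {a.label}"
    # 5.15 need-to-know: the principal must hold every compartment on the asset
    missing = a.compartments - p.compartments
    if missing:
        return False, "need-to-know: missing " + ",".join(sorted(missing))
    # 8.2: changing restricted data requires privileged rights, exercised only
    # in an explicitly elevated session rather than as a standing privilege
    if action == "write" and a.label == "restricted" \
            and not (p.privileged and privileged_session):
        return False, "write to restricted data requires an elevated privileged session"
    return True, "allowed"


def evaluate(requests) -> List[str]:
    """Produce one audit line per (principal, asset, action) request."""
    lines = []
    for p, a, action in requests:
        ok, why = authorize(p, a, action)
        who = p.user_id or "anonymous"
        lines.append(f"{'ALLOW' if ok else 'DENY '} {who} {action} {a.name}: {why}")
    return lines


# Constructed sample assets and principals
HR_FILE = Asset("payroll-2024.xlsx", "confidential", frozenset({"hr"}))
PLANS = Asset("merger-plan.docx", "restricted", frozenset({"exec"}))
BROCHURE = Asset("brochure.pdf", "public")

ALICE = Principal("alice", "confidential", frozenset({"hr"}))
BOB = Principal("bob", "confidential", frozenset({"finance"}))
EVE_ADMIN = Principal("eve", "restricted", frozenset({"exec"}), privileged=True)
ANON = Principal(None, "public")

if __name__ == "__main__":
    for line in evaluate([(ANON, BROCHURE, "read"), (ANON, HR_FILE, "read"),
                          (ALICE, HR_FILE, "read"), (BOB, HR_FILE, "read"),
                          (EVE_ADMIN, PLANS, "write")]):
        print(line)
```

Two design points are worth noting. The check fails closed on an unknown label, so an asset that was never labelled cannot be read as if it were public. And the privileged write path requires both the standing right and a per-session elevation flag, which is what makes the use of privileged access rights reviewable rather than permanent.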

3. Technological Controls for Data Protection and Leakage Prevention

These technical measures actively protect classified data from disclosure:

  • 8.12 Data leakage prevention: Measures should be applied to systems, networks, and devices that process, store, or transmit sensitive information to detect and prevent unauthorized disclosure and extraction of information.
  • 8.11 Data masking: Data masking techniques (like pseudonymization or anonymization) should be used in accordance with access control policies and legal requirements to limit the exposure of sensitive data.
  • 8.24 Use of cryptography: Rules for the effective use of cryptography, including key management, should be defined and implemented to protect the confidentiality and integrity of information.
  • 8.1 User endpoint devices: Information stored on, processed by, or accessible via user endpoint devices must be protected against associated risks. This includes requirements for physical protection, storage device encryption, and logical access controls.
  • 6.7 Remote working: Security measures should be implemented when personnel work remotely to protect information accessed, processed, or stored outside the organization's premises.

4. Segregation and Operational Controls

These controls prevent classified data from being compromised via unauthorized operational pathways or environments:

  • 8.31 Separation of development, test and production environments: Development, testing, and production environments should be separated and secured so that activities in development or testing cannot compromise the production environment or live production data.
  • 8.33 Test information: Test information must be appropriately selected, protected, and managed. This typically involves using access controls comparable to production and avoiding the direct copying of sensitive production data into test environments unless masking is used.
  • 5.3 Segregation of duties: Conflicting duties and responsibilities should be segregated to reduce the risk of bypassing information security controls.
  • 8.22 Segregation of networks: Groups of services, users, and systems should be segregated within the organization's networks, splitting the network into security boundaries and controlling traffic between them.
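The following is an added example that is not part of the standard or of any masking product; it illustrates both data masking (8.11 in section 3) and the handling of test information (8.33 above), which in practice meet at the same step: pseudonymizing a production extract before it is copied into a test environment. The customer rows, the field names, and the key are all constructed. It shows why a keyed HMAC is used rather than a plain hash for low-entropy identifiers, keeps pseudonyms consistent so joins across tables still work, generalizes or suppresses fields that tests do not need to join on, and gates release on a check that no original identifier survived.

```python
"""Keyed pseudonymization of a production extract for a test environment
(constructed example; not ISO text and not any product's masking tool)."""
import hashlib
import hmac
from typing import Dict, List

# Constructed production extract. The real key stays on the production/KMS
# side; the test environment receives only the masked rows, never the key.
PRODUCTION_ROWS: List[Dict[str, str]] = [
    {"customer_id": "10042", "name": "Ada Example", "email": "Ada@Example.org",
     "dob": "1985-07-14", "card_last4": "4242", "order_total": "129.90"},
    {"customer_id": "10042", "name": "Ada Example", "email": "ada@example.org",
     "dob": "1985-07-14", "card_last4": "4242", "order_total": "15.00"},
    {"customer_id": "20077", "name": "Bo Sample", "email": "bo@sample.net",
     "dob": "1991-02-03", "card_last4": "1881", "order_total": "49.99"},
]

DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def pseudonym(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Deterministic keyed pseudonym. Binding the field name stops the same
    value in two columns from yielding the same token. Using HMAC rather than a
    bare SHA-256 means someone holding the masked data cannot re-identify rows
    by hashing a dictionary of plausible names, emails or numeric IDs."""
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def mask_row(key: bytes, row: Dict[str, str]) -> Dict[str, str]:
    out = dict(row)
    # Pseudonymize: stable tokens keep referential integrity across rows/tables
    out["customer_id"] = "C" + pseudonym(key, "customer_id", row["customer_id"])
    out["name"] = "Customer " + pseudonym(key, "name", row["name"], 6)
    # Normalize case before hashing so variants of one address stay joinable
    out["email"] = ("user-" + pseudonym(key, "email", row["email"].lower())
                    + "@example.invalid")
    out["dob"] = row["dob"][:4] + "-01-01"   # generalize: keep the year only
    out["card_last4"] = "XXXX"               # suppress: no test case needs it
    return out                               # order_total kept: not PII


def mask_dataset(key: bytes, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [mask_row(key, r) for r in rows]


def leaked_values(original: List[Dict[str, str]],
                  masked: List[Dict[str, str]]) -> List[str]:
    """Release gate: any original direct identifier or card fragment that still
    appears (case-insensitively) as a whole field in the masked output is a leak."""
    originals = {r[f].lower() for r in original for f in DIRECT_IDENTIFIERS}
    originals |= {r["card_last4"] for r in original}
    return [v for r in masked for v in r.values() if v.lower() in originals]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    masked = mask_dataset(key, PRODUCTION_ROWS)
    for r in masked:
        print(r)
    print("leaks:", leaked_values(PRODUCTION_ROWS, masked))
```

The masked copy is still useful to testers (two orders from the same customer remain linked, totals are untouched) while the values that identify a person are gone, and the same key applied to a second table (orders, tickets) yields matching tokens so joins keep working. Rotating the key for each refresh breaks linkability between successive test extracts, which is usually what you want.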