Inverifi logo

An Introduction to ISO 27001 Access Control

Access control is a critical component of any information security program, as it helps prevent unauthorized access to sensitive data.

ISO 27001 Access control illustration image

When looking into access control, it is first important to understand what it is and how it can affect you no matter what role you are in.

 

Access control is an essential component of any information security program, as it helps to prevent unauthorised access to sensitive data and systems.

 

By implementing effective access control measures, organisations can protect themselves against a wide range of security threats, including data breaches, cyber attacks, and insider threats.

 

Access control is linked to ISO 27001 standards, specifically annex control A.9.1, which requires businesses to have access control implemented to limit access to information and information processing facilities.

How does access control work?

Now that we have a general sense of what access control is, we can look deeper into how it works. There are five main steps that access control goes through to work correctly and I’m going to explain what each step is and why it’s done.

 

  • Authorisation – Is the first step in access control as it’s the step that lets administrators set up access rights and permissions that are needed.

 

  • Authentication – Lets the people that have been previously authorised in the last step gain access if they do have the correct credentials. This for example could take the form of a login screen asking for the correct username and password.

 

  • Access – The credentials given in the last step have been checked and been verified as correct, which then means they are provided access (according to the rules & permissions defined against their account)

 

  • Manage – Helps administrators with the process of onboarding, offboarding users and troubleshooting any access issues that occur.

 

  • Audit – Allows administrators to go through logs of the access control system and examine if anything may be wrong.

Types of access control models

Access control models are frameworks that organisations use to manage and restrict access to resources, such as data, systems, and facilities. There are several types of access control models. I will go through four of these models in this section to help you better understand the different methods of implementing access control.


Mandatory Access Control (MAC)

The mandatory access control model is a very inflexible and rigid solution but due to this, it is also one of the most secure. In this case, it means that the end user has no control over any settings that could provide any privileges to anyone.

 

There are two security models associated with MAC and these are Biba Model and Bell-LaPadula Model, I won’t be going into them here but if you wish to, you can read up on Wikipedia for more information.

 

MAC is the highest access control there is. It is mostly utilised in military or government settings, utilising the access levels of Classified, Secret and Unclassified.

 

Role-Based Access Control (RBAC)

The role-based access control model is designed to provide access control based on the position an individual fills in a business. Eg. an individual who works as a network engineer would be assigned permissions that their role as a network engineer actually requires, instead of sweeping global permissions.

 

This makes life easier for the system administrator since access controls can be grouped together in roles which makes large permission changes much faster.

 

Discretionary Access Control (DAC)

The discretionary access control model is the least restrictive when compared to the MAC model discussed above. This is because DAC allows individuals complete control over any data they own, along with any other programs associated with it.

 

This isn’t ideal as it gives the end user complete control over being able to set security level settings for other users and, even worse, the permissions the users is provided are inherited into other programs – which could lead to the end user executing malware that has more access than it should, leading to more damage.

 

Rule-Based Access Control (RBAC or RB-RBAC)

Rule-Based Access Control (RBAC) is a model in which access to resources is granted based on the defined rules and policies. These rules specify the actions that a user can perform on a resource. This, for example, could be used in a situation where a user should only have access to files during a certain period of time.

 

The main issue of this approach is that these extra rules may require being implemented into the network by the system administrator in the form of code.

 

 

The importance of Access Controls for ISO 27001

Access controls are important in relation to ISO 27001, because they are required as part of the annex controls under A.9. 


In order to gain ISO 27001 certification, a business must have an access control policy that successfully limits access to information and information processing systems. This is because it mitigates the risk of information being accessed without appropriate authorisation and the risk of a data breach.

Conclusion

The topic of access control may seem simple at first glance but it can get quite complicated when you venture into the different models out there and the process of implementing it into a business.

 

In conclusion, access control is a crucial component of any information security program. It helps organisations protect themselves against a range of security threats by limiting access to sensitive data and systems to authorised users. There are several types of access control models. Each model has its own strengths and weaknesses and is best suited to different types of organisations and needs. By understanding and implementing the right access control model for your organisation, you can ensure the security and integrity of your sensitive data and systems.

 

If you have any questions about access control or want to share your experiences with different access control models, get in touch with us.

More blogs you might like