Want to keep your company's data safe? That’s where an access control policy comes into play. It's designed to protect sensitive information and control who can access your organisation's files.
Read on for a full breakdown of an access control policy: what it is, why it matters, and how to set one up in your organisation (using our template).
Update: It's important to highlight that the ISO 27001:2013 standard was updated on 25th October 2022, resulting in ISO 27001:2022, the most recent edition, with revised guidelines. For the most current and precise details about the ISO 27001 Annex A controls, please refer to the updated version.
In this blog post, we'll cover:
- What is access control, and what is access control policy?
- Why do you need an access control policy?
- What does ISO 27001 say about access control?
- What should your access control policy cover?
- How do you set up an access control policy for your company?
- How can DataGuard help you with your access control policy?
What is access control, and what is access control policy?
Before we get started, knowing the difference between access control and access control policy can help you implement access control effectively in your company.
Access control
Access control refers to ensuring that authorised users are able to access the required files or services while preventing access to non-authorised users.
Access control policy
An access control policy is a framework to implement access control in your company. It limits access to information and ensures only the right people who need the information are given access to it.
Access control is also a key component of ISO 27001 certification, the international standard for information security. A proper access control policy can help you successfully get the certification while staying compliant with data privacy laws like the UK GDPR.
Why do you need an access control policy?
Not every employee needs access to all company data, and an access control policy can help you define the levels of access for different people. Clearly outlining an access control policy is crucial and has several benefits. Some of them are:
- Make sure that only the authorised people who need the data have access to your files. This can help you preemptively prevent data breaches by keeping unauthorised users out.
- Keep track of who accesses what information and hardware. This helps you to easily identify the cause in case of a security breach.
- Avoid the threats of a traditional key system. A traditional key system has several weaknesses that can compromise your whole building's security.
- Comply with data privacy laws and international standards. Laws such as UK GDPR and standards, including ISO 27001, require you to have proper access control policies.
If you plan on getting ISO 27001 certified, implementing access control in line with ISO 27001 standard in your company is essential. So, what does ISO 27001 say about access control? Let’s find out.
What does ISO 27001 say about access control?
The ISO 27001 standard (international standard for information security) has listed 14 different categories of controls (Annex A controls) to manage information within your company. Annex A.9 of the list deals with access control.
There are four categories of Annex A.9 controls:
- Annex A.9.1.1 – Access Controls
- Annex A.9.2 – User Access Management
- Annex A.9.3 – User Responsibilities
- Annex A.9.4 – Application Access Controls
The first Annex A.9 subset sets out the requirements for an access control policy. Let's see how you can meet them and what your policy should cover.
What should your access control policy cover?
Your access control policy should cover both technical and physical security measures to prevent unauthorised access to records.
When writing your access control policy, it is important to include the following areas of information to stay compliant with standards and laws such as ISO 27001 and the UK's General Data Protection Regulation (GDPR), one of the most comprehensive data protection laws in the UK and the EU:
- Document Version Control
- Document Contents Page
- Purpose
- Scope
- People
- Systems
- Physical Access
- Access Control Policy
- Principle
- Confidentiality Agreements
- Role Based Access
- Unique Identifier
- Access Authentication
- Access Rights Review
- Privilege Accounts / Administrator Accounts
- Passwords
- User Account Provisioning
- Leavers
- Authentication
- Remote Access
- Third-Party Remote Access
- Monitoring and Reporting
- Policy Compliance
- Compliance Measurement
- Exceptions
- Non-Compliance
- Continual Improvement
Keeping track of everything you need to write your access control policy can be overwhelming. That’s why we’ve put together an initial access control policy template to help you get there.
Now that you know what an access control policy needs, let's see how you can set one up for your company.
How do you set up an access control policy for your company?
There are six key steps you should take when creating an access control policy:
1. Identify the objective of the policy
Access control policies fall under two categories:
- Administrative policies that concern your IT department
- Operational policies that concern your network resources
Identifying why you are setting up your access control policy is the first step to setting up your information security.
2. Identify the type of information that requires protection
Your access control policies are designed to protect sensitive information, and figuring out the type of data you collect can help you determine who should access it.
Some examples of protected information are:
- Credit card information
- Intellectual property assets
- HR information
3. Identify who needs access to this information
Who needs access to what data? Taking a good look at their job responsibilities can help you determine this. Once you know who these people are, you can decide on a minimum level of access and put it in your access control policy.
4. Identify the roles of these individuals and groups
After identifying the parties who need access, it's time to outline their roles. Every company has different needs, and you can use them to identify the tasks and responsibilities of those who handle protected information.
Some examples of such roles are:
- Account manager
- Systems manager
- Access administrator
5. Identify how sensitive the information is
This is one of the most important steps in creating an access control policy. Sensitive information refers to information that should be protected from unauthorised access. There are three main types of sensitive information.
- Personal Information such as medical records and credit card numbers
- Business Information such as business plans and intellectual property
- Classified Information, such as confidential government information
Clearly defining the standard for sensitive information can help you:
- Decide on the security measures needed to protect it
- Hold people accountable when they handle information
6. Comply with government policies and regulations
Laws such as the UK GDPR and the EU GDPR have strict clauses on access management and access control policy. Ensuring your company complies with all applicable laws and regulations can help you avoid data breaches, policy violations and heavy fines.
A typical access control policy should take the above requirements into account.
How can DataGuard help you with your access control policy?
With cyber threats increasing, access control is now more important than ever. With our information security solutions, you can gain control of your company's data while staying legally compliant.
DataGuard’s solutions are suitable for your company because:
- Our experts will work with you to curate an information security solution tailored to your company’s needs.
- We can help you achieve ISO 27001 certification with ease after you’ve tackled access control.
- You can always talk to your designated DataGuard expert on any of your information security concerns.
A good access control policy is a key requirement of many standards and frameworks, including ISO 27001. If you want to become ISO 27001 compliant, we can help you.