ISO 27001 A.8.3: Information access restriction
What This Control Requires
Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
In Plain Language
Having an access control policy (A.5.15) and a process for managing access rights (A.5.18) is great on paper. But this control is about what actually happens at the technical level - are your systems enforcing those restrictions in practice?
Users should only be able to reach the data and functions they are authorised for. That means granular restrictions on data, application features, system configurations, and output. Granting broad access because it was easier to set up is exactly what auditors will flag.
The tricky part is consistency. Your access restrictions need to work the same way across on-premises systems, cloud apps, databases, file shares, and collaboration platforms. One system with overly permissive defaults can undermine the entire model.
How to Implement
Implement technical access controls across all information systems based on your access control policy and RBAC model. Consistency across platforms is what matters most here.
For applications: set up role-based access within each application, restrict access to specific functions and data based on user roles, enforce data-level restrictions (row-level and column-level security where needed), configure proper session management (timeouts, single-session restrictions), and hide functions the user is not permitted to use rather than just blocking them.
For databases: lock down direct database access to authorised administrators only. Use row-level security for multi-tenant databases. Prefer stored procedures and views over direct table access. Audit all database access, especially to sensitive tables. Encrypt sensitive columns at the database level.
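As an added example of the database guidance above (not code from the original page), the PostgreSQL setup below combines row-level security for tenant isolation with column-level grants instead of direct table access. The table, role and setting names are constructed for illustration.

```sql
-- Constructed schema: one table shared by every tenant.
CREATE TABLE customer_records (
    id        bigserial PRIMARY KEY,
    tenant_id integer   NOT NULL,
    email     text      NOT NULL,
    ssn       text                        -- sensitive: never readable by the application role
);

-- The application connects as app_user, which owns nothing, so RLS applies to it.
-- Administrators keep direct access under their own, audited roles.
CREATE ROLE app_user LOGIN;               -- credential provisioned out of band
REVOKE ALL ON customer_records FROM PUBLIC;

-- Column-level restriction: no SELECT grant on ssn, so "SELECT *" is refused for
-- app_user and the application has to name the columns it is entitled to.
GRANT SELECT (id, tenant_id, email),
      INSERT (tenant_id, email, ssn),
      UPDATE (email)
    ON customer_records TO app_user;

-- Row-level restriction: each transaction is bound to one tenant via a session setting.
ALTER TABLE customer_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_records FORCE ROW LEVEL SECURITY;   -- binds the table owner as well

CREATE POLICY tenant_isolation ON customer_records
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::integer)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::integer);
-- If app.current_tenant is unset the comparison yields NULL, so no row is visible
-- or writable: the restriction fails closed rather than open.

-- Per request, the application pins the tenant for the current transaction only.
BEGIN;
SET LOCAL app.current_tenant = '42';
SELECT id, email FROM customer_records;                                         -- tenant 42 only
INSERT INTO customer_records (tenant_id, email) VALUES (42, 'a@example.com');   -- allowed
COMMIT;

BEGIN;
SET LOCAL app.current_tenant = '42';
INSERT INTO customer_records (tenant_id, email) VALUES (7, 'b@example.com');    -- wrong tenant
-- ERROR:  new row violates row-level security policy for table "customer_records"
ROLLBACK;
```

Superusers and roles with BYPASSRLS are never subject to these policies, which is why the application must not connect as the table owner or a superuser, and why administrator access to the table should be logged separately.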
For file systems and shared storage: set NTFS or equivalent permissions aligned with your access control matrix. Keep share permissions as tight as possible. Deploy DLP to prevent unauthorised copying. Run regular permission audits to catch access drift, and strip out inherited permissions that are too broad.
For cloud and SaaS: integrate SSO with your identity provider. Use conditional access policies to enforce context-based restrictions. Lock down data sharing and export within cloud platforms. Consider a CASB for visibility and control, and secure API access to prevent programmatic bypass.
Verify your access restrictions actually work. Use automated tools to scan for misconfigured permissions, overly broad grants, and orphaned accounts. Penetration testing should specifically check whether access controls can be bypassed. Fix findings quickly and track remediation to completion.
Evidence Your Auditor Will Request
- Access control configuration in key applications and systems
- RBAC implementation showing role-to-permission mappings
- Database access control configuration and audit records
- File share permission configurations and audit records
- Access control testing or penetration testing results
Common Mistakes
- Access restrictions are not granular enough, giving users access to more data than needed
- Different systems implement access control inconsistently
- Direct database access is granted to users who only need application-level access
- File share permissions are too broad due to inheritance or poor management
- Access restrictions are not tested to verify they work correctly
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.1 | Equivalent |
| GDPR | Art.25 | Partial overlap |
| GDPR | Art.32 | Related |
| NIS2 | Art.21(2)(i) | Related |
Frequently Asked Questions
How granular should access restrictions be?
How do we handle access restrictions in multi-tenant SaaS applications?
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.