Access Control
The set of policies, procedures, and technical mechanisms that govern who can access which information assets, systems, and resources. Access control ensures that only authorized individuals can view, modify, or interact with sensitive data and systems.
Access control is one of the most fundamental information security concepts and appears as a core requirement in every major compliance framework. It operates on the principle that access to information and systems should be restricted to those who need it for legitimate business purposes — commonly known as the principle of least privilege.
Access control is typically implemented at multiple layers. Identity and authentication controls verify that users are who they claim to be, through passwords, multi-factor authentication (MFA), single sign-on (SSO), or biometric verification. Authorization controls determine what authenticated users are permitted to do, typically through role-based access control (RBAC) or attribute-based access control (ABAC). Physical access controls restrict access to facilities, server rooms, and other physical locations.
Beyond implementation, effective access control requires ongoing management. This includes regular access reviews (quarterly is the common standard), prompt deprovisioning when employees leave or change roles, monitoring for unauthorized access attempts, and maintaining audit logs of access events. ISO 27001 dedicates multiple Annex A controls to access management. SOC 2 addresses access control under both the Security and Confidentiality criteria. GDPR requires appropriate technical measures to protect personal data, which invariably includes access control. For SaaS companies, access control implementation typically covers both internal access to production systems and the access control features provided to customers within the product.
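The layers described above (RBAC roles, an ABAC attribute check, deny-by-default least privilege, an audit log of every decision, and prompt deprovisioning) in one small authorization component. This is an added illustration, not code from the glossary or any particular product; all user, role, team and resource names are constructed.

```python
# Constructed example: RBAC + ABAC authorization with default deny and an audit trail.
from dataclasses import dataclass, field
from datetime import datetime, timezone

ROLE_PERMISSIONS = {  # RBAC: what each role may do (constructed sample roles)
    "engineer": {"read:prod-logs", "deploy:staging"},
    "sre": {"read:prod-logs", "deploy:staging", "deploy:prod"},
    "support": {"read:customer-ticket"},
}

@dataclass
class Resource:
    name: str
    owner_team: str
    classification: str = "internal"  # "internal" or "restricted"

@dataclass
class AccessControl:
    user_roles: dict = field(default_factory=dict)   # user -> set of roles
    user_team: dict = field(default_factory=dict)    # user -> team (ABAC attribute)
    audit_trail: list = field(default_factory=list)  # who, what, when, outcome

    def grant(self, user, team, *roles):
        self.user_roles[user] = set(roles)
        self.user_team[user] = team

    def deprovision(self, user):
        # Prompt deprovisioning: every entitlement is removed at once
        self.user_roles.pop(user, None)
        self.user_team.pop(user, None)

    def is_allowed(self, user, action, resource):
        # Least privilege: deny unless a rule explicitly permits the request
        roles = self.user_roles.get(user, set())
        permitted = any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        # ABAC: restricted resources additionally require same-team membership
        if permitted and resource.classification == "restricted":
            permitted = self.user_team.get(user) == resource.owner_team
        # Audit trail: every decision is recorded, allowed or not
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "resource": resource.name,
            "outcome": "allow" if permitted else "deny",
        })
        return permitted
```

The audit entries are what an access review or incident investigation would consume; a denied request for a deprovisioned account is still logged, which is how unauthorized access attempts become visible.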
Related terms
Annex A
The appendix to ISO 27001 that contains a reference set of 93 information security controls organized into four themes: Organizational, People, Physical, and Technological. Organizations use Annex A as a checklist to ensure their ISMS addresses all relevant control areas.
Audit Trail
A chronological record of system activities that provides documentary evidence of the sequence of events — including who accessed what, when, and what actions were taken. Audit trails are essential for security monitoring, incident investigation, and compliance evidence.
Encryption
The process of converting data into an encoded format that can only be read by authorized parties who possess the correct decryption key. Encryption protects data confidentiality both at rest (stored data) and in transit (data being transmitted over networks).
Information Security Management System
A systematic framework of policies, processes, and controls that an organization establishes to manage and protect its information assets. An ISMS addresses people, processes, and technology to ensure the confidentiality, integrity, and availability of information.