ISO 27001 A.5.15: Access Control Explained

Establish and implement rules governing physical and logical access to information and associated assets based on business need and least privilege.

OFFICIAL REFERENCE (PARAPHRASED)

Rules to control physical and logical access to information and other associated assets shall be established and implemented, based on business and information security requirements. (ISO/IEC 27001:2022 Annex A.5.15)

Last reviewed: June 2026. Not legal or audit advice.

WHAT EVIDENCE SATISFIES THIS

  • Access control policy approved by management, stating the business and information security requirements access decisions are based on
  • Role-based access matrix per system, mapping each role to the entitlements it is approved to hold
  • Periodic access review records, including what was found and what was revoked as a result
  • Joiner-mover-leaver procedure, with evidence that access is removed on leaving and adjusted (not just extended) on a role change
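
A periodic access review is only evidence if it actually compares what people hold against what their role allows. The script below is an added example written for this page, not the page's own material or any vendor's tooling; it takes three constructed inputs (a hypothetical role matrix, an HR feed of status and role, and an entitlement export per system) and produces the findings an auditor would expect the review record to show: leavers who still have access, accounts with no owner, and active users holding more than their role permits. All system names, users and entitlement strings are made up for illustration.

```python
from dataclasses import dataclass

# --- Constructed sample inputs (hypothetical, not from any real environment) ---

# Approved role matrix: system -> role -> entitlements that role may hold.
ROLE_MATRIX = {
    "gitlab": {
        "developer": {"repo:read", "repo:write"},
        "admin": {"repo:read", "repo:write", "admin"},
    },
    "prod-db": {
        "dba": {"db:read", "db:write", "db:admin"},
        "analyst": {"db:read"},
    },
}

# HR feed: user -> (employment status, current role). A role not listed for a
# system in ROLE_MATRIX is approved for nothing on that system.
HR_FEED = {
    "alice": ("active", "developer"),
    "bob": ("active", "analyst"),      # mover: was a dba before changing teams
    "carol": ("left", "dba"),          # leaver: should hold nothing anywhere
    "svc-backup": ("active", "admin"),
}

# Entitlement export from each system: system -> user -> entitlements held now.
ACTUAL_ACCESS = {
    "gitlab": {
        "alice": {"repo:read", "repo:write", "admin"},
        "svc-backup": {"repo:read", "repo:write", "admin"},
        "dave": {"repo:read"},          # no HR record at all
    },
    "prod-db": {
        "bob": {"db:read", "db:write", "db:admin"},
        "carol": {"db:read", "db:write", "db:admin"},
    },
}


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    kind: str                 # "leaver", "unknown_user" or "excess"
    entitlements: frozenset   # what should be revoked


def review_access(matrix, hr_feed, actual):
    """Compare held entitlements against the approved matrix and HR status.

    Returns one Finding per (system, user) that needs attention, ordered by
    system then user so the output is stable for the review record.
    """
    findings = []
    for system, users in sorted(actual.items()):
        approved_roles = matrix.get(system, {})
        for user, held in sorted(users.items()):
            held = frozenset(held)
            record = hr_feed.get(user)
            if record is None:
                # Account exists on the system but nobody owns it: revoke everything.
                findings.append(Finding(system, user, "unknown_user", held))
                continue
            status, role = record
            if status != "active":
                # Leaver whose access was never removed (a JML process gap).
                findings.append(Finding(system, user, "leaver", held))
                continue
            approved = approved_roles.get(role, set())
            excess = held - approved
            if excess:
                # Active user holding more than the role allows: least-privilege
                # drift, typically a mover who kept old grants or an ad-hoc elevation.
                findings.append(Finding(system, user, "excess", frozenset(excess)))
    return findings


def revocation_plan(findings):
    """Flatten findings into (system, user, entitlement) tuples for the remediation ticket."""
    return sorted((f.system, f.user, ent) for f in findings for ent in f.entitlements)


def summarize(findings):
    """Counts by finding kind, useful as the headline of the review record."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ROLE_MATRIX, HR_FEED, ACTUAL_ACCESS)
    for f in results:
        print(f"{f.kind:12} {f.system:8} {f.user:10} revoke={sorted(f.entitlements)}")
    print(summarize(results))
```

Two points worth keeping when adapting this: the HR feed, not the target system, is the source of truth for whether an account should exist at all, and a role with no entry for a system is treated as approved for nothing, so a mover's leftover grants surface as excess rather than silently passing. The revocation plan is the artifact to attach to the review record alongside the findings; the review is only complete once those tuples have been actioned.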
