Access Control Policies and Procedures
Set and apply rules for who can access information and systems based on their security needs.
Plain language
This control is about setting clear rules for who can enter a company’s systems and access its information. It matters because if these rules aren’t in place, unauthorised people could get access to sensitive information, potentially leading to data breaches or misuse of data.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Organisational controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
Why it matters
Without defined and implemented access control policies and procedures, logical and physical access may be granted inappropriately, enabling unauthorised access and data breaches.
Operational notes
Regularly review access permissions to align with role changes and prevent privilege creep across the organisation.
Implementation tips
- The IT manager should identify which staff members or positions need access to specific systems and information. This can be done by reviewing job descriptions and understanding the tasks employees need to perform. Once understood, set access permissions based strictly on these needs, ensuring that no unnecessary access is granted.
- The HR team should work with the IT department to ensure that physical access to facilities is appropriately restricted. This involves issuing and maintaining a record of access cards or keys and ensuring visitors sign in and are escorted. Australian regulations, such as the Privacy Act 1988, require safeguarding private information, which includes controlling who physically accesses areas where data is stored.
- The board or management should create a written access control policy that outlines the rules for accessing both physical and digital assets. This policy should be communicated to all employees and include principles like 'need-to-know' and 'least privilege'. It should also reference relevant guidance from ISO 27002:2022.
- IT administrators should establish a process for regularly reviewing and updating access rights. This means checking at intervals that only current employees have access and that their access levels match their roles. Conducting these reviews annually, and whenever an employee changes role or leaves the organisation, helps ensure compliance with Australian standards such as CPS 234.
- Security and IT staff should set up systems for logging access attempts to sensitive systems. This involves using tools that can record who accessed what, and when, and setting alerts for unusual access attempts. This aligns with the ASD Essential Eight strategies for improving cybersecurity resilience.
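The access review described in the tips above is easiest to evidence when it is mechanical: take the current access export, compare it against the HR roster and the role-to-entitlement matrix that records business need, and report anything outside that matrix. The script below is an added example and is not Control Stack's or ISO's code; the roster, role matrix, permission names and CSV export format are all constructed for illustration, and a real review would feed in the organisation's own HR and IAM exports. It flags leavers who still hold access, identities unknown to HR, active staff holding permissions their role does not need (privilege creep), and roles with no defined entitlements, then builds a revocation plan for the findings that can be actioned without further judgement.

```python
import csv
import io
from dataclasses import dataclass

# --- Constructed sample inputs (not real organisational data) ---

# HR roster: identity -> role and employment status, as an HR system would export it.
HR_ROSTER = {
    "alice": {"role": "accounts_payable", "status": "active"},
    "bob":   {"role": "helpdesk",         "status": "active"},
    "carol": {"role": "payroll",          "status": "terminated"},
}

# Role matrix: the entitlements each role needs to do its job (the 'business need'
# the policy is built on). Anything outside this set is, by definition, unnecessary.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:ap:read", "erp:ap:write"},
    "helpdesk":         {"ad:password_reset", "ticketing:read"},
    "payroll":          {"hr:payroll:read", "hr:payroll:write"},
}

# Current access export from the systems under review, as a user,permission CSV.
# (Constructed: alice kept a payroll permission from a previous role, carol has
# left but still has access, and svc_legacy is not known to HR at all.)
ACCESS_EXPORT_CSV = """user,permission
alice,erp:ap:read
alice,erp:ap:write
alice,hr:payroll:read
bob,ad:password_reset
bob,ticketing:read
carol,hr:payroll:read
carol,hr:payroll:write
svc_legacy,erp:ap:write
"""


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str            # leaver_with_access | unknown_identity | excess_privilege | undefined_role
    permissions: frozenset


def parse_access_export(text):
    """Turn a user,permission CSV export into {user: set(permissions)}."""
    access = {}
    for row in csv.DictReader(io.StringIO(text)):
        access.setdefault(row["user"].strip(), set()).add(row["permission"].strip())
    return access


def reconcile(roster, role_matrix, access):
    """Compare live access against HR status and role-based business need."""
    findings = []
    for user, perms in sorted(access.items()):
        person = roster.get(user)
        if person is None:
            # Nobody in HR owns this identity: every permission it holds is unverified.
            findings.append(Finding(user, "unknown_identity", frozenset(perms)))
            continue
        if person["status"] != "active":
            # Leaver (or suspended) still holding access: everything should go.
            findings.append(Finding(user, "leaver_with_access", frozenset(perms)))
            continue
        if person["role"] not in role_matrix:
            # Business need for this role was never documented; needs a human review.
            findings.append(Finding(user, "undefined_role", frozenset(perms)))
            continue
        excess = perms - role_matrix[person["role"]]
        if excess:
            findings.append(Finding(user, "excess_privilege", frozenset(excess)))
    return findings


def revocation_plan(findings):
    """Permissions that can be removed without further review: everything held by
    leavers and unknown identities, and only the excess for active staff."""
    actionable = {"leaver_with_access", "unknown_identity", "excess_privilege"}
    plan = {}
    for f in findings:
        if f.kind in actionable:
            plan.setdefault(f.user, set()).update(f.permissions)
    return plan


if __name__ == "__main__":
    current = parse_access_export(ACCESS_EXPORT_CSV)
    for f in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, current):
        print(f"{f.kind:20} {f.user:12} {sorted(f.permissions)}")
```

The reconcile output (kind, user, permissions) is itself the audit evidence an assessor asks for when comparing the permission list against the employee list, and the revocation plan is the record of adjustments made; keeping both from each review gives a dated trail that access rights were checked against role changes and departures.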
Audit / evidence tips
- Ask for: the organisation's access control policy document. Good evidence: a detailed document that matches access levels to business needs and includes statements of security principles such as 'need-to-know'.
- Ask for: a list of current system access permissions, and compare this with an employee list.
- Ask for: a demonstration of the physical access control system (such as card swipe records).
- Ask for: records of access reviews and adjustments.
- Ask for: logs of system access over the past month.
Cross-framework mappings
How Annex A 5.15 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Controls |
|---|---|
| Partially meets | 5 |
| Related | 10 |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (45) | | |
| ISM-0409 | ISM-0409 requires foreign nationals to be restricted from accessing systems that process AUSTEO or REL data unless controls prevent this ... | |
| ISM-0411 | ISM-0411 requires foreign nationals (excluding seconded foreign nationals) to be prevented from accessing AGAO data on systems unless eff... | |
| ISM-0418 | ISM-0418 requires a specific rule for handling physical credentials: keep them separate from the systems they authenticate to except duri... | |
| ISM-0432 | ISM-0432 requires that access requirements for each system and its resources be documented in the system’s security plan | |
| ISM-0441 | ISM-0441 requires controls to ensure temporary system access is limited to only the data required for duties | |
| ISM-0443 | ISM-0443 prohibits granting temporary access to systems that process, store or communicate caveated or sensitive compartmented information | |
| ISM-0487 | ISM-0487 requires organisations to harden passwordless SSH logins by disabling specific SSH capabilities such as port forwarding, agent f... | |
| ISM-0489 | ISM-0489 requires that where SSH-agent (or similar) key caching is used, it is only on workstations/servers with screen locks and the key... | |
| ISM-0530 | ISM-0530 requires a specific access rule: VLAN-managing network devices must be administered from the most trusted security domain | |
| ISM-0551 | ISM-0551 mandates specific access control configuration for IP telephony, including authenticated registration, disabling auto-registrati... | |
| ISM-0611 | ISM-0611 requires that gateway administrators are assigned only the minimum privileges required for their duties | |
| ISM-0622 | ISM-0622 requires IT equipment to prove its identity to networks reached through gateways, which is a specific logical access control req... | |
| ISM-0687 | ISM-0687 requires that mobile devices used to access SECRET or TOP SECRET systems/data are on ASD-approved mobile platforms and operated ... | |
| ISM-0694 | ISM-0694 mandates that privately-owned devices are not permitted to access SECRET and TOP SECRET systems or data | |
| ISM-0854 | ISM-0854 sets a strict rule about where and on what systems AUSTEO and AGAO data may be accessed (Australian Government solely controlled... | |
| ISM-1006 | ISM-1006 requires security measures to prevent unauthorised access to network management traffic | |
| ISM-1014 | ISM-1014 requires individual logins for IP phones used for SECRET or TOP SECRET conversations to ensure user-specific access and accounta... | |
| ISM-1250 | ISM-1250 requires organisations to implement least-privilege file system permissions for server application accounts | |
| ISM-1255 | ISM-1255 requires duty-based restriction of database actions (read/write/change/delete) for database users | |
| ISM-1256 | ISM-1256 requires applying file permissions to database files to protect them from unauthorised access | |
| ISM-1392 | ISM-1392 requires a concrete access restriction outcome: only approved users can modify approved files and write to approved folders when... | |
| ISM-1403 | ISM-1403 requires user accounts (except break glass accounts) to be locked after a maximum of five failed logon attempts, addressing spec... | |
| ISM-1404 | ISM-1404 mandates a specific access control rule: disabling unprivileged access after 45 days of inactivity | |
| ISM-1418 | ISM-1418 requires disabling unnecessary removable media and device reading via device access control or disabling external interfaces | |
| ISM-1432 | ISM-1432 requires organisations to protect online service domain names by using registrar locking and confirming domain registration deta... | |
| ISM-1505 | ISM-1505 requires MFA to be used to authenticate users of data repositories | |
| ISM-1508 | ISM-1508 requires privileged access to be limited to essential duties only | |
| ISM-1530 | ISM-1530 requires classified servers, network devices and cryptographic equipment to be physically secured in security containers appropr... | |
| ISM-1604 | ISM-1604 requires hardening of the virtual server isolation mechanism and restricting access to the administrative interface used to mana... | |
| ISM-1611 | ISM-1611 requires break glass accounts to be used only when normal authentication processes cannot be used (i.e., emergency-only use) | |
| ISM-1649 | ISM-1649 requires organisations to use just-in-time administration to control when administrative access is granted for system administra... | |
| ISM-1746 | ISM-1746 requires a specific access restriction: only approved users can change file system permissions for approved files and folders us... | |
| ISM-1832 | ISM-1832 requires that SPNs are only set on service and computer accounts to reduce unnecessary exposure in Active Directory | |
| ISM-1839 | ISM-1839 requires that Active Directory account properties visible to unprivileged users are not used to store passwords | |
| ISM-1841 | ISM-1841 requires restricting the ability to join computers to a domain so that unprivileged users cannot perform domain joins | |
| ISM-1933 | ISM-1933 requires an explicit logical access restriction: SPN service accounts must not have DCSync (directory replication) permissions | |
| ISM-1936 | ISM-1936 addresses a specific logical access control weakness by requiring organisations not to use the sIDHistory attribute on user acco... | |
| ISM-1946 | ISM-1946 requires organisations to enforce a specific logical access rule: unprivileged users must not be able to write to certificate te... | |
| ISM-1985 | ISM-1985 requires restricting who can access event logs to authorised individuals | |
| ISM-2014 | ISM-2014 focuses on enforcing client authentication and authorisation when internal network APIs are called to access non-public data | |
| ISM-2048 | ISM-2048 requires a specific access control outcome: non-admin users are blocked from changing their own permissions or privileges in rol... | |
| ISM-2092 | ISM-2092 requires organisations to implement access control policies that enforce fine-grained permissions specifically for artificial in... | |
| ISM-2093 | ISM-2093 requires organisations to implement RBAC in AI applications to prevent unauthorised access to sensitive AI data | |
| ISM-2095 | ISM-2095 prohibits personnel from granting unapproved AI agents access when using privately-owned devices to access OFFICIAL: Sensitive o... | |
| ISM-2098 | ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections | |
| Partially overlaps (3) | | |
| ISM-0258 | ISM-0258 requires organisations to develop, implement and maintain a web usage policy governing web access and use | |
| ISM-1327 | Annex A 5.15 requires rules and procedures to control physical and logical access to information and associated assets | |
| ISM-2080 | ISM-2080 states that password complexity requirements are not imposed for passwords | |
| Supports (18) | | |
| ISM-0027 | ISM-0027 requires system owners to obtain an authorisation to operate from an authorising officer, based on acceptance of the security ri... | |
| ISM-0407 | ISM-0407 requires a secure record of user identities, access approvals, access levels, periodic reviews, changes and withdrawal | |
| ISM-0408 | ISM-0408 requires systems to display a logon banner reminding users of their security responsibilities when they authenticate | |
| ISM-0434 | ISM-0434 requires employment screening and, where necessary, security clearance before personnel are granted access to systems and resources | |
| ISM-0484 | ISM-0484 ensures secure remote access behaviour for SSH by disabling insecure options like direct root login and empty passwords | |
| ISM-0664 | ISM-0664 requires that any data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trustworthy source before exp... | |
| ISM-0853 | ISM-0853 requires inactive user sessions to be terminated after an appropriate period of inactivity and for workstations to be restarted ... | |
| ISM-1053 | ISM-1053 requires classified servers, network devices and cryptographic equipment to be secured within appropriately classified security ... | |
| ISM-1603 | ISM-1603 requires disabling authentication methods that are susceptible to replay attacks | |
| ISM-1633 | ISM-1633 requires system owners and authorising officers to determine the system boundary, business criticality and security objectives b... | |
| ISM-1748 | ISM-1748 requires that email client security settings cannot be changed by users | |
| ISM-1773 | ISM-1773 mandates national eligibility for administering specific gateways | |
| ISM-1816 | ISM-1816 requires controls to prevent unauthorised changes to the authoritative source for software | |
| ISM-1865 | ISM-1865 requires a precondition for access: personnel must agree to comply with system usage policies before being granted access | |
| ISM-2005 | ISM-2005 requires the board or executive committee to understand critical systems, where they reside, and who has access, including how c... | |
| ISM-2074 | ISM-2074 requires a general-purpose AI usage policy that sets expectations and constraints for using AI tools | |
| ISM-2097 | ISM-2097 requires always on VPN on mobile devices to enforce a protected and controlled network path back to organisational services | |
| ISM-2100 | ISM-2100 addresses a specific confidentiality risk by prohibiting viewing classified information on mobile devices within or near connect... | |
| Depends on (3) | | |
| ISM-0665 | ISM-0665 requires organisations to control who (people/services) is verified and authorised to export SECRET and TOP SECRET data | |
| ISM-1420 | ISM-1420 requires organisations to ensure non-production environments meet production-equivalent security before using production data in... | |
| ISM-1439 | ISM-1439 requires a defined approach to preventing origin IP disclosure and restricting origin server access to CDNs and authorised manag... | |
| Related (9) | | |
| ISM-0217 | Annex A 5.15 requires organisations to define and implement physical and logical access control rules for assets | |
| ISM-0269 | Annex A 5.15 requires organisations to define and implement rules controlling access to information based on business and security requir... | |
| ISM-0343 | Annex A 5.15 requires access control rules and procedures for controlling access to information and associated assets | |
| ISM-0405 | Annex A 5.15 requires organisations to establish and implement access control policies and procedures based on business and security requ... | |
| ISM-0447 | Annex A 5.15 requires organisations to establish and implement rules and procedures to control logical and physical access to information... | |
| ISM-1182 | Annex A 5.15 requires rules to control logical and physical access to information and assets based on business need | |
| ISM-1612 | Annex A 5.15 requires defined access control policies and procedures, including rules governing elevated access | |
| ISM-1813 | Annex A 5.15 requires rules and procedures to control logical access to information assets | |
| ISM-1844 | Annex A 5.15 requires rules and procedures that control logical access to systems and associated services | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.