Annex A 8.3 ISO/IEC 27001:2022

Restrict access to information and assets

Limit access to information based on set policies to prevent unauthorised use.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Preventative

🧱 ISO 27001 domain

Organisational controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 Maturity levels

N/A

Official control statement
Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

Source: ISO/IEC 27001:2022

Plain language

This control is all about making sure that only the right people can get their hands on sensitive company information. Imagine if just anyone could walk into a bank vault; that would be chaos! If we don't limit access, our valuable information could fall into the wrong hands, leading to data breaches or even legal troubles.

Why it matters

Unrestricted access can lead to data leaks, financial loss, and reputational damage by exposing confidential assets to unauthorised users.

Operational notes

Perform scheduled access recertification for key systems, enforce least privilege via roles, and promptly remove/adjust access on joiner-mover-leaver events.

Implementation tips

  • The IT manager should ensure that access permissions are set correctly: user accounts and roles are configured so that employees can reach only the information they need for their job. This is done by configuring permissions in the applications and systems concerned and by using identity and access management tooling to assign and track those rights.
  • The HR department should maintain an up-to-date roster of employees, their roles and their status, and feed role changes and departures to whoever administers access, so that rights are reviewed and adjusted on joiner, mover and leaver events rather than left to accumulate, as per the guidance in ISO 27002:2022.
  • The board should establish clear policies on who can access what types of information. This involves drafting and approving an access control policy that defines the levels of access based on the sensitivity of the information, referencing the Privacy Act 1988 for the handling of personal data.
  • Supervisors should perform regular checks to ensure compliance with the access policies. They can do this by conducting access reviews and confirming that the rights their staff actually hold match the rules in the access control policy, ensuring alignment with CPS 234.
  • The security officer should configure alerting for unauthorised access attempts. This involves tooling that raises an alert on unusual or denied access to sensitive information, so that each case can be investigated immediately, as suggested by the ISO 27002:2022 guidance.

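The access recertification and joiner-mover-leaver checks in the operational notes, and the alerting on unauthorised access attempts in the implementation tips, can both be driven from the same role-based policy. The following is an added example written for this page, not code from Control Stack or from ISO/IEC 27001; the role policy, HR roster, entitlement export and access log lines are all constructed, and the entitlement names and log format are assumptions about a hypothetical system.

```python
"""Access recertification and access-log reconciliation against a role policy.

Added example for this page (not Control Stack's or ISO's own code).
All data below is constructed: a role-to-entitlement policy standing in
for the topic-specific access control policy, an HR roster as the
joiner-mover-leaver source of truth, an entitlement export from a
hypothetical system, and a few access log lines in an assumed format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: the entitlements each role is allowed to hold.
ROLE_POLICY = {
    "finance-analyst": {"ledger:read", "reports:read"},
    "finance-manager": {"ledger:read", "ledger:write", "reports:read", "reports:approve"},
    "hr-officer": {"hr:read", "hr:write"},
}

# Constructed HR roster: current role and employment status per account.
HR_ROSTER = {
    "alice": {"role": "finance-manager", "status": "active"},
    "bob":   {"role": "finance-analyst", "status": "active"},  # mover: was finance-manager
    "carol": {"role": "hr-officer", "status": "terminated"},   # leaver
    "dave":  {"role": "hr-officer", "status": "active"},
}

# Constructed entitlement export from the system under review.
ENTITLEMENTS = {
    "alice": {"ledger:read", "ledger:write", "reports:read", "reports:approve"},
    "bob":   {"ledger:read", "ledger:write", "reports:read"},  # ledger:write stale after the move
    "carol": {"hr:read", "hr:write"},                          # should have been revoked
    "dave":  {"hr:read"},
    "erin":  {"ledger:read"},                                  # no HR record at all
}

# Constructed access log: timestamp, account, entitlement exercised, outcome.
ACCESS_LOG = """\
2026-03-19T09:00:01Z bob ledger:write ALLOW
2026-03-19T09:00:05Z carol hr:read ALLOW
2026-03-19T09:01:00Z erin reports:approve DENY
2026-03-19T09:01:10Z erin reports:approve DENY
2026-03-19T09:01:20Z erin reports:approve DENY
2026-03-19T09:01:30Z erin reports:approve DENY
2026-03-19T09:01:40Z erin reports:approve DENY
2026-03-19T09:30:00Z dave hr:read ALLOW
"""


def allowed_for(account, roster, policy):
    """Entitlements the policy justifies for an account; empty for leavers and unknown accounts."""
    person = roster.get(account)
    if person is None or person["status"] != "active":
        return set()
    return policy.get(person["role"], set())


def recertify(roster, entitlements, policy):
    """Return (account, finding, detail) tuples for held access the policy does not justify."""
    findings = []
    for account, held in sorted(entitlements.items()):
        person = roster.get(account)
        if person is None:
            findings.append((account, "orphan-account", sorted(held)))
        elif person["status"] != "active":
            findings.append((account, "leaver-access", sorted(held)))
        else:
            excess = held - policy.get(person["role"], set())
            if excess:
                findings.append((account, "excess-entitlement", sorted(excess)))
    return findings


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, entitlement, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, entitlement, outcome = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), account, entitlement, outcome))
    return events


def reconcile_log(events, roster, policy, deny_threshold=5, window=timedelta(minutes=5)):
    """Alert on successful access the policy does not justify, and on bursts of denied attempts.

    A denied-attempt burst is reported once, when the count for (account, entitlement)
    inside the sliding window first reaches deny_threshold.
    """
    alerts = []
    denies = defaultdict(list)
    for ts, account, entitlement, outcome in events:
        if outcome == "ALLOW" and entitlement not in allowed_for(account, roster, policy):
            alerts.append((account, "unauthorised-access", entitlement))
        elif outcome == "DENY":
            key = (account, entitlement)
            denies[key] = [t for t in denies[key] if ts - t <= window] + [ts]
            if len(denies[key]) == deny_threshold:
                alerts.append((account, "denied-burst", entitlement))
    return alerts


if __name__ == "__main__":
    for finding in recertify(HR_ROSTER, ENTITLEMENTS, ROLE_POLICY):
        print("RECERT", *finding)
    for alert in reconcile_log(parse_log(ACCESS_LOG), HR_ROSTER, ROLE_POLICY):
        print("ALERT", *alert)
```

Run against the constructed data, the recertification pass flags bob's stale ledger:write from his previous role, carol's access surviving her departure, and erin as an account with no HR record; the log pass flags the successful accesses by bob and carol that the policy no longer justifies, and erin's run of denied attempts. The recertification findings are the evidence an auditor would expect from the scheduled review, and the log alerts are what the security officer's alerting should be producing between reviews.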
Audit / evidence tips

  • Ask: Request the documented access control policy.
  • Ask: Request logs of access rights assignments and changes.
  • Ask: Request recent access review or audit reports.
  • Ask: Request security alert logs for unauthorised access attempts.
  • Ask: Request a demonstration of any dynamic access management tooling in use (for example just-in-time or time-limited privilege elevation).

Cross-framework mappings

How Annex A 8.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

E8

Control Notes
Partially meets (2)
E8-RB-ML3.1 E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups
E8-RM-ML3.3 E8-RM-ML3.3 restricts modification rights to Trusted Locations to authorised privileged users for macro-related content
Related (3)
E8-RA-ML1.4 Annex A 8.3 requires access to information and associated assets to be restricted in accordance with an access control policy
E8-RB-ML1.5 Annex A 8.3 requires access to information and associated assets to be restricted in accordance with an access control policy
E8-RA-ML3.1 Annex A 8.3 requires restricting access to information and other assets according to a topic-specific access control policy

ASD ISM

Control Notes
Partially meets (48)
ISM-0217 ISM-0217 mandates concrete controls like physical barriers and PV-only access for cabinets containing both non-TOP SECRET and TOP SECRET ...
ISM-0267 ISM-0267 requires blocking access to non-approved webmail services
ISM-0343 ISM-0343 requires organisations to disable write access to removable media and devices where there is no business requirement, implemente...
ISM-0382 ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications
ISM-0409 ISM-0409 requires restrictions on access by foreign nationals to systems handling AUSTEO or REL data
ISM-0411 ISM-0411 requires that foreign nationals are not granted access to AGAO data on systems unless effective controls prevent their access to...
ISM-0443 ISM-0443 prohibits temporary access to secure systems that handle caveated or sensitive compartmented information
ISM-0488 ISM-0488 requires restricting SSH key-based remote access by enforcing a specific command and validating parameters to prevent unauthoris...
ISM-0530 ISM-0530 requires restricting VLAN administrative access so that management occurs only from the most trusted security domain
ISM-0551 ISM-0551 requires only authorised IP phones to be permitted to register and access the telephony network, with unauthorised devices block...
ISM-0558 ISM-0558 requires that public area IP phones are restricted from accessing organisational data networks and telephony services such as vo...
ISM-0611 ISM-0611 requires gateway administrators to have only the minimum privileges necessary for their duties
ISM-0622 ISM-0622 requires IT equipment authentication to other networks accessed via gateways, ensuring only identified devices can traverse the ...
ISM-0694 ISM-0694 requires an explicit prohibition on privately-owned devices accessing SECRET and TOP SECRET systems or data
ISM-0854 ISM-0854 requires that access to AUSTEO and AGAO data is restricted to Australian Government solely controlled systems located in authori...
ISM-1006 ISM-1006 requires security measures to prevent unauthorised access to network management traffic
ISM-1249 ISM-1249 requires that server applications run under separate accounts with only the permissions they need
ISM-1250 ISM-1250 addresses access control by limiting what server application user accounts can do on the server’s file system
ISM-1256 ISM-1256 requires file-based access controls (e.g
ISM-1323 ISM-1323 requires certificates for devices and users accessing wireless networks, restricting who/what can join the WLAN
ISM-1386 ISM-1386 requires that network management traffic can only originate from administrative infrastructure
ISM-1392 ISM-1392 requires enforcing that only approved users can modify approved files and write to approved folders under application control pa...
ISM-1403 ISM-1403 mandates a specific response to failed login attempts by locking accounts after five failures, excluding break glass accounts
ISM-1422 ISM-1422 requires that unauthorised access to the authoritative source for software, such as the source code repository, is prevented
ISM-1439 ISM-1439 requires restricting access to origin web servers so only CDNs and authorised management networks can reach them, and avoiding d...
ISM-1604 ISM-1604 requires hardening of the virtual isolation mechanism and restricting access to its administrative interface
ISM-1611 ISM-1611 limits the use of break glass accounts to emergencies when standard authentication is unavailable
ISM-1612 ISM-1612 requires that break glass accounts are only used for specific authorised activities
ISM-1649 ISM-1649 requires just-in-time administration to restrict administrative access temporally for systems and resources
ISM-1705 ISM-1705 requires that privileged user accounts (excluding backup administrator accounts) cannot access backups belonging to other user a...
ISM-1812 ISM-1812 requires a specific access restriction: unprivileged users must not be able to access backups belonging to other users
ISM-1813 ISM-1813 requires that unprivileged user accounts cannot access their own backup data
ISM-1814 ISM-1814 requires that unprivileged user accounts are prevented from modifying and deleting backups
ISM-1815 ISM-1815 requires that event logs are protected from unauthorised modification and deletion
ISM-1817 ISM-1817 requires that API clients are authenticated and authorised when calling internet-accessible APIs that expose non-public data
ISM-1839 ISM-1839 requires organisations to prevent passwords being stored in Active Directory account properties accessible by unprivileged users
ISM-1841 ISM-1841 requires that only authorised users can add computers to the domain, preventing unprivileged accounts from joining machines
ISM-1846 ISM-1846 requires removal/prevention of user accounts in the Pre-Windows 2000 Compatible Access group to restrict unintended access a...
ISM-1927 ISM-1927 requires restricting access to AD DS domain controllers, AD CS CA servers, AD FS servers and Entra Connect servers to privileged...
ISM-1933 ISM-1933 requires that service accounts configured with an SPN are not granted DCSync permissions (i.e
ISM-1936 ISM-1936 requires that sIDHistory is not used for user accounts, which helps prevent access being granted through historical identifiers ...
ISM-1985 ISM-1985 requires event logs to be protected from unauthorised access
ISM-2009 ISM-2009 requires authenticated and authorised API clients for network API operations that modify data, enforcing least-privilege access ...
ISM-2014 ISM-2014 requires organisations to authenticate and authorise clients calling internal network APIs that expose non-public data
ISM-2048 ISM-2048 requires that non-administrative users cannot alter their own permissions or privileges where multiple user roles exist
ISM-2092 ISM-2092 requires restricting AI application use through fine-grained permissions enforced by access control policies
ISM-2093 ISM-2093 requires RBAC for AI applications to restrict access to sensitive AI data
ISM-2095 ISM-2095 restricts granting unapproved AI agents access to OFFICIAL: Sensitive or PROTECTED systems or data when accessed via privately-o...
Partially overlaps (3)
ISM-0133 Annex A 8.3 requires organisations to restrict access to information and associated assets in accordance with an access control policy
ISM-0462 ISM-0462 requires that when a user authenticates to encryption on IT equipment or media, the equipment/media is treated at its original s...
ISM-1833 ISM-1833 requires Active Directory user accounts to be provisioned with the minimum privileges required
Supports (8)
ISM-0428 ISM-0428 requires services to enforce secure session locking after defined inactivity or maximum session duration, blocking session conte...
ISM-0485 ISM-0485 requires SSH access to be authenticated using public keys, reducing the likelihood of unauthorised access via brute force or cre...
ISM-0870 ISM-0870 requires mobile devices to be carried or stored in a secured state when not being actively used to prevent unauthorised access
ISM-1449 ISM-1449 requires encryption/passphrase protection for SSH private keys to reduce the impact of key theft or copying
ISM-1816 ISM-1816 requires that the authoritative software source, such as source code repositories and release artefacts, is protected to prevent...
ISM-1838 ISM-1838 requires that the Active Directory (AD) UserPassword attribute for user accounts is not used, preventing creation or use of a di...
ISM-1888 ISM-1888 requires mobile devices to be configured with secure lock screens to reduce the likelihood of unauthorised access to the device ...
ISM-2046 ISM-2046 requires systems with impersonation capability to prevent sensitive data from being logged and to enforce appropriate permission...
Related (7)
ISM-0520 Annex A 8.3 requires restricting access to information and associated assets according to an access control policy
ISM-0555 ISM-0555 mandates authentication and authorisation for IP telephony actions such as device registration and voicemail access
ISM-1175 Annex A 8.3 requires restricting access to information and assets per an established access control policy
ISM-1255 Annex A 8.3 requires access to information and associated assets to be restricted in line with access control policy
ISM-1268 Annex A 8.3 requires restricting access to information and assets based on an established access control policy
ISM-1327 Annex A 8.3 requires access to information and associated assets to be restricted in accordance with an established access control policy
ISM-1862 Annex A 8.3 requires restricting access to information and associated assets in line with an access control policy
