
Berechtigungskonzept

Reviewed by: Cenedril Editorial

A Berechtigungskonzept (access control concept) is a documented schema that defines which persons or roles may access which systems, data, and functions. It forms the basis for operational access management.

ISO 27001 Annex A controls A.5.15 (Access Control) and A.5.18 (Access Rights) require a documented access control concept. Core principles are least privilege (only the minimum necessary rights), need-to-know (access only when required by business need), and segregation of duties. The concept typically defines roles, role profiles, approval and revocation processes, and the frequency of access reviews. In practice, it is implemented through Active Directory, LDAP, or IAM systems.
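The rules listed above (role profiles, approval and revocation, segregation of duties, periodic access reviews) can be modelled as a small register that enforces them. The following Python is an added illustration, not code from the Cenedril glossary or any IAM product; the role names, permission strings, the conflicting-permission pair and the 180-day review interval are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed role profiles: each role grants a fixed set of permissions.
# Role and permission names are illustrative, not taken from any real system.
ROLE_PROFILES = {
    "hr_clerk": {"hr.read"},
    "hr_manager": {"hr.read", "hr.approve_payroll"},
    "payroll_operator": {"hr.read", "hr.run_payroll"},
    "it_admin": {"ad.manage_accounts"},
}

# Segregation-of-duties rules: permission pairs one identity must never hold together.
SOD_CONFLICTS = [("hr.approve_payroll", "hr.run_payroll")]

# Constructed access-review frequency; a real concept states its own interval.
REVIEW_INTERVAL = timedelta(days=180)


@dataclass
class Assignment:
    user: str
    role: str
    approved_by: str
    granted_on: date
    revoked_on: Optional[date] = None


class AccessRegister:
    """Tracks role assignments and enforces the rules the concept defines."""

    def __init__(self) -> None:
        self.assignments: list[Assignment] = []

    def active(self) -> list[Assignment]:
        return [a for a in self.assignments if a.revoked_on is None]

    def permissions(self, user: str) -> set[str]:
        # Effective permissions are the union of all active role profiles.
        perms: set[str] = set()
        for a in self.active():
            if a.user == user:
                perms |= ROLE_PROFILES[a.role]
        return perms

    def can_access(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)

    def sod_conflicts_if_granted(self, user: str, role: str) -> list[tuple[str, str]]:
        # Simulate the grant and report every SoD pair it would complete.
        perms = self.permissions(user) | ROLE_PROFILES[role]
        return [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms]

    def grant(self, user: str, role: str, approved_by: str, granted_on: date) -> Assignment:
        if role not in ROLE_PROFILES:
            raise ValueError(f"unknown role: {role}")
        if approved_by == user:
            raise ValueError("an assignment may not be self-approved")
        conflicts = self.sod_conflicts_if_granted(user, role)
        if conflicts:
            raise ValueError(f"segregation-of-duties conflict for {user}: {conflicts}")
        assignment = Assignment(user, role, approved_by, granted_on)
        self.assignments.append(assignment)
        return assignment

    def revoke(self, user: str, role: str, revoked_on: date) -> bool:
        for a in self.active():
            if a.user == user and a.role == role:
                a.revoked_on = revoked_on
                return True
        return False

    def due_for_review(self, today: date) -> list[Assignment]:
        # Active assignments older than the review interval must be re-certified.
        return [a for a in self.active() if today - a.granted_on >= REVIEW_INTERVAL]


if __name__ == "__main__":
    reg = AccessRegister()
    reg.grant("alice", "hr_manager", approved_by="bob", granted_on=date(2024, 1, 10))
    print(reg.can_access("alice", "hr.approve_payroll"))              # True
    print(reg.sod_conflicts_if_granted("alice", "payroll_operator"))  # conflict reported
    print(len(reg.due_for_review(date(2024, 12, 1))))                 # 1
```

The register refuses a grant that would complete a conflicting pair, requires an approver other than the user, and lists assignments that have passed the review interval; a real implementation would read the same rules from the documented concept and apply them to the directory or IAM system that holds the accounts.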