Least privilege means that every user, process and system receives only the access rights actually required for its task; anything beyond that is revoked. The principle limits the blast radius of a compromise: an attacker who takes over an account can reach only the resources assigned to that account, unless a separate privilege-escalation weakness lets them go further. For your ISMS, least privilege is a foundational requirement that runs through the entire access control framework, from user accounts to service accounts to API keys. Regular recertifications ensure that once-granted rights do not persist beyond actual need: a grant that is no longer covered by the holder's role, that has not been exercised for a long time, or whose last approval is older than the review cycle is either revoked or explicitly re-approved by its owner.
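The review described above can be automated as a comparison of what is granted against what each principal's roles require, plus two time-based checks. The following is an added example and not part of the original page or any particular ISMS tool; the `Grant` record, the role model, the sample principals and permissions, and the 90-day unused and 180-day recertification thresholds are all assumptions chosen for illustration.

```python
"""Access review for least privilege (added example; data model and thresholds are assumptions).

Compares granted permissions with the permissions a principal's roles require,
flags grants that have not been exercised recently, and flags grants whose last
approval is older than the recertification cycle.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Grant:
    principal: str               # user, service account or API key
    permission: str
    granted_on: date
    last_used: date | None       # None: the right was never exercised
    recertified_on: date | None  # None: never recertified since it was granted


def review_access(grants, role_map, principal_roles, today,
                  unused_days=90, recert_days=180):
    """Return {principal: {"excess": set, "unused": set, "recert_due": set}}."""
    findings = {}
    for g in grants:
        # Required rights are the union of all permissions of the principal's roles.
        # A principal with no roles is entitled to nothing, so every grant is excess.
        roles = principal_roles.get(g.principal, set())
        required = set().union(*(role_map.get(r, set()) for r in roles))
        f = findings.setdefault(
            g.principal, {"excess": set(), "unused": set(), "recert_due": set()})
        if g.permission not in required:
            f["excess"].add(g.permission)
        if g.last_used is None or (today - g.last_used) > timedelta(days=unused_days):
            f["unused"].add(g.permission)
        # The recertification clock starts at the last approval, or at the grant itself.
        baseline = g.recertified_on or g.granted_on
        if (today - baseline) > timedelta(days=recert_days):
            f["recert_due"].add(g.permission)
    return findings


def plan_actions(findings):
    """Turn findings into an ordered work list: rights no role requires are revoked
    outright; unused or overdue rights go back to the owner for recertification."""
    actions = []
    for principal, f in sorted(findings.items()):
        for perm in sorted(f["excess"]):
            actions.append((principal, perm, "revoke"))
        for perm in sorted((f["unused"] | f["recert_due"]) - f["excess"]):
            actions.append((principal, perm, "recertify"))
    return actions


# Constructed sample data for the example; not taken from any real system.
ROLES = {
    "developer": {"repo:read", "repo:write"},
    "ci-deployer": {"repo:read", "deploy:prod"},
}
PRINCIPAL_ROLES = {"alice": {"developer"}, "ci-key-7": {"ci-deployer"}}
TODAY = date(2024, 6, 1)
GRANTS = [
    Grant("alice", "repo:read", date(2023, 1, 10), date(2024, 5, 30), date(2024, 1, 15)),
    Grant("alice", "repo:write", date(2023, 1, 10), date(2023, 9, 1), date(2024, 1, 15)),
    Grant("alice", "deploy:prod", date(2022, 11, 2), None, None),          # left over from an old project
    Grant("ci-key-7", "repo:read", date(2024, 4, 1), date(2024, 5, 31), None),
    Grant("ci-key-7", "deploy:prod", date(2024, 4, 1), date(2024, 5, 31), None),
    Grant("ci-key-7", "admin:*", date(2024, 4, 1), date(2024, 5, 31), None),  # no role requires this
]


def demo():
    return plan_actions(review_access(GRANTS, ROLES, PRINCIPAL_ROLES, TODAY))


if __name__ == "__main__":
    for principal, perm, action in demo():
        print(f"{action:10} {principal:10} {perm}")
```

In the sample data the API key `ci-key-7` holds `admin:*` although its role only needs read and deploy rights, so that grant is revoked; Alice's stale `deploy:prod` is both unrequired and never used, so it is revoked as well, while her unused but role-covered `repo:write` is sent for recertification rather than removed automatically. Treating excess and stale rights differently keeps the review from breaking legitimate but rarely used access.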