Glossary

Principle of Least Privilege

The principle of least privilege states that every user and system should receive only the access rights strictly necessary for their specific task. Excess permissions increase the attack surface and the potential damage from a compromise. ISO 27001 Annex A.5.15 and A.8.2 require implementation of this principle. In practice, this means role-based access control (RBAC), regular access reviews, and consistent removal of permissions that are no longer needed. Pay special attention to privileged accounts (admin accounts), where a violation of least privilege can have particularly severe consequences.
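As an added illustration (not part of the glossary entry), the Python sketch below shows the three practical measures the entry names: role-based access control with a default-deny check, a periodic access review that flags permissions that were never used or have gone stale, and priority handling of privileged permissions. All role names, users, permissions and last-use dates are constructed sample data, and the 90-day idle threshold is an assumed review policy.

```python
from datetime import date

# Constructed sample data for this example; not taken from any real system.
# RBAC: roles map to permission sets, and users are granted roles, never raw permissions.
ROLES = {
    "developer": {"repo:write", "ci:run"},
    "backup-operator": {"db:read", "storage:write"},
    "admin": {"db:read", "db:write", "iam:manage", "storage:write"},
}
USER_ROLES = {
    "alice": {"developer"},
    "bob": {"backup-operator"},
    "carol": {"admin"},
}
# Permissions whose misuse has outsized impact; these are reviewed first.
PRIVILEGED = {"iam:manage", "db:write"}
# Last observed use of each (user, permission), as would be derived from audit logs.
# A granted pair missing from this table was never exercised at all.
LAST_USED = {
    ("alice", "repo:write"): date(2024, 6, 1),
    ("alice", "ci:run"): date(2024, 5, 30),
    ("bob", "db:read"): date(2024, 5, 28),
    ("carol", "db:read"): date(2024, 6, 2),
    ("carol", "iam:manage"): date(2024, 1, 5),
}


def effective_permissions(user):
    """Union of the permission sets of every role granted to the user."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLES.get(role, set())
    return perms


def is_allowed(user, permission):
    """Default deny: a request succeeds only if some granted role carries the permission."""
    return permission in effective_permissions(user)


def access_review(today, max_idle_days=90):
    """Flag every granted permission that was never used, or not used within
    max_idle_days. Returns findings with privileged permissions first, so the
    reviewer revokes (or re-justifies) the riskiest entitlements before the rest.
    `today` may be a date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for user in USER_ROLES:
        for perm in effective_permissions(user):
            last = LAST_USED.get((user, perm))
            idle_days = None if last is None else (today - last).days
            if idle_days is None or idle_days > max_idle_days:
                findings.append({
                    "user": user,
                    "permission": perm,
                    "privileged": perm in PRIVILEGED,
                    "idle_days": idle_days,  # None means the permission was never used
                })
    findings.sort(key=lambda f: (not f["privileged"], f["user"], f["permission"]))
    return findings


if __name__ == "__main__":
    for finding in access_review("2024-06-03"):
        print(finding)
```

Running the review for 2024-06-03 yields four findings: carol's never-used `db:write` and her `iam:manage`, idle for 150 days, come first because they are privileged; the two never-used `storage:write` grants follow. Each finding is a candidate for removal, which is the "consistent removal of permissions that are no longer needed" step the entry describes.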