Need-to-know and need-to-use are access principles that restrict information and system access to individuals who genuinely require it for their current task. Even if someone holds the appropriate security clearance, access is granted only when the need is demonstrated. These principles complement the principle of least privilege and are anchored in ISO 27001 Annex A.5.10. In practice, you implement need-to-know by assigning permissions at the project level and regularly reviewing whether the need still exists.
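The rule described above, as an added example that is not taken from the original page: access requires both sufficient clearance and a project-level grant whose need has been confirmed recently. The classification labels, the 90-day review interval, the fail-closed handling of overdue reviews, and all names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumed review cadence, not from the page
LEVELS = {"internal": 1, "confidential": 2, "secret": 3}  # constructed labels


@dataclass(frozen=True)
class Grant:
    user: str
    project: str
    justification: str   # the demonstrated need, recorded when access is granted
    last_reviewed: date  # last time an owner confirmed the need still exists


def review_due(grant: Grant, today: date) -> bool:
    """True when the need behind this grant has not been re-confirmed in time."""
    return today - grant.last_reviewed > REVIEW_INTERVAL


def may_access(user, clearance, project, classification, grants, today) -> bool:
    # Clearance is necessary but never sufficient on its own.
    if LEVELS[clearance] < LEVELS[classification]:
        return False
    # Need-to-know: a grant for this exact project whose review is current.
    # Assumption: an overdue review fails closed instead of silently persisting.
    return any(
        g.user == user and g.project == project and not review_due(g, today)
        for g in grants
    )


def grants_to_review(grants, today):
    """Grants an owner must re-justify or revoke in the next review cycle."""
    return [g for g in grants if review_due(g, today)]


# Constructed sample data
TODAY = date(2024, 6, 1)
GRANTS = [
    Grant("alice", "apollo", "lead engineer on apollo", date(2024, 5, 1)),
    Grant("bob", "apollo", "temporary audit support", date(2024, 1, 10)),
]

if __name__ == "__main__":
    print(may_access("alice", "secret", "apollo", "confidential", GRANTS, TODAY))
    print(may_access("alice", "secret", "hermes", "confidential", GRANTS, TODAY))
    print([g.user for g in grants_to_review(GRANTS, TODAY)])
```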