RBAC (Role-Based Access Control) assigns access rights to roles, which are then granted to users. For example, you define a role “Accounting” with read permissions on financial data and assign it to all department members. When a permission changes, you only update the role once. RBAC significantly reduces administrative overhead and minimises the risk of excessive privileges. In an ISMS, RBAC is a key control under ISO 27001 Annex A 5.15 (Access Control). Regular recertification reviews ensure that role assignments remain current.
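To make the mechanics concrete, here is a small worked model of the entry above, added here as an illustration and not taken from the glossary or any ISO text: permissions hang off roles, roles are granted to users, a single change to the role reaches every holder, and a recertification pass reports assignments that are stale or whose holder has moved out of the department that owns the role. All role, user, department and permission names are constructed for the example, and the "owning department" rule is an assumption of this model, not something RBAC itself prescribes.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Assignment:
    """One user-to-role grant together with the date it was last reviewed."""
    user: str
    role: str
    certified_on: date


class Rbac:
    """Minimal RBAC model: role -> permissions, user -> roles, plus review data."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[str]] = {}
        self.role_owner: dict[str, str] = {}   # role -> department that owns it (assumed rule)
        self.user_dept: dict[str, str] = {}    # user -> current department
        self.assignments: list[Assignment] = []

    def define_role(self, role: str, owner_dept: str, perms: set[str]) -> None:
        self.role_perms[role] = set(perms)
        self.role_owner[role] = owner_dept

    def add_permission(self, role: str, perm: str) -> None:
        # The role is updated once; every user holding it gains the permission.
        self.role_perms[role].add(perm)

    def add_user(self, user: str, dept: str) -> None:
        self.user_dept[user] = dept

    def grant(self, user: str, role: str, certified_on: date) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        if user not in self.user_dept:
            raise KeyError(f"unknown user {user!r}")
        self.assignments.append(Assignment(user, role, certified_on))

    def revoke(self, user: str, role: str) -> None:
        self.assignments = [a for a in self.assignments
                            if not (a.user == user and a.role == role)]

    def permissions_of(self, user: str) -> frozenset[str]:
        # Effective permissions are the union over all roles the user holds.
        return frozenset(p for a in self.assignments if a.user == user
                         for p in self.role_perms[a.role])

    def is_allowed(self, user: str, perm: str) -> bool:
        return perm in self.permissions_of(user)

    def recertification_findings(self, today: date, max_age_days: int = 365) -> list[tuple[str, str, str]]:
        """Return (user, role, reason) for every assignment a reviewer must look at."""
        findings = []
        for a in self.assignments:
            if (today - a.certified_on).days > max_age_days:
                findings.append((a.user, a.role, "certification expired"))
            if self.user_dept[a.user] != self.role_owner[a.role]:
                findings.append((a.user, a.role, "user no longer in owning department"))
        return findings


def build_demo() -> Rbac:
    """Constructed scenario: an Accounting role with three holders, one of whom has moved."""
    r = Rbac()
    r.define_role("Accounting", "Finance", {"finance:read"})
    r.add_user("alice", "Finance")
    r.add_user("bob", "Finance")
    r.add_user("carol", "Sales")   # carol transferred out but still holds the role
    r.grant("alice", "Accounting", date(2025, 1, 15))
    r.grant("bob", "Accounting", date(2024, 3, 1))
    r.grant("carol", "Accounting", date(2025, 2, 1))
    return r


if __name__ == "__main__":
    rbac = build_demo()
    print("alice may read:", rbac.is_allowed("alice", "finance:read"))
    rbac.add_permission("Accounting", "finance:export")   # one change, all holders affected
    print("bob may export:", rbac.is_allowed("bob", "finance:export"))
    for finding in rbac.recertification_findings(date(2025, 6, 1)):
        print("review:", finding)
```

The recertification report is the part that usually gets skipped in practice: an access decision only consults the current role graph, so a grant that was correct a year ago stays valid until a review removes it. Feeding `recertification_findings` into a ticket or approval workflow is what turns the Annex A control from a policy statement into a recurring activity.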