A new employee joins the IT department and receives the same admin rights as the colleague who left — including access to finance systems, HR records and the production database. Six months later, those rights have never been reviewed. A.5.15 exists to prevent exactly this kind of access sprawl.
Access control is one of the most fundamental security controls. It determines who may access which information and systems, under what conditions. The principle sounds simple; the implementation requires disciplined processes across the entire organisation.
What does the standard require?
- Define an access control policy. The organisation must establish rules for granting, modifying and revoking access to information and associated assets. These rules must be based on business and security requirements.
- Apply need-to-know and least privilege. Users receive access only to the information and systems they need for their current role. Default access is “deny all”; permissions are granted explicitly.
- Cover physical and logical access. The policy must address both physical access to facilities and logical access to systems, applications and data.
- Consider segregation of duties. Access rights must prevent any single person from controlling all phases of a critical process without independent oversight.
- Review access rules regularly. Access control rules must be reviewed when roles change, when systems are modified and at planned intervals.
In practice
Write a clear access control policy. The policy defines the principles: least privilege, need-to-know, default-deny. It assigns responsibility for access decisions to asset owners and describes the request-approve-provision workflow.
Implement role-based access. Map job functions to access profiles. Each profile bundles the permissions needed for a specific role. Maintain a central catalogue of roles and their associated permissions, and review it at least annually.
Automate provisioning and deprovisioning. Integrate your identity management system with HR processes. When HR records a new hire, a role change or a departure, the IAM system adjusts access rights automatically. Manual processes are error-prone and slow — particularly for deprovisioning, where delays create security gaps.
Conduct regular access reviews. At least annually, asset owners must verify that the users who hold access to their systems still need it. Document the review outcome, including any rights that were revoked.
Enforce access controls technically. Firewalls, network segmentation, application-level permissions and operating system controls implement what the policy prescribes. Configuration must match policy — a mismatch is a finding in any audit.
Typical audit evidence
Auditors typically expect the following evidence for A.5.15:
- Access control policy — the overarching document governing access decisions
- Role catalogue — mapping of roles to permissions
- Access review records — documented periodic reviews by asset owners
- Provisioning/deprovisioning logs — evidence of timely access changes upon joiners, movers and leavers
- Technical configuration — firewall rules, group policies, IAM settings that enforce access restrictions
- Exception register — documented deviations from standard access rules with risk acceptance
KPI
% of systems with documented and enforced access control rules
This KPI measures how many systems have formal access rules in place and whether those rules are actually enforced through technical controls. Systems without documented rules or with rules that exist only on paper reduce the score.
Supplementary KPIs:
- Percentage of access reviews completed on schedule
- Average time to deprovision access after an employee departure (target: under 24 hours)
- Number of dormant accounts detected per quarterly sweep
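The provisioning, review and KPI points above (role catalogue, joiner/mover/leaver deprovisioning, dormant-account sweeps) can be exercised with a small reconciliation check that compares an IAM export against the HR feed. This is an added example, not code from the original page or from any IAM product; all records, role and permission names and the 90-day dormancy threshold are constructed assumptions, while the 24-hour deprovisioning target is the page's own.

```python
from datetime import datetime, timedelta

# Constructed role catalogue: each role bundles exactly the permissions it needs.
ROLE_CATALOGUE = {
    "it-helpdesk": {"ad:reset-password", "ticketing:agent"},
    "dba": {"db:prod-admin", "ticketing:agent"},
    "finance-clerk": {"erp:ap-invoices"},
}
# Constructed HR feed: the authoritative source for current role and leave date.
HR_RECORDS = {
    "u1001": {"role": "it-helpdesk", "left": None},
    "u1002": {"role": "dba", "left": datetime(2024, 3, 1, 9, 0)},
    "u1003": {"role": "finance-clerk", "left": None},
}
# Constructed IAM export: what each account actually holds and when it was last used.
IAM_ACCOUNTS = {
    # helpdesk user who inherited db:prod-admin from a departed colleague
    "u1001": {"perms": {"ad:reset-password", "ticketing:agent", "db:prod-admin"},
              "disabled_at": None, "last_login": datetime(2024, 6, 1)},
    # leaver disabled three days after departure, outside the 24-hour target
    "u1002": {"perms": {"db:prod-admin", "ticketing:agent"},
              "disabled_at": datetime(2024, 3, 4, 9, 0), "last_login": datetime(2024, 2, 28)},
    "u1003": {"perms": {"erp:ap-invoices"},  # rights match the role, but dormant
              "disabled_at": None, "last_login": datetime(2023, 5, 1)},
    "svc-legacy": {"perms": {"db:prod-admin"},  # no HR record at all: orphan
                   "disabled_at": None, "last_login": datetime(2024, 6, 2)},
}
REVIEW_DATE = datetime(2024, 6, 30)  # constructed date of the review sweep

def review_access(hr, iam, catalogue, now, dormant_days=90,
                  deprov_sla=timedelta(hours=24)):
    """Return (account id, finding type, detail) for each rule violation found."""
    findings = []
    for uid, acct in iam.items():
        rec = hr.get(uid)
        if rec is None:
            findings.append((uid, "orphan", "no HR record"))
            continue
        if rec["left"] is not None:  # leaver: must be disabled within the SLA
            if acct["disabled_at"] is None:
                findings.append((uid, "leaver-active", "account still enabled"))
            elif acct["disabled_at"] - rec["left"] > deprov_sla:
                findings.append((uid, "deprov-late", str(acct["disabled_at"] - rec["left"])))
            continue
        excess = acct["perms"] - catalogue[rec["role"]]  # least-privilege check
        if excess:
            findings.append((uid, "excess-rights", sorted(excess)))
        if now - acct["last_login"] > timedelta(days=dormant_days):
            findings.append((uid, "dormant", f"last login {acct['last_login']:%Y-%m-%d}"))
    return findings
```

Each finding type maps to one of the evidence items auditors look for: excess rights and orphans feed the access review record, late deprovisioning feeds the 24-hour KPI, and dormant accounts feed the quarterly sweep count.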
BSI IT-Grundschutz
A.5.15 maps to a broad set of BSI modules covering access at all levels:
- ORP.4 (Identity and access management) — the central module for access control policies, role definitions and access reviews.
- APP.2.1 / APP.2.2 / APP.2.3 (Directory services) — technical implementation of access rules in LDAP, Active Directory and similar systems.
- NET.1.1 / NET.1.2 (Network architecture) — network segmentation and firewall rules that enforce access boundaries.
- INF.1.A7 (Building access) — physical access control for facilities.
Related controls
A.5.15 is the central policy control for the access management cluster:
- A.5.14 — Information transfer: Transfer channels must align with access control rules so that only authorised parties can receive information.
- A.5.16 — Identity management: Provides the unique identities against which access rules are enforced.
- A.5.17 — Authentication information: Secures the credentials that prove identity before access is granted.
- A.5.18 — Access rights: Operationalises access control through the lifecycle of granting, reviewing and revoking specific rights.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.5.15 — Access control
- ISO/IEC 27002:2022 Section 5.15 — Implementation guidance
- BSI IT-Grundschutz, ORP.4 — Identity and access management