A.8.3 — Information Access Restriction

A marketing manager can export the entire customer database including payment details. The HR portal lets any employee view salary data for other departments. A shared drive grants read access to the entire organization by default. A.8.3 tackles these situations: the control requires that access to information is restricted based on the access control policy and enforced at the system level.

While A.5.15 defines who should have access to what, A.8.3 ensures these rules are technically implemented — through role assignments, permission configurations and access restrictions within each system.

What does the standard require?

Enforce the access control policy technically. Every system restricts access based on user identity, role and specific permissions (read, write, delete, execute).
Apply least privilege. Users receive only the minimum permissions needed for their tasks. The default state is no access.
Support dynamic access decisions. Where appropriate, implement real-time access control based on context — time of day, location, device posture, sensitivity of the data.
Restrict data export and sharing. Control actions such as printing, copying, screen capture and data export to prevent unauthorized data leakage.
Protect data shared externally. When information is shared outside the organization, apply encryption and access restrictions that persist beyond the organizational boundary.

In practice

Map roles to permissions. For each application and system, define which roles exist and what each role can do. Document this in a role-permission matrix. Review the matrix with asset owners to ensure it matches business requirements.

Implement RBAC or ABAC consistently. Choose a model and apply it across all systems. In cloud environments, leverage native IAM services (Azure AD roles, AWS IAM policies, GCP IAM). On-premises, use Active Directory groups mapped to application roles.

Enable conditional access where possible. Modern identity platforms support conditional access policies: require MFA from untrusted networks, block access from non-compliant devices, restrict access to sensitive data outside business hours. These policies enforce A.8.3 dynamically.

Audit effective permissions regularly. The permissions a user actually has (effective permissions) can differ from what you intended. Run regular reports showing who has access to what, and compare against the role-permission matrix.

Typical audit evidence

Auditors typically expect the following evidence for A.8.3:

Role-permission matrix — documented mapping of roles to system permissions (see Access Control Policy in the Starter Kit)
System access configuration — screenshots or exports showing access restrictions
Conditional access policies — configuration of dynamic access rules
Effective permission reports — evidence that actual permissions match intended permissions
Exception documentation — approved deviations from the standard role model

KPI

Percentage of systems with enforced role-based information access restrictions

Measured as a percentage: how many of your information-processing systems have documented role-based access restrictions that are technically enforced? Target: 100%.

Supplementary KPIs:

Number of users with permissions exceeding their role definition
Percentage of applications with a documented role-permission matrix
Number of access restriction exceptions pending review

BSI IT-Grundschutz

A.8.3 maps to the BSI identity and access management modules:

ORP.4 (Identity and Access Management) — core module requiring a documented authorization concept, role definitions and enforcement of the least-privilege principle.
APP.2.1–APP.2.3 (Directory Services) — technical enforcement of access restrictions through Active Directory, LDAP and comparable systems.
OPS.1.1.2 (Orderly IT Administration) — restrictions on administrative access to system-level functions.

A.5.15 — Access Control: The organizational policy that A.8.3 enforces technically.
A.8.2 — Privileged Access Rights: Privileged access as a special, tightly controlled subset.
A.8.4 — Access to Source Code: Access restrictions applied specifically to source code repositories.
A.8.5 — Secure Authentication: Authentication as the prerequisite for access restriction.

Sources

ISO/IEC 27001:2022 Annex A, Control A.8.3 — Information access restriction
ISO/IEC 27002:2022 Section 8.3 — Implementation guidance for information access restriction
BSI IT-Grundschutz, ORP.4 — Identity and Access Management

Frequently asked questions

What is the difference between A.5.15 and A.8.3?

A.5.15 defines the organizational rules (the policy), A.8.3 deals with the technical enforcement of those rules within systems and applications. A.5.15 says who should have access; A.8.3 ensures the system actually enforces it.

Is role-based access control (RBAC) mandatory?

ISO 27001 does not prescribe RBAC specifically, but it is the most common and auditor-friendly approach. Attribute-based access control (ABAC) is equally acceptable as long as access decisions are documented and auditable.

How do we handle dynamic access control?

ISO 27002 explicitly mentions dynamic access management — real-time decisions based on context such as time, location, device posture. This is increasingly implemented through zero-trust architectures and conditional access policies in cloud environments.

Responsible	IT Administrator
Accountable	Information Security Officer / (C)ISO
Consulted	Asset Owner, Head of IT, IT Administrator, IT Security Officer, Legal Counsel
Informed	All Employees, Asset Owner, Department Head, Head of IT, Incident Response Team, Internal Auditor, Legal Counsel, Top Management