
Control 5.15: Access Control


Summary

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. Access must be restricted to authorized users on a need-to-know basis.


Applicability

In-Scope: A fundamental control for all organizations. It is the primary defense against unauthorized access to data and an explicit requirement of nearly every regulatory and certification framework.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Identity Management: Use Entra ID as the single, centralized identity provider for all user accounts and access rights, so that joiner, mover and leaver changes are made in one place and propagate to every connected application.

  • Conditional Access: Implement Conditional Access policies to enforce Zero Trust principles, requiring MFA and a compliant (Intune-managed) or hybrid-joined device for all access requests. Deploy new policies in report-only mode first, review the sign-in log impact, then enforce; always exclude a dedicated break-glass (emergency access) group so an administrator cannot be locked out by the policy.

  • RBAC: Assign Entra ID directory roles and Azure RBAC roles, and group-based permissions in SharePoint and Teams, so that users hold only the permissions their job function requires. Use Privileged Identity Management (PIM) for just-in-time, time-bound activation of administrative roles rather than standing assignments.
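As an added example (not code from the original page), the following Microsoft Graph PowerShell script creates the Conditional Access policy described above in report-only mode and then lists every policy with its state so that disabled or report-only policies are visible during a review. It assumes the Microsoft.Graph PowerShell SDK is installed and that an account with the listed scopes is used; the break-glass group ID is a placeholder to be replaced with the real group.

```powershell
# Added example, not from the original page: create a Zero Trust Conditional
# Access policy (MFA AND compliant device, all users, all cloud apps) in
# report-only mode, excluding a break-glass group.
# Assumptions: Microsoft.Graph PowerShell SDK installed; $breakGlassGroupId is a placeholder.

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns

# Least-privilege scopes needed to read and create Conditional Access policies
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the group holding the emergency-access accounts
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA-ZT-01 Require MFA and compliant device (report-only)"
    # Report-only: evaluated and logged, but not enforced, until impact is reviewed
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                          # both controls required, not either one
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Review step: every policy and its state, so report-only/disabled ones stand out
Get-MgIdentityConditionalAccessPolicy -All |
    Sort-Object DisplayName |
    Select-Object DisplayName, State, Id |
    Format-Table -AutoSize
```

Once the sign-in logs show no unintended lockouts, change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`; the break-glass exclusion should stay in place even after enforcement.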


Evidence Checklist

  • Access Control Policy: A documented policy defining the rules for granting, reviewing, and revoking access.

  • User Access Lists: Current lists of users and their assigned permissions for sensitive systems.

  • Provisioning Records: Evidence of the approval process for granting access to new employees or changing existing permissions.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What is the process for ensuring that a user's access is immediately revoked when they change roles or leave the organization?

  • How often are user access rights reviewed by asset owners to ensure they remain appropriate?

  • Can you demonstrate that privileged accounts (for example, Global Administrators) are only used when necessary and are protected by enhanced security such as MFA, dedicated admin accounts and just-in-time activation?

  • How does the organization identify and handle unauthorized or dormant accounts that have not been used for an extended period?
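The last two questions above are easiest to answer with evidence pulled directly from the tenant. The following script is an added example, not code from the original page: it lists current Global Administrator members and reports enabled accounts with no interactive or non-interactive sign-in in the last 90 days (the threshold is a chosen value, not a standard). It assumes the Microsoft.Graph PowerShell SDK, an Entra ID P1/P2 licence (sign-in activity is not returned otherwise) and the listed scopes.

```powershell
# Added example, not from the original page: evidence for the privileged-account
# and dormant-account audit questions.
# Assumptions: Microsoft.Graph PowerShell SDK; Entra ID P1/P2 (signInActivity);
# 90-day dormancy threshold chosen for illustration.

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "RoleManagement.Read.Directory"

$dormantDays = 90
$cutoff      = (Get-Date).AddDays(-$dormantDays)

# --- 1. Who holds Global Administrator right now ---------------------------
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    $props = $_.AdditionalProperties
    # Members can be users, groups or service principals; UPN only exists for users
    $name = if ($props.ContainsKey('userPrincipalName')) { $props['userPrincipalName'] } else { $props['displayName'] }
    [pscustomobject]@{ Id = $_.Id; Type = $props['@odata.type']; Name = $name }
}
$gaMembers | Format-Table -AutoSize
Write-Output ("Global Administrators: {0} (Microsoft recommends fewer than five)" -f @($gaMembers).Count)

# --- 2. Enabled accounts with no sign-in for $dormantDays days ---------------
$users = Get-MgUser -All -Property "id,userPrincipalName,accountEnabled,userType,createdDateTime,signInActivity"

$dormant = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }   # disabled accounts are handled by the leaver process

    # Use the later of interactive and non-interactive sign-in so service-style
    # accounts that only authenticate non-interactively are not flagged wrongly
    $candidates = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $null -ne $_ }
    $lastSeen = if ($candidates.Count -gt 0) { ($candidates | Sort-Object -Descending)[0] } else { $null }

    # Never-signed-in accounts are judged against their creation date instead
    $reference = if ($null -ne $lastSeen) { $lastSeen } else { $u.CreatedDateTime }

    if ($null -ne $reference -and $reference -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType          # Member vs Guest
            LastSignIn        = $lastSeen
            Created           = $u.CreatedDateTime
            DaysInactive      = [int]((Get-Date) - $reference).TotalDays
        }
    }
}

$dormant | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
$dormant | Export-Csv -Path ".\dormant-accounts.csv" -NoTypeInformation
Write-Output ("Dormant enabled accounts (> {0} days): {1}" -f $dormantDays, @($dormant).Count)
```

The exported CSV, together with the Global Administrator list, is the kind of artefact an auditor will accept as evidence of the periodic review; the review should also record the decision taken for each dormant account (disable, delete or retain with justification).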