AuditXYZ

Access Control: Definition, Types, and Compliance Requirements

Access Control

Access control is the set of security mechanisms that determine who is authorized to access specific information assets, systems, or physical locations, and what actions they are permitted to perform. Authentication establishes who a subject is; access control (authorization) decides what that authenticated subject may do, and a sound implementation fails closed, denying any request that no rule explicitly grants. It is one of the most fundamental security controls and appears as a requirement in virtually every compliance framework.

Types of Access Control

  • Role-Based Access Control (RBAC) — Permissions are assigned to roles, and users are assigned to roles, so a user's effective permissions are the union of the permissions of their roles and nothing is granted to an individual user directly. Keeping permissions off individual users makes provisioning and access reviews tractable, which is why this is the most common model in enterprise environments. Its characteristic failure is role explosion: when every exception becomes a new role, the role catalogue stops reflecting job functions and least privilege erodes.
  • Attribute-Based Access Control (ABAC) — Access decisions are evaluated by a policy over attributes of the subject (department, clearance), the resource (owner, classification), and the environment (time of day, network location, device posture). More flexible than RBAC and able to express fine-grained rules, but more complex: a subject's effective access cannot be read off a role list, so policies are harder to review and audit.
  • Mandatory Access Control (MAC) — A strict model where access is determined by security labels (classification levels and compartments) assigned by a central authority; subjects cannot override, relabel, or delegate them. Common in government and military environments, and available in mainstream operating systems through label-based kernel enforcement such as SELinux.
  • Discretionary Access Control (DAC) — Resource owners control who has access and may grant it to others at their discretion. Common in file systems where users can share their own files (Unix permission bits and ACLs are the usual example). Because any owner can make a resource world-readable, DAC alone does not enforce an organization-wide policy, which is why MAC or RBAC is layered on top where that matters.
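The four models differ in who makes the decision and what input it uses. The following is an added example, not code from the AuditXYZ page, with a minimal policy decision point for each model; every user, role, label, attribute and resource in it is constructed for illustration, and the ABAC policy and MAC level ordering are assumptions chosen to show the mechanism.

```python
"""Minimal policy decision points (PDPs) for RBAC, ABAC, MAC and DAC.

Added example, not from the AuditXYZ page. Every user, role, label, attribute
and resource below is constructed for illustration. Each function answers one
question, 'may this subject perform this action on this object?', and denies
unless a rule explicitly grants (fail closed).
"""
from dataclasses import dataclass, field

# --- RBAC: users -> roles -> permissions; nothing is granted to users directly.
ROLE_PERMISSIONS = {                       # constructed role catalogue
    "analyst": {"reports:read"},
    "finance": {"reports:read", "invoices:read", "invoices:approve"},
    "admin":   {"users:manage"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"finance"}, "carol": {"admin"}}

def rbac_allows(user: str, permission: str) -> bool:
    """A user's effective permissions are the union of their roles' permissions."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# --- ABAC: a predicate over subject, resource and environment attributes.
def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    """Constructed policy: same department; confidential data needs a cleared
    subject; off-network access only during business hours (09:00-18:00)."""
    if subject["department"] != resource["department"]:
        return False
    if resource["classification"] == "confidential" and not subject["cleared"]:
        return False
    if not env["on_corp_network"] and not 9 <= env["hour"] < 18:
        return False
    return True

# --- MAC: labels assigned centrally; users cannot change them. Bell-LaPadula
#     rules: no read up, no write down.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # assumed lattice

def mac_allows(subject_label: str, object_label: str, action: str) -> bool:
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if action == "read":
        return s >= o          # may read at or below own level
    if action == "write":
        return s <= o          # may write at or above own level (nothing leaks down)
    return False               # unknown action: deny

# --- DAC: the owner decides; only the owner may edit the ACL.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permitted actions

    def grant(self, by: str, to: str, action: str) -> bool:
        """Return True if the grant was applied; non-owners are refused."""
        if by != self.owner:
            return False
        self.acl.setdefault(to, set()).add(action)
        return True

    def allows(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.acl.get(user, set())

# Constructed sample attributes for the ABAC policy.
FINANCE_CLERK = {"department": "finance", "cleared": False}
FINANCE_CONTROLLER = {"department": "finance", "cleared": True}
LEDGER = {"department": "finance", "classification": "confidential"}
OFFICE_HOURS_REMOTE = {"on_corp_network": False, "hour": 14}
NIGHT_REMOTE = {"on_corp_network": False, "hour": 23}

if __name__ == "__main__":
    print("RBAC bob approves invoices:", rbac_allows("bob", "invoices:approve"))
    print("ABAC clerk reads ledger:", abac_allows(FINANCE_CLERK, LEDGER, OFFICE_HOURS_REMOTE))
    print("MAC internal reads confidential:", mac_allows("internal", "confidential", "read"))
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC bob reads alice's doc:", doc.allows("bob", "read"))
```

Note the shape of each decision: RBAC and DAC consult a table that an administrator or owner edits, ABAC evaluates a rule at request time, and MAC compares labels that no user can change. The audit question for each model follows from that shape: who can edit the table, who can change the rule, and who assigns the labels.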

Why It Matters for Compliance

ISO 27001 Annex A includes multiple controls related to access management (A.9 in the 2013 edition; 5.15 through 5.18 and 8.2 through 8.5 in the 2022 edition), covering access control policy, identity management, access rights, privileged access, and access reviews. Auditors will verify that access is granted based on business need and the principle of least privilege, and will ask for evidence that the policy is enforced in the systems, not only written down.

SOC 2 Common Criteria CC6.1 through CC6.3 address logical access controls: the access control software and architecture that enforce them (CC6.1), how new users are registered and authorized (CC6.2), and how access is modified, reviewed, and removed (CC6.3). Evidence of regular access reviews, including the review output and the resulting revocations, is a standard audit request.

The HIPAA Security Rule (45 CFR 164.312(a)(1)) requires that covered entities and their business associates implement technical access controls so that only authorized personnel can access electronic protected health information. PCI DSS Requirement 7 mandates that access to system components and cardholder data is restricted by business need to know.

Best Practices

Implement least privilege. Users should have only the minimum access necessary to perform their job functions. Define the entitlements each job function needs and grant from that baseline rather than cloning an existing user's access, which silently inherits every exception that user ever accumulated. Overly broad permissions are a common audit finding.

Conduct regular access reviews. Review user access at least quarterly, comparing each account's entitlements against the role baseline and the HR roster. Promptly revoke access when employees change roles or leave the organization, and treat orphaned accounts (no active owner in HR) and dormant accounts as findings in their own right.

Enforce multi-factor authentication. MFA significantly reduces the risk of unauthorized access from compromised credentials, whether obtained by phishing, credential stuffing, or password reuse. Most frameworks now expect MFA for privileged access at minimum; for administrators, prefer phishing-resistant factors such as FIDO2/WebAuthn over SMS or one-time codes.
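The three practices above reduce to checks that can be run mechanically against an identity provider export and an HR roster. The following is an added example, not tooling from the AuditXYZ page; the roster, export, role baseline, privileged-role list, and 90-day dormancy threshold are all constructed for illustration.

```python
"""Quarterly access review over a constructed IdP export and HR roster.

Added example, not the page's own tooling. All accounts, roles, dates and
thresholds below are made up. Each finding is (user, kind, detail).
"""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 30)          # constructed review date
DORMANT_AFTER = timedelta(days=90)       # assumed dormancy threshold

# Least-privilege baseline: the roles each job function legitimately needs.
BASELINE = {
    "accountant": {"finance_ro", "erp_user"},
    "sre":        {"prod_admin", "vpn"},
    "sales":      {"crm_user"},
}
PRIVILEGED_ROLES = {"prod_admin", "erp_admin", "idp_admin"}

HR_ROSTER = {   # user -> (employment status, job function); constructed
    "alice": ("active", "accountant"),
    "bob":   ("active", "sre"),
    "carol": ("terminated", "sales"),
    "dave":  ("active", "sales"),
}

IDP_EXPORT = [  # constructed identity-provider export
    {"user": "alice", "roles": {"finance_ro", "erp_user", "erp_admin"},
     "mfa": True,  "last_login": date(2024, 6, 28)},
    {"user": "bob", "roles": {"prod_admin", "vpn"},
     "mfa": False, "last_login": date(2024, 6, 29)},
    {"user": "carol", "roles": {"crm_user"},
     "mfa": True,  "last_login": date(2024, 2, 1)},
    {"user": "dave", "roles": {"crm_user"},
     "mfa": True,  "last_login": date(2024, 1, 15)},
    {"user": "svc-backup", "roles": {"prod_admin"},
     "mfa": False, "last_login": date(2024, 6, 30)},
]

def review_access(export, roster, today=REVIEW_DATE):
    """Flag orphaned, over-privileged, dormant and privileged-without-MFA accounts."""
    findings = []
    for acct in export:
        user, roles = acct["user"], acct["roles"]
        status, job = roster.get(user, ("unknown", None))
        if status != "active":
            # Not in HR or not active: revoke regardless of anything else below.
            findings.append((user, "orphaned", f"HR status: {status}"))
        else:
            # Active users: anything beyond the job-function baseline is excess.
            excess = roles - BASELINE.get(job, set())
            if excess:
                findings.append((user, "excess_roles", ",".join(sorted(excess))))
        if today - acct["last_login"] > DORMANT_AFTER:
            findings.append((user, "dormant", f"last login {acct['last_login']}"))
        if roles & PRIVILEGED_ROLES and not acct["mfa"]:
            findings.append((user, "privileged_without_mfa",
                             ",".join(sorted(roles & PRIVILEGED_ROLES))))
    return findings

if __name__ == "__main__":
    for user, kind, detail in review_access(IDP_EXPORT, HR_ROSTER):
        print(f"{user:12} {kind:24} {detail}")
```

The output of such a run, together with the tickets that revoked or remediated each finding, is the kind of access-review evidence the frameworks in the previous section ask for. Service accounts such as the constructed svc-backup show why the roster comparison must cover non-human identities too: an account with no owner in HR is unowned access.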
