Access control is not just a technical configuration — it is a documented, managed process that ISO 27001 auditors examine closely. In virtually every Stage 2 audit, auditors will sample access rights: they pick a handful of users, ask what systems they have access to, and check whether that access is appropriate and documented. If you cannot demonstrate a structured process for granting, reviewing, and revoking access, this becomes a finding.
The Core Access Control Principles
Annex A.5.15 sets the policy foundation. Three principles underpin all access control requirements in the standard:
Least Privilege
Users should have access to only the systems and data required for their specific role — no more. Wherever possible, access should be assigned to roles rather than to individual people.
Need-to-Know
Access to sensitive information should be granted only to those who need it to perform their function. Access to all data by default is not acceptable.
Separation of Duties
Critical or sensitive functions should be split across multiple roles so that no single individual can complete a sensitive action without oversight.
The Joiner / Mover / Leaver Process
The most practical way to implement A.5.15, A.5.16, and A.5.18 is through a documented joiner/mover/leaver (JML) process. This process defines exactly what access actions occur at each employment lifecycle stage.
Joiner
- Role-based access provisioned
- MFA configured
- Access documented and approved
- Device enrolled
Mover
- Previous access reviewed
- No-longer-needed access revoked
- New role access provisioned
- Change documented
Leaver
- All access revoked on last day
- Accounts disabled/deleted
- Devices recovered
- Revocation documented
Auditors commonly ask: "Show me the last three leavers and evidence that their access was revoked."
Access Reviews: How Often and What to Record
A.5.18 requires that access rights are reviewed at regular intervals. For most organisations, quarterly reviews of privileged access and semi-annual reviews of standard access are a practical and defensible cadence. What matters to auditors is not the frequency itself — it is that reviews are documented, that findings are acted on, and that inappropriate access is revoked.
Your access review record should show: the date of the review, who conducted it, which systems were reviewed, what was found (including any access that was revoked or changed as a result), and who approved the review outcome.
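The leaver check and the review record described above, as an added example that is not part of the original article: it reconciles a constructed HR leaver export against a constructed account export, flags any account still enabled or disabled late, and emits a review record with the fields listed above. System names and user ids are assumptions.

```python
from datetime import date

# Constructed sample data (not from any real system): an HR export and an
# identity-provider account export, both keyed by a hypothetical user id.
HR_RECORDS = {
    "u001": {"name": "A. Example", "last_day": date(2024, 3, 29)},
    "u002": {"name": "B. Example", "last_day": date(2024, 4, 12)},
    "u003": {"name": "C. Example", "last_day": None},  # current employee
    "u004": {"name": "D. Example", "last_day": date(2024, 5, 3)},
}
ACCOUNTS = [
    {"user": "u001", "system": "okta", "enabled": False, "disabled_on": date(2024, 3, 29)},
    {"user": "u001", "system": "github", "enabled": True, "disabled_on": None},
    {"user": "u002", "system": "okta", "enabled": False, "disabled_on": date(2024, 4, 20)},
    {"user": "u002", "system": "aws", "enabled": False, "disabled_on": None},
    {"user": "u003", "system": "okta", "enabled": True, "disabled_on": None},
    {"user": "u004", "system": "okta", "enabled": False, "disabled_on": date(2024, 5, 3)},
    {"user": "u004", "system": "aws", "enabled": False, "disabled_on": date(2024, 5, 3)},
]


def _as_date(value):
    """Accept either a date or an ISO 8601 string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def leaver_findings(hr, accounts, as_of):
    """Reconcile everyone whose last day is on or before `as_of` against the
    account export. A finding is an account that is still enabled, was disabled
    after the last day, or carries no dated evidence of revocation."""
    as_of = _as_date(as_of)
    findings = []
    for uid, rec in hr.items():
        last_day = rec["last_day"]
        if last_day is None or last_day > as_of:
            continue  # not a leaver within the review window
        for acct in (a for a in accounts if a["user"] == uid):
            if acct["enabled"]:
                findings.append((uid, acct["system"], "still enabled"))
            elif acct["disabled_on"] is None:
                findings.append((uid, acct["system"], "no dated revocation evidence"))
            elif acct["disabled_on"] > last_day:
                findings.append((uid, acct["system"], f"disabled late ({acct['disabled_on']})"))
    return findings


def access_review_record(reviewer, approver, systems, hr, accounts, as_of):
    """Build the record auditors expect: date, reviewer, scope, findings, approver."""
    return {"review_date": _as_date(as_of).isoformat(), "conducted_by": reviewer,
            "systems_reviewed": sorted(systems),
            "findings": leaver_findings(hr, accounts, as_of), "approved_by": approver}
```

Each finding maps directly to an action (revoke, or record the missing revocation date) and the completed record is the evidence to keep for the next twelve months.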
Privileged Access Management
Privileged accounts — administrator accounts, root access, database credentials, service accounts — carry higher risk and require stricter controls. A.5.15 and A.8.2 address this. Auditors will ask how many users have privileged access, how that access is authorised, and whether it is regularly reviewed. Generic shared admin accounts with no individual accountability are a common finding.
What Satisfies Auditors vs What Fails
Satisfies audit
- ✓ Documented access control policy referencing least privilege and JML
- ✓ Joiner onboarding checklist with access provisioning sign-off
- ✓ Leaver process with dated evidence of access revocation
- ✓ Access review records from the past 12 months with findings
- ✓ MFA enforced for all systems containing sensitive data
Fails audit
- ✗ No documented access control policy
- ✗ Departed employees still have active accounts
- ✗ No records of access reviews — "we review it informally"
- ✗ Shared admin credentials used by multiple people
- ✗ Access provisioning done ad hoc without documented approval
Remote access
If your organisation has remote or hybrid workers — which is most organisations now — you also need to address remote access specifically. A.6.7 requires a dedicated remote working policy. This should cover VPN requirements, acceptable devices, screen privacy, secure home network requirements, and what to do if a device is lost or suspected of being compromised. Auditors will ask whether remote access to sensitive systems requires MFA and whether remote sessions are logged.
If you want help documenting and evidencing your access control implementation, our ISO 27001 consulting service covers Annex A control implementation as part of a guided ISMS build.