GRCWatch
Sign inStart free trial

ISO 27001 5.15: Access Control for Physical and Logical Assets

Access control is the cornerstone of information security. ISO 27001 5.15 requires organizations to establish and enforce rules governing who can access physical and logical assets—protecting sensitive data from unauthorized exposure. Without structured access controls, you're vulnerable to insider threats, data breaches, and compliance failures.

What this means

This control requires you to develop and implement rules that limit access to information and related assets based on legitimate business needs and security risk assessment. Access controls apply to both physical locations (offices, data centers, server rooms) and logical systems (applications, databases, networks). Your access policy must define who gets access, what they can access, under what conditions, and for how long. The control covers authentication (verifying identity), authorization (granting permissions), and accountability (tracking who accessed what and when).

How to comply

  1. 1.Document your access control policy specifying rules for physical and logical access based on business requirements and security risk
  2. 2.Classify information and assets by sensitivity level to determine appropriate access restrictions
  3. 3.Implement role-based access control (RBAC) so employees only access systems and data needed for their job function
  4. 4.Establish authentication mechanisms (passwords, multi-factor authentication, biometrics) to verify user identity
  5. 5.Deploy authorization controls (file permissions, database privileges, network segmentation) to enforce least privilege principle
  6. 6.Conduct access reviews quarterly or semi-annually to remove unnecessary permissions and detect inappropriate access
  7. 7.Implement logging and monitoring to track all access attempts, changes, and data handling activities
  8. 8.Establish procedures for granting, modifying, and revoking access promptly when roles change or employment ends
  9. 9.Enforce physical access controls such as badges, key cards, visitor logs, and restricted area policies
  10. 10.Test and validate access controls through penetration testing and security assessments

Evidence auditors look for

  • Access control policy document aligned with organizational security requirements
  • Asset classification matrix showing sensitivity levels and corresponding access rules
  • Role definitions with associated system and data permissions for each role
  • Active Directory or IAM system configurations showing implemented RBAC
  • Multi-factor authentication (MFA) deployment documentation and user enrollment records
  • Access approval forms and authorization records for system accounts and logical access
  • Quarterly access review reports with documented approvals and removals
  • System access logs showing authentication events, failed login attempts, and permission changes
  • Physical access control records including badge swipes, visitor logs, and door lock audit trails
  • Segregation of duties matrix demonstrating conflicting access restrictions
  • Onboarding and offboarding checklists documenting access provisioning and deprovisioning
  • Security assessment or penetration test reports validating control effectiveness

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates quarterly access reviews, detects orphaned accounts, and generates compliance evidence by continuously monitoring your IAM system—eliminating manual spreadsheets and ensuring ISO 27001 5.15 compliance without the overhead.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.16 — CryptographyISO 27001 5.17 — Physical and Environmental SecurityISO 27001 6.1 — Information Security PoliciesISO 27001 6.2 — Information Security Roles and ResponsibilitiesISO 27001 8.1 — Supplier Relationships