This snapshot, taken on 04/03/2010, shows web content acquired for preservation by The National Archives. External links, forms and search may not work in archived websites and contact details are likely to be out of date.

ISO/IEC 27002 Section 7

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 7 is Access Control.

Access Control

Access control is about managing direct access to:

  • Information
  • Computer applications
  • Operating system facilities

Effective control ensures that staff have appropriate access to information and applications, and do not abuse it.

Management activities, such as periodic reviews of user accounts and of the rights granted to them, apply as much to IT systems as to physical access control systems. Confidentiality of information is best achieved by ensuring that people have access only to the information they actually need to do their job (the principle of least privilege).

If access rules are too detailed, managing them will be very difficult. If they are too general, people will have access to information or applications that they will never need. A balance must be struck depending on:

  • Needs of the business
  • Security features provided by the systems
  • Trust in staff

Considering security requirements during system design, development and procurement greatly improves the effectiveness of access control. Look for:

  • Strong password enforcement
  • Management of access rights to read, amend, process or delete information
  • Analysis of what users require to do their job
  • Analysis of the security features each system can provide
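The periodic account review and the management of read, amend, process and delete rights described above can be made mechanical: compare the rights each account actually holds with the rights its job role needs, and flag the difference. The following is an added example written for this page, not code from the original page or from BIS or ISO; the role model, the four asset names, the accounts, the 90-day dormancy threshold and the review date are all constructed assumptions.

```python
"""Periodic access-rights review: compare what accounts are actually granted
with what their job role needs, and flag excess rights and dormant accounts.

Added example, not code from the original page or from BIS/ISO. The roles,
assets, accounts, dormancy threshold and review date are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# The four kinds of access right the page distinguishes.
RIGHTS = frozenset({"read", "amend", "process", "delete"})

# Hypothetical role model: the rights each role needs on each information asset.
# An asset missing from a role's entry means that role needs no access to it.
ROLE_ENTITLEMENTS = {
    "clerk":      {"invoices": {"read", "amend"}},
    "supervisor": {"invoices": {"read", "amend", "process"}, "payroll": {"read"}},
    "hr_admin":   {"payroll": {"read", "amend", "process", "delete"}},
}

# Accounts unused for this long are flagged for review (hypothetical policy).
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    user: str
    role: str
    granted: dict      # asset -> set of rights actually configured on the system
    last_login: date


@dataclass(frozen=True)
class Finding:
    user: str
    asset: str         # "*" when the finding concerns the whole account
    kind: str          # "excess", "unknown_right", "unknown_role" or "dormant"
    rights: frozenset = frozenset()


def required_rights(role, asset):
    """Rights the role model says `role` needs on `asset` (empty if none)."""
    return set(ROLE_ENTITLEMENTS.get(role, {}).get(asset, set()))


def review_account(account, today, dormant_after=DORMANT_AFTER):
    """Return the findings a reviewer should act on for one account."""
    findings = []
    if account.role not in ROLE_ENTITLEMENTS:
        # No model to compare against: the whole account needs a manual look.
        findings.append(Finding(account.user, "*", "unknown_role"))
    for asset, granted in account.granted.items():
        granted = set(granted)
        unknown = granted - RIGHTS
        if unknown:
            # A right the model does not know about cannot be justified by it.
            findings.append(Finding(account.user, asset, "unknown_right", frozenset(unknown)))
        if account.role in ROLE_ENTITLEMENTS:
            excess = (granted & RIGHTS) - required_rights(account.role, asset)
            if excess:
                findings.append(Finding(account.user, asset, "excess", frozenset(excess)))
    if today - account.last_login > dormant_after:
        findings.append(Finding(account.user, "*", "dormant"))
    return findings


def remediated_grants(account):
    """The grants an account should keep: what it has, cut down to what its role needs."""
    kept = {}
    for asset, granted in account.granted.items():
        keep = set(granted) & required_rights(account.role, asset)
        if keep:
            kept[asset] = keep
    return kept


def review_all(accounts, today):
    return [f for a in accounts for f in review_account(a, today)]


# Constructed review date and sample accounts.
TODAY = date(2010, 3, 4)
SAMPLE_ACCOUNTS = [
    Account("alice", "clerk", {"invoices": {"read", "amend"}}, TODAY - timedelta(days=3)),
    Account("bob", "clerk", {"invoices": {"read", "amend", "delete"}, "payroll": {"read"}},
            TODAY - timedelta(days=10)),
    Account("carol", "supervisor", {"invoices": {"read", "process"}}, TODAY - timedelta(days=120)),
    Account("dave", "contractor", {"payroll": {"read", "export"}}, TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    for f in review_all(SAMPLE_ACCOUNTS, TODAY):
        print(f"{f.user:6} {f.asset:9} {f.kind:14} {sorted(f.rights)}")
```

Run stand-alone, the script lists one finding per line: bob holds delete on invoices and read on payroll that a clerk does not need, carol's account has not been used for 120 days, and dave has a role the model does not know and a right ("export") outside the four the model manages. Feeding the real system's grant export into `SAMPLE_ACCOUNTS` and the organisation's own role model into `ROLE_ENTITLEMENTS` turns this into the periodic review the page calls for; `remediated_grants` gives the administrator the reduced grant set to apply.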

Use links below for further information:

ISO/IEC 27002 Section 1
ISO/IEC 27002 Section 2
ISO/IEC 27002 Section 3
ISO/IEC 27002 Section 4
ISO/IEC 27002 Section 5
ISO/IEC 27002 Section 6
ISO/IEC 27002 Section 8
ISO/IEC 27002 Section 9
ISO/IEC 27002 Section 10
ISO/IEC 27002 Section 11
ISO/IEC 27002 Explained

If you would like more background information about information security standards, follow this link.