In the Access Control Policy, do we really need to list down EVERY SINGLE network (firewall, switches, monitoring apps, etc), system (on-prem, cloud-based, backup,etc), outsourced services, physical area (office, datacentre) that we use? We probably have around 100+ of those and that would take us a lot of time. Is there any other way to simplify this?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
You need to include in the Access Control Policy only assets you control.
To make management easier, you can list high-level assets that share common access rules, instead of separated elements. For example, you can include “ users' network”, and “development network” instead of listing individual firewalls, switches, and monitoring apps that belong to a network. The same idea applies to systems and physical areas.
For further information, see:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
Comment as guest or Sign in
Mar 15, 2023