Access Control Policy

Created:   Mar 13, 2023 Last commented:   Mar 15, 2023

In the Access Control Policy, do we really need to list down EVERY SINGLE network (firewall, switches, monitoring apps, etc.), system (on-prem, cloud-based, backup, etc.), outsourced services, physical area (office, datacentre) that we use? We probably have around 100+ of those and that would take us a lot of time. Is there any other way to simplify this?

Expert
Rhand Leal Mar 15, 2023

You need to include in the Access Control Policy only assets you control.

To make management easier, you can list high-level assets that share common access rules, instead of separate elements. For example, you can include “users' network” and “development network” instead of listing individual firewalls, switches, and monitoring apps that belong to a network. The same idea applies to systems and physical areas.

For further information, see:
