In the Access Control Policy, do we really need to list down EVERY SINGLE network (firewall, switches, monitoring apps, etc.), system (on-prem, cloud-based, backup, etc.), outsourced service, physical area (office, datacentre) that we use? We probably have around 100+ of those and that would take us a lot of time. Is there any other way to simplify this?
You need to include in the Access Control Policy only assets you control.
To make management easier, you can list high-level assets that share common access rules, instead of separate elements. For example, you can include “users' network” and “development network” instead of listing the individual firewalls, switches, and monitoring apps that belong to a network. The same idea applies to systems and physical areas.
For further information, see:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
Mar 15, 2023