Expert Advice Community

Access directly to a database?

Guest user. Created: Jun 10, 2016. Last commented: Jun 10, 2016.

Can external clients have access directly to the Oracle database via a read only account?

Antonio Jose Segovia Jun 10, 2016

Answer:
If this information is not confidential, I do not see problems, although giving direct access to the Oracle database is, for me, not a best practice, so it would be better to give this information in another way, for example through a web page (in a Model-View-Controller architectural pattern).

Another recommendation is that you define a classification for the information, so this article can be interesting for you “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

And remember that before the implementation of controls, you need to perform the risk assessment in order to determine what kind of security controls are needed. This article can be interesting for you "The basic logic of ISO 27001: How does information security work?" : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

Finally, this online course can be also interesting for you, because we give more information about the classification of the information “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
