
Need to know

The need-to-know principle grants access to information only to those people who demonstrably require that access to carry out a specific job-related task.

The need-to-know principle is a foundational building block of information security. It states that a person may access only the information they genuinely require to perform their specific task. What matters is not hierarchical position or a general authorisation, but a demonstrable, case-by-case business need. By enforcing this, the principle limits the attack surface, reduces the risk of data leakage and insider threats, and is closely related to the principle of least privilege.

In practice, the need-to-know principle is implemented through access controls, role-based access concepts (RBAC) and a sound information classification scheme. Access rights are granted restrictively (deny by default), reviewed regularly through recertification, and revoked once the need disappears, for example when an employee changes roles or positions. Complete logging ensures that access remains traceable and that violations can be detected.

The need-to-know principle is firmly embedded in law and standards. ISO/IEC 27001 requires need-based access control in its Annex A, the BSI IT-Grundschutz addresses it in the module on identity and authorisation management, and the NIS2 Directive demands risk-appropriate access control measures. The GDPR likewise presupposes the principle indirectly through its principles of data minimisation and integrity and confidentiality (Art. 5(1)(f), Art. 32 GDPR) as well as through confidentiality obligations.

Legal Basis

ISO/IEC 27001 Annex A (A.5.15 Access control); BSI IT-Grundschutz ORP.4; Art. 21 NIS2 Directive; Art. 5(1)(f) and Art. 32 GDPR

Practical Example

An HR officer needs access to the salary data of the employees she looks after, but not to that of the entire workforce. The information security officer therefore configures a role-based authorisation profile in the HR software that restricts access to her assigned group of people. If the officer moves to another department, her HR permissions are revoked automatically, and the next periodic recertification documents that no orphaned access remains.
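The following is an added example, not preeco's code and not taken from the page, that models the controls described above and in the practical example: role-based authorisation with deny by default, a need-to-know scope that limits an HR officer to her assigned employees, automatic revocation on a department change, an access log for every decision, and a recertification routine that reports orphaned access. All role names, user ids, employee ids and salary figures are constructed for illustration.

```python
"""Minimal RBAC model enforcing need-to-know (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Role:
    name: str
    owning_department: str   # only members of this department may hold the role
    permissions: frozenset   # e.g. frozenset({"salary:read"})


@dataclass
class User:
    user_id: str
    department: str
    roles: set = field(default_factory=set)   # role names held
    scope: set = field(default_factory=set)   # employee ids this user looks after


@dataclass(frozen=True)
class SalaryRecord:
    employee_id: str
    salary: int


class HRSystem:
    """Toy HR back end: deny-by-default authorisation, audit log, recertification."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.users: dict[str, User] = {}
        self.records: dict[str, SalaryRecord] = {}
        self.log: list[dict] = []

    def _audit(self, actor, action, target, allowed, reason):
        # Every decision, allowed or denied, is logged so access stays traceable.
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                         "action": action, "target": target, "allowed": allowed, "reason": reason})

    def assign_role(self, user_id, role_name, scope):
        user, role = self.users[user_id], self.roles[role_name]
        if user.department != role.owning_department:
            raise ValueError(f"{user_id} is not in {role.owning_department}")
        user.roles.add(role_name)
        user.scope |= set(scope)
        self._audit("admin", "assign_role", f"{user_id}:{role_name}", True, "business need documented")

    def revoke_all(self, user_id, reason):
        user = self.users[user_id]
        user.roles.clear()
        user.scope.clear()
        self._audit("admin", "revoke_all", user_id, True, reason)

    def change_department(self, user_id, new_department):
        # A role change removes the need: revoke first, then move the user.
        self.revoke_all(user_id, f"department change to {new_department}")
        self.users[user_id].department = new_department

    def read_salary(self, actor_id, employee_id) -> SalaryRecord:
        # Deny by default: access is granted only when every check passes.
        actor = self.users.get(actor_id)
        allowed, reason = False, "no such user"
        if actor is not None:
            has_perm = any("salary:read" in self.roles[r].permissions for r in actor.roles)
            if not has_perm:
                reason = "no salary:read permission"
            elif employee_id not in actor.scope:
                reason = "employee outside need-to-know scope"
            elif employee_id not in self.records:
                reason = "no such record"
            else:
                allowed, reason = True, "permission and scope match"
        self._audit(actor_id, "salary:read", employee_id, allowed, reason)
        if not allowed:
            raise PermissionError(reason)
        return self.records[employee_id]

    def recertify(self) -> list[str]:
        # Periodic review: report assignments that no longer match a business need.
        findings = []
        for user in self.users.values():
            for role_name in user.roles:
                if self.roles[role_name].owning_department != user.department:
                    findings.append(f"{user.user_id} holds {role_name} but is in {user.department}")
            for emp in user.scope:
                if emp not in self.records:
                    findings.append(f"{user.user_id} scope references unknown employee {emp}")
            if user.scope and not user.roles:
                findings.append(f"{user.user_id} has a scope but no role")
        return findings


def _attempt(hr, actor, employee):
    try:
        hr.read_salary(actor, employee)
        return "allowed"
    except PermissionError as exc:
        return str(exc)


def demo() -> dict:
    hr = HRSystem()
    hr.roles["hr_officer"] = Role("hr_officer", "HR", frozenset({"salary:read"}))
    for emp, sal in [("E100", 52000), ("E101", 61000), ("E200", 48000)]:   # constructed data
        hr.records[emp] = SalaryRecord(emp, sal)
    hr.users["anna"] = User("anna", "HR")
    hr.users["bob"] = User("bob", "Sales")
    hr.assign_role("anna", "hr_officer", {"E100", "E101"})   # anna looks after E100 and E101 only
    result = {"in_scope": hr.read_salary("anna", "E100").salary,
              "out_of_scope": _attempt(hr, "anna", "E200"),
              "no_role": _attempt(hr, "bob", "E100")}
    hr.change_department("anna", "Finance")                  # need disappears, rights are revoked
    result["after_move"] = _attempt(hr, "anna", "E100")
    result["findings_clean"] = hr.recertify()
    hr.users["bob"].roles.add("hr_officer")                  # simulate a stale grant that bypassed assign_role
    result["findings_stale"] = hr.recertify()
    result["denied_events"] = sum(1 for e in hr.log if not e["allowed"])
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scope check is what turns plain RBAC into need-to-know: holding the HR role is necessary but not sufficient, and the log records the reason for each denial, which is the evidence a recertification or incident review needs.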

FAQ

What is the difference between need-to-know and least privilege?
Need-to-know concerns access to information: who needs which data for their task? Least privilege extends the idea to rights and system functions in general and grants only the minimum permissions required. The two principles complement each other and are implemented together in practice.

How is the need-to-know principle implemented in practice?
Common measures include role-based access concepts (RBAC), restrictive provisioning following a deny-by-default approach, and an upstream information classification scheme. Access rights are recertified regularly, revoked once the need disappears, and logged consistently to ensure traceability.

Which laws and standards require the need-to-know principle?
It is embedded in several frameworks, such as ISO/IEC 27001, the BSI IT-Grundschutz, and indirectly in the security requirements of the NIS2 Directive. The GDPR principles of data minimisation and confidentiality also create a data protection obligation to restrict access according to actual need.
