Access control
Access control comprises all organisational and technical measures used to define, grant and enforce permissions on IT systems, applications and data, ensuring that only authorised persons can access the resources made available to them.
Access control refers to the entirety of rules and mechanisms that determine which identity (user, service or system) may access which resource, in which way (read, write, execute, delete) and under which conditions. It is a central building block of information security and links the assignment of permissions (rights management) with their technical enforcement. Conceptually, a distinction is made between identification, authentication (proving an identity) and authorisation (checking the specific permission). Common models include role-based (RBAC), attribute-based (ABAC) as well as discretionary and mandatory access control.
Effective access control implements fundamental principles such as the principle of least privilege and the need-to-know principle: permissions are granted only to the extent actually required for the respective task and are reviewed regularly (recertification). This is complemented by the segregation of critical functions (separation of duties), special protection of privileged accounts (privileged access management) and comprehensive logging of access events to ensure traceability and the detection of misuse. Strong authentication methods such as multi-factor authentication increase the reliability of identity verification.
Access control is firmly anchored in law and standards. ISO/IEC 27001 dedicates specific controls to it in Annex A (including A.5.15 access control, A.5.18 access rights, A.8.2 privileged access rights). The BSI IT-Grundschutz addresses it in module ORP.4 (identity and access management). For essential and important entities under the NIS2 Directive, access control including multi-factor authentication is among the mandatory risk-management measures (Art. 21 NIS2). In data protection, it is required as a technical and organisational measure under Art. 32 GDPR to safeguard the confidentiality and integrity of personal data.
Legal Basis
Art. 21(2) NIS2 Directive (EU) 2022/2555; ISO/IEC 27001:2022 Annex A (incl. A.5.15, A.5.18, A.8.2); BSI IT-Grundschutz module ORP.4; Art. 32 GDPR
Practical Example
A mid-sized company that qualifies as an important entity under NIS2 discovers during an internal audit that former employees still hold active accounts and that several staff members have administrator rights they do not need for their work. In response, the information security officer introduces a role-based authorisation concept, links account management to the HR process for automatic deprovisioning, enables multi-factor authentication for all privileged access, and establishes a half-yearly recertification of access rights by the respective business owners. The measures and evidence are documented so that compliance with the risk-management obligations can be demonstrated to the supervisory authority.