Access controls are a fundamental aspect of any organization’s security infrastructure, and they’re crucial for achieving SOC 2 and ISO 27001 certifications. In the digital age, where software as a service (SaaS) is common, implementing robust identity and access management (IAM) solutions is essential.
For example, a SaaS access management platform can help control access to services, monitor usage, and ensure that access is revoked when an employee leaves or changes roles. This not only maintains security but also aids in managing costs and improving efficiency.
However, earning SOC 2 and ISO 27001 certifications isn’t just about meeting a set of criteria, preventing unauthorized access, or securing data. It’s also about demonstrating a commitment to security and data protection — and access controls are a critical part of this commitment.
In addition, it’s about fostering a culture of security within your organization — an environment where every individual understands their role in protecting information.
Access controls are mechanisms that limit access to information and information processing environments. They are a fundamental part of your organization’s security infrastructure, ensuring that only authorized individuals can access specific data or systems.
Implementing access controls for certification can be challenging. Organizations often struggle with understanding the specific access control requirements of the certification, with ensuring that access controls are consistently implemented across the organization, and with managing the complexity of access rights for different users and systems. Furthermore, maintaining up-to-date access controls as employees join, move within, or leave an organization can be difficult.
For both ISO 27001 and SOC 2 certifications, access controls are defined within the certification’s requirements. For ISO 27001, access controls are addressed under Annex A.9, while for SOC 2, access controls form a part of the Common Criteria related to logical and physical access controls. But it’s important to note that neither set of requirements prescribes any specific processes to implement — this is not commonly understood. Instead, they are simply lists of criteria that your processes need to satisfy.
Given that this is a frequent misconception about these certifications, let’s dive deeper into what these criteria and clauses actually mean.
The requirements for SOC 2 and ISO 27001 certifications involve a broad spectrum of information security particulars. You’ll need to implement frameworks such as a comprehensive information security management system (ISMS), conduct regular risk assessments, and establish controls to mitigate identified risks. Understanding why to implement access controls — and which ones to implement — is crucial before looking into helpful tools.
A SOC 2 certification audit evaluates one or more of the five Trust Services Criteria (TSC): security, availability, confidentiality, privacy, and processing integrity. When you’re defining the scope of your audit, you’ll pick which TSCs to evaluate against, with security being mandatory for all audits, as stated in paragraph .08 of the TSC:
“The practitioner may report on any of the trust services categories of security, availability, processing integrity, confidentiality, or privacy, either individually or in combination with one or more of the other trust services categories.”
Please note that the above does not mean you can choose which TSC to include in the audit’s scope. Your auditor will help determine the exact scope of your audit.
An ISO 27001 certification audit works in much the same way, differing mainly in that the TSC are defined as “clauses.”
Organizations often grapple with understanding the specific access control requirements of the certification, approaching certifications as a list of requirements that need to be met. But as mentioned previously, it’s not just about ticking boxes or meeting a set of criteria. It’s about demonstrating, to an auditor, a commitment to security and data protection. Proper access controls are a critical part of this commitment.
In other words, certification criteria/clauses determine the effectiveness of your implementation, while access controls are your implementation. So, whenever “access controls” are mentioned from this point on, know that it’s in relation to principles and processes that you can implement.
Access controls are a critical part of your organization’s security infrastructure. They regulate who can access your data and systems, and to what extent. Implementing effective access controls is not only a requirement for certifications like SOC 2 and ISO 27001, but also a crucial step in safeguarding your organization’s sensitive information.
This guide will explain some of the access controls that can help your organization pass SOC 2 and ISO 27001 audits.
But remember that the access controls highlighted here are not exhaustive. Your organization’s specific needs will depend on various factors, including the nature of your business, the type of data you handle, and your existing security infrastructure.
Use this guide to understand the principles behind effective access controls and to apply these principles when you’re preparing your organization for the certification process.
Shared accounts, especially those with powerful system or service privileges, are a common feature in many organizations. However, if they’re not managed correctly, these accounts can pose a significant security risk.
To meet the access control requirements of certifications like SOC 2 and ISO 27001, authorize individual users — for example, through a password vault. This approach aligns with several Common Criteria (CC) under the TSC, including CC6.1, which emphasizes the need for logical access security measures, and CC6.2, which mandates the registration and authorization of new users before granting system access.
To implement this access control, first identify all shared accounts within your organization. This could include service accounts, administrator accounts, and any other accounts used by multiple individuals. Then, once accounts are identified, implement measures to restrict direct user authentication, such as setting up a password vault.
To meet the “shared accounts” criteria, establish a process for authorizing and registering new users, ensuring that only those with the necessary permissions can access these shared accounts. Regularly review access credentials, and remove access when it is no longer required. In some cases, an account can be shared without sharing the password — an example would be assigning a Gmail alias to multiple employees. However, in cases where the account password is being shared, make sure that your process includes a reset of the password when someone leaves the organization.
Admin access is a critical aspect of access control, and one that directly impacts your organization’s security posture. It’s the highest level of access, allowing individuals to make significant changes to systems, data, and other resources.
As such, restrict admin access to people who absolutely need it, such as application owners or IT staff. This principle is often referred to as the “least privilege” approach, which minimizes the risk of unauthorized access or changes to your systems.
Admin access control satisfies several CC. For instance, CC6.1 emphasizes the need for logical access security measures, including restricting logical access to information assets and identifying and authenticating users. Similarly, CC6.3 focuses on authorizing, modifying, or removing access based on roles and responsibilities, and CC6.6 underscores the importance of implementing security measures to protect against external threats.
To meet the “admin access” criteria, establish a process to keep track of who has access to what, regularly evaluating permissions. Also, make sure to have clear requirements that define who is permitted admin access — for instance, by implementing Role-Based Access Control (RBAC).
User provisioning and deprovisioning are essential components of proper access control. User provisioning involves granting users the appropriate access rights to systems, data, and resources based on their role within the organization. This process should be governed by the principle of least privilege.
Conversely, deprovisioning is the process of revoking these access rights when they are no longer needed. Both processes are crucial for maintaining a secure environment and satisfying CC6.2, which emphasizes the importance of authorizing and managing user access.
To meet the “user provisioning and deprovisioning” criteria, you’ll need a clearly defined process to follow when someone joins the organization and when someone leaves. In terms of onboarding, your process should ensure that access is given only to necessary data and systems, and nothing more. In terms of offboarding, it has to ensure that the former employee cannot and has not retained any access after leaving.
Access reviews — also known as user access reviews — are a crucial part of maintaining robust access controls. They involve regular audits of active user accounts, to ensure that each individual has the appropriate level of access to your systems and data.
This process is vital for identifying and resolving access-related issues and plays a significant role in meeting the criteria for both SOC 2 and ISO 27001 certifications.
Implementing access reviews manually can be a daunting task, especially for larger organizations. However, there are some Identity Governance and Administration (IGA) platforms available that can automate this process. These platforms can provide detailed reports on user access, flagging any potential issues such as excessive permissions or inactive accounts.
To meet the “access reviews” criteria, you’ll once again need a comprehensive overview of how permissions are spread out across your organization. This overview should define who has access to what, what level of access they have, and any identifiers used when granting access (like role or seniority).
You can then use this overview as a basis for the process of access reviews. Outside of simply validating permissions, you also need to document crucial information such as who carried out the access review, when it was performed, what — if anything — has changed, what the results of the review were, and so on.
Access to deploy changes is a critical control; it restricts production environment changes to authorized personnel. This control is crucial in maintaining the integrity and security of your systems, as it ensures that only approved and tested changes are implemented.
It aligns with CC6.1, which emphasizes the implementation of logical access security over protected information assets. By restricting access to deploy changes, you are effectively managing your inventory of information assets, restricting logical access, and managing points of access.
This control also satisfies CC8.1, which focuses on the authorization, design, development, and implementation of changes to meet your organization’s objectives. By having a robust process for deploying changes, you are managing changes throughout the system lifecycle, authorizing changes, tracking system changes, and deploying system changes effectively.
To meet the “access to deploy changes” criteria, establish clear procedures for deploying changes, including a process for authorizing, testing, and approving changes before they are implemented. This also requires regular monitoring and review to ensure that only authorized personnel are deploying changes and that all changes are properly documented and tracked. This aligns with CC6.3, which emphasizes the authorization, modification, or removal of access based on roles and responsibilities.
This implementation could benefit from RBAC, to ensure that access to deploy changes is limited to people with the necessary authority and responsibility, thereby supporting the segregation of incompatible functions.
While the previous sections have focused on principles and processes for implementing access controls manually, it’s important to highlight the significant benefits of automation. Achieving certification without automation is possible — automation is not a strict requirement — however, it will likely present many more difficulties to surmount.
For any organization, tracking who has access to what can be challenging, leading to potential security vulnerabilities. Regular audits are typically conducted to ensure that access rights are appropriate and that no unauthorized access has been granted. However, these manual methods can be time-consuming and may not meet the documentation standards required for SOC 2 or ISO 27001 certification.
Automation can significantly improve the efficiency and accuracy of managing access controls. By automatically tracking and documenting access rights, automation reduces the risk of human error and provides robust documentation, making it easier to achieve and maintain SOC 2 or ISO 27001 certification, while also saving time.
Automation tools, such as AccessOwl, provide a centralized platform for managing access rights. This includes automating access requests and approvals, conducting regular audits, and providing robust documentation.
Moreover, these tools can improve your internal workflow as a whole, like how Khalifah Alsadah (a product manager at Sary) no longer receives direct access requests — in an organization with 600-plus employees, 20 people joining or leaving every month, and more than 100 SaaS tools in use.
When deciding whether to invest in access control automation, you should consider several factors, including the size of your organization, the complexity of your access control needs, and the resources required to manage access controls manually. You should also consider the benefits of automation, such as improved efficiency, accuracy, and documentation.
Clear indicators that you might benefit from automation:
Securing and maintaining your SOC 2 and ISO 27001 certifications is a significant achievement that underscores your commitment to data security and integrity. Access control plays a pivotal role in this process, ensuring that only authorized individuals can access your systems and data.
Access controls should evolve with your organization; they require regular reviews to identify any gaps or weaknesses, and then they require updates as necessary.
Learning from others can also provide valuable insights. For instance, viafintech used AccessOwl to automate the de-provisioning process, eliminating the risk of former employees retaining access, while Drieam migrated from a manual system to a single source of truth for all access, saving time and reducing access anxiety.
Keep in mind that the journey to certification is not a one-time event but an ongoing process. Regular audits and updates to your access controls are essential to ensure that they remain effective and relevant. With careful planning and execution, you can successfully navigate this process and demonstrate your commitment to data security and integrity.