What Is Access Control?
Access control is the security practice of deciding who can access which systems and data — and what they’re allowed to do with them. It’s one of the most fundamental controls in any security programme.
It combines authentication (proving who you are) with authorisation (what you’re allowed to do), applied through models like RBAC and ABAC and principles like least privilege.
Plain-English explainer · Maps to ISO 27001 Annex A / SOC 2 / DPDP · Last reviewed June 2026
Access control is how an organisation regulates who can access its systems and data, and what they can do once they are in. It has two halves: authentication (confirming a user is who they claim to be, via passwords, MFA and similar) and authorisation (deciding what that authenticated user is permitted to do). The two are distinct: a valid login proves identity but grants nothing by itself, and authorisation has to be checked on every request, server-side, rather than assumed from the fact that a user signed in. Good access control enforces the principle of least privilege: people get only the access their job requires. It is implemented through models, most commonly RBAC (role-based) and increasingly ABAC (attribute-based), and it is a cornerstone of every major framework: a dedicated group of ISO 27001's Annex A controls, a core part of SOC 2's security criteria, and essential to DPDP protection of personal data.
The Models
Four Ways to Grant Access
DAC — Discretionary
The data owner decides who gets access. Flexible but easy to sprawl; common in file shares and small teams.
MAC — Mandatory
Access is set centrally by policy and classification labels (e.g., Confidential, Secret). Rigid and high-assurance; used in government/defence.
RBAC — Role-Based
Access is granted to roles (e.g., “Finance”, “Engineer”), and people inherit their role’s permissions. The most common model in business systems.
ABAC — Attribute-Based
Access is decided by attributes of the user, the resource and the context (department, clearance, location, time of day, device). The most granular and dynamic model, and the basis for many zero-trust designs; the trade-off is that attribute policies are harder to review than a plain list of roles.
The Principles
Rules That Make Access Control Work
- Least privilege — give each person the minimum access they need to do their job, nothing more.
- Need-to-know — access to specific data is limited to those who require it for a task.
- Separation of duties — split sensitive actions across people so no one can act alone (e.g., request vs approve).
- Joiner-mover-leaver — provision on hire, adjust on role change, and revoke promptly on exit.
- Regular access reviews — periodically re-certify who has access to what, and remove what’s stale.
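The last three principles (separation of duties, joiner-mover-leaver, access reviews) are the ones most often evidenced by a periodic re-certification. As an added example that is not code from the original page, the following script runs a small review over a constructed entitlement export of the kind an identity provider or HR system would produce. It surfaces leavers who still hold access, entitlements unused for longer than the review window, and users holding a toxic role combination. Every user, role, date and the 90-day window are assumptions made for the illustration.

```python
"""Added example, not code from the original page: a small access-review
pass over a constructed entitlement export. It surfaces leavers who still
hold access, stale (unused) entitlements, and separation-of-duties conflicts.
Every user, role, date and threshold here is constructed for illustration."""
from datetime import date, timedelta

# Constructed snapshot: one row per (user, role, last_used, granted).
# last_used is None when the entitlement has never been exercised.
ENTITLEMENTS = [
    ("alice", "finance",          date(2026, 5, 30), date(2025, 1, 10)),
    ("alice", "finance-approver", date(2026, 5, 29), date(2025, 1, 10)),
    ("bob",   "engineer",         date(2026, 5, 31), date(2024, 7, 1)),
    ("bob",   "prod-admin",       date(2026, 1, 2),  date(2024, 7, 1)),
    ("carol", "engineer",         date(2026, 5, 20), date(2023, 3, 3)),
    ("dave",  "finance",          None,              date(2026, 4, 1)),
]

# Constructed HR status; anyone missing from HR is treated as a leaver.
HR_STATUS = {"alice": "active", "bob": "active", "carol": "left", "dave": "active"}

# Role pairs one person must never hold together (request vs approve).
TOXIC_COMBINATIONS = [frozenset({"finance", "finance-approver"})]

STALE_AFTER = timedelta(days=90)   # assumed review window
REVIEW_DATE = date(2026, 6, 1)     # assumed date the review is run

def review(entitlements, hr_status, today, stale_after=STALE_AFTER,
           toxic=TOXIC_COMBINATIONS):
    """Return sorted (finding, user, detail) tuples for the reviewer."""
    findings = []
    roles_by_user = {}
    for user, role, last_used, granted in entitlements:
        roles_by_user.setdefault(user, set()).add(role)
        # Leaver: HR says gone (or unknown) but access remains -> revoke now.
        if hr_status.get(user) != "active":
            findings.append(("leaver", user, role))
            continue
        # Stale: unused for longer than the window. A never-used entitlement is
        # measured from its grant date, so a recent hire gets a grace period.
        reference = last_used or granted
        if today - reference > stale_after:
            findings.append(("stale", user, role))
    # Separation of duties: flag active users holding a toxic combination.
    for user, roles in roles_by_user.items():
        if hr_status.get(user) != "active":
            continue
        for combo in toxic:
            if combo <= roles:
                findings.append(("sod-conflict", user, "+".join(sorted(combo))))
    return sorted(findings)

def review_snapshot():
    """Run the review over the constructed snapshot at the assumed date."""
    return review(ENTITLEMENTS, HR_STATUS, REVIEW_DATE)

if __name__ == "__main__":
    for finding, user, detail in review_snapshot():
        print(f"{finding:13} {user:6} {detail}")
```

On the constructed data the review flags carol's lingering engineer access (a leaver), bob's prod-admin role unused for about five months (stale privileged access), and alice holding both the requesting and approving finance roles (a separation-of-duties conflict). dave's never-used finance role is not flagged because it was granted within the window; in a real review you would decide whether never-used access should get that grace period at all.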
Access Control — Common Questions
The questions people ask most about access control.
What is access control in cyber security?
Access control is the practice of regulating who can access systems and data, and what they can do once authenticated. It combines authentication (verifying identity) with authorisation (granting permissions) and is one of the most fundamental security controls.
What are the types of access control?
The four main models are DAC (discretionary — the owner decides), MAC (mandatory — central policy and classification labels), RBAC (role-based — permissions attached to roles), and ABAC (attribute-based — access decided by user, resource, and context attributes). RBAC is the most common in business; ABAC is the most granular.
What is the difference between RBAC and ABAC?
RBAC grants access based on a user’s role (e.g., everyone in “Finance” gets the finance permissions). ABAC grants access based on attributes and context (user department, resource sensitivity, location, time), making it more granular and dynamic — and the basis for many zero-trust designs.
What is the principle of least privilege?
Least privilege means giving each user, account, or process only the minimum access needed to perform its function — and no more. It limits the damage from compromised accounts or insider error and is a baseline expectation in ISO 27001 and SOC 2.
How does access control relate to ISO 27001 and SOC 2?
Access control is central to both. ISO 27001 Annex A dedicates a set of controls to access management (access policy, user provisioning, privileged access, authentication). SOC 2’s security criteria require logical access controls. Implementing and evidencing access control is a major part of either audit.
Related reading: the Learn hub, what an ISMS is, GRC, and the ISO 27001 Annex A controls. More terms in the compliance glossary.
Written By Expert Auditors