Access Control & MFA (NIS2 21.2): Build A Solid Foundation with ISO 27001 Best Practices

Did you know that multi-factor authentication can block over 99.9% of account compromise attacks? Since a statistic like this simply should not be ignored, let's put this topic into today's focus and read more about multi-factor authentication (MFA) and how it relates to access control.

Overall, the importance of implementing robust access control measures in compliance with ISO 27001 and NIS2 cannot be overstated. Access control not only helps protect sensitive information from unauthorized access; it also ensures that only authorized individuals can access specific resources, thereby reducing the risk of data breaches. In this blog post, we delve into these topics and explore the fundamentals of access control and MFA.

Understanding Access Control and MFA

In the following paragraphs, we will look at the exact controls of both the NIS2 directive and the ISO 27001 standard that cover the requirements for access control and MFA.

NIS2 Requirements and Controls

Parts 21.2.i and 21.2.j of the directive specifically pertain to access control and multi-factor authentication (MFA) and the necessity of implementing suitable measures.

Part 21.2.i of the NIS2 Directive emphasizes the need for entities to implement measures to prevent unauthorized access to network and information systems. This includes the use of secure and robust access control mechanisms. The directive encourages entities to adopt a 'least privilege' approach, where users are granted the minimum levels of access necessary to perform their roles.

Part 21.2.j of the NIS2 Directive focuses on the use of multi-factor authentication (MFA) as a means of verifying the identity of users. MFA is a method of authentication that requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN.

In summary, parts 21.2.i and 21.2.j of the NIS2 Directive highlight the importance of robust access control and the use of multi-factor authentication in protecting network and information systems. These measures are seen as crucial in preventing unauthorized access and ensuring the security of sensitive information. However, the guidance in the NIS2 directive is rather weak in comparison to the requirements of other frameworks such as ISO 27001. Therefore, ISO 27001 best practices can be used to meet the demands of NIS2 compliance.

ISO 27001's Controls for Access Management

The following controls from chapters 5 (Organizational controls) and 8 (Technological controls) are related to access management:

5.15 Access control

In essence, ISO 27001 control '5.15 Access control' is about implementing effective measures to manage and restrict access to information, thereby reducing the risk of unauthorized access and potential data breaches. It is divided into two main sections: 'User Access Management' and 'User Responsibilities'. 'User Access Management' involves the process of granting or revoking access rights to users based on their roles and responsibilities within the organization. This includes the management of privileged access rights, the review of user access rights, and the removal or adjustment of access rights.

'User Responsibilities' under '5.15 Access control' involves making users aware of their responsibilities when accessing the organization's information systems. This includes ensuring that users follow the organization's access control policy and that they understand the consequences of non-compliance.

Furthermore, '5.15 Access control' also emphasizes the importance of using secure log-on procedures, managing passwords effectively, and limiting the use of utility programs that might bypass system and application controls. This control is critical in maintaining the integrity, confidentiality, and availability of an organization's information.

5.16 Identity management

The '5.16 Identity management' control obliges organizations to create a thorough identity management system, involving a formal user registration and de-registration method. The goal is to help assign access rights carefully, controlling access to various information and systems within your enterprise. Implementing regular updates and reviews of user access rights is a necessity, guaranteeing their continued relevance, especially in situations like role changes or employee departure.

Managing special access privileges like those for system administrators is also crucial, with an emphasis on restricted usage and consistent monitoring. All these are to avoid unauthorized access and potential misuse. Furthermore, this control element highlights the significant role of users in maintaining their authentication information security, stressing the importance of password confidentiality and prompt reporting of any suspected breaches.

5.17 Authentication information

The control essentially stresses the importance of attentive management of authentication information. It requires users to be aware of their role in maintaining the confidentiality and security of their respective authentication credentials. Automated processes should effectively handle the allocation of passwords, and these passwords should undergo verification for accuracy before use to mitigate the risk of unauthorized access.

The control also necessitates the incorporation of firm security measures such as robust passwords and two-factor authentication, along with secure log-on procedures, thus raising the overall level of security. It further calls for timely changes of authentication information at any sign of potential compromise, so that unauthorized access is thwarted even if the authentication information is jeopardized.

5.18 Access rights

The ISO 27001 control '5.18 Access rights' outlines important aspects of managing access rights. It details the necessity of an access control policy; outlines processes for user registration, de-registration, and access provisioning; and emphasizes the management of privileged access rights and secret authentication information.

Regular audits of user access rights and prompt removal or adjustment of rights upon changes in roles or employment termination are also advocated. Effective implementation of '5.18 Access rights' fosters information confidentiality, integrity, and compliance with information security mandates.

In the following screenshot, you can see an example of how a tool can be used, for instance, to ensure the regular review of data system access rights. In the tool, the access roles are clearly documented, and a process description explains how the access roles are reviewed on a regular basis. In this case, the tool also allows the user to set a review date or cycle to make sure that the reviews actually happen.

Example picture of using a tool (Cyberday) for the documentation and monitoring of the access rights.

8.2 Privileged access rights

In delineating access controls, it is crucial to focus on privileged access. By restricting and managing it effectively, an organization ensures only authorized users, software, and processes can access privileged information. The method of assigning privileged access rights hinges on a well-strategized authorization system that aligns with the corresponding access control policy.

This control mandates that the allocation and use of privileged access rights should be restricted and controlled. This means that only a limited number of trusted individuals should be granted these rights, and their use should be monitored and logged. Further, the assignment of privileged access rights should be subject to a formal authorization process.

Users with privileged access rights should receive appropriate training, meaning they should be made aware of the risks associated with their rights and the responsibilities they carry. They should also be trained on how to use their rights safely and effectively. Finally, these rights should be reviewed at regular intervals. This is to ensure that these rights are still necessary and are being used appropriately.

8.3 Information access restriction

The control '8.3 Information access restriction' outlines the rules for granting and revoking access rights and mandates the protection of networked services and the implementation of secure log-on procedures.

In essence, it is designed to ensure that access to information is restricted to authorized users only, and that these access rights are managed, reviewed, and updated regularly to maintain the integrity and confidentiality of the information.

8.4 Access to source code

The primary purpose of this control is to ensure that access to the source code is restricted to authorized personnel only. This is to prevent unauthorized modifications, which could lead to system vulnerabilities or malicious activities. It also aims to protect the intellectual property rights of the organization.

Moreover, the control requires that the access rights to the source code should be reviewed at regular intervals and updated as necessary. This is to ensure that only those who need access to perform their job functions have it, and that former employees or those who have changed roles within the organization do not retain unnecessary access.

8.5 Secure authentication

Secure Authentication, in the context of ISO 27001, means verifying the identity of a user, system, or application before granting access to information or resources. This is typically achieved through the use of passwords, biometrics, or other forms of credentials.

The control requires organizations to implement a secure authentication process that is suitable for the nature of the system or application. This could involve multi-factor authentication (MFA), which uses two or more different types of credentials for added security.

Furthermore, the control stipulates that the authentication information should be protected to prevent its disclosure to unauthorized parties. This could involve encrypting the data, regularly updating passwords, or using secure channels for transmitting authentication information.

ISO 27001 Controls for MFA

As already mentioned above, ISO 27001 mandates the control of access to network services. This involves the use of MFA to ensure that only authorized users can access the network. This is particularly important for remote access, where the risks of unauthorized access are higher.

Multi-Factor Authentication (MFA) is a vital security protocol requiring users to verify their identities via two or more forms of authentication before accessing sensitive data. The factors used in MFA fall into the following categories:

  • knowledge-based (passwords, PINs)
  • possession-based (smart cards, mobile devices)
  • inherence-based (biometrics)

Biometric authentication, one-time passwords (OTPs), push notifications, and hardware or software tokens are commonly used MFA techniques today.

The primary goal of MFA is to create a layered defense, making it harder for unauthorized individuals to gain access even if one authentication factor is compromised.

Examples of ISMS sections related to implementing Access Control and MFA

Nowadays, you can find tools to make your work more efficient for literally anything. That can make your working life much easier when it comes to complying with access rights and MFA requirements. Let's look, for instance, at how you could keep track of the access rights for important data systems. In the following screenshot, you can see a task in a tool that focuses on the "Regular reviewing of data system access rights". For that purpose, all of the important data systems are linked as documentation.

In this tool, you can then simply jump to the documented data systems, where you will find a list of all of the data systems, which could look like the following:

Overview of documented data systems in a tool (Cyberday) as an example.

With an overview like this, you can not only keep track of all the data systems whose access rights you want to keep an eye on, you can also link more information. For example, with the help of this tool, each of the listed documentation items has a separate information card with all of the important information about that data system. In the following screenshot, you can see an example of how the collection of system permissions (using MFA) is being used.
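As an added example (not code from the original post or from the Cyberday tool), the following Python check applies the review rules discussed under 5.16, 5.18 and 8.2, and in this section, to a constructed access-rights inventory: it flags overdue reviews, grants still held by users who have left or changed role, and privileged roles without MFA. The record schema, field names and sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class AccessGrant:
    # One documented access role on one data system (constructed schema, an assumption)
    user: str
    system: str
    role: str
    privileged: bool        # e.g. system administrator rights (ISO 27001 8.2)
    mfa_enforced: bool      # secure authentication in place for this grant (8.5)
    user_active: bool       # False once the user has left or changed role (5.16 / 5.18)
    last_reviewed: date     # date of the last documented access review
    review_cycle_days: int  # review cycle set for this system

# Constructed sample inventory; names, systems and dates are made up for the example.
REVIEW_DATE = date(2024, 9, 1)
SAMPLE_GRANTS = [
    AccessGrant("alice", "HR system", "hr-admin", True, True, True, date(2024, 1, 10), 180),
    AccessGrant("bob", "CRM", "sales-user", False, True, False, date(2024, 6, 1), 365),
    AccessGrant("carol", "ERP", "sysadmin", True, False, True, date(2024, 8, 15), 90),
    AccessGrant("dave", "CRM", "sales-user", False, True, True, date(2024, 8, 1), 365),
]

def review_findings(grants, today):
    """Return (user, system, finding) tuples for every grant that needs action."""
    findings = []
    for g in grants:
        if not g.user_active:
            # 5.16 / 5.18: remove rights promptly on departure or role change
            findings.append((g.user, g.system, "revoke: user no longer active"))
        if today - g.last_reviewed > timedelta(days=g.review_cycle_days):
            # 5.18 / 8.2: access rights must be re-reviewed within the set cycle
            findings.append((g.user, g.system, "review overdue"))
        if g.privileged and not g.mfa_enforced:
            # 8.2 + 8.5: privileged roles should be protected by MFA
            findings.append((g.user, g.system, "privileged access without MFA"))
    return findings

def next_review_due(grant):
    """The date by which the next access review for this grant has to be documented."""
    return grant.last_reviewed + timedelta(days=grant.review_cycle_days)

if __name__ == "__main__":
    for user, system, finding in review_findings(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{user:6} {system:10} {finding}")
```

Running it against the sample inventory reports three findings (alice, bob and carol) and none for dave, whose grant is active, within its cycle and not privileged.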

Challenges and Considerations

One of the common challenges when using Multi-Factor Authentication (MFA) or access controls in relation to ISO 27001 compliance is the complexity of implementation. MFA and access control systems can be complex to set up and manage, especially for organizations with a large number of users or complex IT infrastructure. This can lead to errors or vulnerabilities if not properly managed.

Another challenge is user resistance. MFA adds an extra step to the login process, which some users may find inconvenient. This can lead to resistance to adoption, especially if the benefits of MFA are not clearly communicated to the users.

Cost is also a significant challenge. Implementing MFA and robust access control systems can be expensive, especially for small and medium-sized businesses. The cost includes not only the initial setup but also ongoing maintenance and management.

Moreover, there is the challenge of maintaining compliance with evolving standards. ISO 27001 and other cyber security standards are regularly updated to reflect new threats and best practices. Organizations must stay up to date with these changes and ensure their access control and MFA systems remain compliant. Certain tools can help you stay up to date by showing efficiently what has changed in an update of a framework and what additional work you may have to invest.

Lastly, there is the challenge of balancing security with usability. While MFA and robust access controls can significantly enhance security, they can also make systems more difficult to use. Organizations must find a balance that provides strong security without negatively impacting user experience.


In conclusion, the importance of robust access control and multi-factor authentication (MFA) measures cannot be overstated when aiming for ISO 27001 (or NIS2) compliance. These security measures are essential in protecting sensitive information and preventing unauthorized access to systems and data. They form the backbone of any effective cyber security strategy.

ISO 27001 and NIS2 standards provide guidelines for implementing these measures and further emphasize the need for a well-defined access control policy, effective user access management, clear user responsibilities, and strong authentication mechanisms. Adherence to these standards not only enhances an organization's security posture but also demonstrates its commitment to maintaining high levels of data protection.

Ultimately, mastering access control and MFA is a continuous journey. It requires ongoing efforts to stay ahead of evolving threats and adapt security measures accordingly. But the rewards - enhanced security, compliance with international standards, and peace of mind - make these efforts worthwhile. Check out our other Academy blog posts if you are interested in learning more about best practices when it comes to building your ISMS.
