
Logical and physical access restriction — least privilege baseline

Primary statement

Access restriction per ISO 27001 A.8.3 (information access restriction), A.8.4 (access to source code) and A.8.5 (secure authentication), SOC 2 CC6.1 (logical and physical access) and CC6.6 (boundary protection for communications channels), plus IRDAI access controls. Layered with cl-access-rights, which covers the remainder of the access lifecycle (provisioning, review, revocation).

Audit-fatigue payoff

A single access restriction matrix, maintained per information class and documenting both the least-privilege grant and the required authentication strength, satisfies the access restriction requirements of every contributing framework (ISO 27001 A.8.3, A.8.4, A.8.5; SOC 2 CC6.1, CC6.6; IRDAI access controls) from one evidence set.

Strictness matrix

Scope
Scope: access to information AND other associated assets is restricted according to a topic-specific access control policy. Universal scope across information assets.
Ceiling source: iso27001:A.8.3
Rationale: ISO 27001 A.8.3 universal scope is the audit-defensible specification.
Threshold
Threshold: secure authentication technologies and procedures are selected BASED ON the information access restrictions and the topic-specific access control policy, so that authentication strength matches information sensitivity (stronger authentication, such as multi-factor, for higher classes rather than one uniform method everywhere).
Ceiling source: iso27001:A.8.5
Rationale: ISO 27001 A.8.5 sensitivity-matched authentication is the audit-defensible threshold.
Method
Method: topic-specific access control policy + linkage to information classification (cl-data-classification) + secure authentication per A.8.5 + source code access management per A.8.4 + logical access security per SOC 2 CC6.1 + communications channel boundary protection per CC6.6.
Ceiling source: iso27001:A.8.3
Rationale: ISO 27001 A.8.3 + A.8.4 + A.8.5 combined with SOC 2 CC6.x are the most prescriptive.
Frequency
Access policy review: annual + on material change. Access matrix review: quarterly (cl-access-rights). Authentication policy review: annual.
Ceiling source: iso27001:A.8.3
Rationale: annual policy review plus quarterly access matrix review is the audit-defensible cadence.
Evidence
Evidence: topic-specific access control policy + access matrix per system + authentication policy + source code access controls + a sample of access events (granted and denied) showing the restrictions in operation.
Ceiling source: iso27001:A.8.3
Rationale: ISO 27001 A.8.3 evidence is the audit-defensible specification.

Auditor test pattern

Step 1: Inspect the topic-specific access control policy and confirm it is linked to the information classification scheme.
Step 2: Verify that an access matrix exists per system and that grants in it reflect least privilege.
Step 3: Sample one high-sensitivity asset; verify that the authentication strength configured on it matches its classification.
Step 4: Verify source code access controls (who can read, commit and administer repositories).

Common findings

Common findings:
(1) Access policy generic; not topic-specific.
(2) Authentication strength uniform regardless of sensitivity.
(3) Source code access permissive.
(4) Communications channel boundary controls absent.
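The auditor test pattern (Step 2 and Step 3) and findings (2) and (3) above can be run mechanically over an access matrix once it is kept as data. The script below is an added example, not code from the page or from any of the cited frameworks; the classification scale, the ranking of authentication methods, the per-class minimum strength, the notion of a "broad" principal and the sample matrix are all constructed assumptions an organisation would replace with its own policy values.

```python
"""Check an access matrix against a sensitivity-matched authentication policy.

Added example. CLASS_RANK, AUTH_RANK, REQUIRED_AUTH, the broad-principal set
and SAMPLE_MATRIX are assumed values for illustration, not taken from the
page or from ISO 27001 / SOC 2 / IRDAI text.
"""
from dataclasses import dataclass

# Assumed classification scale, least to most sensitive.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed ranking of authentication methods by strength.
AUTH_RANK = {"password": 1, "password+totp": 2, "password+fido2": 3}

# Assumed policy: minimum AUTH_RANK required for each class. This is the
# "authentication strength matches information sensitivity" threshold.
REQUIRED_AUTH = {"public": 1, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed set of principals that mean "everyone" and never deserve write/admin
# on sensitive systems.
BROAD_PRINCIPALS = frozenset({"*", "all-staff"})


@dataclass(frozen=True)
class Entry:
    """One row of the access matrix for one system."""
    system: str          # system or asset name
    classification: str  # information class of the data it holds
    auth: str            # authentication method configured on the system
    principal: str       # role or group that is granted access
    permission: str      # read / write / admin


def check_auth_strength(entries):
    """Step 3 of the test pattern applied to every system, not just a sample:
    report systems whose configured authentication is weaker than the class
    requires."""
    systems = {(e.system, e.classification, e.auth) for e in entries}
    findings = []
    for system, cls, auth in systems:
        if AUTH_RANK[auth] < REQUIRED_AUTH[cls]:
            findings.append(
                f"{system}: {cls} data protected by {auth} (below required strength)"
            )
    return sorted(findings)


def uniform_auth(entries):
    """Common finding (2): a single authentication method is used everywhere
    even though the matrix spans more than one classification."""
    methods = {e.auth for e in entries}
    classes = {e.classification for e in entries}
    return len(methods) == 1 and len(classes) > 1


def check_least_privilege(entries, broad=BROAD_PRINCIPALS):
    """Step 2 / common finding (3): broad groups holding write or admin on
    confidential-or-higher systems (a permissive source repository shows up
    here as an 'all-staff' write grant on a restricted system)."""
    return sorted(
        f"{e.system}: {e.principal} has {e.permission} on {e.classification} data"
        for e in entries
        if e.principal in broad
        and e.permission in ("write", "admin")
        and CLASS_RANK[e.classification] >= CLASS_RANK["confidential"]
    )


# Constructed sample matrix; the two deliberately weak rows are marked.
SAMPLE_MATRIX = [
    Entry("wiki", "internal", "password", "all-staff", "read"),
    Entry("wiki", "internal", "password", "all-staff", "write"),
    Entry("crm", "confidential", "password", "sales", "write"),              # auth too weak
    Entry("git-core", "restricted", "password+totp", "all-staff", "write"),  # auth too weak, broad write
    Entry("git-core", "restricted", "password+totp", "platform-eng", "admin"),
    Entry("hsm-admin", "restricted", "password+fido2", "platform-eng", "admin"),
]


def run_checks(entries):
    """Bundle the three checks into one report dict."""
    return {
        "auth_below_required": check_auth_strength(entries),
        "uniform_auth": uniform_auth(entries),
        "broad_write_on_sensitive": check_least_privilege(entries),
    }


if __name__ == "__main__":
    for name, result in run_checks(SAMPLE_MATRIX).items():
        print(f"{name}: {result}")
```

Running it against the constructed matrix flags crm (confidential data behind a bare password) and git-core (restricted data behind TOTP only, and writable by all-staff), while the internal wiki passes. In practice the matrix would be exported from the identity provider and repository platform at each quarterly review rather than typed in, and the policy tables would come from the topic-specific access control policy.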