Control Detail – Salvinta GRC Demo

All data is fictional

A.5.15 — Access Control

Implemented ISO 27001:2022 Organisational

Control Information

Control ID

A.5.15

Framework

ISO 27001:2022

Domain

Organisational

Status

Implemented

Control Title

Access Control

Control Definition

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

Implementation Notes

RBAC implemented across all major systems. Quarterly access reviews conducted. Privileged access managed via PAM solution.

Maturity Level

4 / 5 — Managed

Last Tested

15 Jan 2026

Next Test Due

15 Jul 2026

Test Frequency

Semi-Annual

Owner

IT Operations

Control Effectiveness

50% Maturity + 30% Evidence + 20% Test Recency

Maturity (50%)80%

Evidence (30%)93%

Test Recency (20%)83%

Linked Risks (3)

R-001Admin API access control R-004Employee credential sharing R-007Loss of key personnel

Clause	Requirement	Status	Notes
A.5.15.a	Access control rules based on business requirements	Met	RBAC policy documented and approved
A.5.15.b	Rules for granting, reviewing and revoking access	Met	Quarterly access reviews completed
A.5.15.c	Need-to-know principle applied	Partial	Some legacy systems still use broad groups
A.5.15.d	Segregation of duties considered	Met	Dual approval on financial transactions

Person	Role	Department
David Chen	Responsible	IT Operations
Jane Cooper	Accountable	Management
Thomas Richards	Consulted	Engineering
Sarah Lin	Informed	Legal & Compliance

A.5.15 — Access Control

Control Information

Control Effectiveness

Linked Risks (3)

ISO 27001:2022 Requirements Tracker

RACI Assignments

Risks (3)

Evidence (4)

A.5.15 — Access Control

Control Information

Control Effectiveness

Linked Risks (3)

ISO 27001:2022 Requirements Tracker

RACI Assignments

Risks (3)

Evidence (4)

This Feature Requires a Plan