All data is fictional

Insufficient access control on admin APIs

20 Critical | In Progress | Treat
Risk Information
R-001
ISO 27001 Risk Register
Technical
Insufficient access control on admin APIs
Admin API endpoints lack proper authentication and authorisation checks, allowing authenticated users with lower privileges to access management functions. This could enable privilege escalation and unauthorised data access.
Basic API authentication is in place. Rate limiting configured. No role-based access control implemented on admin routes.
Likelihood: 4 / 5
Impact: 5 / 5
Score: 20 Critical
12 High
Treat
In Progress
31 May 2026
Implement RBAC on all admin API endpoints. Conduct code review of authentication middleware. Add automated security testing to CI/CD pipeline. Review and restrict admin API access to named IP ranges.
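The weakness described in this entry and its RBAC treatment, as an added illustration that is not part of this register or any real system: a constructed in-memory API with hypothetical tokens, users and admin routes, showing the current check (authentication only, so any logged-in user reaches admin routes) beside the treated check (authentication plus a default-deny role map on every /admin/* route, with denied attempts recorded for detection).

```python
"""Constructed demo for risk R-001: admin routes guarded by authentication
only, beside the same routes guarded by role-based access control (RBAC).
Everything here (tokens, users, routes) is hypothetical sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed identity store: each credential carries the caller's roles.
USERS = {
    "alice-token": {"user": "alice", "roles": {"admin"}},
    "bob-token": {"user": "bob", "roles": {"viewer"}},
}

# Roles permitted on each admin route. Default deny: an /admin/* route that is
# missing from this map is reachable by nobody, so a new admin endpoint cannot
# ship without an explicit authorisation rule.
ADMIN_ROUTE_ROLES = {
    "/admin/users": {"admin"},
    "/admin/config": {"admin"},
}

# Denied admin calls, kept for detection (feed to a SIEM in a real deployment).
AUDIT: List[Tuple[str, str]] = []


@dataclass
class Request:
    path: str
    token: Optional[str] = None


def authenticate(req: Request) -> Optional[dict]:
    """Basic token authentication, the control the register says exists."""
    return USERS.get(req.token)


def handle_auth_only(req: Request) -> int:
    """Current state (weak): any authenticated caller reaches admin routes."""
    if authenticate(req) is None:
        return 401
    return 200  # no role check: a 'viewer' can call /admin/users


def handle_with_rbac(req: Request) -> int:
    """Treatment: authentication, then role authorisation on all /admin/*."""
    principal = authenticate(req)
    if principal is None:
        return 401
    if req.path.startswith("/admin/"):
        allowed = ADMIN_ROUTE_ROLES.get(req.path, set())  # default deny
        if not principal["roles"] & allowed:
            AUDIT.append((principal["user"], req.path))  # escalation attempt
            return 403  # authenticated but not authorised
    return 200
```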
Risk Owner
Thomas Richards
Head of Engineering
Risk Heatmap Position (5 × 5 likelihood × impact grid; each cell is likelihood × impact, from 1 to 25)
This risk: Likelihood 4, Impact 5 → Score 20