Access Control
Manage identities and access to physical and logical assets.
9 of 9 frameworks cover this control
Framework Mappings
How Access Control maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.AA-01, PR.AA-03 |
| ISO 27001 | Covered | A.5.15, A.8.2, A.8.3 |
| CIS v8 | Covered | CIS 5.1, CIS 6.1, CIS 6.2 |
| SOC 2 | Covered | CC6.1, CC6.2, CC6.3 |
| PCI DSS | Covered | 7.2.1, 7.2.2, 7.2.4, 8.2.1 |
| CMMC | Covered | AC.L2-3.1.1, AC.L2-3.1.2 |
| 800-53 | Covered | AC-1, AC-2, AC-3, AC-6 |
| HIPAA | Covered | §164.312(a)(1), §164.312(a)(2)(i) |
| GDPR | Covered | Art.32(1)(b), Art.25(2) |
About Access Control
Access Control is a cybersecurity control in the Protect domain whose objective is to manage identities and access to physical and logical assets. Access control ensures that only authorized users, devices, and processes can access organizational resources by enforcing the principles of least privilege and need-to-know. Core implementation elements include identity lifecycle management, role-based access control (RBAC), regular access reviews and recertification campaigns, and automated provisioning and deprovisioning workflows. Strong access control reduces the attack surface by limiting opportunities for lateral movement and preventing unauthorized access to sensitive systems and data.
This control is recognized by 9 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, and GDPR. It has full coverage across all 9 frameworks.