Description
Establish procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
Supplemental Guidance
Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access control enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access control enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation approach.
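The separation described above, as an added example that is not part of the control text or of any NIST artifact: a policy decision point (PDP) that produces an authorization decision for each request, and a separate policy enforcement point (PEP) that performs the access only once a decision bound to that exact request exists and permits it. The class names, the policy and the data store are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    action: str
    resource: str

@dataclass(frozen=True)
class Decision:
    request: AccessRequest   # the decision is bound to exactly one request
    permit: bool
    reason: str

class PolicyDecisionPoint:
    """Applies the organization-defined policy to a request (the 'decision' role)."""
    def __init__(self, policy: Dict[Tuple[str, str, str], bool]) -> None:
        self._policy = policy  # constructed rules keyed by (subject, action, resource)

    def decide(self, req: AccessRequest) -> Decision:
        key = (req.subject, req.action, req.resource)
        if key in self._policy:
            return Decision(req, self._policy[key], "explicit rule")
        return Decision(req, False, "no matching rule, default deny")

class PolicyEnforcementPoint:
    """Performs the access (the 'enforcement' role) only after a decision for this request."""
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self._pdp = pdp
        self.audit: List[Decision] = []   # one record per request: decision and reason

    def read(self, req: AccessRequest, store: Dict[str, str]) -> str:
        decision = self._pdp.decide(req)          # a decision is obtained for every request first
        self.audit.append(decision)
        if decision.request != req or not decision.permit:
            raise PermissionError(f"{req.subject} may not {req.action} {req.resource}: {decision.reason}")
        return store[req.resource]                # enforcement happens only here

def demo() -> Tuple[str, str, int]:
    # Constructed policy and data store, not drawn from any real system.
    policy = {("alice", "read", "payroll"): True, ("bob", "read", "payroll"): False}
    store = {"payroll": "payroll data"}
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(policy))
    allowed = pep.read(AccessRequest("alice", "read", "payroll"), store)
    try:
        pep.read(AccessRequest("carol", "read", "payroll"), store)
        denied = "unexpectedly permitted"
    except PermissionError as exc:
        denied = str(exc)
    return allowed, denied, len(pep.audit)
```

Because the PEP holds no policy of its own, the decision logic can be moved to a different component or service without changing the enforcement code, which is the flexibility the guidance refers to.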
Changes from Rev 4
No significant changes from Rev 4.
Compliance Mappings
ISO 27001:2022: A.5.15
ISO 27002:2022: 5.15, 8.3
COBIT 2019: DSS05
CIS Controls v8: CIS 6, CIS 6.7
NIST CSF 2.0: PR.AA-05
NIS2 Directive: Art. 21(2)(i)
MAS TRM: 9
BSI IT-Grundschutz: ORP.4
BIO2: 5.15, 8.3
RBI CSF: Annex1.8, ITGRCA.19
FISC Security Guidelines: FISC.T2
HKMA TM-E-1: TME1.8.1
MLPS 2.0: 8.1.4.2
SAMA CSF: 3.1
NCA ECC: 2-2
UAE IA: T9
CBB TM: TM-6
Qatar NIA: AC
CBUAE: CR-4
CBE CSF: CTO-1
SA JS2: JS2-7.1
CBN CSF: Part3.2
BoM CTRM: 3.3
IOSCO Cyber Resilience: PROT-1
FFIEC IS: II.C.15(b), II.C.7(b)
HIPAA Security Rule: §164.308(a)(4)(i), §164.308(a)(4)(ii)(B), §164.312(a)(1)
ECB CROE: CROE.2.3.1
EBA ICT Guidelines: 3.4.2
SEBI CSCRF: PR.AA
BOT Cyber Resilience: Ch2.2
CMMC 2.0: AC
Common Criteria: CC Part 2 — FDP
Lloyd's Minimum Standards: BP2.1, MS8.3
PRA SS1/23: P-IT.1
FDA 21 CFR Part 11: §11.10(g)
FDA Cybersecurity Guidance: SA-1
ISO 27799: 9.1
NHS DSPT: NDG-4.1, NDG-4.4