📋 ISO 27001 A.5.15
Rule: ISO27001-A515
Severity: high

Access Control

Description

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

⚠️ Risk Impact

Access control implemented inconsistently across systems creates gaps adversaries exploit. The weakest-link rule applies: an attacker only needs one over-privileged path.

🔍 How EchelonGraph Detects This

ISO27001-A515 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Document a role-based access matrix per system. Apply least privilege everywhere, in every environment. Review access grants quarterly. Revoke unused entitlements automatically (after 30/60/90 days of inactivity).
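As an added illustration of the 30/60/90-day rule above (example code, not EchelonGraph's scanner), the following Python applies one tiered inactivity policy to a constructed entitlement inventory spanning production, staging and dev, so no environment gets a looser threshold than another:

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Tiered inactivity policy from the remediation guidance. The same thresholds
# apply to every environment, so staging is never looser than production.
POLICY = {30: "notify-owner", 60: "disable", 90: "revoke"}


@dataclass(frozen=True)
class Entitlement:
    principal: str
    environment: str          # "production", "staging", "dev", ...
    role: str
    last_used: Optional[date]  # None = never exercised since it was granted
    granted: date


def days_idle(ent: Entitlement, today: date) -> int:
    """Days since the grant was last exercised; never-used grants count from the grant date."""
    anchor = ent.last_used or ent.granted
    return (today - anchor).days


def stale_action(ent: Entitlement, today: date) -> Optional[str]:
    """Return the strictest policy action whose threshold the idle time has crossed, or None."""
    idle = days_idle(ent, today)
    action = None
    for threshold in sorted(POLICY):
        if idle >= threshold:
            action = POLICY[threshold]
    return action


def review(entitlements: List[Entitlement], today: date) -> List[Tuple]:
    """Evaluate every environment with the same policy; findings are sorted for review evidence."""
    findings = []
    for ent in entitlements:
        action = stale_action(ent, today)
        if action:
            findings.append((ent.environment, ent.principal, ent.role, days_idle(ent, today), action))
    return sorted(findings)


# Constructed sample inventory (hypothetical principals, not real data).
TODAY = date(2025, 1, 31)
SAMPLE = [
    Entitlement("alice", "production", "db-admin", date(2025, 1, 20), date(2024, 6, 1)),  # 11 days idle
    Entitlement("bob", "staging", "db-admin", date(2024, 12, 20), date(2024, 6, 1)),      # 42 days idle
    Entitlement("carol", "staging", "deploy", None, date(2024, 10, 1)),                   # never used, 122 days
    Entitlement("dave", "dev", "reader", date(2024, 11, 25), date(2024, 6, 1)),           # 67 days idle
]

if __name__ == "__main__":
    for finding in review(SAMPLE, TODAY):
        print(*finding)
```

The output is the evidence an auditor asks for under "how are stale entitlements detected and revoked": each finding names the environment, principal, role, idle days and the action taken.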

💀 Real-World Attack Scenario

A SaaS company's access matrix existed for production but not for staging. An attacker compromised a staging account, found that the database credentials were the same as in production (developer convenience), and pivoted into production. The investigation cited an A.5.15 deficiency: 'access control rules not consistently applied across environments'.

💰 Cost of Non-Compliance

Access-control gaps as breach contributor: 41% of cloud breaches in 2024 (Mandiant M-Trends). Average breach cost when access control is inconsistent: $5.1M.

📋 Audit Questions

  1. Show the access control matrix per environment.
  2. Is least privilege enforced in staging and dev as well as in production?
  3. What evidence exists of the quarterly reviews?
  4. How are stale entitlements detected and revoked?

🎯 MITRE ATT&CK Mapping

  • T1078 — Valid Accounts
  • T1021 — Remote Services

⚡ Common Pitfalls

  • Different rules in production vs staging — adversaries exploit the inconsistency
  • Quarterly reviews scheduled but never completed
  • No automated stale-entitlement detection — grants accumulate indefinitely

📈 Business Value

Consistent access control is the foundation of every audit. Without it, every other control is undermined by the over-privileged exception.

⏱️ Effort Estimate

Manual

40-80 hours for the initial matrix, plus quarterly reviews

With EchelonGraph

EchelonGraph evaluates access posture continuously across cloud and SaaS accounts.

🔗 Cross-Framework References

  • SOC2-CC6.2
  • NIST-AC-3

Automate ISO 27001 A.5.15 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
