B2. Identity and access control

Created:  28 Jan 2018
Updated:  30 Apr 2018


The organisation understands, documents and manages access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.


It is important that the organisation is clear about who (or what in the case of automated functions) has authorisation to interact with the network and information system of an essential service in any way or access associated sensitive data. Rights granted should be carefully controlled, especially where those rights provide an ability to materially affect the delivery of the essential service. Rights granted should be periodically reviewed and technically removed when no longer required such as when an individual changes role or perhaps leaves the organisation.

Users, devices and systems should be appropriately verified, authenticated and authorised before access to data or services is granted. Verification of a user’s identity (they are who they say they are) is a prerequisite for issuing credentials, authentication and access management. For highly privileged access it might be appropriate to include approaches such as two-factor or hardware authentication.

Unauthorised individuals should be prevented from accessing data or services at all points within the system. This includes system users without the appropriate permissions, unauthorised individuals attempting to interact with any online service presentation or individuals with unauthorised access to user devices (for example if a user device were lost or stolen).


Identity and access management

The Introduction to identity and access management sets out security fundamentals that operators should consider in designing and managing identity and access management systems. Identity and access control should be robust enough that essential services are not disrupted by unauthorised access.

Physical security

In addition to technical security, operators should protect physical access to networks and information systems supporting the essential service, to prevent unauthorised access, tampering or data deletion. Some operators may already have physical security measures in place to comply with other regulatory frameworks. See CPNI guidance for further information.


NCSC Introduction to identity and access management

CPNI Physical Security guidance

BS ISO/IEC 27002

IEC 62443-2-1

NIST Identity and Access Management publications, e.g. SP 800-63 suite "Digital Identity Guidelines"




< Back to Principle B1                              Forward to Principle B3 >

Was this guidance helpful?

We need your feedback to improve this content.

Yes No