An Access Control Question

I came across this question in Luke’s group. It is a good question worthy of thinking and discussion. The suggested answer is B, but I can’t entirely agree with it because options B and C of this question (accountability and authentication) are the means, not the ends.


  • An objective is the “result to be achieved.” (ISO 22301)
  • A control objective is a “statement describing what is to be achieved as a result of implementing controls.” (ISO 27000:2018)
  • Effectiveness is a “measure of the degree to which given objectives are achieved.” (ISO 16439:2014)

Access Control

Access control is about mediating subjects’ access to objects (assets) through authentication, authorization, and accounting to enforce security policies and achieve control objectives and security objectives (CIA).

Effective Access Control

An effective access control process shall enforce security policies and achieve objectives. Security controls should be considered across the system life cycle and integrated into business functions and activities and applied in terms of assets.

However, there are different types of access control that have different control objectives. Control objectives direct the planning, implementation, and evaluation of security controls. They provide specific targets for auditors to evaluate the effectiveness of security controls.

Control Objectives Vary

Not all access controls require user-based identification or all user activities be uniquely identifiable. It depends on the control objective. For example:

  • An access control policy (administrative access control) mandates and directs a group of people, but it doesn’t uniquely identify users or people.
  • A firewall is a technical access control which typically filters traffic without uniquely identifying and authenticating users.
  • A lock is physical access control that blocks unauthorized people from accessing certain areas without uniquely identifying them.
Image Credit: City Store


Access controls are implemented to achieve control objectives and hence the CIA security objectives to protect assets. Identification is crucial, but it is the means, not the ends, and may not always be required or be part of the control objective as the examples mentioned above.

2 thoughts on “An Access Control Question

  1. Wentz – I would think B, C, and D are the means to achieve A. A would be incomplete if any one of the other three are missing as elements. Am I thinking right?

    • I agree with you, Sridhar. That’s what I’m thinking. I posted this question (not mine, I just shared it) because it’s a good one worthy of thinking and discussion.

Leave a Reply