This standard ensures access control is reviewed whenever system boundaries change, maintaining secure-by-design principles as systems evolve. It helps teams proactively manage risk and uphold least-privilege access.
Aligned to our "Zero Trust Architecture" policy, this standard reduces the likelihood of unauthorised access and strengthens system resilience. Without it, access models drift, vulnerabilities grow, and trust is compromised.
Clearly defined impacts of meeting this standard include improved delivery flow, reduced risk, higher system resilience, and better alignment to business needs. Over time, teams will see reduced rework, faster time to value, and stronger system integrity.
Level 1 – Initial: Access is based on static roles and often overly broad.
Level 2 – Managed: Some context-aware access controls exist but are inconsistently applied.
Level 3 – Defined: Zero trust principles are applied across identity, device, and network layers.
Level 4 – Quantitatively Managed: Access patterns are monitored and used to detect anomalies.
Level 5 – Optimising: Access control adapts dynamically based on real-time context and behaviour.Identity, device posture, and session context are used to validate all access attempts across services.