“Limit information system access to the types of transactions and functions that authorized users are permitted to execute.” - NIST SP 800-171 Rev. 2, 3.1.2
When it comes to access control, most leaders understand the idea of “least privilege”—that employees should only have access to what they need to do their jobs.
But understanding it is one thing. Documenting it, enforcing it, and owning it within the shared responsibility model is another.
Control 3.1.2 requires you, the Organization Seeking Certification (OSC), to ensure users are limited to only the transactions and functions necessary for their roles.
This is a subtle but important distinction: it’s not enough to restrict who has access—you also need to define what they can do once they’re in.
What the C3PAO Is Looking For
During an assessment, the C3PAO will review how your organization enforces access control based on user roles and job functions. We’ll look for evidence that:
- User roles have been defined and mapped to access levels.
- Those access levels are actually enforced by your IT systems.
- Changes to access are approved and documented.
- The process is repeatable, not ad hoc.
We’ll also look at who makes the decisions about those roles and access levels. That’s where leadership comes in.
It’s common to see MSPs or consultants managing user accounts and permissions, but they can only act based on what your organization decides. If everyone in your company is set up as a “Global Admin,” or if access levels don’t align with job duties, that’s not a technical failure; it’s an organizational one.
The assessor’s role is to confirm that your internal process drives those access decisions, not the convenience of an external provider.
How Leadership Defines Access
Access control begins with role definition, not configuration.
Leadership decides:
- What systems employees use to perform their work.
- Which actions or functions they need access to.
- Who approves elevated privileges.
- How and when access is reviewed or revoked.
Those decisions should be captured in policy and mirrored in your IT configurations. If your MSP or IT provider maintains your systems, your Shared Responsibility Matrix (SRM) should clearly show that you define access roles and they enforce them.
That clarity is critical during an assessment. When we see mismatches, like the OSC saying IT “handles access” while IT says “we follow what HR tells us,” it’s a sign that responsibilities aren’t clearly documented.
As a leader, your role is to make sure those boundaries are visible, agreed upon, and accurate.
Bringing “Least Privilege” to Life
The principle of least privilege isn’t just a technical rule; it’s a risk management decision.
Too much access can lead to accidents, breaches, or insider threats. Too little access can disrupt productivity and morale. Your leadership team’s challenge is to find that balance—and to document how those decisions are made.
Good access control policies should answer these questions:
- Who approves new access or privilege changes?
- How often are roles and permissions reviewed?
- What happens when a role changes or an employee is terminated?
- Who owns the process of validating access lists?
When your C3PAO sees those answers reflected in both policy and evidence, it demonstrates maturity—not just compliance.
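As an added illustration, not part of the original post, here is one way the access-list validation described above can be made repeatable: a role-to-function mapping stands in for the policy leadership owns, an account export stands in for what IT actually configured, and the check reports every account granted a function beyond its role without an approved exception. All role names, users, functions and ticket ids are constructed sample values.

```python
"""Validate an account export against leadership-defined role permissions.

Constructed sample data: ROLE_FUNCTIONS is the policy (what each role may
execute), ACCOUNTS is the IT export (what was actually granted), and
APPROVED_EXCEPTIONS records documented, approved privilege changes.
"""

# Policy owned by leadership: functions each role is permitted to execute.
ROLE_FUNCTIONS = {
    "engineer": {"read_cui", "edit_cui", "run_builds"},
    "finance": {"read_invoices", "approve_payments"},
    "sysadmin": {"read_cui", "manage_accounts", "global_admin"},
}

# Approved elevated privileges, keyed by (user, function) -> change ticket.
APPROVED_EXCEPTIONS = {
    ("dana", "global_admin"): "CHG-0042",  # placeholder ticket id
}

# Account export as configured by IT (constructed sample).
ACCOUNTS = [
    {"user": "alice", "role": "engineer",
     "functions": {"read_cui", "edit_cui", "run_builds"}},
    {"user": "bob", "role": "finance",
     "functions": {"read_invoices", "approve_payments", "global_admin"}},
    {"user": "carol", "role": "engineer",
     "functions": {"read_cui", "run_builds", "global_admin"}},
    {"user": "dana", "role": "finance",
     "functions": {"read_invoices", "global_admin"}},
    {"user": "eve", "role": "contractor", "functions": {"read_cui"}},
]


def review_access(accounts, role_functions, exceptions):
    """Return (user, finding, detail) tuples for least-privilege violations.

    A finding is raised when a user's role is not defined in policy, or when
    a granted function is outside the role and has no approved exception.
    """
    findings = []
    for acct in accounts:
        allowed = role_functions.get(acct["role"])
        if allowed is None:
            findings.append((acct["user"], "undefined_role", acct["role"]))
            continue
        for fn in sorted(acct["functions"] - allowed):
            if (acct["user"], fn) not in exceptions:
                findings.append((acct["user"], "excess_function", fn))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS, ROLE_FUNCTIONS, APPROVED_EXCEPTIONS):
        print(f"{user}: {finding} ({detail})")
```

The output is the evidence an assessor asks for: each line is either an undocumented privilege to remove or a missing approval to record, and an empty list means the export matches policy.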
Why This Matters to Leaders
This control shows the heart of shared responsibility. Your provider can configure permissions, but your organization defines what’s right.
If your access model doesn’t match your structure or policies, it’s a signal that decisions are happening without oversight. And in compliance, that’s where findings appear.
When leadership actively participates in defining roles, approving access, and reviewing privileges, your organization moves beyond “checking boxes” to building a sustainable compliance culture.
The takeaway:
Your IT team enforces controls, but your leadership defines the rules.
That distinction might sound small, but it’s what C3PAOs look for first.
