AC – Access Control
NIST CSF Function PR.AA
In Identity and Access Management (IAM) and access control, normative documents are crucial for defining how users, devices, and applications are authenticated, authorized, and audited. Standards such as ISO/IEC 27001 and ISO/IEC 27002 provide guidance on access control policies, user lifecycle management, and segregation of duties, while NIST SP 800-63 outlines digital identity guidelines and authentication frameworks. Regulatory frameworks like the EU NIS2 Directive or sector-specific laws such as HIPAA in healthcare require organizations to enforce strict access controls to protect sensitive data. By following these standards and regulations, organizations can prevent unauthorized access, enforce least-privilege principles, and maintain compliance with legal and industry expectations.