Only data owners have access to their data. Administrators and suppliers can access the data only through a break-glass procedure that requires business sign-off and consultation with the organisation.
Specification
Apply RBAC (Role-Based Access Control).
The Administrators group is removed from personal data storage and replaced by a group containing break-glass accounts.
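As an added illustration (not part of the control text above, nor code from SURF or ISO), the following Python models the two specification points: an audit that flags any remaining Administrators assignment on the personal data store and checks that a break-glass group is assigned in its place, and an RBAC decision in which data owners get direct access while break-glass accounts are admitted only with a ticket that records business sign-off, the consultation with the organisation, and an expiry. All resource, group and account names, and the ticket fields, are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed names for this example; they do not refer to any real system.
SCOPE = "storage/personal-data"
ADMIN_GROUP = "Administrators"
BREAK_GLASS_GROUP = "BreakGlass-Accounts"


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group
    role: str       # expected: "DataOwner" or "BreakGlass"
    scope: str      # resource the assignment applies to


@dataclass
class BreakGlassTicket:
    account: str
    business_signoff: str  # who gave business sign-off
    consulted: str         # organisation contact consulted before access
    expires_at: datetime   # tickets are short-lived
    justification: str


def audit_assignments(assignments: List[RoleAssignment], scope: str) -> List[str]:
    """Findings where assignments on `scope` violate the specification."""
    in_scope = [a for a in assignments if a.scope == scope]
    findings = [f"unexpected role {a.role!r} for {a.principal}" for a in in_scope
                if a.role not in ("DataOwner", "BreakGlass")]
    if any(a.principal == ADMIN_GROUP for a in in_scope):
        findings.append(f"{ADMIN_GROUP} still has an assignment on {scope}")
    if not any(a.principal == BREAK_GLASS_GROUP and a.role == "BreakGlass" for a in in_scope):
        findings.append(f"no break-glass group assigned on {scope}")
    return findings


def ticket_is_valid(ticket: Optional[BreakGlassTicket], account: str, now: datetime) -> Tuple[bool, str]:
    """Every break-glass condition in the control text must hold."""
    if ticket is None:
        return False, "no break-glass ticket"
    if ticket.account != account:
        return False, "ticket issued to a different account"
    if not ticket.business_signoff:
        return False, "missing business sign-off"
    if not ticket.consulted:
        return False, "organisation not consulted"
    if now >= ticket.expires_at:
        return False, "ticket expired"
    return True, "ok"


def authorize(principal: str, groups: Set[str], assignments: List[RoleAssignment], scope: str,
              log: List[Dict[str, str]], ticket: Optional[BreakGlassTicket] = None,
              now: Optional[datetime] = None) -> Tuple[bool, str]:
    """RBAC decision: data owners get direct access; break-glass members only
    with a valid ticket, and every break-glass attempt is written to `log`."""
    now = now or datetime.now(timezone.utc)
    principals = {principal} | groups
    roles = {a.role for a in assignments if a.scope == scope and a.principal in principals}
    if "DataOwner" in roles:
        return True, "data owner"
    if "BreakGlass" in roles:
        ok, reason = ticket_is_valid(ticket, principal, now)
        log.append({"account": principal, "scope": scope, "granted": str(ok),
                    "reason": reason, "at": now.isoformat()})
        return ok, f"break-glass: {reason}"
    return False, "no role on scope"


def demo() -> Dict[str, object]:
    """Before/after state of the specification plus a few access decisions."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    before = [RoleAssignment("alice", "DataOwner", SCOPE),
              RoleAssignment(ADMIN_GROUP, "Administrator", SCOPE)]
    after = [RoleAssignment("alice", "DataOwner", SCOPE),
             RoleAssignment(BREAK_GLASS_GROUP, "BreakGlass", SCOPE)]
    ticket = BreakGlassTicket("bg-01", "cfo@example.org", "dpo@example.org",
                              now + timedelta(hours=1), "constructed justification")
    log: List[Dict[str, str]] = []
    bg = {BREAK_GLASS_GROUP}
    return {
        "findings_before": audit_assignments(before, SCOPE),
        "findings_after": audit_assignments(after, SCOPE),
        "owner": authorize("alice", set(), after, SCOPE, log, now=now),
        "admin": authorize("bob", {ADMIN_GROUP}, after, SCOPE, log, now=now),
        "bg_no_ticket": authorize("bg-01", bg, after, SCOPE, log, now=now),
        "bg_ticket": authorize("bg-01", bg, after, SCOPE, log, ticket, now),
        "bg_expired": authorize("bg-01", bg, after, SCOPE, log, ticket, now + timedelta(hours=2)),
        "log_entries": len(log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that group membership alone never grants break-glass access: the ticket carrying the sign-off and consultation is checked at decision time, and each attempt, granted or denied, lands in the log so the use of emergency accounts can be reviewed afterwards.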
ISO 27001 & 27002:2022: A8.2, A8.5, A8.15
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
ID.03 Super Users
ID.04 Emergency access (envelope procedure / break-the-glass procedure)