What's the difference between Zutrittskontrolle, Zugangskontrolle, and Zugriffskontrolle in German information-security terminology?
Three nested layers: Zutritt = physical (room/building), Zugang = logical system (login), Zugriff = data/operations (RWED on files).
The three German terms map to different layers of defence:
| Term | Layer | Example | English (rough) |
|---|---|---|---|
| Zutrittskontrolle | Physical access | Server room, badge readers, locks | Physical access control |
| Zugangskontrolle | Logical-system access | Logging in to an OS or application | Authentication / system access |
| Zugriffskontrolle | Data/operation access | Read/Write/Execute/Delete on a file | Authorisation / data access |
Why three distinct words exist: German information-security law and standards (e.g. older BDSG, BSI Grundschutz) historically distinguished these three because they need different controls — a guard at the data-centre door is a different control category than file ACLs. English collapses all three into "access control" and relies on context.
The bigger nesting: physical contains logical contains data — Zugriff can only happen if Zugang worked, Zugang only if Zutritt worked.
Tip: The three As of access control map straight onto the inner two layers plus oversight: Authentication (the Zugang/login check), Authorisation (the Zugriff/rights check), and Auditing/Logging (recording what was actually done).