diff --git a/app/controllers/concerns/boards_responses.rb b/app/controllers/concerns/boards_responses.rb
index 3cdf4ddf8bb08b8d8fef7adc31d4622e7ce6bade..8b191c86397ffbb7ec9793bda537d8e93d4e5ed6 100644
--- a/app/controllers/concerns/boards_responses.rb
+++ b/app/controllers/concerns/boards_responses.rb
@@ -34,15 +34,11 @@ module BoardsResponses
   end
 
   def authorize_read_list
-    ability = board.group_board? ? :read_group : :read_list
-
-    authorize_action_for!(board.parent, ability)
+    authorize_action_for!(board, :read_list)
   end
 
   def authorize_read_issue
-    ability = board.group_board? ? :read_group : :read_issue
-
-    authorize_action_for!(board.parent, ability)
+    authorize_action_for!(board, :read_issue)
   end
 
   def authorize_update_issue
@@ -57,7 +53,7 @@ module BoardsResponses
   end
 
   def authorize_admin_list
-    authorize_action_for!(board.parent, :admin_list)
+    authorize_action_for!(board, :admin_list)
   end
 
   def authorize_action_for!(resource, ability)
diff --git a/app/policies/board_policy.rb b/app/policies/board_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..46db008421fe7c2f3f72db7c97265b8e6d86d3ad
--- /dev/null
+++ b/app/policies/board_policy.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class BoardPolicy < BasePolicy
+  delegate { @subject.parent }
+
+  condition(:is_group_board) { @subject.group_board? }
+
+  rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
+
+  rule { is_group_board & can?(:read_group) }.policy do
+    enable :read_milestone
+    enable :read_issue
+  end
+end
diff --git a/spec/controllers/boards/issues_controller_spec.rb b/spec/controllers/boards/issues_controller_spec.rb
index 8657fc2ebc0fa5cfc4da1aea32d71c7008c05116..725ea2bf1ab26f13282e4989a14914833e476c4a 100644
--- a/spec/controllers/boards/issues_controller_spec.rb
+++ b/spec/controllers/boards/issues_controller_spec.rb
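Review bot: `authorize_read_list` now asks the board for `:read_list`, but the `BoardPolicy` this commit adds enables only `:read_parent`, `:read_milestone` and `:read_issue` (the last only for group boards), so `:read_list` here, `:admin_list` in the second hunk, and `:read_issue` on project boards can only be granted through `delegate { @subject.parent }` to the project or group policy. The removed code deliberately mapped group boards to `:read_group` instead of `:read_list`/`:read_issue`, which suggests the group policy may not define those list abilities; if so, group-board list reads and list administration would now be denied rather than checked. Either confirm with a group-board example in the controller specs or add `enable :read_list` (and, if intended, `:admin_list`) to the group-board block of `BoardPolicy`. The enclosing `module BoardsResponses` starts before and ends after this hunk.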
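Review bot: The `read_parent` rule combines conditions with a Ruby ternary, but inside a `rule { }` block `is_group_board` is presumably a condition object produced by the policy DSL rather than a boolean, and such an object is always truthy, so the rule would reduce to `can?(:read_group)` for project boards too and deny `:read_parent` on every project board (the DSL overloads `&`, `|` and `~`, not `?:`). Express it as two rules: `rule { is_group_board & can?(:read_group) }.enable :read_parent` and `rule { ~is_group_board & can?(:read_project) }.enable :read_parent`. Separately, the controller change in this commit authorizes `:read_list` and `:admin_list` against the board and neither is enabled in this file, so they rest entirely on the `delegate` line; a one-line comment above it stating that abilities not defined here are expected to come from the parent policy would make that dependency explicit. The condition name `is_group_board` would also read better as `group_board` given the predicate-style `group_board?` it wraps.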
@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe Boards::IssuesController do
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :private) }
   let(:board) { create(:board, project: project) }
   let(:user) { create(:user) }
   let(:guest) { create(:user) }
@@ -127,14 +127,10 @@ describe Boards::IssuesController do
     end
 
     context 'with unauthorized user' do
-      before do
-        allow(Ability).to receive(:allowed?).and_call_original
-        allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
-        allow(Ability).to receive(:allowed?).with(user, :read_issue, project).and_return(false)
-      end
+      let(:unauth_user) { create(:user) }
 
       it 'returns a forbidden 403 response' do
-        list_issues user: user, board: board, list: list2
+        list_issues user: unauth_user, board: board, list: list2
 
         expect(response).to have_gitlab_http_status(403)
       end
diff --git a/spec/controllers/boards/lists_controller_spec.rb b/spec/controllers/boards/lists_controller_spec.rb
index 700338571684c2f829b6b6198c9b5303230b14f5..e5b8aa2e6785dcf564111068bb9c66d883228853 100644
--- a/spec/controllers/boards/lists_controller_spec.rb
+++ b/spec/controllers/boards/lists_controller_spec.rb
@@ -31,13 +31,10 @@ describe Boards::ListsController do
     end
 
     context 'with unauthorized user' do
-      before do
-        allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
-        allow(Ability).to receive(:allowed?).with(user, :read_list, project).and_return(false)
-      end
+      let(:unauth_user) { create(:user) }
 
       it 'returns a forbidden 403 response' do
-        read_board_list user: user, board: board
+        read_board_list user: unauth_user, board: board
 
         expect(response).to have_gitlab_http_status(403)
       end
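Review bot: Swapping the `Ability` stubs for `unauth_user` on a now-private project narrows what the 403 example proves: the removed `before` block modelled a user who could `read_project` but not `read_issue`, whereas `unauth_user` has no access to the project at all, so the denial most likely comes from project visibility and the `read_issue` path of the new `BoardPolicy` is no longer exercised on its own. The same narrowing applies to the `read_list` case in `spec/controllers/boards/lists_controller_spec.rb`. Since the controller change also rewrote how group boards are authorized, a group-board example and a "can read project, denied the specific ability" example would cover the branches this commit actually touches. The enclosing `describe` blocks start before and end after these hunks.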