Access Control: ISO 27001 Annex A.9
A.9 Access control
A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.
A.9.1.1 Access control policy
An access control policy shall be established, documented and reviewed based on business and information security requirements.
A.9.1.2 Access to networks and network services
Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.9.2.1 User registration and de-registration
A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
A.9.2.2 User access provisioning
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
A.9.2.3 Management of privileged access rights
The allocation and use of privileged access rights shall be restricted and controlled.
A.9.2.4 Management of secret authentication information of users
The allocation of secret authentication information shall be controlled through a formal management process.
A.9.2.5 Review of user access rights
Asset owners shall review users’ access rights at regular intervals.
A.9.2.6 Removal or adjustment of access rights
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
A.9.3.1 Use of secret authentication information
Users shall be required to follow the organization’s practices in the use of secret authentication information.
A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
A.9.4.1 Information access restriction
Access to information and application system functions shall be restricted in accordance with the access control policy.
A.9.4.2 Secure log-on procedures
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
A.9.4.3 Password management system
Password management systems shall be interactive and shall ensure quality passwords.
A.9.4.4 Use of privileged utility programs
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
A.9.4.5 Access control to program source code
Access to program source code shall be restricted.
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance