Understanding Annex A.9
Annex A.9 is about access control. Its aim is to safeguard access to information and to ensure that employees can only access the information that is relevant to their work. This is a key area to get right on your journey to ISO 27001 certification, and one where a lot of companies find they need support. If you’re looking for a simplified way to get certified, we suggest taking a look at our ISMS.online platform, which will give you a 77% head start.
What is the objective of Annex A.9.1 of ISO 27001?
Annex A.9.1 is about business requirements of access control. The objective in this Annex A control is to limit access to information and information processing facilities.
It’s an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s look at those requirements and what they mean in a bit more depth.
A.9.1.1 Access Control Policy
An access control policy must be established, documented and reviewed regularly, taking into account the business requirements for the assets in scope.
Access control rules, rights and restrictions, along with the depth of the controls used, should reflect the information security risks around the information and the organisation’s appetite for managing them. Put simply, access control is about who needs to know, who needs to use, and how much access they get.
Access controls can be digital or physical in nature, e.g. permission restrictions on user accounts as well as limits on who can enter certain physical locations (aligned with Annex A.11 Physical and Environmental Security). The policy should take into account:
- The security requirements of business applications, aligned with the information classification scheme in use under A.8 Asset Management;
- Who needs to know, and who needs to use, each item of information, so that access is granted on that basis rather than by default;
- Management of access rights and privileged access rights (the more powerful rights covered under A.9.2.3 below), including initial allocation, in-life changes (e.g. controls over super-user/administrator accounts) and periodic reviews (e.g. regular internal audits in line with clause 9.2, internal audit);
- Formal procedures and defined responsibilities that support the access control rules.
Access rights also need to be reviewed when roles change, and in particular at exit, to align with Annex A.7 Human Resource Security.
A.9.1.2 Access to Networks and Network Services
The principle of least privilege (often called ‘least access’) is the general approach favoured for protection: neither broad access nor superuser rights should be granted without careful consideration.
Users should therefore only get access to the networks and network services they need to use, or need to know about, for their job. The policy needs to address:
- the networks and network services in scope for access;
- authorisation procedures showing who (by role) is allowed to access what, and when; and
- management controls and procedures to prevent unauthorised access and to monitor access in life.
This also needs to be considered during onboarding and offboarding, and is closely related to the access control policy itself.
What is the objective of Annex A.9.2 of ISO 27001?
Annex A.9.2 is about user access management. The objective of this Annex A control is to ensure that users are authorised to access systems and services, and to prevent unauthorised access.
A.9.2.1 User Registration and Deregistration
A formal user registration and deregistration process needs to be implemented. A good process for user ID management includes being able to associate each individual ID with a real person, and limiting shared access IDs; where shared IDs are used, their use should be approved and recorded.
A good onboarding and exit process ties in with A.7 Human Resource Security to show quick and clear registration and deregistration, along with avoiding the reissue of old IDs. A regular review of IDs demonstrates good control and reinforces ongoing management. That can be tied in with the internal audits noted above for access control, and with periodic reviews by the information asset or processing application owners.
A.9.2.2 User Access Provisioning
A process (however simple, but documented) must be implemented to assign or revoke access rights for all user types to all systems and services. Done well, it ties in with the points above as well as the broader HR security work.
The provisioning and revocation process should include:
- authorisation from the owner of the information system or service for its use;
- verifying that the access granted is appropriate to the role being performed; and
- protecting against access being provisioned before authorisation is complete.
User access should always be business led, with access based on the requirements of the business. This might sound bureaucratic, but it doesn’t need to be: simple, effective procedures with role-based access by system and service can address it.
A.9.2.3 Management of Privileged Access Rights
A.9.2.3 is about managing the usually more powerful, higher ‘privileged’ levels of access, e.g. systems administration permissions versus normal user rights.
The allocation and use of privileged access rights has to be tightly controlled, given the extra rights usually conveyed over information assets and the systems controlling them, for example the ability to delete work or fundamentally affect the integrity of the information. It should align with the formal authorisation processes and with the access control policy.
That could include:
- system-by-system clarity on what the privileged access rights are (which can be managed inside the application);
- allocation on a need-to-use basis, not a blanket approach;
- a process and record of all privileges allocated, maintained alongside the information asset inventory or as part of the A.9 evidence; and
- regular review of the competence of users granted the rights, to confirm it still aligns with their duties.
This is another good area to include in the internal audit to demonstrate control.
One of the biggest contributory factors to failures or breaches of systems is inappropriate, blanket use of system administration privileges, with human error then leading to more damage or loss than if a least-privilege approach had been taken. Other good practice in this area includes separating the systems administrator role from the day-to-day user role, and giving a user two accounts if they perform different jobs on the same platform, so that routine work is never done with administrative rights.
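As an added example (not from the original page, and not ISMS.online’s own tooling), the following Python script shows how the checks described under A.9.1.2, A.9.2.1, A.9.2.2 and A.9.2.3 can be run together as one periodic access review: it reconciles an HR roster, the accounts on a platform, a role-to-entitlement model (including network services), the register of allocated privileges and the list of retired IDs, and reports every account that is out of line with the policy. All people, roles, rights and accounts are constructed sample data, and the rule tags are labels I have chosen to map each finding to the relevant control.

```python
# Added example: a periodic access review that reconciles accounts against HR,
# role entitlements and the privilege register. All sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str      # hypothetical tag naming the Annex A.9 control involved
    detail: str


def review_access(roster, accounts, role_entitlements, privileged_rights,
                  privilege_register, retired_ids):
    """Return a list of Findings; an empty list means the review passed."""
    findings = []
    for acct in accounts:
        aid, owner, rights = acct["id"], acct["owner"], set(acct["rights"])

        if owner is None:
            # A.9.2.1: shared/service IDs are allowed only if approved and recorded
            if not acct["approved"]:
                findings.append(Finding(aid, "A.9.2.1 shared-id",
                                        "shared/service ID without recorded approval"))
        elif owner not in roster:
            # A.9.2.1: every individual ID must map to a real, known person
            findings.append(Finding(aid, "A.9.2.1 unknown-owner",
                                    f"owner '{owner}' is not on the HR roster"))
        else:
            role, status = roster[owner]
            if status != "active":
                # A.9.2.1 / A.7: leavers must be deregistered promptly
                findings.append(Finding(aid, "A.9.2.1 leaver",
                                        f"owner '{owner}' is '{status}' but account still enabled"))
            # A.9.1.2 / A.9.2.2: every right, network services included, must be
            # justified by the owner's role; anything else is excess
            excess = rights - role_entitlements.get(role, set())
            if excess:
                findings.append(Finding(aid, "A.9.2.2 excess-rights",
                                        f"not justified by role '{role}': {sorted(excess)}"))

        if aid in retired_ids:
            # A.9.2.1: old IDs must not be reissued
            findings.append(Finding(aid, "A.9.2.1 reissued-id", "ID was previously retired"))

        priv = rights & privileged_rights
        if priv:
            # A.9.2.3: every allocated privilege must appear in the privilege register
            unrecorded = priv - privilege_register.get(aid, set())
            if unrecorded:
                findings.append(Finding(aid, "A.9.2.3 unrecorded-privilege",
                                        f"{sorted(unrecorded)} missing from privilege register"))
            # A.9.2.3: admin work and day-to-day work belong on separate accounts
            if rights - privileged_rights:
                findings.append(Finding(aid, "A.9.2.3 mixed-account",
                                        "privileged and daily-use rights on one account"))

    # A.9.2.3: register entries with no live account are stale and should be closed
    live = {a["id"] for a in accounts}
    for aid in privilege_register:
        if aid not in live:
            findings.append(Finding(aid, "A.9.2.3 stale-register",
                                    "privilege register entry has no live account"))
    return findings


# ---- constructed sample data: hypothetical people, roles, systems and rights ----
PRIVILEGED_RIGHTS = {"erp:admin", "ssh:jump-host", "vpn:admin-segment"}
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "vpn:finance-segment"},
    "helpdesk": {"erp:read", "vpn:office-segment"},
    "sysadmin": {"erp:read", "vpn:office-segment"} | PRIVILEGED_RIGHTS,
}
HR_ROSTER = {  # person -> (role, HR status)
    "alice": ("finance-analyst", "active"),
    "bob": ("sysadmin", "active"),
    "carol": ("helpdesk", "leaver"),
    "erin": ("sysadmin", "active"),
}
ACCOUNTS = [
    {"id": "alice", "owner": "alice", "approved": True, "rights": {"erp:read", "vpn:finance-segment", "erp:export"}},
    {"id": "bob", "owner": "bob", "approved": True, "rights": {"erp:read", "vpn:office-segment"}},
    {"id": "bob-adm", "owner": "bob", "approved": True, "rights": {"erp:admin", "ssh:jump-host", "vpn:admin-segment"}},
    {"id": "carol", "owner": "carol", "approved": True, "rights": {"erp:read", "vpn:office-segment"}},
    {"id": "erin", "owner": "erin", "approved": True, "rights": {"erp:read", "vpn:office-segment", "erp:admin"}},
    {"id": "svc-backup", "owner": None, "approved": False, "rights": {"ssh:jump-host"}},
    {"id": "dave", "owner": "dave", "approved": True, "rights": {"erp:admin"}},
]
PRIVILEGE_REGISTER = {
    "bob-adm": {"erp:admin", "ssh:jump-host", "vpn:admin-segment"},
    "svc-backup": {"ssh:jump-host"},
    "old-admin": {"erp:admin"},
}
RETIRED_IDS = {"dave", "old-admin"}


def run_review():
    """Run the review over the constructed data; returns the list of Findings."""
    return review_access(HR_ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS,
                         PRIVILEGED_RIGHTS, PRIVILEGE_REGISTER, RETIRED_IDS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.account:<12} {f.rule:<30} {f.detail}")
```

Run as-is, the review passes `bob` and `bob-adm` (a correctly separated daily-use and admin pair whose privileges are in the register) and flags everything else: the leaver still holding an account, the unapproved service ID, the account whose owner is not on the roster and whose ID was previously retired, the excess right outside the role, privileges missing from the register, a single account mixing admin and daily-use rights, and a register entry with no live account. The output is the evidence an internal auditor would expect to see for these controls.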