- See ISO 27002:2022 Control 5.18 for more information.
- See ISO 27001:2013 Annex A 9.2.2 for more information.
- See ISO 27001:2013 Annex A 9.2.5 for more information.
- See ISO 27001:2013 Annex A 9.2.6 for more information.
Understanding ISO 27001 Annex A 5.18: Best Practices for Access Rights
Every employee within your organisation must have access to specific computers, databases, information systems, and applications to perform their duties.
For example, your human resources department may need access to sensitive health information about employees. In addition, your finance department may need access to and use databases containing employee salary information.
You should provide, modify, and revoke access rights per the company’s access control policy and access control measures. This will prevent unauthorised access to, modification of, and destruction of information assets.
If you do not revoke your former employee’s access rights, that employee may steal sensitive data.
According to ISO 27001:2022, Annex A Control 5.18 addresses how access rights should be assigned, modified, and revoked based on business requirements.
What Is The Purpose of ISO 27001:2022 Annex A 5.18?
According to Annex A Control 5.18, an organisation can implement procedures and controls to assign, modify, and revoke access rights to information systems consistent with its access control policy.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Who Has Ownership of Annex A 5.18?
The Information Security Officer should be responsible for establishing, implementing, and reviewing the appropriate rules, processes, and controls for the provision, modification, and revocation of access rights to information systems.
It is the responsibility of the information security officer to carefully consider business needs when assigning, modifying, and revoking access rights. In addition, the information security officer should work closely with information asset owners to ensure that policies and procedures are followed.
Access Rights – Guidance on Granting and Revocation
To assign or revoke access rights for all types of users to all systems and services, a process must be implemented (however simple and documented it may be). Ideally, it would tie in with the points above and the broader HR Security initiative.
An information system or service should be provisioned or revoked based on the following criteria: Authorisation from the owner of the information system or service, verification that access is appropriate to the role being performed, and protection against provisioning occurring before authorisation has been obtained.
Users should always be granted access per business requirements as part of a business-led approach. While this might sound bureaucratic, it does not have to be. By implementing effective procedures with role-based access to systems and services, this problem can be addressed effectively.
Review of User Access Rights
Asset owners must review users’ access rights regularly during individual changes (on boarding, role changes, and exits) and during broader audits of system access.
Authorisations should be reviewed more frequently in light of the higher risk associated with privileged access rights. As with 9.2, this should be done at least annually or whenever significant changes have been made.
Remove or Adjust Access Rights
It is necessary to remove the access rights of all employees and external party users to information and information processing facilities upon the termination of their employment, contract or agreement (or to adjust their access rights upon change of role if necessary).
If exit policies and procedures are well designed and aligned with A.7, this will also be achieved and demonstrated for audit purposes when employees leave.
For the assignment and revocation of access rights to authenticated individuals, organisations must incorporate the following rules and controls:
- To access and use relevant information assets, the owner of the information asset must authorise access and use. Additionally, organisations should consider requesting separate approval from management before granting access rights.
- Consideration must be given to the business needs of the organisation and its policy regarding access control.
- Organisations should consider the separation of duties. As an example, approval and implementation of access rights can be handled by separate individuals.
- A person’s access rights should be immediately revoked when they no longer require access to information assets, especially if they have departed the organisation.
- A temporary access right can be granted to employees or other staff working for the organisation temporarily. When they cease to be employed by the organisation, their rights should be revoked.
- The organisation’s access control policy should determine an individual’s access level and be reviewed and verified regularly. Further, it should adhere to other information security requirements, such as ISO 27001:2022 Control 5.3, which specifies the segregation of duties.
- The organisation should ensure access rights are activated once the appropriate authorisation process has been completed.
- The access rights associated with each identification, such as an ID or physical, should be maintained in a central access control management system.
- It is imperative to update an individual’s level of access rights if their role or duties change.
- The following methods can be utilised to remove or modify physical or logical access rights: Removal or replacement of keys, ID cards, or authentication information.
- Log and maintain changes to a user’s physical and logical access rights are mandatory.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Supplementary Guidelines for the Review of Access Rights
Periodic reviews of physical and logical access rights should take into account the following:
- When a user is promoted or demoted within the same organisation or when their employment ends, their access rights may change.
- Privilege access authorisation procedure.
Guidance on Changes in Employment or Termination of Employment
Risk factors should be considered when evaluating and modifying an employee’s access rights to information processing systems. This is before they are promoted or demoted within the same organisation:
- This includes determining whether the employee initiated the termination process or the organisation initiated it and the reason for termination.
- A description of the employee’s current responsibilities within the organisation.
- Employees’ access to information assets and their importance and value.
Further Supplement Guidance
It is recommended that organisations establish user access roles in accordance with their business requirements. In addition to the types and numbers of access rights to be granted to each user group, these roles should specify the type of access rights.
Creating such roles will make access requests and rights to be managed and reviewed easier.
It is recommended that organisations include provisions in their employment/service contracts with their staff that address unauthorised access to their systems and sanctions for such access. Annex A controls 5.20, 6.2, 6.4, and 6.6 should be followed.
Organisations must be cautious when dealing with disgruntled employees laid off by management since they may intentionally damage information systems.
Organisations that decide to use cloning techniques to grant access rights should do so based on the roles that the organisation has defined.
There is a risk associated with cloning in that excessive access rights may be granted.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
What Are the Changes and Differences From ISO 27001:2013?
ISO 27001:2022 Annex A 5.18 replaces ISO 27001:2013 Annex A Controls 9.2.2, 9.2.5, and 9.2.6.
The 2022 Version Contains More Comprehensive Requirements for Granting and Revoking Access Rights
The 2013 version of Annex A Control 9.2.2 outlined six requirements for assigning and revoking access rights; however, Annex A Control 5.18 introduces three additional requirements in addition to these six:
- Temporary access rights may be temporarily granted to employees or other staff working for the organisation. As soon as they cease to work for the organisation, these rights should be revoked.
- Removing or modifying physical or logical access rights can be accomplished in the following ways: Removal or replacing keys, identification cards, or authentication information.
- Changing a user’s physical or logical access rights should be logged and documented.
Privileged Access Rights Requirements Are More Detailed in the 2013 Version
According to ISO 27001:2013, Annex A Control 9.5 explicitly states that organisations should review the authorisation for privileged access rights more frequently than other access rights. This requirement was not included in Annex A Control 5.18 in Version 2022.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
How ISMS.online Help
ISO 27001:2022, Annex A 5.18, is one of the most discussed clauses. Many argue that it is the most significant clause in the whole document.
This is because the entire Information Security Management System (ISMS) is based on ensuring the appropriate people have access to the correct information at the right time. Achieving success requires getting it right, but it can severely impact your business.
For example, imagine if you accidentally revealed confidential employee information to the wrong person, such as each employee’s pay.
A mistake here could have significant consequences, so it’s worth taking the time to think it through thoroughly.
Our platform can be extremely helpful in this regard. As a result, it adheres to the whole structure of ISO 27001 and allows you to adopt, adapt, and add to the content we provide. This gives you a significant advantage. Why not schedule a demo to learn more?
