ISO 27002:2022, Control 5.18 – Access Rights

ISO 27002:2022 Revised Controls

Book a demo

coworkers,work,modern,studio.production,managers,team,working,new,project.young,business

Every employee within your organisation will need to have access to certain computers, databases, information systems, and applications to perform their tasks.

For example, while human resources personnel may need access to sensitive health data of employees, your finance department may rely on accessing and using databases containing employee salary details.

However, these access rights should be provided, modified, and revoked in line with your organisation’s access control policy and its access controls so that you can prevent unauthorised access to, modification of, and destruction of information assets.

For instance, if you fail to revoke the access rights of a former employee, that employee may steal sensitive information.

Control 5.18 deals with how organisations should assign, modify and revoke access rights taking into account business requirements.

Purpose of Control 5.18

Control 5.18 enables an organisation to establish and implement appropriate procedures and controls to assign, modify and revoke access rights to information systems in compliance with the organisation’s access control policy and its access controls.

Attributes Table

Control 5.18 is a preventive control that requires organisations to eliminate the risk of unauthorised access to information systems by putting in place robust rules, procedures, and controls.

Control Type Information Security PropertiesCybersecurity ConceptsOperational CapabilitiesSecurity Domains
#Preventive#Confidentiality
#Integrity
#Availability		#Protect #Identity and Access Management#Protection
Jump to Topic
Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Ownership of Control 5.18

An Information security officer should be responsible to establish, implement and review appropriate rules, processes, and controls for provision, modification and revocation of access rights to information systems.

When assigning, modifying, and revoking access rights, the information security officer should consider business needs and should closely work with information asset owners to ensure that rules and processes are adhered to.

Guidance on Granting and Revocation of Access Rights

Organisations should incorporate the following rules and controls into the process for assignment and revocation of access rights to an authenticated individual:

  • Information asset owner should provide its authorisation for access to and use of relevant information assets. Furthermore, organisations should also consider seeking separate approval from the management for granting access rights.

  • Business needs of the organisation and its policy on access control should be taken into account.

  • Organisations should consider segregating duties. For instance, the approval task and the implementation of access rights can be performed by separate individuals.

  • When an individual no longer needs access to information assets, particularly when they are no longer part of the organisation, their access rights should be revoked immediately.

  • Personnel or other staff working for the organisation temporarily can be provided with temporary access rights. These rights should be revoked when they no longer work for the organisation.

  • Level of access provided to an individual should be in line with the organisation’s access control policy and should be reviewed and verified regularly. Furthermore, it should also be in accordance with other information security requirements such as segregation of duties as set out in Control 5.3.

  • Organisations should ensure that access rights are not activated until the appropriate authorisation procedure is completed.

  • Access rights provided to each individual identifier, such as ID or physical, should be logged onto a central access control management system and this system should be maintained.

  • If an individual’s role or duties change, their level of access rights should be updated.

  • Removal or modification of physical or logical access rights can be carried out via the following methods: Removal or replacement of keys, ID cards, or authentication information.

  • Changes to a user’s physical and logical access rights should be logged onto a system and should be maintained.

Supplementary Guidance on Review of Access Rights

Physical and logical access rights should go through periodic reviews taking into account:

  • Changes in each user’s access rights after they are promoted or demoted within the same organisation, or after their employment is terminated.

  • Authorisation procedure for granting privileged access rights.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Guidance on Change or Termination of Employment

Before an employee is promoted or demoted within the same organisation or when his/her employment is terminated, his/her access rights to information processing systems should be evaluated and modified by taking into account the following risk factors:

  • Whether the termination process is initiated by the employee or by the organisation and the reason for termination.

  • Current responsibilities of the employee within the organisation.

  • Criticality and value of information assets accessible to the employee.

Supplementary Guidance

Organisations should consider establishing user access roles based on their business requirements. These roles should include the types and number of access rights to be granted to each user group.

Creating such roles will make it easier to manage and review access requests and rights.

Organisations should include contractual provisions for unauthorised access and sanctions for such access in their employment/service contracts with their staff. This should be in accordance with the controls 5.20, 6.2, 6.4, and 6.6.

Organisations should be cautious against disgruntled employees who are laid off by the management because they may damage information systems on purpose.

If organisations decide to use the cloning techniques to grant access rights, they should perform it on the basis of distinct roles established by the organisation.

It should be noted that cloning comes with the inherent risk of granting excessive access rights.

Changes and Differences from ISO 27002:2013

27002:2022/5.18 replaces 27002:2013/(9.2.2, 9.2.5, 9.2.6).

2022 Version Contains More Comprehensive Requirements for Granting and Revocation of Access Rights

Although Control 9.2.2 in the 2013 version listed six requirements for assigning and revoking access rights, Control 5.18 in 2022 version introduces three new requirements in addition to these six requirements:

  • Personnel or other staff working for the organisation temporarily can be provided with temporary access rights. These rights should be revoked when they no longer perform work for the organisation.

  • Removal or modification of physical or logical access rights can be carried out via the following methods: Removal or replacement of keys, ID cards, or authentication information.

  • Changes to a user’s physical and logical access rights should be logged and maintained.

2013 Version Contains More Detailed Requirements for Privileged Access Rights

Control 9.5 in version 2013 explicitly stated that organisations should review the authorisation for privileged access rights at more frequent intervals than other access rights. Control 5.18 in Version 2022, on the contrary, did not contain this requirement.

How ISMS.online Helps

ISMS.online is a cloud-based platform that offers assistance in implementing the ISO 2702 standard efficiently and cost effectively.

It provides organisations with easy access to up-to-date information about their compliance status at all times through its user-friendly dashboard interface which allows managers to monitor their progress towards achieving compliance quickly and easily.

Get in touch today to book a demo.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing
Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more