ISO 27001:2022 Annex A Control 5.18

Access Rights

Every employee within your organisation must have access to specific computers, databases, information systems, and applications to perform their duties.

For example, your human resources department may need access to sensitive health information about employees. In addition, your finance department may need access to and use databases containing employee salary information.

You should provide, modify, and revoke access rights per the company’s access control policy and access control measures. This will prevent unauthorised access to, modification of, and destruction of information assets.

If you do not revoke a former employee’s access rights, that employee may steal sensitive data.

According to ISO 27001:2022, Annex A Control 5.18 addresses how access rights should be assigned, modified, and revoked based on business requirements.

What Is The Purpose of ISO 27001:2022 Annex A 5.18?

According to Annex A Control 5.18, an organisation can implement procedures and controls to assign, modify, and revoke access rights to information systems consistent with its access control policy.

Who Has Ownership of Annex A 5.18?

The Information Security Officer should be responsible for establishing, implementing, and reviewing the appropriate rules, processes, and controls for the provision, modification, and revocation of access rights to information systems.

It is the responsibility of the information security officer to carefully consider business needs when assigning, modifying, and revoking access rights. In addition, the information security officer should work closely with information asset owners to ensure that policies and procedures are followed.

Access Rights – Guidance on Granting and Revocation

A process, however simple, must be implemented and documented to assign or revoke access rights for all types of users to all systems and services. Ideally, it would tie in with the points above and the broader HR Security initiative.

An information system or service should be provisioned or revoked based on the following criteria: Authorisation from the owner of the information system or service, verification that access is appropriate to the role being performed, and protection against provisioning occurring before authorisation has been obtained.

Users should always be granted access per business requirements as part of a business-led approach. While this might sound bureaucratic, it does not have to be. By implementing effective procedures with role-based access to systems and services, this problem can be addressed effectively.

Review of User Access Rights

Asset owners must review users’ access rights regularly during individual changes (onboarding, role changes, and exits) and during broader audits of system access.

Authorisations should be reviewed more frequently in light of the higher risk associated with privileged access rights. As with 9.2, this should be done at least annually or whenever significant changes have been made.

Remove or Adjust Access Rights

It is necessary to remove the access rights of all employees and external party users to information and information processing facilities upon the termination of their employment, contract or agreement (or to adjust their access rights upon change of role if necessary).

If exit policies and procedures are well designed and aligned with A.7, this will also be achieved and demonstrated for audit purposes when employees leave.

For the assignment and revocation of access rights to authenticated individuals, organisations must incorporate the following rules and controls:

  • Access to and use of relevant information assets must be authorised by the owner of the information asset. Additionally, organisations should consider requesting separate approval from management before granting access rights.
  • Consideration must be given to the business needs of the organisation and its policy regarding access control.
  • Organisations should consider the separation of duties. As an example, approval and implementation of access rights can be handled by separate individuals.
  • A person’s access rights should be immediately revoked when they no longer require access to information assets, especially if they have departed the organisation.
  • A temporary access right can be granted to employees or other staff working for the organisation temporarily. When they cease to be employed by the organisation, their rights should be revoked.
  • The organisation’s access control policy should determine an individual’s access level and be reviewed and verified regularly. Further, it should adhere to other information security requirements, such as ISO 27001:2022 Control 5.3, which specifies the segregation of duties.
  • The organisation should ensure access rights are activated once the appropriate authorisation process has been completed.
  • The access rights associated with each identification, such as an ID or physical, should be maintained in a central access control management system.
  • It is imperative to update an individual’s level of access rights if their role or duties change.
  • The following methods can be utilised to remove or modify physical or logical access rights: Removal or replacement of keys, ID cards, or authentication information.
  • Logging and maintaining records of changes to a user’s physical and logical access rights is mandatory.

Supplementary Guidelines for the Review of Access Rights

Periodic reviews of physical and logical access rights should take into account the following:

  • When a user is promoted or demoted within the same organisation or when their employment ends, their access rights may change.
  • Privileged access authorisation procedures.

Guidance on Changes in Employment or Termination of Employment

The following risk factors should be considered when evaluating and modifying an employee’s access rights to information processing systems, before they are promoted or demoted within the same organisation:

  • Whether the employee or the organisation initiated the termination process, and the reason for termination.
  • The employee’s current responsibilities within the organisation.
  • The employee’s access to information assets, and the importance and value of those assets.

Further Supplement Guidance

It is recommended that organisations establish user access roles in accordance with their business requirements. In addition to the types and numbers of access rights to be granted to each user group, these roles should specify the type of access rights.

Creating such roles makes access requests and access rights easier to manage and review.

It is recommended that organisations include provisions in their employment/service contracts with their staff that address unauthorised access to their systems and sanctions for such access. Annex A controls 5.20, 6.2, 6.4, and 6.6 should be followed.

Organisations must be cautious when dealing with disgruntled employees laid off by management since they may intentionally damage information systems.

Organisations that decide to use cloning techniques to grant access rights should do so based on the roles that the organisation has defined.

There is a risk associated with cloning in that excessive access rights may be granted.

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 5.18 replaces ISO 27001:2013 Annex A Controls 9.2.2, 9.2.5, and 9.2.6.

The 2022 Version Contains More Comprehensive Requirements for Granting and Revoking Access Rights

The 2013 version of Annex A Control 9.2.2 outlined six requirements for assigning and revoking access rights; Annex A Control 5.18 adds three further requirements to these six:

  1. Temporary access rights may be granted to employees or other staff working for the organisation temporarily. As soon as they cease to work for the organisation, these rights should be revoked.
  2. Physical or logical access rights can be removed or modified by removing or replacing keys, identification cards, or authentication information.
  3. Changes to a user’s physical or logical access rights should be logged and documented.

Privileged Access Rights Requirements Are More Detailed in the 2013 Version

ISO 27001:2013 Annex A Control 9.5 explicitly states that organisations should review the authorisation for privileged access rights more frequently than other access rights. This requirement was not included in Annex A Control 5.18 in the 2022 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management |
| Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer |
| Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information |
| Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |

ISO 27001:2022 People Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting |

ISO 27001:2022 Physical Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |

ISO 27001:2022 Technological Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
| Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |

How ISMS.online Helps

ISO 27001:2022, Annex A 5.18, is one of the most discussed clauses. Many argue that it is the most significant clause in the whole document.

This is because the entire Information Security Management System (ISMS) is based on ensuring the appropriate people have access to the correct information at the right time. Success depends on getting it right, and getting it wrong can severely impact your business.

For example, imagine if you accidentally revealed confidential employee information to the wrong person, such as each employee’s pay.

A mistake here could have significant consequences, so it’s worth taking the time to think it through thoroughly.

Our platform can be extremely helpful in this regard. It adheres to the whole structure of ISO 27001 and allows you to adopt, adapt, and add to the content we provide. This gives you a significant advantage. Why not schedule a demo to learn more?
