ISO 27001:2022 Annex A Control 5.18

Access Rights – Guidance on Granting and Revocation

To assign or revoke access rights for all types of users to all systems and services, a process must be implemented (however simple and documented it may be). Ideally, it would tie in with the points above and the broader HR Security initiative.

An information system or service should be provisioned or revoked based on the following criteria: Authorisation from the owner of the information system or service, verification that access is appropriate to the role being performed, and protection against provisioning occurring before authorisation has been obtained.

Users should always be granted access per business requirements as part of a business-led approach. While this might sound bureaucratic, it does not have to be. By implementing effective procedures with role-based access to systems and services, this problem can be addressed effectively.

Review of User Access Rights

Asset owners must review users’ access rights regularly during individual changes (on boarding, role changes, and exits) and during broader audits of system access.

Authorisations should be reviewed more frequently in light of the higher risk associated with privileged access rights. As with 9.2, this should be done at least annually or whenever significant changes have been made.

Remove or Adjust Access Rights

It is necessary to remove the access rights of all employees and external party users to information and information processing facilities upon the termination of their employment, contract or agreement (or to adjust their access rights upon change of role if necessary).

If exit policies and procedures are well designed and aligned with A.7, this will also be achieved and demonstrated for audit purposes when employees leave.

For the assignment and revocation of access rights to authenticated individuals, organisations must incorporate the following rules and controls:

• To access and use relevant information assets, the owner of the information asset must authorise access and use. Additionally, organisations should consider requesting separate approval from management before granting access rights.
• Consideration must be given to the business needs of the organisation and its policy regarding access control.
• Organisations should consider the separation of duties. As an example, approval and implementation of access rights can be handled by separate individuals.
• A person’s access rights should be immediately revoked when they no longer require access to information assets, especially if they have departed the organisation.
• A temporary access right can be granted to employees or other staff working for the organisation temporarily. When they cease to be employed by the organisation, their rights should be revoked.
• The organisation’s access control policy should determine an individual’s access level and be reviewed and verified regularly. Further, it should adhere to other information security requirements, such as ISO 27001:2022 Control 5.3, which specifies the segregation of duties.
• The organisation should ensure access rights are activated once the appropriate authorisation process has been completed.
• The access rights associated with each identification, such as an ID or physical, should be maintained in a central access control management system.
• It is imperative to update an individual’s level of access rights if their role or duties change.
• The following methods can be utilised to remove or modify physical or logical access rights: Removal or replacement of keys, ID cards, or authentication information.
• Log and maintain changes to a user’s physical and logical access rights are mandatory.

Supplementary Guidelines for the Review of Access Rights

Periodic reviews of physical and logical access rights should take into account the following:

• When a user is promoted or demoted within the same organisation or when their employment ends, their access rights may change.
• Privilege access authorisation procedure.

Guidance on Changes in Employment or Termination of Employment

Risk factors should be considered when evaluating and modifying an employee’s access rights to information processing systems. This is before they are promoted or demoted within the same organisation:

• This includes determining whether the employee initiated the termination process or the organisation initiated it and the reason for termination.
• A description of the employee’s current responsibilities within the organisation.
• Employees’ access to information assets and their importance and value.

Further Supplement Guidance

It is recommended that organisations establish user access roles in accordance with their business requirements. In addition to the types and numbers of access rights to be granted to each user group, these roles should specify the type of access rights.

Creating such roles will make access requests and rights to be managed and reviewed easier.

It is recommended that organisations include provisions in their employment/service contracts with their staff that address unauthorised access to their systems and sanctions for such access. Annex A controls 5.20, 6.2, 6.4, and 6.6 should be followed.

Organisations must be cautious when dealing with disgruntled employees laid off by management since they may intentionally damage information systems.

Organisations that decide to use cloning techniques to grant access rights should do so based on the roles that the organisation has defined.

There is a risk associated with cloning in that excessive access rights may be granted.

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 5.18 replaces ISO 27001:2013 Annex A Controls 9.2.2, 9.2.5, and 9.2.6.

The 2022 Version Contains More Comprehensive Requirements for Granting and Revoking Access Rights

The 2013 version of Annex A Control 9.2.2 outlined six requirements for assigning and revoking access rights; however, Annex A Control 5.18 introduces three additional requirements in addition to these six:

1. Temporary access rights may be temporarily granted to employees or other staff working for the organisation. As soon as they cease to work for the organisation, these rights should be revoked.
2. Removing or modifying physical or logical access rights can be accomplished in the following ways: Removal or replacing keys, identification cards, or authentication information.
3. Changing a user’s physical or logical access rights should be logged and documented.

Privileged Access Rights Requirements Are More Detailed in the 2013 Version

According to ISO 27001:2013, Annex A Control 9.5 explicitly states that organisations should review the authorisation for privileged access rights more frequently than other access rights. This requirement was not included in Annex A Control 5.18 in Version 2022.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISO 27001:2022, Annex A 5.18, is one of the most discussed clauses. Many argue that it is the most significant clause in the whole document.

This is because the entire Information Security Management System (ISMS) is based on ensuring the appropriate people have access to the correct information at the right time. Achieving success requires getting it right, but it can severely impact your business.

For example, imagine if you accidentally revealed confidential employee information to the wrong person, such as each employee’s pay.

A mistake here could have significant consequences, so it’s worth taking the time to think it through thoroughly.

Our platform can be extremely helpful in this regard. As a result, it adheres to the whole structure of ISO 27001 and allows you to adopt, adapt, and add to the content we provide. This gives you a significant advantage. Why not schedule a demo to learn more?