ISO 27001:2022 Annex A Control 8.2

General Guidance on ISO 27001:2022 Annex A 8.2

ISO 27001:2022 Annex A 8.2 outlines 12 main guidance points that businesses should follow based on a “topic-specific” policy on access control (see Annex A 5.15) that target specific business functions.

It is crucial for organisations to:

1. Prepare a list of users who require any degree of privileged access – whether to an individual system, an application, or the underlying operating system.
2. Ensure that privileged access rights are assigned to users on an “event by event” basis – users should be granted access rights based on the bare minimum they need to perform their duties.
   

3. Maintain a record of all access rights that have been granted and outline a straightforward authorisation process for all requests for privileged access.
   

4. Access rights must be subject to relevant expiration dates.
   

5. Users should be explicitly informed when they are operating with privileged access to a system.
   

6. When relevant, users are asked to re-authenticate before using privileged access rights to enhance the security of information and data.
   

7. Periodically audit privileged access rights, especially after a period of organisational change. Access rights should be reviewed based on users’ “duties, roles, responsibilities, and competence” (see Annex A 5.18).
   

8. Consider a “break glass” procedure, i.e. granting privileged access rights within tightly-controlled time frames that meet the minimal requirements for an operation to be completed (critical changes, system administration, etc.).
   

9. Make sure that all activities involving privileged access are logged.
   

10. Standardised usernames and passwords (see Annex A 5.17) should not be used for system logins.
    

11. Maintain a policy of assigning users with separate identities to control privileged access rights better. As a result, these identities can be grouped together, with varying levels of access being granted to the associated group.
    

12. Ensure privileged access rights are reserved for tasks critical to the proper functioning of an ICT network, such as network administration and maintenance.

Accompanying Annex A Controls

• ISO 27001:2022 Annex A 5.15

What Are the Changes From ISO 27001:2013?

ISO 27001:2022 Annex A 8.2 replaces ISO 27001:2013 Annex A 9.2.3 (‘Management of Privileged Access Rights’).

Annex A 8.2 of ISO 27001:2022 contains five major guidance points that were not included in its 2013 counterpart:

1. Annex A 8.2 does not explicitly require a different user ID for privileged access.
2. Annex A 8.2 emphasises the need to re-authenticate before receiving privileged access rights.
3. A break glass approach is suggested when performing critical maintenance tasks based on tightly controlled time windows in Annex A 8.2.
4. Annex A 8.2 requires organisations to keep detailed privileged access logs for auditing purposes.
5. Annex A 8.2 requires organisations to limit privileged access rights to administrative tasks.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

With the help of our cloud-based platform and tools, organisations can set up an information security management system (ISMS) in accordance with ISO 27001:2022.

Among these tools are:

1. Templates for common corporate documents.
2. Policies and procedures that are predefined.
3. Supporting internal audits with an audit tool.
4. An approval workflow for all changes made to policies and procedures.
5. Checklist to ensure that your information security policies and processes follow international standards.

Please find out about the full range of features within our toolkit by booking a demo.