ISO 27002:2022 – Control 5.18 – Access Rights

Ensuring Secure Access: ISO 27002 Control 5.18 Explained

Every employee within your organisation will need to have access to certain computers, databases, information systems, and applications to perform their tasks.

For example, while human resources personnel may need access to sensitive health data of employees, your finance department may rely on accessing and using databases containing employee salary details.

However, these access rights should be provided, modified, and revoked in line with your organisation’s access control policy and its access controls so that you can prevent unauthorised access to, modification of, and destruction of information assets.

For instance, if you fail to revoke the access rights of a former employee, that employee may steal sensitive information.

Control 5.18 deals with how organisations should assign, modify and revoke access rights taking into account business requirements.

Purpose of Control 5.18

Control 5.18 enables an organisation to establish and implement appropriate procedures and controls to assign, modify and revoke access rights to information systems in compliance with the organisation’s access control policy and its access controls.

Attributes of Control 5.18

Control 5.18 is a preventive control that requires organisations to eliminate the risk of unauthorised access to information systems by putting in place robust rules, procedures, and controls.

Ownership of Control 5.18

An Information security officer should be responsible to establish, implement and review appropriate rules, processes, and controls for provision, modification and revocation of access rights to information systems.

When assigning, modifying, and revoking access rights, the information security officer should consider business needs and should closely work with information asset owners to ensure that rules and processes are adhered to.

Guidance on Granting and Revocation of Access Rights

Organisations should incorporate the following rules and controls into the process for assignment and revocation of access rights to an authenticated individual:

• Information asset owner should provide its authorisation for access to and use of relevant information assets. Furthermore, organisations should also consider seeking separate approval from the management for granting access rights.
• Business needs of the organisation and its policy on access control should be taken into account.
• Organisations should consider segregating duties. For instance, the approval task and the implementation of access rights can be performed by separate individuals.
• When an individual no longer needs access to information assets, particularly when they are no longer part of the organisation, their access rights should be revoked immediately.
• Personnel or other staff working for the organisation temporarily can be provided with temporary access rights. These rights should be revoked when they no longer work for the organisation.
• Level of access provided to an individual should be in line with the organisation’s access control policy and should be reviewed and verified regularly. Furthermore, it should also be in accordance with other information security requirements such as segregation of duties as set out in Control 5.3.
• Organisations should ensure that access rights are not activated until the appropriate authorisation procedure is completed.
• Access rights provided to each individual identifier, such as ID or physical, should be logged onto a central access control management system and this system should be maintained.
• If an individual’s role or duties change, their level of access rights should be updated.
• Removal or modification of physical or logical access rights can be carried out via the following methods: Removal or replacement of keys, ID cards, or authentication information.
• Changes to a user’s physical and logical access rights should be logged onto a system and should be maintained.

Supplementary Guidance on Review of Access Rights

Physical and logical access rights should go through periodic reviews taking into account:

• Changes in each user’s access rights after they are promoted or demoted within the same organisation, or after their employment is terminated.
• Authorisation procedure for granting privileged access rights.

Guidance on Change or Termination of Employment

Before an employee is promoted or demoted within the same organisation or when his/her employment is terminated, his/her access rights to information processing systems should be evaluated and modified by taking into account the following risk factors:

• Whether the termination process is initiated by the employee or by the organisation and the reason for termination.
• Current responsibilities of the employee within the organisation.
• Criticality and value of information assets accessible to the employee.

Supplementary Guidance

Organisations should consider establishing user access roles based on their business requirements. These roles should include the types and number of access rights to be granted to each user group.

Creating such roles will make it easier to manage and review access requests and rights.

Organisations should include contractual provisions for unauthorised access and sanctions for such access in their employment/service contracts with their staff. This should be in accordance with the controls 5.20, 6.2, 6.4, and 6.6.

Organisations should be cautious against disgruntled employees who are laid off by the management because they may damage information systems on purpose.

If organisations decide to use the cloning techniques to grant access rights, they should perform it on the basis of distinct roles established by the organisation.

It should be noted that cloning comes with the inherent risk of granting excessive access rights.

Changes and Differences from ISO 27002:2013

27002:2022/5.18 replaces 27002:2013/(9.2.2, 9.2.5, 9.2.6).

2022 Version Contains More Comprehensive Requirements for Granting and Revocation of Access Rights

Although Control 9.2.2 in the 2013 version listed six requirements for assigning and revoking access rights, Control 5.18 in 2022 version introduces three new requirements in addition to these six requirements:

• Personnel or other staff working for the organisation temporarily can be provided with temporary access rights. These rights should be revoked when they no longer perform work for the organisation.
• Removal or modification of physical or logical access rights can be carried out via the following methods: Removal or replacement of keys, ID cards, or authentication information.
• Changes to a user’s physical and logical access rights should be logged and maintained.

2013 Version Contains More Detailed Requirements for Privileged Access Rights

Control 9.5 in version 2013 explicitly stated that organisations should review the authorisation for privileged access rights at more frequent intervals than other access rights. Control 5.18 in Version 2022, on the contrary, did not contain this requirement.

New ISO 27002 Controls

How ISMS.online Helps

ISMS.online is a cloud-based platform that offers assistance in implementing the ISO 2702 standard efficiently and cost effectively.

It provides organisations with easy access to up-to-date information about their compliance status at all times through its user-friendly dashboard interface which allows managers to monitor their progress towards achieving compliance quickly and easily.

Get in touch today to book a demo.