Every employee within your organisation will need to have access to certain computers, databases, information systems, and applications to perform their tasks.
For example, while human resources personnel may need access to sensitive health data of employees, your finance department may rely on accessing and using databases containing employee salary details.
However, these access rights should be provided, modified, and revoked in line with your organisation’s access control policy and its access controls so that you can prevent unauthorised access to, modification of, and destruction of information assets.
For instance, if you fail to revoke the access rights of a former employee, that employee may steal sensitive information.
Control 5.18 deals with how organisations should assign, modify and revoke access rights taking into account business requirements.
Control 5.18 enables an organisation to establish and implement appropriate procedures and controls to assign, modify and revoke access rights to information systems in compliance with the organisation’s access control policy and its access controls.
Control 5.18 is a preventive control that requires organisations to eliminate the risk of unauthorised access to information systems by putting in place robust rules, procedures, and controls.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity and Access Management | #Protection |
An Information security officer should be responsible to establish, implement and review appropriate rules, processes, and controls for provision, modification and revocation of access rights to information systems.
When assigning, modifying, and revoking access rights, the information security officer should consider business needs and should closely work with information asset owners to ensure that rules and processes are adhered to.
Organisations should incorporate the following rules and controls into the process for assignment and revocation of access rights to an authenticated individual:
Physical and logical access rights should go through periodic reviews taking into account:
Before an employee is promoted or demoted within the same organisation or when his/her employment is terminated, his/her access rights to information processing systems should be evaluated and modified by taking into account the following risk factors:
Organisations should consider establishing user access roles based on their business requirements. These roles should include the types and number of access rights to be granted to each user group.
Creating such roles will make it easier to manage and review access requests and rights.
Organisations should include contractual provisions for unauthorised access and sanctions for such access in their employment/service contracts with their staff. This should be in accordance with the controls 5.20, 6.2, 6.4, and 6.6.
Organisations should be cautious against disgruntled employees who are laid off by the management because they may damage information systems on purpose.
If organisations decide to use the cloning techniques to grant access rights, they should perform it on the basis of distinct roles established by the organisation.
It should be noted that cloning comes with the inherent risk of granting excessive access rights.
27002:2022/5.18 replaces 27002:2013/(9.2.2, 9.2.5, 9.2.6).
Although Control 9.2.2 in the 2013 version listed six requirements for assigning and revoking access rights, Control 5.18 in 2022 version introduces three new requirements in addition to these six requirements:
Control 9.5 in version 2013 explicitly stated that organisations should review the authorisation for privileged access rights at more frequent intervals than other access rights. Control 5.18 in Version 2022, on the contrary, did not contain this requirement.
ISMS.online is a cloud-based platform that offers assistance in implementing the ISO 2702 standard efficiently and cost effectively.
It provides organisations with easy access to up-to-date information about their compliance status at all times through its user-friendly dashboard interface which allows managers to monitor their progress towards achieving compliance quickly and easily.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |