ISO 27001: 2022 A.5.18 Access rights

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.18 Access rights.

ISO 27001: 2022 Control Description

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organisation’s topic-specific policy on and rules for access control.

Purpose

To ensure that access to information and other associated assets is defined and authorised according to business requirements.

Guidance on implementation

The process for assigning or revoking physical and logical access rights granted to an entity’s authenticated identity should include:

a) Obtaining authorisation from the owner of the information and other associated assets for their use. Separate approval for access rights by management may also be appropriate;

b) Considering the business requirements and the organisation’s topic-specific policy and rules on access control;

c) Considering the segregation of duties, including separating the roles of approval and implementation of access rights, and preventing conflicting roles;

d) Ensuring that access rights are removed when they are no longer needed, particularly ensuring that the access rights of users who have left the organisation are removed in a timely manner;

e) Considering the provision of temporary access rights for a limited period and revoking them at the expiration date, particularly for temporary personnel or temporary access required by personnel;

f) Verifying that the level of access granted aligns with the topic-specific policies on access control and is consistent with other information security requirements, such as the segregation of duties;

g) Ensuring that access rights are activated (e.g. by service providers) only after authorisation procedures are successfully completed;

h) Maintaining a central record of access rights granted to a user identifier (ID, logical or physical) for accessing information and other associated assets;

i) Modifying access rights for users who have changed roles or jobs;

j) Removing or adjusting physical and logical access rights, which can be done by the removal, revocation, or replacement of keys, authentication information, identification cards, or subscriptions;

k) Maintaining a record of changes to users’ logical and physical access rights.

Review of Access Rights

Regular reviews of physical and logical access rights should consider the following:

a) Users’ access rights after any change within the same organisation (e.g. job change, promotion, demotion) or termination of employment;

b) Authorisations for privileged access rights.
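The provisioning and revocation steps above, together with the review of rights after a role change or departure, can be enforced in a small access-rights register. The following Python block is an added example written for this page; it is not code from ISO 27001 or from any product. The asset names, user IDs, the `AccessRegister` class and its methods are all hypothetical, and the sample grants and the fixed clock are constructed so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class AccessPolicyError(Exception):
    """Raised when a requested change would break the access-control rules."""


@dataclass
class Grant:
    grant_id: int
    user_id: str
    asset: str
    right: str                             # e.g. "read", "write", "admin"
    privileged: bool = False
    approved_by: Optional[str] = None      # asset owner who authorised it (a)
    activated_by: Optional[str] = None     # person who implemented it (c, g)
    active: bool = False
    expires_at: Optional[datetime] = None  # None means standing access (e)


class AccessRegister:
    """Central record of grants (h) plus a log of every change to them (k)."""

    def __init__(self, asset_owners: dict, clock=None):
        self.asset_owners = asset_owners   # asset -> owner user ID (hypothetical mapping)
        self.grants: list = []
        self.changes: list = []            # (timestamp, actor, action, grant_id, detail)
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, actor, action, grant, detail=""):
        self.changes.append((self.clock(), actor, action, grant.grant_id, detail))

    def request(self, user_id, asset, right, requested_by, ttl_days=None, privileged=False):
        if asset not in self.asset_owners:
            raise AccessPolicyError(f"no registered owner for asset {asset!r}")
        g = Grant(len(self.grants) + 1, user_id, asset, right, privileged)
        if ttl_days is not None:                       # temporary access (e)
            g.expires_at = self.clock() + timedelta(days=ttl_days)
        self.grants.append(g)
        self._log(requested_by, "request", g)
        return g

    def approve(self, grant, approver):
        if approver != self.asset_owners[grant.asset]:  # owner authorises (a)
            raise AccessPolicyError("only the asset owner may authorise access")
        grant.approved_by = approver
        self._log(approver, "approve", grant)

    def activate(self, grant, implementer):
        if grant.approved_by is None:                   # no activation before authorisation (g)
            raise AccessPolicyError("cannot activate: authorisation not completed")
        if implementer == grant.approved_by:            # separate approval from implementation (c)
            raise AccessPolicyError("segregation of duties: approver may not implement")
        grant.active, grant.activated_by = True, implementer
        self._log(implementer, "activate", grant)

    def revoke(self, grant, actor, reason):
        if grant.active:
            grant.active = False
            self._log(actor, "revoke", grant, reason)

    def expire_due(self, actor="scheduler"):
        """Revoke every active grant whose expiry date has passed (e)."""
        now = self.clock()
        due = [g for g in self.grants if g.active and g.expires_at and g.expires_at <= now]
        for g in due:
            self.revoke(g, actor, "expired")
        return due

    def active_rights(self, user_id):
        return [g for g in self.grants if g.active and g.user_id == user_id]

    def review(self, leavers=(), role_changes=()):
        """Grants a periodic review must confirm or remove: leavers, role changes, privileged."""
        findings = {"leaver_still_active": [], "role_changed": [], "privileged": []}
        for g in self.grants:
            if not g.active:
                continue
            if g.user_id in leavers:
                findings["leaver_still_active"].append(g)
            elif g.user_id in role_changes:
                findings["role_changed"].append(g)
            if g.privileged:
                findings["privileged"].append(g)
        return findings


def run_demo():
    """Constructed scenario: a 30-day grant that lapses and a privileged leaver."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]   # fixed clock, not wall time
    reg = AccessRegister({"hr-db": "alice"}, clock=lambda: now[0])
    g = reg.request("carol", "hr-db", "read", requested_by="carol", ttl_days=30)
    try:
        reg.activate(g, "bob")        # rejected: not yet authorised (g)
    except AccessPolicyError:
        pass
    reg.approve(g, "alice")
    try:
        reg.activate(g, "alice")      # rejected: approver cannot implement (c)
    except AccessPolicyError:
        pass
    reg.activate(g, "bob")
    p = reg.request("dave", "hr-db", "admin", requested_by="dave", privileged=True)
    reg.approve(p, "alice")
    reg.activate(p, "bob")
    now[0] += timedelta(days=31)
    expired = reg.expire_due()        # carol's temporary grant is revoked
    findings = reg.review(leavers={"dave"})
    return reg, expired, findings
```

The two rejected `activate` calls are the point of the example: a grant cannot become live before the owner has authorised it, and the person who approved it cannot also switch it on. The `changes` list is the audit trail an auditor would ask for under item k), and `review` produces the worklist for the periodic review of leavers, movers and privileged authorisations.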

Consideration Before Change or Termination of Employment

A user’s access rights to information and other associated assets should be reviewed and adjusted or removed before any change or termination of employment, based on the evaluation of risk factors such as:

a) Whether the termination or change is initiated by the user or by management, and the reason for termination;

b) The current responsibilities of the user;

c) The value of the assets currently accessible.

Other Information

Consideration should be given to establishing user access roles based on business requirements that summarise several access rights into typical user access profiles. Access requests and reviews of access rights are easier to manage at the level of such roles than at the level of particular rights.

Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorised access is attempted by personnel.

In cases of management-initiated termination, disgruntled personnel or external party users may deliberately corrupt information or sabotage information processing facilities. Persons who are resigning or being dismissed may be tempted to collect information for future use.

Cloning is an efficient way for organisations to assign access to users. However, it should be done with care, based on distinct roles identified by the organisation, rather than by simply cloning an identity with all of its associated access rights. Cloning carries an inherent risk: the new identity inherits every right the source identity has accumulated, including rights that are no longer needed or were never formally authorised for the new user.