ISO 27001:2022 A.8.2 Privileged access rights

This article provides additional information on how you can meet the requirement of ISO 27001:2022 A.8.2 Privileged access rights.

ISO 27001:2022 Control Description

The allocation and use of privileged access rights shall be restricted and managed.

Purpose

To ensure that only authorised users, software components, and services are granted privileged access rights.

Guidance on implementation

To effectively manage and restrict privileged access rights, consider the following:

  1. Identification: Identify users who require privileged access rights for each system or process (e.g., operating systems, database management systems, applications).
  2. Allocation: Grant privileged access rights on an as-needed basis, according to the access control policy. Ensure rights are given only to individuals who are competent and require them for their specific roles.
  3. Authorisation Process: Implement and maintain an authorisation process to approve and record the allocation of privileged access rights. Do not grant these rights until the approval process is complete.
  4. Expiry Requirements: Define and enforce policies for the expiry of privileged access rights.
  5. User Awareness: Ensure users are aware of their privileged access rights and recognise when they are operating in privileged mode. Use specific user identities, interface settings, or dedicated equipment to help with this.
  6. Authentication: Authentication requirements for privileged access can be stricter than those for standard access. Re-authentication or step-up authentication may be necessary before performing privileged tasks.
  7. Regular Reviews: Periodically review and update the list of users with privileged access rights, especially after organisational changes, to confirm that their roles and responsibilities still require such access.
  8. Avoid Generic IDs: Avoid using generic administrative user IDs (e.g., “root”) where possible. Manage and protect authentication details for such identities.
  9. Temporary Access: Grant temporary privileged access only for the time needed to complete specific tasks or changes (e.g., maintenance or critical updates). This is often managed through a 'break glass' procedure, which can be automated with privileged access management tools.
  10. Logging: Log all privileged access to systems for audit purposes.
  11. Unique Identities: Do not share or link privileged access identities among multiple users. Assign separate identities to each user to manage and allocate specific access rights effectively. Group identities (e.g., administrator groups) can simplify management.
  12. Usage Restrictions: Use privileged access identities solely for administrative tasks, not for everyday activities such as checking emails or browsing the web. Users should have separate, non-privileged identities for these general tasks.
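
Several of the items above (3, 4, 7, 8 and 11) can be checked mechanically against a register of privileged access allocations. The following is an added example, not part of the original article or the standard; the register field names, the sample entries, the 90-day review interval and the list of generic IDs are all assumptions made for illustration.

```python
from datetime import date, timedelta

GENERIC_IDS = {"root", "admin", "administrator"}  # assumed list of generic admin IDs
REVIEW_INTERVAL = timedelta(days=90)              # assumed review period

# Constructed sample register; field names are hypothetical.
REGISTER = [
    {"identity": "adm-jsmith", "users": ["jsmith"], "system": "db01",
     "granted": date(2024, 3, 1), "approved": date(2024, 2, 27),
     "expires": date(2024, 9, 1), "last_review": date(2024, 5, 20)},
    {"identity": "root", "users": ["akhan", "blee"], "system": "web01",
     "granted": date(2023, 1, 10), "approved": None,
     "expires": None, "last_review": date(2023, 6, 1)},
    {"identity": "adm-mlopez", "users": ["mlopez"], "system": "erp",
     "granted": date(2024, 1, 15), "approved": date(2024, 1, 20),
     "expires": date(2024, 4, 15), "last_review": date(2024, 4, 1)},
]

def audit(register, today):
    """Return {identity: [findings]} for entries that break a guidance item."""
    report = {}
    for entry in register:
        findings = []
        if entry["approved"] is None:
            findings.append("no recorded approval (item 3)")
        elif entry["approved"] > entry["granted"]:
            findings.append("granted before approval (item 3)")
        if entry["expires"] is None:
            findings.append("no expiry defined (item 4)")
        elif entry["expires"] < today:
            findings.append("expired but still allocated (item 4)")
        if today - entry["last_review"] > REVIEW_INTERVAL:
            findings.append("review overdue (item 7)")
        if entry["identity"].lower() in GENERIC_IDS:
            findings.append("generic administrative ID (item 8)")
        if len(entry["users"]) > 1:
            findings.append("identity shared by multiple users (item 11)")
        if findings:
            report[entry["identity"]] = findings
    return report

if __name__ == "__main__":
    for identity, findings in audit(REGISTER, date(2024, 6, 1)).items():
        print(identity, "->", "; ".join(findings))
```

In practice the register would be exported from the directory service or privileged access management tool rather than written by hand, and the findings would feed the periodic review described in item 7.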

Other Information

Privileged access rights allow users, roles, or processes to perform actions that standard users or processes cannot. System administrator roles typically require such access.

Inappropriate use of system administrator privileges can lead to significant system failures or breaches.