
ISO27001:2022 A8.2 – Privileged access rights




When discussing ISO27001 Annex A control A5.18 (Access Rights), we covered the importance of allocating appropriate access to systems. This control, however, asks us to consider the allocation and management of privileged access rights specifically. Ordinarily, only people in specific roles with specific responsibilities are allocated these rights, and the elevated control they confer can give rise to risks and issues.

Therefore, this control ensures that only permitted users, software components, and services hold privileged access to your systems and services, since misuse of that access could pose a threat to your business.

 

What does the standard require?

The standard states that “The allocation and use of privileged access rights shall be restricted and managed.” (A8.2 – Privileged access rights.)

 

Keep in mind that if something is a privilege, it is something not normally afforded to the general population of users. For example, organisations often grant privileged access to systems administrators or to those in senior positions. This can be on a permanent or temporary basis, depending on need.

 

Why is this required?

When discussing Access Controls (A5.15 – Access Control) and Access Rights (A5.18 – Access Rights), we established the importance of ensuring only permitted individuals have access to your premises and systems.

 

But that importance increases for roles where the access itself raises the risk of a data breach or security incident.

For example, you might have two people working in the finance team, where one of them has privileged access that gives them the ability to access the company bank accounts and make payments on behalf of the business. Developers and IT support teams will have privileged access to systems, which allows them to update software and implement technical controls. This kind of privileged access should be tightly controlled and allocated based on need.


 

What the auditor is looking for

The ISO27001 auditor will look for evidence of security measures including:

 

 

What do you need to do?

Take a close look at your organisation chart and identify those in positions that require elevated access to systems and services. What kind of access do they have, and is it allocated only to a distinct group? For example, would everyone in your finance team need access to your company bank accounts, with the right to move money in and out of those accounts? This would present a significant risk to your business, and therefore you should restrict this level of privilege to a small group.

 

Develop your onboarding process to ensure that you provide access to systems based on the role someone plays in your business, and give them the levels of access they need.

 

If you are a small business, you may find this difficult to achieve, in which case you should note this within your risk register and address it through additional controls, such as conducting regular external audits.


 

Q & A

Should privileged access be restricted to one person?

No, because you would be trading one risk for another. For example, if only one person has access to your bank account, or can make system changes, their departure could leave you with systems or services you can’t access. It is better to restrict privileged access to a small group of at least two people, who act as a backup for each other.

 

Difficulty rating

We rate this a 2.5 out of 5 difficulty rating. This control requires careful consideration of the access needs of your business. It also requires regular review in line with your access rights review process.

 

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers on other aspects of the standard. Follow the links in this control to see how it relates to other controls, and if you’re still confused about this control, please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.

 

 
