
ISO27001:2022 - A5.18 Access rights

Updated: May 14

Didn’t we cover this already in A5.15 Access Control? Sort of! This is one of the controls that probably should have been merged into an earlier control, but as it stands it is subtly different.


What does the standard require?

The standard states that “Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organisation’s topic-specific policy on, and rules for, access control.” (A5.18 Access Rights)


Why is this required?

If you’ve ever worked in a large company and moved from one department to another, you’ll know why this is important. Someone might start working in Marketing, then move to Finance and finally into a senior position in Operations. But just because they are now in Operations, and in a senior role, does this mean they should have the ‘right’ to access information in the Finance department? Maybe, but maybe not.


You need to ensure access rights are reviewed, modified or removed in a controlled manner.


What the auditor is looking for

If you have done the hard work under A5.15, you should be well on your way to complying with A5.18. However, there are a couple of areas which you need to be conscious of, so that you do not miss them.


In accordance with your Access Control policy, this control requires that access rights shall be:

  • Provisioned

  • Reviewed

  • Modified

  • Removed


The auditor will want to know how often you review your access controls (and rights) across your business, and how these are changed. Again, there is no requirement to have a documented process for this, but you should be able to evidence that an audit of your access has been undertaken. How often you do this will depend on your business and how many changes happen. If you are a smaller business, then changes are unlikely to happen often, so an annual review might be sufficient. If you have many people coming and going, then more regular access reviews might be necessary.
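The mover scenario above (Marketing to Finance to Operations, accumulating rights along the way) and the review the auditor expects to see evidenced can be reduced to a reconciliation: compare what each person currently holds against what their current role entitles them to, and flag what must be provisioned, modified or removed. The script below is an added example, not code from the original post; the role-to-entitlement policy, HR roster and granted rights are all constructed for illustration.

```python
"""Access-rights review: reconcile granted entitlements against the role-based
policy and the current HR roster. Added example; all data is constructed."""
from dataclasses import dataclass, field

# Constructed role-to-entitlement policy (the "rules for access control").
ROLE_ENTITLEMENTS = {
    "marketing.staff": {"crm-read", "web-cms"},
    "finance.analyst": {"ledger-read", "payroll-read"},
    "operations.head": {"ops-dashboard", "ops-admin"},
}

# Constructed HR roster: user -> current role; a leaver has no role (None).
HR_ROSTER = {"alice": "operations.head", "bob": "finance.analyst", "carol": None}

# Constructed list of rights actually granted in the target system.
GRANTS = {
    "alice": {"ops-dashboard", "ops-admin", "ledger-read", "crm-read"},  # mover kept old rights
    "bob": {"ledger-read"},                                               # under-provisioned
    "carol": {"payroll-read"},                                            # leaver never removed
}

@dataclass
class Finding:
    user: str
    action: str                       # "remove", "provision" or "disable"
    rights: frozenset = field(default_factory=frozenset)

def review_access(roster, grants, policy):
    """Return the findings an access-rights review should raise (review evidence)."""
    findings = []
    for user in sorted(set(roster) | set(grants)):
        role = roster.get(user)
        held = grants.get(user, set())
        if role is None:              # leaver or unknown account: every right must go
            if held:
                findings.append(Finding(user, "disable", frozenset(held)))
            continue
        expected = policy[role]
        excess = held - expected      # rights carried over from earlier roles
        missing = expected - held     # rights the current role requires but lacks
        if excess:
            findings.append(Finding(user, "remove", frozenset(excess)))
        if missing:
            findings.append(Finding(user, "provision", frozenset(missing)))
    return findings

if __name__ == "__main__":
    for f in review_access(HR_ROSTER, GRANTS, ROLE_ENTITLEMENTS):
        print(f"{f.user}: {f.action} {sorted(f.rights)}")
```

Running the review on a schedule and keeping its dated output is the kind of evidence the auditor asks for; the same reconciliation applies to physical access lists by swapping the entitlement sets.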


Q & A

Do I need a written policy?

You should already have an Access Control Policy, so you do not need a specific policy related to Access Rights.


Is it possible to get this wrong?

If you can’t evidence an audit of your access rights then this would be a miss, and could lead to a minor non-conformity. Ensure you have an Access Control Policy, and add an access rights review to your annual audit plan, and you will be satisfying this control’s requirements.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This means that it requires little, if any, technical skill to understand the requirement. You need to conduct an audit of your Access Control Policy, which should include a review of access rights to your logical and physical processing facilities, so it is a control with relatively low technical difficulty to implement.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.
