
ISO 27001 Annex A.9: Access Control

ISO 27001 requires that employees can view only the information relevant to their role. This reduces the chance of data reaching unauthorised hands and being leaked.


A.9.1 Business requirements of access control

As part of this control, the standard requires access to information and information processing facilities to be restricted for all involved parties.

A.9.1.1: Access control policy

The access control policy defines who has permission to use which data. Even those allowed to access information are limited in how much they can obtain, depending on their user profile, with only specific roles having exposure to confidential files.

The same goes for all other data classifications. The higher you are in the system, the more access you receive. In addition, further security measures can apply, for instance, asset owners may need to sign off on any data passed on to other employees.

This aspect can slow down data retrieval, but the two-step process limits the number of users with access to passwords, encryption keys and other essential forms of data, and lowers risk.

The policy must keep the following in mind:

  • Security requirements for business applications.
  • Information, authorisation, procedures and responsibilities.
  • Management processes to maintain, review and remove access rights.
  • Standards for privileged access.

A.9.1.2: Access to networks and network services

Access permissions for networks must be formalised and controlled, with the company having strong network controls in place (e.g. VPNs, encrypted transmission, network segmentation) that govern transfers.

Access will be on a need-to-know basis with all other individuals being restricted from these areas, using public networks instead. Human resources should ensure that all workers and contractors are educated on these restrictions.

A.9.2 User access management

To control access to data all users must meet authorisation standards.

A.9.2.1: User registration and de-registration

This process helps regulate permission to access company files and services and ensures that there is a formal process governing how users are given access and how their access is revoked.

Some staff will have privileged access to certain files as their position grants them this authority. Executives often need to use confidential company records to complete reports and strategic documents.

Workers who are terminating their contract must relinquish their access to all company services which should be implemented as a mandatory aspect of de-registration.

For each scenario to work effectively, your systems must support the required authentication techniques; software solutions can help accelerate and improve the process.

A.9.2.2: User access provisioning

There must be a system, preferably automated, to assign and revoke access rights that is consistently applied throughout the entire organisation. The system operators or asset owners must authorise users, verifying that the person has a legitimate reason, position or purpose to request this access. Protective measures also come into play here to avoid access being granted before the review process is complete.

A.9.2.3: Management of privileged access rights

Privileged access rights often give system administrators and those with authority the keys to sensitive information. Unauthorised use or loss of these keys could have a major impact, so the controls for these privileges need to be strict.

Those with special access should not abuse their rights and must be made aware of the importance of the controls and their behaviour. Privileges are granted separately from normal access to avoid conflicts of interest and ensure data protection in alignment with the access control policy.

There must be regular review of administrator accounts and a log for all privileged rights to serve as a history for the control.

A.9.2.4: Management of secret authentication information of users

Secret authentication information needs to be highly encrypted and supported by additional mechanisms (e.g. multi-factor authentication, tokens).

These authentication systems must be managed efficiently and remain confidential, or significant legal, financial or medical information runs the risk of being leaked.

A.9.2.5: Review of user access rights

Asset owners need to review their list of authorised personnel regularly and keep updated records for reference, because changes such as role changes, restructures or mergers can affect access rights.

This is even more important for persons with privileged access rights as sensitive data needs constant protection. ISO recommends reviewing the accounts more regularly, at least quarterly.

A.9.2.6: Removal or adjustment of access rights

All exiting employees and interested parties must have their rights removed upon termination. Implementing an exit policy here will help outline all the necessary procedures involved in termination.

For adjustments such as changing positions within the firm, rights must be removed and correctly reassigned to prevent access issues.
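The review (A.9.2.5), removal or adjustment (A.9.2.6) and privileged-access (A.9.2.3) controls above all reduce to one recurring reconciliation: compare who HR says works here, and in what role, against what the systems actually grant. The script below is an added example and not code from this page or from any ISMS product; the roster, roles, entitlements, review date and the 90-day privileged review interval are all constructed for illustration.

```python
"""Access-rights review that reconciles an HR roster with an account export.

Added example, not code from the original page or from any ISMS product:
it produces the findings a periodic review (A.9.2.5) and the removal or
adjustment process (A.9.2.6) need to act on, and flags privileged grants
(A.9.2.3) whose last review is older than a quarter. Roster, roles,
entitlements and dates below are all constructed for illustration.
"""
from datetime import date, timedelta

# Constructed HR roster: current status and role of each person.
HR_ROSTER = {
    "alice": {"role": "finance-analyst", "status": "active"},
    "bob":   {"role": "developer",       "status": "active"},
    "carol": {"role": "sysadmin",        "status": "active"},
    "dave":  {"role": "developer",       "status": "left"},   # leaver
}

# Entitlements each role is approved for (the access control policy).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"finance-reports:read"},
    "developer":       {"source-repo:read", "source-repo:write"},
    "sysadmin":        {"prod-admin", "source-repo:read"},
}

PRIVILEGED = {"prod-admin"}                      # grants treated as privileged
PRIVILEGED_REVIEW_MAX_AGE = timedelta(days=90)   # quarterly, as the page recommends
REVIEW_DATE = date(2024, 6, 1)                   # constructed "today" for the review

# Constructed account export: entitlements held, plus the date a privileged
# grant was last reviewed where one is recorded.
ACCOUNTS = {
    "alice": {"entitlements": {"finance-reports:read", "source-repo:read"}},  # mover: stale dev access
    "bob":   {"entitlements": {"source-repo:read", "source-repo:write"}},
    "carol": {"entitlements": {"prod-admin", "source-repo:read"}, "last_review": date(2024, 1, 5)},
    "dave":  {"entitlements": {"source-repo:read"}},                          # leaver still enabled
    "erin":  {"entitlements": {"finance-reports:read"}},                      # not on the roster
}


def review_access(roster, accounts, today):
    """Return review findings grouped by type as sorted lists of (user, detail)."""
    findings = {
        "leaver_active": [],              # account still enabled after departure
        "orphan_account": [],             # account with no matching person in HR
        "excess_entitlement": [],         # held but not approved for current role
        "privileged_review_overdue": [],  # privileged grant not reviewed within 90 days
    }
    for user, acct in sorted(accounts.items()):
        person = roster.get(user)
        held = acct["entitlements"]
        if person is None:
            findings["orphan_account"].append((user, sorted(held)))
            continue
        if person["status"] != "active":
            findings["leaver_active"].append((user, sorted(held)))
            continue
        approved = ROLE_ENTITLEMENTS.get(person["role"], set())
        excess = held - approved
        if excess:
            findings["excess_entitlement"].append((user, sorted(excess)))
        privileged_held = held & PRIVILEGED
        if privileged_held:
            last = acct.get("last_review")
            if last is None or today - last > PRIVILEGED_REVIEW_MAX_AGE:
                findings["privileged_review_overdue"].append((user, sorted(privileged_held)))
    return findings


def revocation_actions(findings):
    """Turn findings into the concrete removals and adjustments to carry out."""
    actions = []
    for user, _ in findings["leaver_active"] + findings["orphan_account"]:
        actions.append((user, "disable-account"))
    for user, excess in findings["excess_entitlement"]:
        for ent in excess:
            actions.append((user, f"revoke:{ent}"))
    for user, priv in findings["privileged_review_overdue"]:
        for ent in priv:
            actions.append((user, f"re-review:{ent}"))
    return sorted(actions)


if __name__ == "__main__":
    result = review_access(HR_ROSTER, ACCOUNTS, REVIEW_DATE)
    for kind, items in result.items():
        print(kind, items)
    print(revocation_actions(result))
```

The design point is that every finding type maps to a specific removal or adjustment action, so the review output is a work list rather than a report that sits unread; in practice the roster and account export would come from the HR system and the directory rather than from inline dictionaries.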

A.9.3 User responsibilities

Every user is responsible for safeguarding their credentials and authentication data; the company policy should state this in writing, and security awareness training should reinforce it.

A.9.3.1: Use of secret authentication information

Human Resources is encouraged to work together with management to conduct education and training on best practices to maintain valid authentication identities.

A solid IT security policy will highlight all the essential guidelines for this control which should include implementing controls to promote password confidentiality and advise users about unsecured storage of this type of information.

A.9.4 System and application access control

These controls aim to prevent all unauthorised access to software applications and systems by following access control policy standards.

A.9.4.1: Information access restriction

The access control policy must apply to all systems within the company, and measures must be set to reflect the different levels of access restriction across the organisation.

Consider features like:

  • Role-based access control,
  • Tiered levels of access,
  • Specially designed application menu systems,
  • Permissions for read-only, write, edit and delete options,
  • Limits on displayed information, and
  • Systematic access controls for sensitive information.

These small steps will come together to help enforce access controls for users based on their background, duties and objectives in the system.
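The list above combines in a single authorisation check: each role grants a permission set per data classification tier, anything not explicitly granted is denied, and what a screen displays is filtered to what the caller may read. The code below is an added example, not code from this page; the roles, classification tiers, users and the sample employee record are constructed for illustration.

```python
"""Deny-by-default role-based access control with tiered classifications.

Added example, not code from the page: a user's roles map to permission
sets per data classification, and a record's fields are filtered to what
the caller may read. Roles, classifications, users and the sample record
are constructed for illustration.
"""
from enum import Flag, auto


class Perm(Flag):
    """Permissions for read-only, write, edit and delete."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EDIT = auto()
    DELETE = auto()


# Tiered levels of access, least to most sensitive.
CLASSIFICATIONS = ("public", "internal", "confidential", "restricted")

# What each role may do at each classification; anything unlisted is denied.
ROLE_PERMISSIONS = {
    "staff": {
        "public": Perm.READ | Perm.WRITE | Perm.EDIT,
        "internal": Perm.READ,
    },
    "analyst": {
        "internal": Perm.READ | Perm.WRITE | Perm.EDIT,
        "confidential": Perm.READ,
    },
    "records-owner": {
        "confidential": Perm.READ | Perm.WRITE | Perm.EDIT | Perm.DELETE,
        "restricted": Perm.READ,
    },
}

USER_ROLES = {
    "alice": {"staff", "analyst"},
    "bob": {"staff"},
    "owner": {"staff", "records-owner"},
}


def effective_permissions(user, classification):
    """Union of the permissions every role of the user grants at this tier."""
    perms = Perm.NONE
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, {}).get(classification, Perm.NONE)
    return perms


def is_allowed(user, classification, action):
    """Deny by default: an unknown user, tier, role or empty action yields False."""
    if classification not in CLASSIFICATIONS or action == Perm.NONE:
        return False
    return action in effective_permissions(user, classification)


# Constructed record whose fields carry different classifications.
EMPLOYEE_RECORD = {
    "name":         ("public", "A. Example"),
    "department":   ("internal", "Finance"),
    "salary":       ("confidential", 52000),
    "disciplinary": ("restricted", "none on file"),
}


def visible_fields(user, record):
    """Limit displayed information to the fields the user may read."""
    return {
        field: value
        for field, (classification, value) in record.items()
        if is_allowed(user, classification, Perm.READ)
    }


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, visible_fields(user, EMPLOYEE_RECORD))
```

Because `is_allowed` starts from an empty permission set and only adds what a role explicitly grants, a user with no roles, a typo in a classification name, or a role that was never given an entry at a tier all resolve to "denied" rather than to an accidental grant.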

A.9.4.2: Secure log-on procedures

Log-on procedures help verify the identities of all users on any company database or application. Passwords are only one option in the process; biometrics and cryptographic methods can be used as reinforcement. End-to-end encryption is becoming increasingly popular for securing the data shared with users on the system at any point, with both passwords and data output protected in this manner.

Any system access point should also include a notice indicating that only authorised personnel will be allowed entry. The standard has been designed to comply with various cyber security laws that may apply within your country or jurisdiction.

For a more secure log-on policy, access can be denied to users depending on the time or location of the attempt. Some systems can restrict access to company working hours to ensure data is only released within the business setting. This may not be possible or fit with your business objectives, but it should be considered for high-risk environments.

All successful and failed log-in attempts should be recorded and included in your reports so that they are available in the event of a security breach. These records help narrow down the offenders and investigate the events of the incident in a timely manner.
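Recording every successful and failed attempt is only useful if someone looks at the records, and the two checks the text motivates are simple to run over them: repeated failures against one account inside a short window, and successful log-ons outside working hours. The code below is an added example, not code from this page; the log line format, the sample lines, the five-failures-in-ten-minutes threshold and the 08:00 to 18:00 working hours are all assumptions.

```python
"""Review of log-on records: repeated failures and out-of-hours successes.

Added example, not code from the page. It parses a constructed log of
successful and failed log-on attempts and flags (a) users with repeated
failures inside a short window and (b) successful log-ons outside working
hours. The log format, thresholds and working hours are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, user, source address, result.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample log, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=alice src=10.0.0.5 result=SUCCESS
2024-03-04T10:01:00 user=bob src=10.0.0.9 result=FAILURE
2024-03-04T10:01:20 user=bob src=10.0.0.9 result=FAILURE
2024-03-04T10:01:41 user=bob src=10.0.0.9 result=FAILURE
2024-03-04T10:02:03 user=bob src=10.0.0.9 result=FAILURE
2024-03-04T10:02:30 user=bob src=10.0.0.9 result=FAILURE
2024-03-04T10:03:00 user=bob src=10.0.0.9 result=SUCCESS
2024-03-04T11:30:00 user=carol src=10.0.0.7 result=FAILURE
this line is malformed and must be skipped rather than abort the review
2024-03-04T22:40:13 user=alice src=10.0.0.5 result=SUCCESS
"""

FAILURE_THRESHOLD = 5                   # this many failures ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within this window raises an alert
WORK_HOURS = range(8, 18)               # 08:00 to 17:59, assumed working hours


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failure_bursts(events):
    """Return (user, time) at which a user reaches the failure threshold in the window."""
    recent = defaultdict(deque)  # per-user sliding window of failure timestamps
    alerts = []
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAILURE":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > FAILURE_WINDOW:
            q.popleft()
        if len(q) >= FAILURE_THRESHOLD and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append((ev["user"], ev["ts"]))
    return alerts


def out_of_hours_successes(events):
    """Return (user, time) for successful log-ons outside working hours."""
    return [
        (ev["user"], ev["ts"])
        for ev in events
        if ev["result"] == "SUCCESS" and ev["ts"].hour not in WORK_HOURS
    ]


def review(text):
    """Run both checks over a log and summarise what was processed."""
    events = parse_log(text)
    return {
        "events": len(events),
        "failure_bursts": failure_bursts(events),
        "out_of_hours": out_of_hours_successes(events),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

A burst followed by a success for the same account (as for `bob` here) is the pattern worth escalating first; the parser deliberately skips lines it cannot read instead of aborting, because a review that stops at the first bad line never reaches the events that matter.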

A.9.4.3: Password management system

Password management systems are helpful for both the company and users.

  • Firstly, they help generate and enforce strong passwords, which reduce the likelihood of your accounts being compromised.
  • They also assist in recovery procedures, like if users forget their password or need to change it suddenly.

A.9.4.4: Use of privileged utility programs

How often do you get pop-up ads for the latest software to clean up your computer or repair broken entry codes? The Internet is bombarded with different utility programs, all claiming to help you stay organised. Yet many of these programs are viruses and malware that attackers use to get into your system and even target your antivirus software, and before you know it, they have access to confidential files.

ISO 27001 warns against downloading random utility programs to your system. Those you use must be verified by competent staff and checked for any possible spyware, malware or insecure code. If a program is required, then only a small group of personnel should have privileged access rights to it, and its use should be monitored.

A.9.4.5: Access control to programme source code

Program source code is another target that attackers try to steal, sell and/or use to get into company systems, as it often contains critical information about databases, designs and plans. Unauthorised users can then easily manipulate it to access major files.

Access control to programme source code should therefore be restricted in the following manner:

  • Limiting access to only a few skilled company personnel,
  • Including only compiled code in operational systems,
  • Restricting source code access as much as possible,
  • Logging all access to source code,
  • Frequently reviewing access logs,
  • Implementing strict change control procedures,
  • Frequently conducting internal audits and reviews.