
ISO 27001:2022 Annex A Control 5.18

Access rights

Annex A control 5.18 of the 2022 version of the ISO 27001 standard maps to ISO 27001:2013 Annex A 9.2.2, 9.2.5 and 9.2.6.

From HR and sensitive health data to finance and salary information, access to specific applications, information systems and databases is part of almost every organisational role. To maintain cybersecurity, control 5.18 outlines how access rights should be provided, modified and revoked in line with the company's access control policy and measures. The aim is to prevent unauthorised access to, and modification of, information assets.

Granting and revoking access rights

According to control 5.18, how access rights are assigned, modified and revoked should be based on clear procedures and policies. A key criterion in that process is authorisation from the owner of the system or service concerned.

Verification is necessary to confirm that the access requested is genuinely needed for the role being performed, and to guard against access being provisioned before authorisation has been given.

There should be a business-led access approach in place, outlining how role-based access should be granted.

Reviewing user access rights

Annex A control 5.18 states that asset owners must regularly review user access rights, both during system audits and on individual changes such as exits and role changes. Reviews of who holds authorisation should be carried out at least once per year, and more often for those with more privileged access rights.

Removing or adjusting access rights

If employment, a contract, or an agreement is terminated, it is vital that access rights are removed through well-designed exit procedures. Annex A control 5.18 outlines rules and controls for adjusting, assigning, and revoking access rights. These include:

  • Access to and use of information assets must be authorised by their owners when necessary. Organisations should also consider requiring separate approval from management before granting access rights.
  • The organisation's business needs and its access control policy must be taken into account.
  • Separation of duties should be considered, allowing the approval and implementation of access rights to be managed by different individuals.
  • Access rights should be promptly revoked when users no longer need information assets, particularly if they have left the organisation.
  • Temporary access rights can be granted to temporary staff, but these should be revoked once their employment period ends.
  • Access control policies should define individual access levels and should be reviewed and verified regularly.
  • Organisations should ensure access rights are activated only after the appropriate authorisation process is completed.
  • Access rights for each identity should be maintained in a central access control management system.
  • An individual’s access level should be updated if their roles or duties change.
  • Keys, ID cards, or authentication information should be removed or replaced to modify or revoke physical or logical access rights.
  • All changes to a user’s physical and logical access rights should be logged.
  • Risk factors should be considered when evaluating and modifying an employee’s access rights to information systems.

What are the changes from ISO 27001:2013?

Control 5.18 replaces Annex A Controls 9.2.2, 9.2.5, and 9.2.6 from ISO 27001:2013. While 2013’s control 9.2.2 outlined six requirements for access right assignment and revocation, 2022’s control 5.18 has added three more requirements, which are:

  • Temporary access rights may be granted to employees working for the organisation, but these rights must be revoked as soon as employment ends.
  • Physical or logical access rights can be removed or modified by revoking keys, identification cards, or authentication information.
  • Any changes to a user's physical or logical access rights should be documented.

2013's control 9.2.5 states that organisations must review privileged access authorisation more frequently than other access rights, a requirement that the 2022 version does not carry over.