Access Control Policy

The document outlines the key aspects that should be covered in an access control policy according to Annex A.9.1.1 of ISO 27001. The policy should establish, document, and regularly review access control rules and rights based on business and information security risk requirements. Access controls can be both digital and physical, and the policy should address security requirements, user access needs, management of access rights including privileged access, and reviews of access rights. Access control also needs to be reviewed when user roles change or upon employee exits.

Uploaded by Taimoor Hasan
Copyright © All Rights Reserved

A.9.1.1 Access Control Policy

An access control policy must be established, documented and reviewed regularly, taking into account the
business requirements for the assets in scope.
Access control rules, rights and restrictions, along with the depth of the controls used, should reflect the information
security risks around the information and the organisation's appetite for managing them. Put simply, access control
is about who needs to know, who needs to use, and how much access they get.
Access controls can be digital and physical in nature, e.g. permission restrictions on user accounts as well as
limitations on who can access certain physical locations (aligned with Annex A.11 Physical and Environmental
Security). The policy should take into account:
• Security requirements of business applications, aligned with the information classification scheme in use as per A.8
Asset Management;
• Who needs to access, know and use the information, supported by documented procedures and
responsibilities;
• Management of access rights and privileged access rights (more power; see below), including granting, in-life
changes (e.g. controls on super users/administrators) and periodic reviews (e.g. by regular internal audits in line
with clause 9.2, internal audit);
• Access control rules supported by formal procedures and defined responsibilities.
Access control needs to be reviewed on change of role and in particular at exit, to align with Annex A.7
Human Resource Security.

A.9.1.2 Access to Networks and Network Services

The principle of least access (least privilege) is the general approach favoured for protection, rather than unlimited
access and superuser rights granted without careful consideration.
As such, users should only get access to the network and network services they need to use or know about for their
job. The policy therefore needs to address:
• The networks and network services in scope for access;
• Authorisation procedures showing who (role based) is allowed to access what, and when;
• Management controls and procedures to prevent unauthorised access and to monitor access in life.
This also needs to be considered during onboarding and offboarding, and is closely related to the access control
policy itself.

What is the objective of Annex A.9.2 of ISO 27001?

Annex A.9.2 is about user access management. The objective of this Annex A control is to ensure that users are
authorised to access systems and services, and to prevent unauthorised access.

A.9.2.1 User Registration and Deregistration

A formal user registration and deregistration process needs to be implemented. A good process for user ID
management includes being able to associate each individual ID with a real person, and limiting shared IDs, which
should be approved and recorded where they are used.
A good onboarding and exit process ties in with A.7 Human Resource Security to show quick and clear
registration/deregistration, along with avoidance of reissuing old IDs. A regular review of IDs demonstrates good
control and reinforces ongoing management. That can be tied in with the internal audits noted above for access
control, and with periodic reviews by the information asset or processing application owners.

A.9.2.2 User Access Provisioning

A process (however simple, but documented) must be implemented to assign or revoke access rights for all user
types to all systems and services. Done well, it ties in with the points above as well as the broader HR security work.
The provisioning and revocation process should include:
• Authorisation from the owner of the information system or service for its use;
• Verifying that the access granted is relevant to the role being performed;
• Protecting against provisioning being done before authorisation is complete.
