ISO 27001 Annex A 5.18 – Access Rights

Access Rights are the permissions that tell a system exactly what you are allowed to do. Think of it like a key card for a building: your card might let you into the office floor, but not the server room. This rule is about making sure everyone is given only the specific rights they need to do their job, and nothing more.

What is ISO 27001 Annex A 5.18?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Access Rights”.

What is the ISO 27001 Annex A 5.18 control objective?

The formal definition and control objective in the standard is: “Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organisation’s topic-specific policy on and rules for access control.”

The goal is to restrict access to information and system functions. You want to make sure people can’t see, change, or delete things they shouldn’t. By tightly controlling these rights, you reduce the risk of accidents or misuse.

What is the purpose of ISO 27001 Annex A 5.18?

The purpose of ISO 27001 Annex A 5.18 is “To ensure access to information and other associated assets is defined and authorised according to the business requirements.”

It implements the Principle of Least Privilege. This means giving users the bare minimum level of access required to perform their work. This is a critical security measure to prevent unauthorised activities and keep your data safe.

Is ISO 27001 Annex A 5.18 Mandatory?

ISO 27001 Annex A control 5.18 (Access Rights in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.18 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Why is ISO 27001 Annex A 5.18 Important?

This is important because it limits damage. If a user’s account gets hacked or if an employee makes a mistake, the impact is confined only to the data and systems they have rights to. It prevents one single point of access from compromising your entire network or all your sensitive data.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. This rule is mainly about having a clear process for:

  • Revocation: Promptly removing access rights when someone leaves the organization or no longer needs them.
  • Defining Access: Clearly identifying who gets access to what (e.g., “The finance team gets read/write access to the budgeting system”).
  • Assignment: Making sure access rights are properly granted and configured for new users or when someone changes roles.
  • Periodic Review: Regularly checking (auditing) existing rights to make sure people still need the access they have.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will check:

  • The Process: Do you have a documented procedure for requesting, granting, and reviewing access rights?
  • The Documentation: Can you show that access rights for key systems are formally approved by the business or data owner?
  • Evidence of Review: Can you show records that you regularly review user access to make sure the rights are still appropriate (e.g., quarterly access review reports)?
  • Leavers Process: They will check that access was removed immediately for employees who have recently left the company.
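The periodic review and leavers process described above, as an added example (not the standard's or this article's own material): it reconciles the entitlements a system actually reports against the authorised role model and the HR record, and flags leavers whose access survived offboarding, accounts with no HR owner, and rights beyond a user's role. The users, roles, systems and dates are constructed sample data.

```python
# Added example, not from the standard or this article: reconciles exported
# entitlements against the authorised role model and HR record, the check
# behind Annex A 5.18's periodic review and leaver steps. Sample data only.

# Authorised rights per role: (system, permission) pairs the role may hold.
ROLE_ENTITLEMENTS = {
    "finance": {("budgeting", "read"), ("budgeting", "write")},
    "engineer": {("git", "read"), ("git", "write"), ("ci", "read")},
    "helpdesk": {("ticketing", "read"), ("ticketing", "write")},
}

# HR record: current role, and an ISO leave date once the person has left.
HR_RECORDS = {
    "alice": {"role": "finance", "left": None},
    "bob": {"role": "engineer", "left": None},
    "carol": {"role": "helpdesk", "left": "2024-03-31"},
}

# Entitlements exported from the live systems (what users can actually do).
LIVE_ENTITLEMENTS = {
    "alice": {("budgeting", "read"), ("budgeting", "write"), ("git", "write")},
    "bob": {("git", "read"), ("ci", "read")},
    "carol": {("ticketing", "read")},
    "dave": {("budgeting", "read")},
}


def review_access(live, hr, roles, today):
    """Return {user: (finding, rights_to_revoke)} for every account that fails
    the review. ISO date strings compare correctly as plain strings."""
    findings = {}
    for user, rights in live.items():
        record = hr.get(user)
        if record is None:
            # No HR owner: an orphaned account, so every right goes.
            findings[user] = ("orphaned", sorted(rights))
        elif record["left"] is not None and record["left"] <= today:
            # Leaver whose access survived offboarding: revoke everything.
            findings[user] = ("leaver", sorted(rights))
        else:
            # Still employed: flag only rights the role does not authorise.
            excess = rights - roles.get(record["role"], set())
            if excess:
                findings[user] = ("beyond_role", sorted(excess))
    return findings


if __name__ == "__main__":
    report = review_access(LIVE_ENTITLEMENTS, HR_RECORDS, ROLE_ENTITLEMENTS, "2024-06-01")
    for user, (finding, rights) in report.items():
        print(f"{user}: {finding} -> revoke {rights}")
```

The returned dictionary is the revocation list and, kept with the reviewer's sign-off, the review evidence an auditor asks for.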