What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.18

If you have been navigating the transition from the old ISO 27001:2013 standard to the new ISO 27001:2022 version, you’ve likely noticed that the Annex A controls have had a significant makeover. One of the most critical shifts involves how we handle the “keys to the kingdom”: privileged access rights. In the new 2022 iteration, this is addressed under Annex A 8.18.

Understanding these changes isn’t just about passing an audit; it’s about modernising your security posture to deal with a world where identity is the new perimeter. Let’s dive into what has actually changed and how you can stay ahead of the curve.

From 9.2.3 to 8.18: More Than Just a Number

In the 2013 version of the standard, privileged access was managed under control 9.2.3 (Management of privileged access rights). In the 2022 update, this has been consolidated and moved into a new theme. It is now Annex A 8.18. While the core intent, restricting high-level access, remains the same, the 2022 version is much more focused on the lifecycle of that access.

The new structure categorises 8.18 as a “Technical” control. This is a vital distinction. According to Hightable.io, the 2022 version places a stronger emphasis on the technical enforcement of these rights, rather than just having a written policy that says people “shouldn’t” have too much access. It’s about ensuring the systems themselves prevent over-privileged accounts from existing in the first place.

The Introduction of Attributes

One of the biggest changes in the 2022 version across the board is the introduction of “Attributes.” For Annex A 8.18, these attributes help organisations classify the control as Preventive. This means the primary goal is to stop a security incident before it happens by ensuring that only the absolute minimum number of people have administrative powers.

The guidance now aligns more closely with the principle of “Least Privilege.” While this was implied in 2013, the 2022 version makes it explicit. You are expected to strictly control the allocation and use of privileged access rights, ensuring they are only used when absolutely necessary and for a limited duration.

Key Differences in Implementation

So, what does this look like in practice compared to the 2013 version? The 2022 version pushes for a more dynamic approach to access. Here is what has evolved:

  • Just-In-Time (JIT) Access: While the 2013 version focused on who has access, the 2022 version encourages looking at when they have it. Technical experts at Hightable.io suggest that modern compliance now leans toward JIT access, where privileges are granted for a specific task and then revoked immediately.
  • Strict Authentication: The 2022 version reinforces the need for stronger authentication for privileged accounts. If you are accessing a root or admin account, multi-factor authentication (MFA) is essentially a non-negotiable requirement under the new framework.
  • Logging and Monitoring: There is a much tighter link between Annex A 8.18 and the logging controls. Every time a privileged account is used, it should leave a clear, unalterable trail.
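The three points above in working form, as an added example that is not code from the article or from Hightable.io: a hypothetical Python JIT grant store that refuses a grant without MFA, caps every grant's lifetime, revokes on expiry, and keeps a hash-chained audit trail so that an edited entry is detectable. The class name, the principal "alice", the role "db-admin" and the ticket "CHG-0042" are all constructed for the illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

def _digest(prev_hash, event):
    # Each digest covers the previous digest plus the event's canonical JSON, so an edited or dropped entry breaks every later link
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True, default=str)).encode()).hexdigest()

class JitPrivilegeStore:
    """Hypothetical JIT grant store: MFA gate, capped duration, hash-chained audit trail (constructed example)."""
    def __init__(self, max_duration=timedelta(hours=1)):
        self.max_duration = max_duration  # hard ceiling on any grant, whatever the requester asks for
        self.grants = {}                  # (principal, role) -> expiry datetime
        self.audit = []                   # append-only list of (event, prev_hash, digest)
    def _log(self, event):
        prev = self.audit[-1][2] if self.audit else "0" * 64  # genesis value for the first entry
        self.audit.append((event, prev, _digest(prev, event)))
    def grant(self, principal, role, ticket, now, duration, mfa_verified):
        if not mfa_verified:  # strict authentication: no MFA, no privileged grant, and the refusal is logged
            self._log({"action": "denied", "principal": principal, "role": role, "reason": "no_mfa", "at": now})
            return False
        expiry = now + min(duration, self.max_duration)  # requested window is clamped to the ceiling
        self.grants[(principal, role)] = expiry
        self._log({"action": "grant", "principal": principal, "role": role, "ticket": ticket, "expires": expiry})
        return True
    def is_active(self, principal, role, now):
        expiry = self.grants.get((principal, role))
        if expiry is not None and now < expiry:
            return True
        if expiry is not None:  # window has closed: revoke and leave a trail of the revocation
            del self.grants[(principal, role)]
            self._log({"action": "auto_revoke", "principal": principal, "role": role, "at": now})
        return False
    def verify_audit(self):
        prev = "0" * 64  # recompute the whole chain; False if any entry was altered or removed
        for event, prev_hash, digest in self.audit:
            if prev_hash != prev or digest != _digest(prev, event):
                return False
            prev = digest
        return True

def demo():
    # Constructed scenario: a denied request, a capped grant, its expiry, then a tampered log entry
    store, t0 = JitPrivilegeStore(), datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    denied = store.grant("alice", "db-admin", "CHG-0042", t0, timedelta(minutes=30), mfa_verified=False)
    granted = store.grant("alice", "db-admin", "CHG-0042", t0, timedelta(hours=8), mfa_verified=True)
    active_30m = store.is_active("alice", "db-admin", t0 + timedelta(minutes=30))
    active_2h = store.is_active("alice", "db-admin", t0 + timedelta(hours=2))  # beyond the 1h cap
    intact = store.verify_audit()
    store.audit[1][0]["principal"] = "mallory"  # simulate someone editing the grant record after the fact
    return {"denied": denied, "granted": granted, "active_30m": active_30m, "active_2h": active_2h,
            "entries": len(store.audit), "intact": intact, "intact_after_edit": store.verify_audit()}
```

In a real deployment the chain head would be written somewhere the privileged user cannot reach (a separate log service or WORM storage), since a tamperer who can rewrite the whole chain can also recompute it.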

Why the Change Matters for Your Organisation

The shift to Annex A 8.18 reflects the reality of modern cyber threats. Most major breaches involve the compromise of a privileged account. By tightening the requirements from the 2013 version, the 2022 standard forces organisations to move away from “perpetual admin rights”, where a user has admin access 24/7 just because it’s convenient.

The 2022 version is designed to be more compatible with cloud environments and automated workflows. It recognises that “users” aren’t just people anymore; they are services, APIs, and automated scripts, all of which might require privileged access that needs to be managed just as strictly as a human IT manager.

How to Transition Smoothly

If you are currently certified under the 2013 standard, don’t panic. The transition to 8.18 is an opportunity to clean up your access lists. You should start by performing a fresh audit of everyone who holds administrative privileges. Ask yourself: do they need this access every day? Could they perform 90% of their job with a standard user account?

Updating your Statement of Applicability (SoA) is the first formal step, but the real work happens in the configuration of your IAM (Identity and Access Management) tools. By adopting the more rigorous technical stance of the 2022 version, you are building a much more resilient organisation that is better equipped to handle the complexities of the modern digital landscape.