ISO 27001 Annex A 5.18 Access Rights

What is ISO 27001 Annex A 5.18 Access Rights?

ISO 27001 Annex A 5.18 is the control that requires a formal, documented process for managing the lifecycle of access rights: provisioning according to the access control policy, adjusting when a role changes, periodic review, and timely revocation. The standard does not prescribe tooling; this page shows the control implemented with the systems most organisations already run, SharePoint for the documented register and Jira for the request and approval workflow. The outcome the control demands is that only authorised users hold active permissions for assets, and that the organisation can prove it.

Auditor’s Eye: The Shortcut Trap

Many organisations rely on automated SaaS compliance platforms to track access. These tools often show a green tick while hiding the absence of management ownership: when asked, managers frequently cannot explain why a given right was granted. We prefer to see the evidence in your native document repositories. A Jira ticket with the requester, the business justification and the asset owner's approval is a stronger audit trail than a status page in an external portal, and SharePoint version history shows that a named manager actually opened and edited the review list. "Black box" software decouples security from daily operations, which surfaces as non-conformities during deep-dive audits. Keep your primary records in the tools your staff use every day.

Transition Table: 2013 vs 2022

2013 Control Reference | 2022 Control Reference | Primary Changes
A.9.2.2 (User access provisioning), A.9.2.5 (Review of user access rights), A.9.2.6 (Removal or adjustment of access rights) | 5.18 Access Rights | Merged the three user-rights lifecycle controls into one organisational control covering provisioning, review and revocation. The related 2013 controls A.9.2.1 (User registration and de-registration) and A.9.2.3 (Management of privileged access rights) moved to 5.16 Identity Management and 8.2 Privileged Access Rights respectively.

How to Implement ISO 27001 Annex A 5.18 (Step-by-Step)

The core requirement is a formal lifecycle for all user permissions: request, approval, provisioning, adjustment on role change, periodic review and revocation. Document this process in your ISMS document management system so that the procedure, not the tooling, is what the auditor tests. Working in existing infrastructure also means the process is followed because it sits in the daily workflow, not because a new product was installed. Follow these steps using the systems you already run.

  • Define Access Rules: Document job roles and the permissions each role needs in a SharePoint access matrix, with a named owner for every asset.
  • Provision via Jira: Route all new access requests through Jira tickets that record the requester, the business justification and the asset owner's approval. IT acts only on an approved ticket.
  • Adjust on Role Change: Treat an internal move like a new request: the new manager approves the rights the role needs, and rights from the old role are removed rather than accumulated.
  • Review Regularly: Export user and permission lists from each system into SharePoint quarterly. Owners confirm each entry, and management approval is recorded in the review meeting minutes.
  • Automate Revocation: Trigger account disablement through the HR offboarding ticket in Jira, then delete after your retention period so logs and data remain available for investigation. Reconcile the system exports against the SharePoint register and the HR leaver list to catch anything the ticket missed.
  • Audit the Trail: Conduct internal spot checks on permissions, tracing a sample of live rights back to their approving ticket. Record the results and any remediation on internal wiki pages.
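The review and revocation steps above come down to one reconciliation: every enabled account in a system export must belong to a current employee and every entitlement must trace back to an approving ticket. The Python below is an added example written for this page, not code from the page's author or from any product. It reconciles three constructed CSV exports (a system user list, an HR roster, and a Jira approval register) and reports the two non-conformities discussed later on this page, orphaned accounts and missing approvals. The column names, the ACC- ticket key format and the sample rows are assumptions for the example; map them to your own exports.

```python
"""Quarterly access-review reconciliation (added example, not from the page).

Inputs are three constructed CSV exports embedded below. The column names and
the ACC-nnn ticket keys are assumptions for this example, not a real schema.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date

# --- constructed sample exports (not real data) ---------------------------
SYSTEM_EXPORT = """username,entitlement,enabled
alice,finance-ro,true
alice,finance-approver,true
bob,eng-deploy,true
carol,hr-admin,true
dave,eng-deploy,false
svc-backup,db-backup,true
"""

HR_ROSTER = """username,status,leave_date
alice,active,
bob,leaver,2024-01-15
carol,active,
dave,leaver,2023-11-30
"""

APPROVALS = """ticket,username,entitlement,approver,approved
ACC-101,alice,finance-ro,fin-owner,2023-09-01
ACC-142,carol,hr-admin,hr-owner,2023-10-12
ACC-150,bob,eng-deploy,eng-owner,2023-10-20
"""


@dataclass
class Finding:
    kind: str  # "orphaned_account" or "missing_approval"
    username: str
    entitlement: str
    detail: str


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(system_csv, hr_csv, approvals_csv, as_of):
    """Compare a system export against HR and the approval register.

    as_of is the review date (datetime.date) so the 'days since leaving'
    figure is deterministic. Returns a list of Finding objects.
    """
    hr = {r["username"]: r for r in _rows(hr_csv)}
    # One approving ticket per (user, entitlement) pair is what the audit
    # trail must show; index the register on that pair.
    approved = {(r["username"], r["entitlement"]): r["ticket"]
                for r in _rows(approvals_csv)}
    findings = []
    for r in _rows(system_csv):
        if r["enabled"].strip().lower() != "true":
            continue  # a disabled account confers no access; not a finding
        user, ent = r["username"], r["entitlement"]
        person = hr.get(user)
        if person is None:
            # No HR record: a service account or an unknown owner. Either way
            # nobody in HR vouches for it, so it goes on the review list.
            findings.append(Finding("orphaned_account", user, ent,
                                    "no HR record; confirm owner or disable"))
            continue
        if person["status"] == "leaver":
            left = date.fromisoformat(person["leave_date"])
            days = (as_of - left).days
            findings.append(Finding("orphaned_account", user, ent,
                                    f"left {days} days ago, account still enabled"))
            continue  # revocation outranks the approval question
        if (user, ent) not in approved:
            findings.append(Finding("missing_approval", user, ent,
                                    "no approving ticket in register"))
    return findings


def summarise(findings):
    """Counts per finding kind, suitable for the review meeting minutes."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    review_date = date(2024, 3, 31)
    for f in reconcile(SYSTEM_EXPORT, HR_ROSTER, APPROVALS, review_date):
        print(f"{f.kind:17} {f.username:11} {f.entitlement:17} {f.detail}")
    print(summarise(reconcile(SYSTEM_EXPORT, HR_ROSTER, APPROVALS, review_date)))
```

Run it with the embedded data and it flags bob (a leaver with an enabled account), svc-backup (no HR record to vouch for it) and alice's finance-approver right (live but never approved); dave is ignored because the account is already disabled. The output list is what the asset owner signs off in the quarterly minutes, and the exports plus the script output go into SharePoint as the dated evidence the checklist below asks for.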

ISO 27001 Annex A 5.18 Audit Evidence Checklist

Focus on records that show a human decision: tickets, minutes and signed lists. These prove oversight and intent, and auditors look for a continuous chain of authority from the request, through approval and provisioning, to review and revocation.

  • Jira tickets showing the business justification for specific access.
  • Owner approval timestamps within the provisioning workflow.
  • Dated SharePoint documents containing exported user permission lists.
  • Minutes from access review meetings signed by department heads.
  • The HR leaver date alongside the offboarding ticket or system log showing when access was actually revoked, so the gap between the two can be measured.

Relational Mapping

Annex A 5.18 depends on Annex A 5.15 (Access Control) for its policy foundation and supports Annex A 5.16 (Identity Management) by linking rights to verified identities. It also interacts with Annex A 8.2 (Privileged Access Rights), which adds stricter handling for administrative rights on top of the same lifecycle. Each permission granted must also satisfy the need-to-know and need-to-use principles set out in the 5.15 guidance.

Auditor Interview

Auditor: How do you manage the granting of new access rights?

User: We use a Jira workflow where the manager must approve the request.

Auditor: How do you prove that you review these rights?

User: We save quarterly review minutes and approved lists in SharePoint.

Auditor: What happens when someone leaves the company?

User: The HR offboarding ticket in Jira alerts IT to revoke all permissions.

Common Non-Conformities

  • Automated Complacency: Relying on a platform's report without documented manager validation in SharePoint.
  • Orphaned Accounts: Active accounts found for staff who left months ago.
  • Missing Approvals: Permissions granted without an associated Jira ticket or owner signature.

Frequently Asked Questions

What is the primary requirement of ISO 27001 Annex A 5.18?

Bottom Line Up Front: The core requirement is a formal process for provisioning, reviewing, adjusting and revoking access rights to information and other associated assets. Rights must be granted in line with the access control policy and the business need, adjusted when a role changes, and reviewed by management at regular intervals to confirm they are still required.

How does A 5.18 differ from A 5.15?

Bottom Line Up Front: Annex A 5.15 sets the access control policy: who should have access to what, and on what basis. Annex A 5.18 manages the lifecycle of the rights that policy permits: how a specific permission is requested, approved, provisioned, reviewed, adjusted and removed.

What constitutes valid audit evidence for access rights?

Bottom Line Up Front: Valid evidence includes approved Jira tickets and signed access review minutes. Auditors look for a clear link from each live permission back to its request and approval. Revocation records that tie the HR leaver date to the date access was removed are also necessary. Version history in SharePoint shows that management actually worked through the review lists rather than filing them.

LA CASA DE CERTIFICACIÓN