When it comes to information security, knowing “who can do what” is just as important as knowing “who is on the system.” While identity management tells us who a user is, access rights define their powers. In the jump from ISO 27001:2013 to the 2022 version, this critical area was reshaped into Annex A 5.18, titled “Access Rights.”
The 2022 update is all about making security more fluid and less about static checklists. If you are transitioning your ISMS, understanding the consolidation of these controls is key to staying compliant. Let’s break down the evolution from the fragmented 2013 approach to the unified 2022 standard.
Consolidation: Three Controls Merged into One
In the 2013 version of the standard, the management of access rights was spread across three separate sub-controls. This often led to repetitive documentation and a “siloed” view of the user lifecycle. The 2022 version has streamlined this by merging the following legacy controls into Annex A 5.18:
- A.9.2.2: User access provisioning
- A.9.2.5: Review of user access rights
- A.9.2.6: Removal or adjustment of access rights
By combining these, ISO 27001:2022 treats access rights as a single, continuous process: you grant it, you check it, and you take it away when it’s no longer needed. According to the experts at Hightable.io, this merger simplifies the audit process because you can now present a single, end-to-end “Access Rights Management” procedure rather than three separate files.
The “Business-Led” Approach to Access
One of the more subtle but important shifts in Annex A 5.18 is the emphasis on business requirements. In the 2013 version, provisioning was often treated as a purely technical IT task. The 2022 control text states that access rights to information and other associated assets should be “provisioned, reviewed, modified and removed” in accordance with the organisation’s topic-specific policy on, and rules for, access control; in other words, the business rules for access, not an IT ticket queue, decide who gets what.
This means that “Asset Owners” (those who actually own the data or the system) are now more accountable for who has access. It isn’t just about IT clicking a button; it’s about the business verifying that the access is necessary for the role. As noted by Hightable.io, this aligns perfectly with the “Principle of Least Privilege,” ensuring users only have the bare minimum access required to do their jobs.
What’s New in the 2022 Requirements?
While the core intent of managing access remains similar, the 2022 version of Annex A 5.18 introduces a few modern nuances that weren’t as explicit in 2013:
- Lifecycle Triggers: There is a stronger focus on “events” rather than just “dates.” Instead of just doing a yearly review, you are expected to trigger a review or removal of rights based on role changes, project completions, or terminations.
- Physical and Logical Alignment: The 2022 version more clearly bridges the gap between logical access (accounts and permissions) and physical access (key cards and office entry). If a user leaves, both must be revoked in tandem, from the same trigger.
- Evidence of Review and Authorisation: Auditors are now looking for “living evidence.” It’s no longer enough to have a policy that says you review access; you need to show the logs or sign-offs that prove the review actually happened, who authorised each right, and that the resulting adjustments were made.
The Disappearing “Privileged Access” Split
In the 2013 version, the implementation guidance for A.9.2.5 (ISO/IEC 27002:2013, 9.2.5) said that authorisations for privileged access rights should be reviewed at more frequent intervals than regular rights. Interestingly, that specific “frequency” wording does not appear in the 2022 text of Annex A 5.18. However, don’t let that fool you into relaxing your standards: privileged access rights now have their own control in Annex A 8.2, and an auditor will expect the two to be managed together.
The modern standard expects a risk-based approach. While the text is less prescriptive about “how often,” the expectation is that higher-risk (privileged) access will naturally require more frequent oversight as part of your risk treatment plan. Hightable.io suggests that keeping a separate, more rigorous schedule for admin-level access is still best practice for passing an audit under the new standard.
Practical Impact: Modernising Your ISMS
For organisations moving to the 2022 version, the biggest task for Annex A 5.18 is updating your “Topic-Specific Policy on Access Control.” You should aim to replace your old, separate procedures with a unified lifecycle process.
Key areas to focus on during your transition include:
- Automation: Wherever possible, use system triggers to revoke access automatically when an HR record is updated.
- Role-Based Access Control (RBAC): Use “profiles” to manage access rights collectively rather than assigning individual permissions, which makes reviews much easier.
- Centralised Logging: Ensure all changes to access rights—whether provisioning or removal—are captured in an audit log that can be easily exported for your Stage 2 audit.
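The three bullets above, together with the event-driven triggers and the risk-based review interval for privileged rights discussed earlier, describe one reconciliation loop: read the HR record of who is active and in which role, compare it against the role profiles and the rights actually granted, and emit an auditable decision for every grant. The script below is an added example written for this page, not code from the article or from Hightable.io. The roster, role profiles, grants, review intervals and the `iam-reconciler` actor name are all constructed for illustration; a real deployment would read the roster from the HR system, the profiles from the access-control policy, and the grants from the identity provider and the door-access system.

```python
"""Joiner/mover/leaver reconciliation of access rights against the HR record.

Added example, not from the article. Every input below is constructed.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# HR system of record: the business-owned trigger for provisioning and removal.
HR_ROSTER = {
    "alice": {"status": "active", "role": "sre"},
    "bob":   {"status": "active", "role": "support"},          # mover: was finance-analyst
    "carol": {"status": "left",   "role": "finance-analyst"},  # leaver
    "dave":  {"status": "active", "role": "support"},          # joiner: nothing granted yet
}

# RBAC profiles maintained by the asset owners; logical and physical rights side by side.
ROLE_PROFILES = {
    "finance-analyst": {"erp:read", "erp:post-journal", "door:hq-floor2"},
    "sre":             {"prod:ssh", "prod:admin", "door:hq-datacentre"},
    "support":         {"crm:read", "door:hq-floor1"},
}

# Risk-based review schedule: privileged rights are attested far more often.
PRIVILEGED = {"prod:admin", "erp:post-journal", "door:hq-datacentre"}
REVIEW_INTERVAL = {True: timedelta(days=90), False: timedelta(days=365)}

TODAY = date(2024, 7, 1)  # fixed so the run is reproducible


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    last_reviewed: date  # date of the last signed-off review of this grant


# What the IdP / door system currently says is granted (constructed).
CURRENT_GRANTS = [
    Grant("alice", "prod:ssh",           date(2024, 1, 10)),
    Grant("alice", "prod:admin",         date(2024, 1, 10)),  # privileged, 90-day review overdue
    Grant("alice", "door:hq-datacentre", date(2024, 5, 1)),
    Grant("bob",   "erp:read",           date(2024, 2, 1)),   # access drift left over from old role
    Grant("bob",   "crm:read",           date(2024, 6, 1)),
    Grant("bob",   "door:hq-floor1",     date(2024, 6, 1)),
    Grant("carol", "erp:read",           date(2024, 3, 1)),
    Grant("carol", "door:hq-floor2",     date(2024, 3, 1)),   # physical right, revoked in tandem
]


def reconcile(roster, profiles, grants, today=TODAY):
    """Decide keep / revoke / review for every existing grant.

    Leavers lose everything, logical and physical alike; movers lose anything
    outside their current role profile; what remains is flagged for review once
    the last attested review is older than the risk-based interval.
    """
    actions = []
    for g in grants:
        priv = g.entitlement in PRIVILEGED
        person = roster.get(g.user)
        if person is None or person["status"] != "active":
            decision, reason = "revoke", "user not active in HR (leaver)"
        elif g.entitlement not in profiles.get(person["role"], set()):
            decision, reason = "revoke", f"not in profile for role {person['role']} (mover)"
        elif today - g.last_reviewed > REVIEW_INTERVAL[priv]:
            decision, reason = "review", (f"last reviewed {g.last_reviewed}, "
                                          f"{REVIEW_INTERVAL[priv].days}-day interval exceeded")
        else:
            decision, reason = "keep", "in profile and within review interval"
        actions.append({"action": decision, "user": g.user, "entitlement": g.entitlement,
                        "privileged": priv, "reason": reason})
    return actions


def missing_grants(roster, profiles, grants):
    """Provisioning side: rights an active user's profile entitles them to but
    that nobody has granted yet (joiners, or movers who need new rights)."""
    held = {(g.user, g.entitlement) for g in grants}
    return sorted(
        (user, ent)
        for user, rec in roster.items() if rec["status"] == "active"
        for ent in profiles.get(rec["role"], set())
        if (user, ent) not in held
    )


def audit_lines(actions, actor, today=TODAY):
    """Render every decision as a JSON line: the exportable evidence an auditor asks for."""
    return [json.dumps({"date": today.isoformat(), "actor": actor, **a}, sort_keys=True)
            for a in actions]


if __name__ == "__main__":
    decisions = reconcile(HR_ROSTER, ROLE_PROFILES, CURRENT_GRANTS)
    for line in audit_lines(decisions, actor="iam-reconciler"):
        print(line)
    print("to provision:", missing_grants(HR_ROSTER, ROLE_PROFILES, CURRENT_GRANTS))
```

Run on the constructed data, the script revokes both of Carol’s rights (including the door card) because HR marks her as left, revokes Bob’s leftover `erp:read` because it is no longer in his current profile, flags Alice’s `prod:admin` for review because a privileged right has gone more than 90 days without sign-off, and lists the two rights Dave should be provisioned with. Running it from an HR-change webhook rather than on a calendar is what turns the “date-based” review into the event-driven one the 2022 wording expects, and keeping the emitted JSON lines is the Stage 2 evidence.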

Why This Change Matters for Your Security
Ultimately, the transition to Annex A 5.18 reflects the reality of the modern workplace. We no longer live in a world where an employee stays in the same role with the same permissions for a decade. People move, projects change, and “access drift” (the slow accumulation of unneeded permissions) is a major security risk.
By consolidating these controls, ISO 27001:2022 forces organisations to look at access as a dynamic, risk-based process. If you’re looking to get a head start on your mapping, using the transition toolkits and expert-led templates at Hightable.io can help you move from the old 2013 silos to a more robust, integrated 2022 framework.
