ISO 27001 Annex A 8.2 is about privileged access rights, which means a company must restrict access to privileged accounts and manage them.
What are Privileged Access Rights?
Some users will be granted privileged access, such as administrator (admin) accounts, super user accounts, global admin accounts and even service accounts. The ISO 27001 Privileged Access Rights control governs those accounts.
You need to think carefully about and control these accounts. They matter because they can gain full access and make any change. This protection guards against their misuse or compromise.
What is ISO 27001 Annex A 8.2?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Privileged Access Rights”.
What is the ISO 27001 Annex A 8.2 control objective?
The formal definition and control objective in the standard is: “The allocation and use of privileged access rights should be restricted and managed.”
What is the purpose of ISO 27001 Annex A 8.2?
The purpose of ISO 27001 Annex A 8.2 is “To ensure only authorised users, software components and services are provided with privileged access rights.”
Is ISO 27001 Annex A 8.2 Mandatory?
ISO 27001 Annex A control 8.2 (Privileged Access Rights in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 8.2 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
General Guidance
Privileged access is the type of access that people, software, or services have that allows them to do things normal users cannot. This access could cause the most harm. You use this high level of access to manage and set up your systems and to let people do administrative tasks. You need people to have this access, but you do not want everyone to have it. The danger of giving this access to someone who is unsure how to use it or who should not have it is that they could break something, stop something from working, or perform actions that are harmful.
Implement a Specific Policy
Your first step for this rule is to create a specific policy on access control. You should include your approach to managing privileged access within that policy.
Implement an Authorisation Process
You need an authorisation process for all requests to access your company’s assets. Create a process where the person needing access is separate from the person who grants it. You must keep a record of every account that has privileged access. Think about placing time limits or setting expiration dates on the use of these accounts.
Implement Role-Based Access
Using role-based access is a great tool here. Figure out what roles you need, describe what they do, and then give people these roles based on their job needs.
Ensure There is Segregation of Duties
When you put this rule in place, use good judgment and be practical. You are working on the idea of segregation of duties. You do not want the person with the access to also be the one who approves the access. If possible, the person with access should not hold two conflicting types of access. Instead, separate your privileged accounts logically where it makes sense and you are able to do so. For instance, separate the people who have access to the databases from the people who have access to the logging and monitoring systems. This prevents someone from doing something bad and then changing the logs to hide it.
Adopt the Principle of Least Privilege
You should only give out access based on the principle of least privilege. This means users only get the smallest amount of access needed for their job.
Adopt the Principle of Need-to-Know
Users should only be able to see information they absolutely need to do their work.
Enforce Access Control
You must make sure there is proper access control that matches the risk of the access required.
Review Access Requirements
Checking people’s access regularly should be part of your normal work schedule. This also applies to privileged accounts. You need a process to check who has what and if they still need it. You should ideally do this check at least once a month.
Restrict the Use of Privileged Accounts
Ideally, you want privileged accounts to be used only when you need to perform privileged actions. Users should use their normal accounts for everyday tasks. While this isn’t mandatory, it is the best method. The ideal is to have a way to tell when the user is operating in “privileged mode”. This will lower the chance of a security issue.
You should definitely log and monitor this type of account for audit purposes.
Remove Generic Privileged Accounts
You should strongly discourage the use of general administrative accounts. You want to be able to link every action back to one person. If you absolutely must have a general account, you should treat it as an exception and write it down in your risk register. Manage it by using risk management, even if that means simply accepting the risk.
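The authorisation, segregation-of-duties, review and generic-account rules above can be checked mechanically against the record of privileged accounts the control asks you to keep. The following is an added example, not part of the original article or of the ISO standard; the register format, its field names, the sample entries and the 31-day review interval (standing in for “at least once a month”) are all assumptions.

```python
from datetime import date, timedelta

# Constructed privileged-access register (example data, not from any real system).
# Each entry is one privileged account, as the control asks you to record.
REGISTER = [
    {"account": "dba-alice", "owner": "Alice", "requested_by": "Alice", "approved_by": "Bob",
     "systems": {"database"}, "expires": "2026-01-31", "last_reviewed": "2025-11-20"},
    {"account": "ops-carol", "owner": "Carol", "requested_by": "Carol", "approved_by": "Carol",
     "systems": {"logging"}, "expires": "2026-06-30", "last_reviewed": "2025-11-20"},
    {"account": "svc-backup", "owner": "Dave", "requested_by": "Dave", "approved_by": "Erin",
     "systems": {"database", "logging"}, "expires": None, "last_reviewed": "2025-09-01"},
    {"account": "admin", "owner": None, "requested_by": "Frank", "approved_by": "Grace",
     "systems": {"database"}, "expires": "2025-10-01", "last_reviewed": "2025-11-20"},
]

# Access combinations the article treats as conflicting (databases vs. logging/monitoring).
CONFLICTING_PAIRS = [({"database"}, {"logging"})]
REVIEW_INTERVAL = timedelta(days=31)   # assumed stand-in for "at least once a month"
REVIEW_DATE = date(2025, 12, 1)        # the day this review is run (constructed)

def review_register(register, today):
    """Return a list of (account, finding) tuples for every policy violation found."""
    findings = []
    for e in register:
        acct = e["account"]
        if not e["owner"]:
            findings.append((acct, "generic account: no named owner, record as risk-register exception"))
        if e["requested_by"] == e["approved_by"]:
            findings.append((acct, "segregation of duties: requester approved their own access"))
        if e["expires"] is None:
            findings.append((acct, "no expiry date set"))
        elif date.fromisoformat(e["expires"]) < today:
            findings.append((acct, "access expired but account still present"))
        if today - date.fromisoformat(e["last_reviewed"]) > REVIEW_INTERVAL:
            findings.append((acct, "not reviewed within the monthly cycle"))
        for a, b in CONFLICTING_PAIRS:
            if a <= e["systems"] and b <= e["systems"]:
                findings.append((acct, "conflicting access: database and logging on one account"))
    return findings

if __name__ == "__main__":
    for acct, finding in review_register(REGISTER, REVIEW_DATE):
        print(f"{acct}: {finding}")
```

Each finding maps back to one of the steps above, so the output doubles as the evidence an auditor would expect from the monthly review.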