ISO 27001 Annex A 8.2 Privileged Access Rights

What is Annex A 8.2 of ISO 27001?

Annex A 8.2 requires that the allocation and use of privileged access rights be restricted and managed. In the approach described here, the process lives as documented workflows within your SharePoint and Jira environments: every elevation is requested and approved through a ticket, administrators use separate accounts for elevated tasks, and management confirms through regular internal reviews that each right is still needed. This keeps the control inside daily operations rather than running it as a separate exercise.

Auditor’s Eye: The Shortcut Trap

Relying on automated SaaS dashboards for privilege management creates a visibility gap. These platforms often display a static “green tick” for admin status. They fail to show the human intent behind granting rights. I prefer seeing Jira tickets where managers approve specific administrative elevations. Native SharePoint registers provide a clear audit trail of version-controlled access reviews. Surface-level compliance in a black-box tool often hides excessive permissions that staff never actually reviewed.

ISO 27001:2013 reference: Annex A 9.2.3 (Management of privileged access rights)
ISO 27001:2022 reference: Annex A 8.2 (Privileged access rights)
Key focus areas: restricting privileged access; a formal allocation process; separate admin accounts.

How to Implement ISO 27001 Annex A 8.2 (Step-by-Step)

Enumerate privileged accounts on every system that has them (directory services, cloud consoles, databases, network devices, and built-in accounts such as root or local Administrator) and record each one in the central SharePoint register. Assign a named owner to every elevated role; an account with no single owner cannot be reviewed. Restrict privileged access to the people who need it for specific duties, and remove it when the duty ends. Frame this as a cultural shift in accountability.

  • Record all privileged accounts in the SharePoint register.
  • Define administrative roles in Confluence.
  • Use Jira workflows for all access requests.
  • Establish separate accounts for admin tasks.
  • Schedule quarterly reviews via Outlook.

ISO 27001 Annex A 8.2 Privileged Access Rights Audit Evidence Checklist

Focus on manual records and internal document versions. These prove human oversight and intent. Auditors check for signs of active management within your primary tools.

  • Jira approval tickets for role elevation.
  • SharePoint registers of current administrators.
  • Minutes from quarterly access review meetings.
  • Version history of the access control policy.
  • Logs showing use of separate admin accounts.

Relational Mapping

Privileged access links to several core clauses:

  • Clause 5.3: Roles and responsibilities define who needs access.
  • Clause 9.3: Management review looks at access trends.
  • Annex A 8.3: Information access restriction complements this control.

Auditor Interview

Auditor: How do you grant admin rights to a new engineer?

Manager: We use a Jira ticket. The lead engineer must approve it first. We then update the SharePoint admin register.

Auditor: How do you ensure people only use admin accounts for admin work?

Manager: Our policy requires separate accounts. We audit this through monthly log reviews stored in Confluence.

Common Non-Conformities

  • Automated complacency. Trusting a SaaS “green tick” without internal procedural evidence. Corrective action: move access approvals to internal Jira workflows.
  • Shared admin accounts. Multiple people using one “root” or “Admin” login. Corrective action: enforce individual accounts and log every action.
  • Ghost admins. Former employees still holding elevated access rights. Corrective action: link HR offboarding to the SharePoint register review.
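The checks behind the step-by-step procedure and the non-conformities above can be run mechanically over an exported register before each quarterly review. The script below is an added example, not code from this page, its publisher, or any ISO 27001 tool. It assumes the register is exported with the columns account, owner, system, ticket and last_review, that HR supplies a list of currently employed staff, that approval tickets carry a Jira key of the form ACC-<number>, and that privileged-action logs arrive as key=value lines. All accounts, names and log lines are constructed.

```python
"""Privileged-access review checks over an admin register and an action log.

Added example for this page, not the page author's code. The register
columns, HR feed, ticket key format and log format are assumptions.
"""
import re
from datetime import date, timedelta

# Constructed review date for the sample run.
TODAY = date(2024, 4, 1)

# Constructed register: one row per privileged account, as it might be
# exported from a SharePoint list. People and systems are invented.
ADMIN_REGISTER = [
    {"account": "adm-jdoe",   "owner": "jdoe",   "system": "M365",       "ticket": "ACC-101", "last_review": "2024-03-01"},
    {"account": "adm-asmith", "owner": "asmith", "system": "AWS",        "ticket": "ACC-097", "last_review": "2024-03-01"},
    {"account": "adm-bwong",  "owner": "bwong",  "system": "M365",       "ticket": "",        "last_review": "2024-03-01"},
    {"account": "root",       "owner": "shared", "system": "db-prod-01", "ticket": "",        "last_review": "2023-11-15"},
]

# Constructed HR feed of currently employed staff; anyone absent has left.
HR_ACTIVE = {"jdoe", "bwong", "cgreen"}

# Constructed privileged-action log, one key=value event per line.
PRIV_LOG = """\
2024-04-01T09:12:03Z user=adm-jdoe action=role_assign target=GlobalAdmin result=success
2024-04-01T09:40:17Z user=jdoe action=role_assign target=GlobalAdmin result=success
2024-04-01T11:02:55Z user=adm-asmith action=policy_change target=iam:AdminPolicy result=success
2024-04-01T13:21:09Z user=cgreen action=read target=wiki/Home result=success
"""

TICKET_RE = re.compile(r"^ACC-\d+$")             # assumed Jira key format
PRIV_ACTIONS = {"role_assign", "policy_change"}   # actions that must come from an admin account


def review_register(register, hr_active, today, max_review_age_days=90):
    """Return sorted (account, finding) pairs for the three non-conformities the page lists.

    shared account  -> no single accountable owner
    ghost admin     -> owner is no longer an active employee
    no ticket       -> elevation was never formally approved
    review overdue  -> last review older than the quarterly cycle
    """
    findings = []
    for row in register:
        acct, owner = row["account"], row["owner"]
        if not owner or owner == "shared":
            findings.append((acct, "shared account: no single accountable owner"))
        elif owner not in hr_active:
            findings.append((acct, f"ghost admin: owner {owner} is not an active employee"))
        if not TICKET_RE.match(row["ticket"]):
            findings.append((acct, "no approval ticket recorded"))
        reviewed = date.fromisoformat(row["last_review"])
        if today - reviewed > timedelta(days=max_review_age_days):
            findings.append((acct, f"review overdue: last reviewed {reviewed.isoformat()}"))
    return sorted(findings)


def check_separate_accounts(log_text, register):
    """Flag privileged actions performed by an account that is not a registered admin account.

    This is the evidence for the separate-accounts rule: a standard user
    account performing role_assign or policy_change violates the policy even
    if the person also holds an admin account.
    """
    admin_accounts = {row["account"] for row in register}
    flagged = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # skip the timestamp
        if fields["action"] in PRIV_ACTIONS and fields["user"] not in admin_accounts:
            flagged.append((fields["user"], fields["action"], fields["target"]))
    return flagged


if __name__ == "__main__":
    for acct, finding in review_register(ADMIN_REGISTER, HR_ACTIVE, TODAY):
        print(f"{acct:12} {finding}")
    for user, action, target in check_separate_accounts(PRIV_LOG, ADMIN_REGISTER):
        print(f"policy breach: {user} performed {action} on {target} from a non-admin account")
```

On the sample data the register check reports asmith's account as a ghost admin, both root and adm-bwong as lacking an approval ticket, root as a shared account with an overdue review, and the log check flags jdoe performing a role assignment from the standard account rather than adm-jdoe. The script's output is the starting point for the review meeting, not a substitute for it: the ticket and the minutes remain the evidence that a person made the decision.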

Frequently Asked Questions

What is ISO 27001 Annex A 8.2?

The Bottom Line: It is the requirement to strictly control administrative permissions. You must document who has these rights and why. Use SharePoint to maintain your list of privileged users. This ensures only authorised staff can make high-level system changes.

How do I manage privileged access rights?

The Bottom Line: Use a documented workflow for every access request. A ticketing system such as Jira suits this well. Record the manager’s approval before granting the right. This creates a clear audit trail for the Lead Auditor.

Why avoid automated SaaS for privilege audits?

The Bottom Line: Automated tools often miss the “why” behind the access. They cannot show you the management discussion or approval. Internal repositories like SharePoint provide a deeper view of your security culture. Auditors trust records you manage yourself.

LA CASA DE CERTIFICACIÓN