What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.2

ISO 27001 Annex A 8.2 - what changed in the 2022 update

When it comes to the “keys to the kingdom,” ISO 27001 has always been strict. In the 2013 version of the standard, the management of privileged access rights was a critical part of the Access Control domain. As we move into the ISO 27001:2022 era, this control has been refined, renamed, and relocated to Annex A 8.2: Privileged Access Rights.

While the fundamental goal, keeping high-level access under lock and key, remains the same, the 2022 update introduces more specific technical requirements and a modern framework for managing these high-risk permissions. If you are currently transitioning your Information Security Management System (ISMS), understanding the nuances of 8.2 is essential for a successful audit.

The Evolution from Control 9.2.3 to Annex A 8.2

In the 2013 version, you likely knew this control as 9.2.3 (Management of Privileged Access Rights). It was bundled within the larger “Access Control” domain. In the 2022 restructure, ISO consolidated its 114 controls into 93 and organised them into four themes: Organisational, People, Physical, and Technological.

Annex A 8.2 now sits within the Technological theme. This shift highlights that managing admin rights is no longer just a policy exercise; it requires robust technical enforcement and automated oversight. According to Hightable.io, the transition from 9.2.3 to 8.2 is more than just a numbering change, it’s a call to move toward more dynamic and “just-in-time” access models.

What Exactly is Annex A 8.2?

Annex A 8.2 focuses on the restriction and management of privileged access rights. These are the “elevated” permissions that allow users, software components, or services to bypass security controls, change system configurations, or access sensitive data that a standard user cannot see.

The 2022 version is very clear: privileged access should be the exception, not the rule. It emphasizes the Principle of Least Privilege (PoLP), ensuring that users only have the bare minimum access required to perform their specific tasks, and only for the duration they need it.

Key Changes and New Requirements in the 2022 Update

If you are familiar with the 2013 version, you’ll notice that the 2022 guidance is more granular. Here are the most significant changes:

  • Re-authentication: The 2022 guidance says that authentication requirements for privileged access should be stronger than for ordinary access, and that users may need to re-authenticate or step up authentication (in practice, Multi-Factor Authentication) immediately before they carry out privileged work.
  • “Break Glass” Procedures: New guidance introduces the concept of “break glass” or emergency access. This involves granting privileged rights within tightly controlled, time-limited windows for critical maintenance or incident response.
  • Event-Based Allocation: Rather than having “permanent” admin accounts, the standard encourages allocating these rights on an “event-by-event” basis.
  • Logging and Monitoring: Logging was always expected, but A 8.2 places a stronger emphasis on recording all privileged activity in enough detail to support audit and forensic investigation.
  • Software and Services: The scope has been widened to explicitly include software components and services that may require privileged access, not just human users.

The Role of Attributes in Annex A 8.2

A major feature of the 2022 update is the introduction of “attributes.” These metadata tags, defined in the companion guidance ISO/IEC 27002:2022 rather than in Annex A itself, let you filter and group controls (for example, every preventive control, or every control mapped to the “Protect” concept). For 8.2, the attribute values are:

  • Control Type: Preventive (it stops unauthorised access before it happens).
  • Information Security Properties: Confidentiality, Integrity, and Availability.
  • Cybersecurity Concepts: Protect.
  • Operational Capabilities: Identity and Access Management.
  • Security Domains: Protection.

Practical Steps for a Smooth Transition

Migrating your ISMS doesn’t have to be a headache. Hightable.io suggests that the best way to handle the shift to A 8.2 is to focus on your evidence trail. An auditor isn’t just looking for a policy; they want to see the system in action.

To align with the 2022 requirements, you should:

  1. Review the Admin List: Go through your users and identify who holds “domain admin” or “root” access. If the role does not require it, remove the privilege and leave the person with a standard account; where it is needed only occasionally, grant it on an event-by-event basis with an expiry instead of permanently.
  2. Separate Identities: Ensure that admins have two accounts, one standard account for email and browsing, and a separate, restricted account used only for administrative tasks.
  3. Implement MFA: If you haven’t already, Multi-Factor Authentication is the expected way to meet the stronger authentication requirement for privileged access, including re-authentication immediately before elevation.
  4. Document the Authorisation: Maintain a clear record of who authorised each privileged account or grant, when it expires, and when it was last reviewed.
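The requirements listed under “Key Changes” and the four steps above fit together as one mechanism, so here is an added example that models it in working code. This is not code from the article or from Hightable.io, and it is not a real PAM product: the account names, the “-adm” naming rule for admin identities, the window lengths and the MFA callback are all assumptions made for the example. It shows event-by-event grants that expire, an MFA re-authentication gate immediately before elevation, a refusal to elevate anything but a dedicated admin identity, an authorisation record and audit entry for every decision, and a review that reconciles the live “Domain Admins” membership against the register the way an auditor would.

```python
"""Added example, not code from the article or Hightable.io: a minimal model of the
Annex A 8.2 practices described above (event-by-event, time-limited grants, MFA
re-authentication before elevation, dedicated admin identities, an authorisation
record and audit log for every grant, and a review that reconciles live group
membership with the register). Names, the "-adm" rule, the window lengths and the
MFA callback are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

UTC = timezone.utc


@dataclass
class PrivilegedGrant:
    account: str                 # dedicated admin identity, e.g. "alice-adm"
    scope: str                   # what was elevated, e.g. "Domain Admins"
    authorised_by: str           # who approved it (the authorisation record)
    reason: str                  # change or incident reference
    granted_at: datetime
    expires_at: datetime
    break_glass: bool = False
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


class PrivilegedAccessRegister:
    """Event-based grants with expiry; every decision is written to an audit log."""

    MAX_WINDOW = timedelta(hours=4)          # assumed upper bound for planned work
    BREAK_GLASS_WINDOW = timedelta(hours=1)  # assumed upper bound for emergency access
    ADMIN_SUFFIX = "-adm"                    # assumed naming rule for admin identities

    def __init__(self, verify_mfa: Callable[[str, str], bool]):
        self._verify_mfa = verify_mfa        # second-factor check supplied by the caller
        self.grants: list[PrivilegedGrant] = []
        self.audit_log: list[dict] = []

    def _audit(self, now: datetime, event: str, **fields) -> None:
        self.audit_log.append({"time": now.isoformat(), "event": event, **fields})

    def request(self, account, scope, authorised_by, reason, mfa_code, now,
                window=timedelta(hours=1), break_glass=False) -> PrivilegedGrant:
        # Separate identities: only a dedicated admin identity can be elevated.
        if not account.endswith(self.ADMIN_SUFFIX):
            self._audit(now, "denied", account=account, scope=scope, why="not an admin identity")
            raise PermissionError(f"{account}: use a dedicated admin identity")
        # Re-authentication: the second factor is checked immediately before elevation.
        if not self._verify_mfa(account, mfa_code):
            self._audit(now, "denied", account=account, scope=scope, why="mfa failed")
            raise PermissionError(f"{account}: MFA re-authentication failed")
        # Event-based allocation: every grant is time-boxed, break glass more tightly.
        limit = self.BREAK_GLASS_WINDOW if break_glass else self.MAX_WINDOW
        if not timedelta(0) < window <= limit:
            raise ValueError(f"window must be between 0 and {limit}")
        if not (authorised_by and reason):
            raise ValueError("every grant needs an authoriser and a reason")
        grant = PrivilegedGrant(account, scope, authorised_by, reason, now, now + window, break_glass)
        self.grants.append(grant)
        self._audit(now, "granted", account=account, scope=scope, authorised_by=authorised_by,
                    expires_at=grant.expires_at.isoformat(), break_glass=break_glass)
        return grant

    def revoke(self, grant: PrivilegedGrant, now: datetime, why: str) -> None:
        grant.revoked_at = now
        self._audit(now, "revoked", account=grant.account, scope=grant.scope, why=why)

    def review(self, scope: str, live_members: list[str], now: datetime) -> list[str]:
        """The 'review the admin list' step: reconcile live membership with the register."""
        findings = []
        active = {g.account for g in self.grants if g.scope == scope and g.is_active(now)}
        for member in live_members:
            if not member.endswith(self.ADMIN_SUFFIX):
                findings.append(f"{member}: standard identity holds {scope}; move it to a dedicated admin account")
            elif member not in active:
                findings.append(f"{member}: standing {scope} membership with no active authorised grant")
        for g in self.grants:
            if g.scope == scope and g.break_glass and g.expires_at <= now:
                findings.append(f"{g.account}: break-glass grant by {g.authorised_by} ({g.reason}) needs post-incident review")
        return findings


def demo() -> tuple[list[str], list[dict]]:
    """Constructed scenario: a planned grant, a break-glass grant, a denied request, then a review."""
    register = PrivilegedAccessRegister(verify_mfa=lambda account, code: code == "123456")  # stand-in MFA
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=UTC)
    register.request("alice-adm", "Domain Admins", "cto", "CHG-0042 patch domain controllers", "123456", t0,
                     window=timedelta(hours=2))
    register.request("bob-adm", "Domain Admins", "on-call lead", "INC-0077 DC outage", "123456", t0,
                     window=timedelta(minutes=30), break_glass=True)
    try:
        register.request("carol", "Domain Admins", "cto", "routine task", "123456", t0)  # standard identity
    except PermissionError:
        pass
    # Constructed snapshot of the live group 90 minutes later: bob's window has closed, dave has
    # never been through the register, and erin's standard account is sitting in the group.
    live_members = ["alice-adm", "bob-adm", "dave-adm", "erin"]
    return register.review("Domain Admins", live_members, t0 + timedelta(minutes=90)), register.audit_log
```

Calling `demo()` returns four findings (bob-adm and dave-adm hold standing membership with no active grant, erin is a standard identity in the group, and bob-adm’s break-glass grant is due a post-incident review) together with the audit log of two grants and one denial. The point of the review step is that the register alone proves nothing to an auditor; it is the reconciliation between what was authorised and what the directory actually contains that turns the policy into evidence.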

Why the Change Matters

The 2022 update to Annex A 8.2 reflects the modern reality of cyberattacks. Many major breaches involve the compromise of a privileged account, which gives an attacker the foothold to move laterally through a network and escalate further. By tightening the rules around how these rights are granted, monitored, and revoked, ISO 27001:2022 helps you close one of the biggest security gaps in any organisation.

As Hightable.io points out, “identity is the new perimeter.” By mastering Annex A 8.2, you aren’t just checking a box for your ISO certification; you are building a much more resilient defence against the most common types of data breaches.