ISO 27001:2022 - A.5 Organisational Controls (Access Management)

Why they are important and top tips for implementing them

Mark O'Kane | Consultant at URM | Published on 09 May 2025

ISO/IEC 27001:2022 (ISO 27001) offers a structured approach to managing the wide range of information security risks faced by organisations, with Annex A of the Standard providing a catalogue of 93 controls grouped into four categories: organisational, people, physical, and technological.  

Four of the organisational controls describe how information assets can be secured by managing who can access information, how they can access it, and what they can do with it.  These controls consist of:

  • A.5.15 – Access control
  • A.5.16 – Identity management
  • A.5.17 – Authentication information
  • A.5.18 – Access rights

In this blog, we will look at these controls in more detail and how your organisation can use them to ensure confidentiality, integrity and availability (CIA) are upheld when your users are accessing and handling corporate information.

Why are the access management controls important?

Your organisation likely possesses a lot of information; this includes customer data, payroll data, employee personally identifiable information (PII), and other kinds of business information that are of value to you.  During your daily operations, some of that information will need to be shared with each of your employees, whilst other data will need to be actively withheld from your employees.  The role of access management is to protect your information by ensuring the appropriate types of information are available to the right people at the right time, and at the level necessary to perform their roles effectively.

For example:

  • An IT manager will typically need access to the server room to ensure server cables are properly configured, etc.  Since any tampering or damage to the server would likely be extremely disruptive, best practice is that other employees would not be allowed access to the server room.
  • If an HR officer has been tasked with investigating an internal complaint, they will need access to the complaint files so that they can understand the issue.  Since HR complaints can be extremely sensitive in nature, they would generally not be made accessible to other departments.
  • Employees will normally have access to your most important policies.  To ensure that your policies are not modified or deleted without the proper authorisation, it may be necessary to grant most users ‘read-only access’, with only your senior management team having the administrative right to modify these policies.

What are the different types of access management controls?

According to ISO 27002:2022, these access management controls are ‘Preventive’ in nature, meaning that they are ‘intended to prevent the occurrence of an information security incident’.

Typical preventive steps in access management to protect information security include:

  • Implementing and enforcing an access control policy throughout your organisation
  • Granting access to systems, documents, and physical rooms on a need-to-know basis
  • Keeping verifiable records of all access accounts and user permissions granted via an access control register

Hints and tips on implementing A.5 access management controls

A.5.15 – Access Control

ISO 27002:2022 defines access control as the ‘means to ensure that physical and logical access to assets is authorised and restricted based on business and information security requirements’.  To ensure that you have these means in place, you will typically need to have created and implemented an access control policy, or another set of documented rules explaining how access to information is managed in your organisation.  This needs to describe the procedures and conditions for granting, reviewing, adjusting and revoking user access, including who is responsible for each and the timeframes for completion.  Additionally, you need to determine and document who manages access to the assets which support that information.  This includes (but is not limited to) your computers, computer systems, paper documents, server equipment, as well as cupboards or drawers that contain equipment or documents.

Your access control policy needs to specify your organisation’s rules regarding access to digital files and systems.  This should include assigning the responsibility for allocating, adjusting and revoking a person’s access, which is often given to the CTO, the IT Manager, or the IT Department, whilst the responsibility for reviewing access is typically assigned to the system or application owners.  Additionally, if your access control policy doesn’t describe how you manage physical access (i.e., to your building and the rooms therein), this should be documented in another relevant policy.

During the audit, the auditor may check the office to see if any paper documents are left out in the open, particularly sensitive ones.  In preparation for this, you should make sure that any documents in plain view are with the people who need them.  You should also make sure that drawers, cabinets or cupboards containing documents or equipment can only be accessed by individuals with the appropriate permissions (for more advice on this, see our blog on ISO 27001:2022 Annex A Physical Controls).  Additionally, the auditor may check that restricted areas (such as your server room and other areas restricted to specific people) are locked and require some kind of authentication to gain access.  This can be demonstrated by means such as keys, passwords, smart badges, or fingerprints.

A.5.16 – Identity Management

As well as ensuring conformance to the above, the auditor will be looking to verify that access to your organisation’s information assets is attributable to a specific entity, to ensure accountability and non-repudiation.  Such an entity can be a person, a group of persons, an application, a system, or a device.

The auditor will want to understand whether your information security management system (ISMS) framework explains the procedures for creating IDs/user accounts, updating them and removing them.  They will also need to check that there is formal oversight requiring the approval of system and application owners when setting up users’ access to those systems.  This can be your CTO, IT Manager, or simply the IT Department.  Additionally, when employees leave the business, system and application owners need to be instructed to revoke the leaver’s access in a timely manner.

Your organisation should also have reliable records of all your user accounts.  These records should be reviewed regularly and continually updated.  If your organisation has logs of user account activity, the auditor will want to verify that you’re monitoring these logs.  Doing so will also help you to detect suspicious or anomalous activity, generate evidence in the event of a security incident, or even potentially help you avoid an incident altogether.

A.5.17 – Authentication Information

ISO 27002 defines ‘authentication’ as the ‘Provision of assurance that a claimed characteristic of an entity is correct’.  The auditor will, therefore, be checking that your users are providing this assurance whenever logging into their devices, systems, or restricted physical areas.  Typical best practices include:

  • Documenting the authentication methods your organisation uses in your access control policy.
  • Requiring staff to change company-provided passwords immediately, and again on a regular basis.
  • Making sure passwords have a minimum number of characters, and contain at least one uppercase letter, one lowercase letter, and at least one special character.
  • Documenting your password criteria in your access control policy.
  • Changing passwords for shared accounts if one of their users leaves the business or changes role.  This should include passwords or PINs used to access premises and their rooms.

If you use a password manager tool (e.g., LastPass or Keeper), the auditor may want to check that your employees are aware that this is the appropriate place to store their passwords, and that storing passwords in another location is prohibited.  To this end, it may be beneficial to include training on your password manager in your employee induction and awareness programmes.

A.5.18 – Access Rights

For this control, the auditor will be checking that your organisation’s commitment to managing user access and permissions is being applied at all stages in the employee lifecycle.  In particular:

  • Users joining the business should be granted the access they need prior to or during induction.
  • The access rights and permissions of all users should be reviewed regularly, according to a specific timeframe or routine.  Such reviews are often scheduled in advance via an access control schedule.
  • Staff changing roles internally should be given the access they need for their new role, and any redundant access from their previous role must be revoked.
  • Staff leaving the organisation (whether due to resignation or dismissal) shall have their access removed as soon as possible.  It is recommended that this is conducted no later than 24 hours after the leaver’s departure.

The auditor will be checking that your rules for granting, reviewing, adjusting and revoking user access are documented in your access control policy or another relevant document.  Existing user access should be documented in an access control log, which should also be monitored to ensure the integrity of its contents.

When removing access for a departing user, organisations should consider the reasons for the termination when determining the urgency of terminating access (i.e., resignation due to a new job vs. discontentment at work, redundancy, or disciplinary dismissal).  It may also be beneficial to prioritise revoking access if the employee is resigning to work for a competitor.  Personnel should be required to return any physical means of access (e.g., keys, smart cards) to the organisation on the day of their departure.
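One way to mechanise the review this control calls for, as an added example that is not from the blog or from URM: a script that checks an access control register against the HR roster and each role's entitlements, flagging orphan accounts, leavers whose access is still active (and whether the 24-hour target has passed), movers still holding access from a previous role, and grants with no recorded approver.  The role table, roster, register and names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: what each role is entitled to, the HR roster, and the
# access control register. All people, roles and systems are hypothetical.
ROLE_ENTITLEMENTS = {
    "finance": {"payroll_system", "email"},
    "hr": {"hr_case_files", "email"},
    "it": {"server_room", "admin_console", "email"},
}
ROSTER = {  # employee -> (current role, date they left, or None if still employed)
    "alice": ("finance", None),
    "bob": ("hr", None),                        # mover: transferred from finance to HR
    "carol": ("it", None),
    "dave": ("finance", datetime(2025, 5, 1)),  # leaver
}
REGISTER = [  # (employee, entitlement, approving system/application owner)
    ("alice", "payroll_system", "finance-director"),
    ("alice", "email", "it-manager"),
    ("bob", "payroll_system", "finance-director"),   # redundant access from old role
    ("bob", "hr_case_files", "hr-director"),
    ("carol", "admin_console", ""),                  # granted with no recorded approval
    ("dave", "payroll_system", "finance-director"),  # leaver whose access is still active
    ("erin", "email", "it-manager"),                 # no roster record at all
]
REVIEW_DATE = datetime(2025, 5, 9)
LEAVER_SLA = timedelta(hours=24)  # the 24-hour revocation target

def review_access(register, roster, role_entitlements, now, leaver_sla=LEAVER_SLA):
    """Return (user, entitlement, finding) for every register entry that needs action."""
    findings = []
    for user, entitlement, approver in register:
        if user not in roster:
            findings.append((user, entitlement, "no roster record: orphan account, revoke"))
            continue
        role, left_on = roster[user]
        if left_on is not None:
            overdue = " (past 24h SLA)" if now - left_on > leaver_sla else ""
            findings.append((user, entitlement, "leaver still active, revoke" + overdue))
        elif entitlement not in role_entitlements.get(role, set()):
            findings.append((user, entitlement, f"not required by role '{role}', revoke"))
        elif not approver:
            findings.append((user, entitlement, "no recorded approver, re-authorise or revoke"))
    return findings

if __name__ == "__main__":
    for user, entitlement, finding in review_access(REGISTER, ROSTER, ROLE_ENTITLEMENTS, REVIEW_DATE):
        print(f"{user:6} {entitlement:15} {finding}")
```

Run against a real register, the same checks give the auditor the evidence that access is attributable, approved and reviewed on a routine.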

Closing thoughts

In conclusion, access management asks two questions: who needs to see this, and what do they need to do with it?  Having a robust and documented access control strategy for your organisation will allow you to confidently answer these questions.  It will allow you to secure your organisation’s information and the assets that support it whilst also ensuring that it can be used effectively by your employees, enabling both your organisation’s security and its operational efficiency to be maintained.

How URM can Help

Consultancy

With 2 decades of experience assisting organisations’ ISO 27001 implementation and over 400 successful certification projects behind us, URM is the ideal partner to support your organisation with any aspect of its conformance/certification to the Standard.  Our large team of experienced consultants can offer your organisation a wide range of ISO 27001 support services to help you meet the Standard’s requirements in full.

For example, we can begin by conducting an ISO 27001 gap analysis, where we establish where you are already conformant and those areas which may require further improvement.  Using our proven risk assessment tool, Abriska™ 27001, we can also help you conduct your ISO 27001 risk assessment.  Following this, we can work with you to develop policies, processes and ISMS infrastructure that both enable you to achieve ISO 27001 certification and are appropriate for your organisation’s unique culture and needs.

Following implementation of the ISMS, URM can also provide you with a range of ISO 27001 internal audit services.  Depending on your preference and requirements, this can involve conducting an internal audit ahead of your certification assessment to ensure the ISMS is functioning as intended, planning and implementing a full 3-year ISO 27001 audit programme, or auditing more specific aspects of the ISMS or particular controls.

Training

In addition to our consultancy services, URM also regularly delivers a range of ISO 27001-related training courses, providing you with the skills and expertise necessary to effectively manage information security and conformance to the Standard in your workplace.  Our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information, whilst our 2-day ISO/IEC 27001:2022 Transition Course covers both the changes seen in the latest version of the Standard and how to implement them.  Or, if you would like to gain an industry-recognised information security qualification, URM regularly delivers the Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS invigilated examination.

Mark is an Information Security Consultant at URM with significant experience working with ISO 27001 and other GRC security frameworks and services.