ISO 27001:2022 - A.5 Organisational Controls (Access Management)

Your organisation likely possesses a lot of information; this includes customer data, payroll data, employee personally identifiable information (PII), and other kinds of business information that are of value to you.  During your daily operations, some of that information will need to be shared with each of your employees, whilst other data will need to be actively withheld from your employees.  The role of access management is to protect your information by ensuring the appropriate types of information are available to the right people at the right time, and at the level necessary to perform their roles effectively.

For example:

• An IT manager will typically need access to the server room to ensure server cables are properly configured, etc.  Since any tampering or damage to the server would likely be extremely disruptive, best practice is that other employees would not be allowed access to the server room.
• If an HR officer has been tasked with investigating an internal complaint, they will need access to the complaint files so that they can understand the issue.  Since HR complaints can be extremely sensitive in nature, they would generally not be made accessible to other departments.
• Employees will normally have access to your most important policies.  To ensure that your policies are not modified or deleted without the proper authorisation, it may be necessary to grant most users with ‘read-only access’, with only your senior management team having the administrative right to modify these policies.

According to ISO 27002:2022, these access management controls are ‘Preventive’ in nature, meaning that they are ‘intended to prevent the occurrence of an information security incident’.

Typical preventive steps in access management to protect information security include:

• Implementing and enforcing an access control policy throughout your organisation
• Granting access to systems, documents, and physical rooms on a need-to-know basis
• Keeping verifiable records of all access accounts and user permissions granted via an access control register.

A.5.15 – Access Control

ISO 27002:2022 defines access control as the ‘means to ensure that physical and logical access to assets is authorised and restricted based on business and information security requirements’.  To ensure that you have these means in place, you will typically need to have created and implemented an access control policy, or another set of documented rules explaining how access to information is managed in your organisation.  This needs to describe the procedures and conditions for granting, reviewing, adjusting and revoking user access, including who is responsible for each and the timeframes for completion.  Additionally, you need to determine and document who manages access to the assets which support that information.  This includes (but is not limited to) your computers, computer systems, paper documents, server equipment, as well as cupboards or drawers that contain equipment or documents.

Your access control needs to specify your organisation’s rules regarding access to digital files and systems.  This should include assigning the responsibility of allocating, adjusting and revoking a person’s access, which is often assigned to the CTO, the IT Manager, or the IT Department, whilst the responsibility for reviewing access is typically assigned to the system or application owners.  Additionally, if your access control policy doesn’t describe how you manage physical access (i.e., to your building and the rooms therein), this should be documented in another relevant policy.

During the audit, the auditor may check the office to see if any paper documents are left out in the open, particularly sensitive ones.  In preparation for this, you should make sure that any documents in plain view are with the people who need them.  You should also make sure that drawers, cabinets or cupboards containing documents or equipment can only be accessed by individuals with the appropriate permissions (for more advice on this, see our blog on ISO 27001:2022 Annex A Physical Controls).  Additionally, the auditor may check that restricted areas (such as your server room and other areas restricted to specific people) are locked and require some kind of authentication to gain access.  This can be demonstrated by means such as keys, passwords, smart badges, or fingerprints.

A.5.16 – Identity Management

As well as ensuring conformance to the above, the auditor will be looking to verify that access to your organisation’s information assets is attributable to a specific entity to ensure accountability and nonrepudiation. Such an entity can be a person, group of persons, an application, a system, or a device.

The auditor will want to understand whether your information security management system (ISMS) framework explains the procedures for creating IDs/user accounts, updating them and removing them.  They will also need to check that there is formal oversight that requires the approval of system and owners when setting up users’ access to those systems.  This can be your CTO, IT Manager, or simply the IT Department.  Additionally, when employees leave the business, system and application owners need to be instructed to revoke the leaver’s access in a timely manner.

Your organisation should also have reliable records of all your user accounts.  These records should be reviewed regularly and continually updated.  If your organisation has logs of user account activity, the auditor will want to verify that you’re monitoring these logs.  Doing so will also help you to detect suspicious or anomalous activity, generate evidence in the event of a security incident, or even potentially help you avoid an incident altogether.

A.5.17 – Authentication Information

ISO 27002 defines ‘authentication’ as the ‘Provision of assurance that a claimed characteristic of an entity is correct’.  The auditor will, therefore, be checking that your users are providing this assurance whenever logging into their devices, systems, or restricted physical areas.  Typical best practices include:

• Documenting the methods your organisation uses in your access control policy.
• Requiring staff to change company-provided passwords immediately, and again on a regular basis.
• Making sure passwords have a minimum number of characters, and contain at least one uppercase letter, one lowercase letter, and at least one special character.
• Documenting your password criteria in your access control policy.
• Changing passwords for shared accounts if one of its users leaves the business or changes role.  This should include passwords or pins used to access premises and its rooms.

If you use a password manager tool (e.g., LastPass or Keeper), the auditor may want to check that your employees are aware that this is the appropriate place to store their passwords, and that storing passwords in another location is prohibited.  To this end, it may be beneficial to include training on your password manager in your employee induction and awareness programmes.

A.5.18 – Access Rights

For this control, the auditor will be checking that your organisation’s commitment to managing user access and permissions is being applied at all stages in the employee lifecycle.  In particular:

• Users joining the business should be granted the access they need prior to or during induction.
• The access rights and permissions of all users should be reviewed regularly, according to a specific timeframe or routine.  Such reviews are often scheduled in advance via an access control schedule.
• Staff changing roles internally should be given the access they need for their new role, and any redundant access from their previous role must be revoked.
• Staff leaving the organisation (whether due to resignation or dismissal) shall have their access removed as soon as possible.  It is recommended that this is conducted no later than 24 hours after the leaver’s departure.

The auditor will be checking that your rules for granting, reviewing, adjusting and revoking user access are documented in your access control policy or another relevant document.  Existing user access should be documented in an access control log, which should also be monitored to ensure the integrity of its contents.

When removing access for a departing user, organisations should consider the reasons for the termination when determining the urgency of terminating access (i.e., resignation due to a new job vs. discontentment at work, redundancy, or disciplinary dismissal).  It may also be beneficial to prioritise revoking access if the employee is resigning to work for a competitor.  Personnel should be required to return any physical means of access (e.g., keys, smart cards) to the organisation on the day of their departure.

In conclusion, access management asks two questions- who needs to see this, and what they need to do with it?  Having a robust and documented access control strategy for your organisation will allow you to confidently answer these questions.  It will allow you to secure your organisation’s information and the assets that support it whilst also ensuring that it can be effectively used by your employees, enabling both your organisation’s security, as well as its operational efficiency, to be maintained.