ISO 27001 Control 8.2: Privileged Access Rights

How to Keep Powerful Accounts Under Control

ISO 27001 Control 8.2 Privileged access rights is about one thing:

Only the right people, using the right accounts, should be able to do powerful things – and only when they actually need to.

Privileged accounts (admin, root, domain admins, super-users, service accounts, etc.) are a favourite target for attackers. If they’re not tightly controlled, a single compromise can give someone the keys to almost everything.

This control expects you to allocate, use and review privileged access in a deliberate, tightly managed way, rather than letting admin rights evolve organically over time.

---

What ISO 27001 Control 8.2 Actually Expects

In plain English, ISO 27001 Control 8.2 – Privileged access rights requires you to:

• Have a formal process for granting, changing and revoking privileged access
• Ensure privileges are no more than necessary for each role
• Use separate, identifiable privileged accounts, not shared logins
• Apply stronger authentication and monitoring to privileged activities
• Review privileged access regularly and on role changes
• Make sure administrators understand their responsibilities and risks

It builds directly on your access control policy (Control 5.15) and your access review process (Control 5.18).

---

Step 1 – Define What “Privileged Access” Means in Your Environment

Before you can manage privileged access rights, you need to be clear what counts as “privileged”.

Typically this includes:

• System-level accounts
  • Local admin, root, system accounts
  • Domain/enterprise admins and equivalent roles
• Application and database admin roles
  • DBAs, application super-users, security admin roles, IAM admins
• Infrastructure and security platforms
  • Hypervisor and container platform admins
  • Firewall, VPN, WAF, SIEM, EDR, backup and identity platform admins
• Powerful service and integration accounts
  • Accounts used for automated tasks that can create, delete or modify large amounts of data or configuration

Document these as privileged roles / profiles and link them back to:

• Business purpose
• System owner
• Data sensitivity

That gives you a concrete scope for ISO 27001 Control 8.2.

---

Step 2 – Put a Proper Authorisation Process Around Privileged Access

Privileged access should never be granted “because Bob asked nicely”.

Under ISO 27001 Control 8.2, you should:

• Use a formal request-and-approval process
  • Requests go through your service desk / IAM workflow.
  • Approvals come from the system owner and, where appropriate, information security / line manager.
• Link to role and responsibility
  • Every privileged role must have a clear purpose: what it’s for, and why that person or service needs it.
  • Avoid “just in case” admin rights.
• Record decisions
  • Keep an audit trail: who requested, who approved, what was granted, when it should be reviewed or expire.

All of this should align with your broader access control policy (5.15) and joiners–movers–leavers process.

---

Step 3 – Apply Least Privilege and Just-in-Time Access

The default should be:

“Give people the minimum they need, for the shortest possible time.”

For ISO 27001 Control 8.2:

• Role-based access
  • Build admin roles around tasks (e.g. “User admin”, “Network admin”, “Backup admin”) rather than blanket “full control”.
  • Avoid over-broad roles where someone can do far more than they actually need.
• Least privilege in practice
  • Use native role models (e.g. RBAC in cloud platforms, database roles, application-specific admin roles).
  • Don’t grant global admin when you only need read-only or scoped access.
• Event-by-event or time-bound access
  • For rare or high-risk tasks (e.g. emergency fixes, production database changes), use:
    • Just-in-time (JIT) elevation
    • “Break-glass” procedures with explicit approvals
    • Time-limited access that automatically expires
• Expiry and re-authorisation
  • Where possible, set end dates on privileged roles.
  • Require re-approval if someone still needs admin after that date.

This approach reduces the blast radius if an account is compromised and makes audits far easier.

---

Step 4 – Separate Admin and Everyday Use

A classic mistake: administrators doing email and web browsing with full admin rights.

ISO 27001 Control 8.2 expects you to:

• Use dedicated privileged accounts
  • Each admin has:
    • A standard user account for day-to-day work
    • One or more named privileged accounts for admin duties
• Forbid generic shared admin accounts where possible
  • Avoid “admin”, “root”, “sysadmin” being shared by multiple people.
  • If a platform forces a generic account, store its credentials securely (e.g. in a password vault) and require check-in/check-out with logging.
• Limit what privileged accounts can do
  • Privileged accounts should not:
    • Read personal email
    • Browse the internet freely
    • Run everyday productivity apps unnecessarily
• Make admin mode clearly visible
  • Use different desktop themes, prompts or banners for admin sessions.
  • This helps admins stay conscious that actions are high risk.

The aim is to keep privileged access special and deliberate, not the default working mode.

---

Step 5 – Strengthen Authentication and Monitoring for Privileged Use

Privileged accounts should be harder to abuse and easier to trace than normal accounts.

For ISO 27001 Control 8.2:

• Require stronger authentication
  • Enforce multi-factor authentication (MFA) for all privileged accounts and sessions.
  • Use step-up authentication for especially sensitive tasks (e.g. changing security settings, modifying audit logs).
• Centralise and protect credentials
  • Use a privileged access management (PAM) or password vault solution where possible.
  • Rotate privileged credentials regularly and immediately on staff changes.
• Log privileged actions in detail
  • Record who did what, where, and when:
    • Admin commands or high-level actions
    • Configuration changes
    • Creation, modification and deletion of accounts or roles
• Feed logs into your monitoring and alerting
  • Flag unusual privileged activities:
    • High-risk actions out of hours
    • Logins from unfamiliar locations
    • Repeated failed admin logins
    • Attempts to disable logging or security controls

The combination of strong auth + good logging is what makes control 8.2 genuinely effective.

---

Step 6 – Maintain an Accurate Register of Privileged Access

You should always be able to answer:

“Who currently has privileged access to what, and why?”

For ISO 27001 Control 8.2:

• Maintain a privileged access inventory
  • For each system / platform, track:
    • Privileged roles / groups
    • Who is a member
    • What those roles allow
    • Owner / approver and review dates
• Keep it in sync with reality
  • Integrate with your directory / IAM tools wherever possible.
  • Use scheduled reports or IAM connectors to keep the inventory up to date.
• Include service and application accounts
  • Don’t forget non-human accounts that have powerful rights (integration accounts, automation scripts, backup agents, etc.).

This inventory is gold dust when auditors ask about Control 8.2 – and when you’re troubleshooting incidents.

---

Step 7 – Review and Revoke Privileged Access Regularly

ISO 27001 is big on periodic review, and privileged access is no exception.

For Control 8.2, you should:

• Run regular access reviews
  • At least annually – often more frequent for critical systems.
  • System owners confirm:
    • Who still needs their privileged roles
    • Which rights can be reduced or removed
• Tie reviews to role and employment changes
  • Immediately recheck and adjust privileged access when:
    • Someone changes role, team or project
    • A contract ends
    • An employee leaves the organisation
• Revoke quickly and cleanly
  • For leavers, ensure privileged accounts are disabled or removed promptly, including:
    • Direct system accounts
    • Group memberships
    • Access tokens, SSH keys, API keys
• Use re-authorisation for ongoing access
  • For long-term admins, require periodic re-approval of their privileges as part of the review.

These reviews link neatly to Control 5.18 – Access rights and demonstrate that privileged access isn’t “set and forget”.

---

Step 8 – Make Privileged Users Aware of Their Responsibilities

Finally, people with elevated access need to understand that their mistakes and their actions carry more weight.

Under ISO 27001 Control 8.2:

• Provide specific training for privileged users
  • Risks of misuse (accidental or deliberate)
  • Expectations for behaviour and good practice
  • Legal, regulatory and contractual implications
• Use reminders in the tools
  • Banners or warnings on admin portals (“You are logged in with privileged access”)
  • Clear prompts before executing destructive or high-risk actions.
• Link to disciplinary and incident procedures
  • Make it clear that misuse of privileged access will be taken seriously.
  • Ensure people know how to report suspected abuse by others.

This helps build a culture where admins treat their privileges as a professional responsibility, not a perk.

---

Quick Implementation Checklist for ISO 27001 Control 8.2

You’re in a good position for ISO 27001 Control 8.2 – Privileged access rights if:

• You have a documented process for requesting, approving, changing and revoking privileged access.
• You have defined which roles, groups and accounts count as privileged in your environment.
• Privileged access is granted based on least privilege, with clear business justification.
• Admins use separate privileged accounts and do not use them for everyday tasks.
• Generic/shared admin accounts are minimised, tightly controlled and auditable.
• All privileged accounts are protected with MFA and stronger controls.
• Privileged activity is logged, monitored and reviewed, with alerts for unusual behaviour.
• You maintain an up-to-date register of privileged accounts and rights.
• Privileged access is reviewed regularly and on role/employment changes.
• Admins and other privileged users receive specific training on their responsibilities.

---

Bringing It All Together

ISO 27001 Control 8.2 – Privileged access rights – is about making sure that elevated permissions:

• Are rare, deliberate and justified
• Are well protected and well monitored
• Can be traced to individual people and revoked quickly when needed

If you put in place clear processes, strong technical controls, and regular reviews, you not only satisfy ISO 27001 Control 8.2 – you also shut down one of the biggest pathways to serious security incidents.