ISO 27001 Control 5.18: Access Rights

Managing Access Rights: Safeguarding Organisational Information Assets

ISO 27001 Control 5.18 covers access rights management, a fundamental aspect of organisational security: it ensures that users and systems can access only the resources they require for their roles. By following structured processes for provisioning, reviewing, modifying and revoking access rights, organisations can reduce risk, maintain compliance and protect sensitive assets.

Purpose of Access Rights Management

The core objectives of managing access rights include:

  • Defining and authorising access to information and associated assets based on operational and business needs.
  • Ensuring timely provisioning and revocation of access rights.
  • Preventing unauthorised access and misuse of organisational resources.

Key Guidelines for Access Rights Management

1. Securing Authorised Approvals

  • Obtain explicit authorisation from asset or information owners before granting access rights.
  • Involve management in approval processes, particularly for sensitive or privileged access levels.

2. Alignment with Policies and Roles

  • Ensure all access rights comply with the organisation’s access control policies.
  • Integrate principles like segregation of duties to mitigate conflicts of interest or role overlaps.

3. Timely Access Revocation

  • Promptly remove access rights when they are no longer needed, such as when:
    • An individual leaves the organisation.
    • A temporary assignment or contract concludes.

4. Temporary Access Management

  • Provide temporary access rights for specific periods as required, ensuring they are automatically revoked after expiration.

5. Centralised Record Keeping

  • Maintain a comprehensive, centralised record of all granted access rights, linking them to user identifiers.
  • Document changes to access rights, including updates, revocations, and replacements.

Regular Review of Access Rights

Regular reviews are essential to ensure ongoing security and compliance. Organisations should:

  • Reassess access rights after significant changes, such as promotions, transfers between roles, or terminations.
  • Review privileged access rights to ensure they remain necessary and justified.
  • Conduct proactive adjustments or revocations based on periodic risk assessments.
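The guidelines above (temporary grants that must lapse on expiry, a central register that links every grant to a user identifier and approver, segregation of duties, and periodic review of privileged access) can be turned into a repeatable check. The script below is an added example, not part of the standard or of this article: it reconciles a constructed access register against a constructed HR status feed and reports grants to revoke (leavers and orphaned accounts), expired temporary grants, grants overdue for recertification, and role combinations that breach a segregation-of-duties rule. The user IDs, role names, owner names and the 90-day / 365-day review cadences are assumptions chosen for illustration.

```python
"""Access-rights review: reconcile an access register against HR status.

Added example; all data here is constructed and the review cadences are
assumptions, not values prescribed by ISO 27001.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user_id: str              # grant is always tied to a user identifier
    role: str                 # rights are bundled into roles/profiles
    approved_by: str          # asset owner who authorised the grant (audit trail)
    granted: date
    last_reviewed: date
    expires: Optional[date]   # None means standing access
    privileged: bool = False


@dataclass(frozen=True)
class Finding:
    kind: str                 # REVOKE, ORPHAN, EXPIRED, RECERTIFY or SOD
    user_id: str
    role: str
    reason: str


# Constructed review date and sample register (hypothetical users and roles).
TODAY = date(2024, 7, 1)
REGISTER = [
    Grant("u1001", "finance-reader", "owner-fin", date(2023, 1, 9), date(2024, 6, 3), None),
    Grant("u1002", "hr-admin", "owner-hr", date(2022, 3, 1), date(2024, 3, 1), None, privileged=True),
    Grant("u1003", "prod-dba", "owner-it", date(2024, 5, 20), date(2024, 5, 20), date(2024, 6, 20), privileged=True),
    Grant("u1004", "ap-create-vendor", "owner-fin", date(2023, 8, 1), date(2024, 6, 1), None),
    Grant("u1004", "ap-approve-payment", "owner-fin", date(2024, 2, 1), date(2024, 6, 1), None),
    Grant("u1005", "wiki-editor", "owner-it", date(2023, 1, 1), date(2023, 3, 1), None),
    Grant("u1006", "domain-admin", "owner-it", date(2021, 6, 1), date(2024, 1, 15), None, privileged=True),
    Grant("u1007", "backup-operator", "owner-it", date(2023, 9, 1), date(2024, 2, 1), None, privileged=True),
]

# Constructed HR feed: user_id -> employment status. u1006 is deliberately
# absent to show an orphaned account with no HR record behind it.
HR_STATUS = {
    "u1001": "active",
    "u1002": "left",
    "u1003": "active",
    "u1004": "active",
    "u1005": "active",
    "u1007": "active",
}

# Role combinations a single person must not hold (segregation of duties).
SOD_PAIRS = {frozenset({"ap-create-vendor", "ap-approve-payment"})}

# Assumed recertification cadences: quarterly for privileged, yearly otherwise.
PRIVILEGED_RECERT_DAYS = 90
STANDARD_RECERT_DAYS = 365


def review_access(register, hr_status, sod_pairs, today):
    """Return a list of Findings; per-grant checks first, then SoD conflicts."""
    findings = []
    roles_by_user = defaultdict(set)
    for g in register:
        roles_by_user[g.user_id].add(g.role)
        status = hr_status.get(g.user_id)
        if status is None:
            findings.append(Finding("ORPHAN", g.user_id, g.role, "no matching HR record"))
            continue
        if status != "active":
            findings.append(Finding("REVOKE", g.user_id, g.role, f"HR status is '{status}'"))
            continue
        if g.expires is not None and g.expires < today:
            findings.append(Finding("EXPIRED", g.user_id, g.role,
                                    f"temporary grant expired {g.expires.isoformat()}"))
            continue
        cadence = PRIVILEGED_RECERT_DAYS if g.privileged else STANDARD_RECERT_DAYS
        age = (today - g.last_reviewed).days
        if age > cadence:
            findings.append(Finding("RECERTIFY", g.user_id, g.role,
                                    f"last reviewed {age} days ago (limit {cadence})"))
    for user, roles in roles_by_user.items():
        for pair in sod_pairs:
            if pair <= roles:
                findings.append(Finding("SOD", user, "+".join(sorted(pair)),
                                        "conflicting roles held by one user"))
    return findings


def revocations(findings):
    """(user_id, role) pairs that should be removed now, not merely reviewed."""
    immediate = {"REVOKE", "ORPHAN", "EXPIRED"}
    return sorted((f.user_id, f.role) for f in findings if f.kind in immediate)


if __name__ == "__main__":
    for f in review_access(REGISTER, HR_STATUS, SOD_PAIRS, TODAY):
        print(f"{f.kind:9} {f.user_id} {f.role}: {f.reason}")
```

Run against a real register, the REVOKE, ORPHAN and EXPIRED findings feed the deprovisioning queue, while RECERTIFY and SOD findings go back to the asset owner recorded in `approved_by` for a decision; storing each finding and decision alongside the grant gives the audit trail the control asks for.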

Special Considerations During Employment Changes

Before employment changes or terminations, organisations must:

  • Evaluate risks associated with the user’s access, considering whether the termination is voluntary or management-initiated.
  • Review the user’s responsibilities and the sensitivity of assets they can access.
  • Adjust or remove access rights to prevent potential misuse or security breaches.

Streamlined Access Through Roles and Profiles

To simplify access management:

  • Define user roles based on business requirements, bundling common access rights into profiles.
  • Manage access rights at the role or profile level to streamline requests and reviews.
  • Avoid copying one user’s access rights to another without reviewing them, as this is a common route to over-privileged accounts.

Incorporating Security in Contracts

  • Include clauses in employment and service contracts to enforce adherence to access control policies.
  • Define clear sanctions for unauthorised access attempts, promoting accountability.

FAQs

What Does ISO 27001 Control 5.18 Require?

Control 5.18 focuses on granting, reviewing, and revoking access rights based on:

– User roles
– Business needs
– Security requirements

The aim is to minimise risk by ensuring that only the right people have access to the right information and systems, and only for as long as necessary.

What does “least privilege” mean in access management?

“Least privilege” means giving users the minimum access they need to perform their job. For example, a marketing intern shouldn’t have access to financial systems. This limits the potential damage if an account is misused or compromised.

How often should access rights be reviewed?

ISO 27001 recommends regular reviews, but doesn’t set a fixed schedule. Good practice is:

– Quarterly reviews for high-risk systems
– Annually for general systems
– After role changes or employee exits

What should happen when an employee leaves or changes roles?

When someone leaves or changes roles:

– Revoke old access immediately.
– Update or assign new access as needed.
– Document the changes to maintain an audit trail.

This ensures former employees or those in new roles don’t retain inappropriate access.

Do we need to document all access rights?

Yes, documentation is key. You should:

– Maintain a record of who has access to what.
– Track approvals and modifications.
– Use access logs for security audits and incident response.

This supports both ISO 27001 compliance and good security hygiene.

Conclusion

Managing access rights effectively per control 5.18 is crucial to protecting organisational resources and minimising security risks.

By implementing clear processes for provisioning, reviewing, and revoking access, organisations can ensure secure and appropriate resource usage.

Regular reviews, role-based access models, and diligent oversight of access changes enhance overall security and resilience, enabling organisations to meet operational and regulatory demands with confidence.

Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).