ISO 27001:2022 Control 5.18 (A.5.18)

Explaining Annex A Control 5.18 Access rights

Control 5.18 of ISO 27001, "Access Rights," covers the management and control of access to information and associated assets. It ensures that access is provisioned, reviewed, modified, and revoked according to organizational requirements, safeguarding confidentiality, integrity, and availability. This control supports effective identity and access management and is preventive in nature.


Objective of ISO 27001 Control 5.18

The objective of Control 5.18 is to ensure that access to your organization’s information and associated assets is authorized based on business needs and security policies. Access rights must be provisioned, reviewed, and revoked systematically to minimize security risks.

Effective access rights management helps:

  • Reduce the risk of unauthorized access.
  • Protect sensitive data from misuse or leaks.
  • Ensure compliance with regulatory and contractual obligations.
  • Improve security monitoring and accountability.

Purpose of Access Rights Management

The primary purpose of access rights management is to control who can access specific systems, applications, and data within your organization. Unauthorized access can lead to data breaches, financial losses, and reputational damage.

Your organization should implement structured processes for:

  • Defining access requirements based on job roles.
  • Ensuring users have appropriate permissions without excessive privileges.
  • Reviewing access rights periodically to prevent outdated or unnecessary access.
  • Revoking access when no longer needed, such as when an employee leaves or changes roles.

Elements of Access Rights Management

1. Provisioning of Access Rights

Access provisioning is the process of assigning access rights to users. It should be performed in a controlled manner, ensuring that access is granted based on business needs and security policies.

Best practices for provisioning access rights:

  1. Authorization Process:

    • Access requests should be reviewed and approved by system owners or managers.
    • Separate approvals may be required for administrative or privileged access.
    • Each access request should be documented for audit purposes.
  2. Role-Based Access Control (RBAC):

    • Assign access based on predefined roles rather than granting permissions to individual users.
    • Define roles based on job functions (e.g., HR, finance, IT support).
    • Avoid granting excessive access rights to prevent privilege creep.
  3. Separation of Duties (SoD):

    • Prevent conflicts of interest by separating key security functions (e.g., approval and implementation of access requests).
    • Ensure that users responsible for approving access do not also execute changes.
  4. Temporary Access Management:

    • Grant temporary access only when necessary, with predefined expiration dates.
    • Regularly review temporary access rights to prevent unauthorized retention of privileges.
  5. Maintaining a Centralized Access Control Registry:

    • Keep a record of all assigned access rights.
    • Document access approval, modification, and revocation history.
    • Use access management tools to automate tracking and reporting.

2. Reviewing Access Rights

Access rights should not be granted indefinitely. Regular access reviews help ensure that users maintain appropriate access and that unauthorized or excessive permissions are removed.

Best practices for reviewing access rights:

  1. Scheduled Access Reviews:

    • Conduct quarterly, semi-annual, or annual access reviews for all users.
    • Ensure privileged accounts undergo more frequent reviews.
  2. Review During Role Changes:

    • Adjust access when employees change roles, are promoted, or are transferred to different departments.
    • Ensure that employees who have moved roles do not retain access to systems they no longer require.
  3. Automated Access Review Tools:

    • Use identity and access management (IAM) tools to automate periodic access reviews.
    • Generate reports to analyze access trends and detect anomalies.
  4. Access Reviews for Third Parties:

    • Regularly assess access rights for contractors, vendors, and partners.
    • Ensure third-party access is revoked when their contract ends.

3. Revocation of Access Rights

Timely removal of access is critical for maintaining security. When employees leave the organization or change roles, their access must be revoked or modified immediately.

Best practices for revoking access rights:

  1. Immediate Termination Procedures:

    • Disable accounts and retrieve company-issued authentication devices upon employee termination.
    • Remove remote access privileges (e.g., VPN, cloud services).
  2. Offboarding Checklist:

    • Use a standardized checklist to ensure that access rights are fully revoked.
    • Conduct a final review to confirm that no access remains.
  3. Emergency Revocation Protocols:

    • Establish procedures for emergency access revocation in case of security incidents.
    • Implement mechanisms to immediately disable compromised accounts.
  4. Multi-Factor Authentication (MFA) Deactivation:

    • Ensure MFA tokens and authentication apps are removed when access is revoked.
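
The provisioning, review, and revocation practices above can be modelled as a small access-rights registry. The following Python example is added here for illustration; it is not code from the article or from Cyberzoni.com. The role catalogue, the rule that privileged roles need a second distinct approver and an expiry date, the review intervals (365 days for standard roles, 90 for privileged), and the sample users are all constructed assumptions. The registry enforces role-based assignment, separation of duties between approver and implementer, time-bound temporary access, and an audit history, and its review routine flags the three findings a periodic access review is meant to surface: access held by terminated users, temporary access past its expiry date, and grants overdue for review.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role catalogue (assumption, not from the article): role -> entitlements.
ROLE_ENTITLEMENTS = {
    "hr_analyst": {"hr_portal:read", "hr_portal:write"},
    "finance_clerk": {"erp:invoices:read"},
    "it_support": {"helpdesk:admin", "vpn:access"},
    "domain_admin": {"ad:admin", "vpn:access"},
}
PRIVILEGED_ROLES = {"domain_admin"}  # reviewed more often, need a second approver


class SoDViolation(Exception):
    """Approver and implementer of an access request must be different people."""


class ApprovalError(Exception):
    """The request lacks an approval the role requires."""


@dataclass
class Grant:
    user: str
    role: str
    approved_by: str
    implemented_by: str
    granted_on: date
    expires_on: Optional[date] = None       # None means standing (non-temporary) access
    last_reviewed: Optional[date] = None
    revoked_on: Optional[date] = None
    history: list = field(default_factory=list)  # audit trail: (date, event, detail)

    def active(self, today: date) -> bool:
        return self.revoked_on is None and (self.expires_on is None or today <= self.expires_on)


class AccessRegistry:
    """Centralised record of assigned access rights with SoD and expiry enforcement."""

    def __init__(self) -> None:
        self.grants: list = []

    def provision(self, user, role, approved_by, implemented_by, today,
                  expires_on=None, privileged_approver=None) -> Grant:
        if role not in ROLE_ENTITLEMENTS:
            raise KeyError(f"unknown role {role!r}: access is granted through roles only")
        if user in (approved_by, implemented_by):
            raise ApprovalError("a user cannot approve or implement their own access")
        if approved_by == implemented_by:
            raise SoDViolation("the approver must not also implement the change")
        if role in PRIVILEGED_ROLES:
            # Assumption: privileged roles need a separate second approver and an expiry.
            if privileged_approver in (None, user, approved_by, implemented_by):
                raise ApprovalError("privileged role requires a distinct second approver")
            if expires_on is None:
                raise ApprovalError("privileged access must be time-bound")
        grant = Grant(user, role, approved_by, implemented_by, today, expires_on)
        grant.history.append((today, "granted", f"approved_by={approved_by}"))
        self.grants.append(grant)
        return grant

    def revoke_user(self, user, today, reason) -> int:
        """Offboarding: revoke every open grant for the user; returns the number revoked."""
        count = 0
        for g in self.grants:
            if g.user == user and g.revoked_on is None:
                g.revoked_on = today
                g.history.append((today, "revoked", reason))
                count += 1
        return count

    def entitlements(self, user, today) -> set:
        """Effective permissions: union of entitlements from active, unexpired grants."""
        out = set()
        for g in self.grants:
            if g.user == user and g.active(today):
                out |= ROLE_ENTITLEMENTS[g.role]
        return out

    def review(self, today, terminated_users=frozenset(),
               standard_days=365, privileged_days=90) -> list:
        """Periodic access review: returns (user, role, reason) findings to act on."""
        findings = []
        for g in self.grants:
            if g.revoked_on is not None:
                continue
            if g.user in terminated_users:
                findings.append((g.user, g.role, "terminated user still holds access"))
            elif g.expires_on is not None and today > g.expires_on:
                findings.append((g.user, g.role, "expired temporary grant not formally revoked"))
            else:
                limit = privileged_days if g.role in PRIVILEGED_ROLES else standard_days
                since = g.last_reviewed or g.granted_on
                if (today - since).days > limit:
                    findings.append((g.user, g.role, f"review overdue (>{limit} days)"))
        return findings


def build_sample_registry() -> AccessRegistry:
    """Constructed sample data for the demonstration; users and dates are invented."""
    reg = AccessRegistry()
    reg.provision("alice", "hr_analyst", "bob", "carol", date(2023, 1, 10))
    reg.provision("dave", "it_support", "bob", "carol", date(2024, 1, 5),
                  expires_on=date(2024, 3, 31))
    reg.provision("erin", "domain_admin", "bob", "carol", date(2024, 2, 1),
                  expires_on=date(2024, 12, 31), privileged_approver="frank")
    reg.provision("grace", "finance_clerk", "bob", "carol", date(2024, 5, 1))
    return reg


if __name__ == "__main__":
    today = date(2024, 6, 30)
    reg = build_sample_registry()
    for finding in reg.review(today, terminated_users={"grace"}):
        print(finding)
```

Run as a script, the review on 2024-06-30 reports four findings: alice's standing access is overdue for its annual review, dave's temporary access expired without a revocation record, erin's privileged role is past its 90-day review, and grace still holds a grant after termination. Calling `revoke_user("grace", today, "left the organization")` closes that grant and removes it from the next review, which is the offboarding step the revocation section describes.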

Considerations for Employee Changes and Termination

Whenever an employee’s status changes (promotion, transfer, resignation, or termination), access rights should be adjusted to prevent security risks.

Key factors to consider:

  • Who initiated the termination? Voluntary exits pose lower risks than involuntary terminations.
  • What systems did the employee access? Remove access to all business-critical applications.
  • Is there an offboarding checklist? Ensure no lingering access remains.

Related ISO 27001 Controls

Control 5.18 is linked to multiple other ISO 27001 controls:

  • Control 5.3 (Segregation of Duties): Ensures key security functions are assigned to different individuals.
  • Control 5.9 (Inventory of Assets): Defines policies and procedures for maintaining the asset inventory.
  • Control 5.15 (Access Control): Defines access management policies and procedures.
  • Control 5.20 (Privileged Access Management): Manages administrative and high-risk accounts.
  • Controls 6.1, 6.2, 6.3, 6.4 & 6.5 (Employment Security): Cover employee onboarding, offboarding, and role changes.

Templates to Assist with Control 5.18

To implement Control 5.18 effectively, your organization can use structured templates. Available resources at Cyberzoni.com include:

  • Access Control Policy Template – Define your organization’s access control procedures.
  • Role-Based Access Control (RBAC) Template – Manage user roles and permissions efficiently.
  • Offboarding Checklist Template – Ensure proper access revocation when employees leave.
  • Access Review Log Template – Maintain audit records for access rights reviews.

Conclusion

Access rights management is a critical component of information security. By implementing Control 5.18 effectively, your organization can:

  • Reduce security risks related to unauthorized access.
  • Ensure compliance with ISO 27001 and other regulations.
  • Maintain an efficient and secure access control framework.