Access Rights - ISO 27001 Annex A Control
Access rights should match what the role needs and nothing more.
ISO 27001 Annex A 5.18 - Access Rights
Access rights are the operational layer of access control. The policy in Annex A 5.15 sets the rules. Annex A 5.18 covers what happens day-to-day - how rights get granted, modified and removed in line with those rules.
The lifecycle has four key moments: provisioning when someone joins or takes a new role; modification when a role changes; review at planned intervals to confirm rights are still appropriate; and removal when employment ends or the access is no longer required. Each step needs an audit trail showing who requested, who approved and what was changed.
The most common failure is at the leaver and mover stages. Leaver access frequently lingers because account closure depends on coordination between HR and IT. Mover access tends to accumulate as people pick up new permissions in new roles without losing the ones they no longer need. Periodic reviews catch what the lifecycle process misses.
We tie access provisioning into the joiner process. New starter forms include an access request based on the role, signed off by the line manager and processed by IT before day one. Mover changes go through the same form. Leavers trigger a same-day account disable that gets reviewed for full removal at thirty days.
The annual review is the catch-all. Each system owner gets a list of who has access to their system and confirms each entry is still needed. Anything not confirmed gets removed.
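As an added illustration, not code from this page or the alphaZ toolkit, the following Python reconciles a constructed logins register against a constructed HR roster and role baseline and flags the conditions the joiner/mover/leaver process and the annual review are meant to catch: leavers still enabled, disabled leaver accounts past the thirty-day removal review, mover permissions outside the current role's baseline, and accounts with no HR record. All names, systems and dates are constructed.

```python
from datetime import date, timedelta

REMOVAL_REVIEW_DAYS = 30  # leavers are disabled same day; full removal reviewed at thirty days
REVIEW_DATE = date(2024, 6, 1)  # constructed date on which the review is run

# Role baseline (constructed): the systems each role legitimately needs, nothing more.
ROLE_ACCESS = {
    "finance": {"erp", "email"},
    "engineer": {"git", "email"},
}

# HR roster (constructed): user -> (current role, status, leaving date or None).
HR = {
    "alice": ("finance", "active", None),
    "bob": ("engineer", "active", None),          # mover: finance -> engineer
    "carol": ("finance", "left", date(2024, 5, 1)),
    "dave": ("engineer", "left", date(2024, 3, 1)),
}

# Logins register (constructed): one row per account entitlement.
REGISTER = [
    {"user": "alice", "system": "erp", "disabled_on": None},
    {"user": "alice", "system": "email", "disabled_on": None},
    {"user": "bob", "system": "git", "disabled_on": None},
    {"user": "bob", "system": "erp", "disabled_on": None},              # kept from old role
    {"user": "carol", "system": "erp", "disabled_on": None},            # leaver, never disabled
    {"user": "dave", "system": "git", "disabled_on": date(2024, 3, 1)},  # disabled, not removed
    {"user": "erin", "system": "vpn", "disabled_on": None},             # no HR record at all
]

def review_access(register, hr, role_access, today):
    """Return sorted (user, system, finding) tuples for the system owner to confirm or remove."""
    findings = []
    for row in register:
        user, system, disabled_on = row["user"], row["system"], row["disabled_on"]
        role, status, _left_on = hr.get(user, (None, "unknown", None))
        if status == "left":
            if disabled_on is None:
                findings.append((user, system, "leaver_still_enabled"))
            elif today - disabled_on >= timedelta(days=REMOVAL_REVIEW_DAYS):
                findings.append((user, system, "disabled_due_for_removal"))
        elif status == "active":
            if system not in role_access.get(role, set()):
                findings.append((user, system, "outside_role_baseline"))
        else:
            findings.append((user, system, "no_hr_record"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(REGISTER, HR, ROLE_ACCESS, REVIEW_DATE):
        print(*finding)
```

Entries that match the role baseline and have a live HR record produce no finding, which is what the system owner is confirming during the review.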
Practical Compliance Guidance
Access rights management is described in the IMS1 manual at section 8.5 alongside the Access Control Policy. The IT Equipment Logins Register holds the current list of accounts and access.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| ER10 IT Equipment Logins Register | The register of active accounts and login details. Use as the basis for periodic access reviews and the leaver checklist. |
Note - all the above files can be downloaded with an alphaZ subscription.
