Privileged Access Rights - ISO 27001 Annex A Control
ISO 27001 Annex A 8.2
Privileged accounts are the master keys - manage them like the keys they are.
ISO 27001 Annex A 8.2 - Privileged Access Rights
Privileged accounts - administrators, root accounts, service accounts with elevated rights - can do things ordinary user accounts cannot. They can install software, change configurations, read other users' data, and disable security controls. The control treats privileged access as a separate population that needs tighter management than standard user access.
Tighter management means several things: a defined process for granting and revoking privileged access; allocation only to people whose role requires it; multi-factor authentication on privileged accounts; logging and monitoring of privileged actions; and periodic review to remove access that is no longer needed. The principle of least privilege applies more strongly here than anywhere else.
Service accounts are part of the privileged population and often the weakest part. They get created when systems are deployed, given broad permissions to make integration easier, and then forgotten about. Inventory of privileged accounts including service accounts is the starting point - you cannot manage what you have not catalogued.
Privileged access is the area where the audit usually finds the largest gap between policy and practice: long lists of named admins, service accounts whose owners have left the organisation, and shared accounts whose use is impossible to attribute. The fix is rarely complex - it is usually a matter of inventory, review and applying the existing policy consistently.
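The inventory-and-review step described above, as an added example that is not part of the original page or the alphaZ toolkit: a small periodic review over a constructed privileged-account inventory that flags the findings an auditor typically raises under this control (no accountable owner, departed owner, unattributable shared accounts, interactive accounts without MFA, rights unused or no longer required by the role). The record layout, the 90-day staleness threshold and the choice to check MFA only on interactive accounts are assumptions, not requirements of the standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed record layout for a privileged-account inventory (an assumption,
# not the alphaZ user access matrix format). One row per privileged account.
@dataclass
class PrivilegedAccount:
    name: str
    kind: str                  # "admin" (named person), "service" or "shared"
    owner: Optional[str]       # accountable person, None if nobody is recorded
    owner_active: bool         # is the owner still with the organisation?
    mfa_enforced: bool
    last_used: Optional[date]  # None if no use has ever been logged
    role_requires: bool        # does the holder's current role still need it?

def review_inventory(accounts, today, stale_days=90):
    """Return {account name: [findings]} for accounts that need action; each
    check maps to one requirement of the control (owner, attribution, MFA,
    removal of rights no longer used or no longer required by the role)."""
    findings = {}
    for a in accounts:
        issues = []
        if a.owner is None:
            issues.append("no accountable owner recorded")
        elif not a.owner_active:
            issues.append("owner has left the organisation")
        if a.kind == "shared":
            issues.append("shared account: actions cannot be attributed to a person")
        # Service accounts are non-interactive, so MFA is checked only on
        # accounts a person logs in with (assumption about the environment).
        if a.kind != "service" and not a.mfa_enforced:
            issues.append("interactive privileged account without MFA")
        if a.last_used is None or (today - a.last_used).days > stale_days:
            issues.append(f"not used in the last {stale_days} days: revoke or justify")
        if not a.role_requires:
            issues.append("holder's role no longer requires privileged rights")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample inventory; names and dates are made up for illustration.
SAMPLE_INVENTORY = [
    PrivilegedAccount("alice.admin", "admin", "alice", True, True, date(2024, 5, 20), True),
    PrivilegedAccount("svc-backup", "service", "bob", False, False, date(2024, 6, 1), True),
    PrivilegedAccount("shared-dba", "shared", None, False, False, date(2024, 6, 12), True),
    PrivilegedAccount("svc-legacy-etl", "service", "carol", True, False, None, True),
    PrivilegedAccount("dave.admin", "admin", "dave", True, True, date(2024, 1, 10), False),
]
REVIEW_DATE = date(2024, 6, 30)  # constructed review date

def sample_review():
    return review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)
```

Running `sample_review()` leaves `alice.admin` clean and produces an actionable list for the other four accounts, which is the evidence a reviewer would attach to the access review record.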
Practical Compliance Guidance
Privileged access management is described in the IMS1 manual at section 8.5 alongside the Access Control Policy. The user access matrix or equivalent record tracks who holds privileged rights.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the Access Control Policy including the rules for allocating, reviewing and revoking privileged access. Use as the source for privileged account governance. |
Note - all the above files can be downloaded with an alphaZ subscription.
