ISO 27001 Annex A Control 5.18

ISO 27001 control 5.18 Access rights

The basics

ISO 27001 control A.5.18 Access rights requires companies to grant access to users according to the Access control policy, and also to review, modify, and remove that access according to the status of the user.

Documentation

ISO 27001 control A.5.18 Access rights can be documented by writing an Access Control Policy.

This policy is not a mandatory document but is recommended for all companies.

Implementation

In order to comply with control A.5.18 Access rights you might implement the following:

  • Technology — the technology to enable management of access rights may involve software (e.g., data loss prevention applications, user management systems, logging and monitoring tools, etc.), hardware (e.g., physically separated servers and network devices), and networks (firewalls and routers).
  • Organization/processes — you should set up a process for defining how access rights are provisioned, reviewed, modified, and removed. You can document those processes through an Access Control Policy.
  • People — make employees aware of why managing access rights is needed, and train IT staff on how to manage them.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.18 Access rights: whether user access is granted and revoked according to the defined access control policy.