The basics
ISO 27001 control A.8.2 Privileged access rights requires companies to restrict access rights that go beyond those granted to regular users, in order to minimize the opportunity for misuse of sensitive information systems.
Documentation
ISO 27001 control A.8.2 Privileged access rights can be documented:
- For smaller and mid-sized companies – by writing an Access Control Policy
- For larger companies – by writing a Privileged Access Procedure
These documents are not mandatory but are recommended.
Implementation
In order to comply with control A.8.2 Privileged access rights you might implement the following:
- Technology — the technology to enable management of privileged access rights mainly involves software (e.g., data loss prevention applications, access management systems, logging and monitoring tools, etc.). Companies may use access management features available on their local computers to set users’ privileged access rights, and use networked systems to allow centralized and remote management of privileged access rights.
- Organization/processes — you should set up a process for defining how privileged access rights are provisioned, reviewed, modified, and removed. You can document those processes through an Access Control Policy or a Privileged Access Procedure.
- People — make employees aware of why managing privileged access rights is needed, and train IT staff on how to manage them.
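As an added illustration of the review step in the process above (this is example code, not part of the original page or any product it mentions), the script below reconciles a constructed snapshot of privileged group membership against a constructed approvals register and reports accounts that hold elevated rights without approval, with an expired approval, or with an approval that no longer matches any membership. All system names, users and dates are made up.

```python
"""Privileged access review: reconcile current privileged membership against
the approvals register. All data here is constructed sample data."""
from datetime import date

# Constructed snapshot of who currently holds elevated rights, per system.
CURRENT_MEMBERSHIP = {
    "prod-db": {"alice", "bob", "svc-backup"},
    "fileserver": {"alice", "carol"},
}

# Constructed approvals register: (user, system) -> (approver, expiry date).
APPROVALS = {
    ("alice", "prod-db"): ("cto", date(2025, 12, 31)),
    ("bob", "prod-db"): ("cto", date(2024, 1, 31)),          # expired
    ("svc-backup", "prod-db"): ("it-lead", date(2025, 6, 30)),
    ("alice", "fileserver"): ("it-lead", date(2025, 12, 31)),
    ("dave", "fileserver"): ("it-lead", date(2025, 12, 31)),  # not a member any more
}

# Constructed date on which the review is run.
REVIEW_DATE = date(2025, 3, 1)


def review_privileged_access(membership, approvals, today):
    """Return sorted (finding, user, system) tuples for the review.

    UNAPPROVED: elevated rights exist with no approval record.
    EXPIRED: approval exists but its expiry date has passed.
    ORPHANED_APPROVAL: approval exists but the user no longer holds the rights,
    so the register itself needs cleaning up."""
    findings = []
    for system, users in membership.items():
        for user in users:
            record = approvals.get((user, system))
            if record is None:
                findings.append(("UNAPPROVED", user, system))
            elif record[1] < today:
                findings.append(("EXPIRED", user, system))
    for (user, system), (_approver, _expiry) in approvals.items():
        if user not in membership.get(system, set()):
            findings.append(("ORPHANED_APPROVAL", user, system))
    return sorted(findings)


def run_review():
    """Run the review over the constructed data set."""
    return review_privileged_access(CURRENT_MEMBERSHIP, APPROVALS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print("%-18s %-12s %s" % finding)
```

The same reconciliation can be fed from a real directory export and an approvals spreadsheet; the findings list is the kind of evidence an auditor asks for when checking that privileged rights are reviewed and removed.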
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.2 Privileged access rights: whether access rights that exceed those of regular users are restricted and controlled.