9.2.2020 ISO 27001 Annex A.

9 - Access Control

Products  Solutions  About us  Customers Resources  Partners Book a Demo

Log In

ISO 27001 - Annex

A.9: Access Control

What is the objective of Annex A.9.1 of ISO

27001:2013?
Table of Contents 

Annex A.9.1 is about business requirements of access control. The objective in this
Annex A control is to limit access to information and information processing
facilities. It’s an important part of the information security management system (ISMS)
especially if you’d like to achieve ISO 27001 certi cation. Lets understand those
requirements and what they mean in a bit more depth now. 

We use cookies to ensure that we give you the best user experience on our website.
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 1/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

A.9.1.1 Access Control Policy

An access control policy must be established, documented and reviewed regularly
taking into account the requirements of the business for the assets in scope. Access
control rules, rights and restrictions along with the depth of the controls used should
re ect the information security risks around the information and the organisation’s
appetite for managing them. Put simply access control is about who needs to know,
who needs to use and how much they get access to.

Access controls can be digital and physical in nature, e.g. permission restrictions on
user accounts as well as limitations on who can access certain physical locations
(aligned with Annex A.11 Physical and Environment Security). The policy should take
into account:

Security requirements of business applications and align with the information

classi cation scheme in use as per A.8 Asset Management;
Clarify who needs to access, know, who needs to use the information – supported by
documented procedures and responsibilities;
Management of the access rights and privileged access rights (more power – see
below) including adding, in life changes (e.g. super users/administrators controls) and
periodic
We usereviews
cookies(e.g. by regular
to ensure internal
that we audits
give you in line
the best with
user requirement
experience on our9.2.
website.
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 2/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

Access control rules should be supported by formal procedures and de ned

responsibilities;

Access control needs to be reviewed based on change in roles and in particular during
exit, to align with Annex A.7 Human Resource Security.

Combine knowledge with technology to accelerate your

implementation.
[Link] includes an example of an Access Control policy in
our ISO 27001 software!

A.9.1.2 Access to Networks and Network Services

The principle of least access is the general approach favoured for protection, rather
than unlimited access and superuser rights without careful consideration.  As such
users should only get access to the network and network services they need to use or
know about for their job. The policy therefore needs to address; The networks and
network services in scope for access; Authorisation procedures for showing who (role
based) is allowed to access to what and when; and Management controls and
procedures to prevent access and monitor it in life. This also needs to be considered
during onboarding and o boarding, and is closely related to the access control policy
itself.

Accelerate your ISO

27001 implementation
Bene t from ISO 27001 policy & control content
combined with software tools to get the job done
well

Discover how

What is the objective of Annex A.9.2 of ISO

27001:2013?
We use cookies to ensure that we give you the best user experience on our website.
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 3/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

Annex A.9.2 is about user access management. The objective in this Annex A control is
to ensure users are authorised to access systems and services as well as prevent
unauthorised access.  

A.9.2.1 User Registration and Deregistration

A formal user registration and deregistration process needs to be implemented. A good
process for user ID management includes being able to associate individual IDs to real
people, and limit shared access IDs, which should be approved and recorded where
done.

A good on-boarding and exit process ties in with A7 Human Resource Security to show
quick and clear registration/deregistration along with avoidance of reissuing old IDs. A
regular review of ID’s will illustrate good control and reinforces ongoing management.
That can be tied in with the internal audits noted above for access control audits, and
periodic reviews by the information asset or processing application owners.  

A.9.2.2 User Access Provisioning

A process (however simple and documented) must be implemented to assign or revoke
access rights for all user types to all systems and services. Done well it ties in with the
points above as well as the broader HR Security work. 

Provisioning and revoking process should include; Authorisation from the owner of the
information system or service for the use of the information system or service; Verifying
that the access granted is relevant to the role being done; and protecting against
provisioning being done before authorisation is complete.

User access should always be business led and access based around the requirements
of the business.  This might sound bureaucratic but it doesn’t need to be and e ective
simple procedures with role based access by systems and services can address it.

A.9.2.3 Management of Privileged Access Rights

A.9.2.3 is about managing usually more powerful and higher ‘privileged’ levels of access
e.g. systems administration permissions versus normal user rights. 

The allocation and use of privileged access rights has to be tightly controlled given the
extra rights usually conveyed over information assets and the systems controlling them.
For example the ability to delete work or fundamentally a ect the integrity of the
information.  It should align with the formal authorisation processes alongside the
access control policy.
We use cookies to ensure that we give you the best user experience on our website.
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 4/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

That could include; system by system clarity on privileged access rights (which can be
managed inside the application); allocation on a need-to-use basis not a blanket
approach; A process and record of all privileges allocated should be maintained
(alongside the information asset inventory or as part of the A.9 evidence; and the
competence of users granted the rights must be reviewed regularly to align with their
duties. This is another good area to include in the internal audit to demonstrate control.

One of the biggest contributory factors to failures or breaches of systems is

inappropriate and blanket use of system administration privileges with human error
leading to more damage or loss than if a ‘least access’ approach were taken.  Other
good practice relating to this area includes the separation of the systems administrator
role from the day to day user role and having a user with two accounts if they perform
di erent jobs on the same platform.

A.9.2.4 Management of Secret Authentication

Information of Users
Secret authentication information is a gateway to access valuable assets.  It typically
includes passwords, encryption keys etc. so needs to be controlled through a formal
management process and needs to be kept con dential to the user.  This is usually tied
into employment contracts and disciplinary processes (A.7) and supplier obligations
(A13.2.4 and A.15) if sharing with external parties. 

Procedures should be established to verify the identity of a user prior to providing new,
replacement or temporary secret authentication information. Any default secret
authentication information provided as part of a new system use should be changed as
soon as possible.

A.9.2.5 Review of User Access Rights

Asset owners must review users’ access rights at regular intervals, both around
individual change (on-boarding, change of role and exit) as well broader audits of the
systems access.  Authorisations for privileged access rights should be reviewed at more
frequent intervals given their higher risk nature. This ties in with 9.2 for internal audits
and should be done at least annually or when major changes take place.

A.9.2.6 Removal or Adjustment of Access Rights

As outlined above access rights of all employees and external party users to
information and information processing facilities need to be removed upon termination
of their employment, contract or agreement, (or adjusted upon change of role if
required). A good exit policy and procedures dovetailed in with A.7 will also ensure this
is achieved and demonstrated for audit purposes when people leave.

We use cookies to ensure that we give you the best user experience on our website.
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 5/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

What is the objective of Annex A.9.3 of ISO

27001:2013?
Annex A.9.3 is about user responsibilities. The objective in this Annex A control is to
make users accountable for safeguarding their authentication information.

A.9.3.1 Use of Secret Authentication Information

This is simply about making sure that users follow the policies and will therefore tie in
with A7 Human Resource Security for contracts, user education for awareness and
compliance, as well as common sense practices. These include: Keep any secret
authentication information con dential; Avoid keeping a record of it that can be
accessed by unauthorised parties; Change it whenever there is any suggestion of
possible compromise; select quality passwords with su cient minimum length and
strength to follow broader password policy controls in Annex A.9.4. 

Virtual Coach
Implementing ISO 27001 and need a little extra help?
“The virtual coach is a great addition to [Link].  It has all of the information you’d nd
on a lead implementer course and a whole lot more, I can refresh or improve my knowledge
about a particular topic right at the stage I need to, I don’t even need to navigate away from
the work I am doing.”

Toby Snell, Compliance at Worldwide Internet Insurance Services 

We use cookies to ensure that we give you the best user experience on our website.
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 6/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

What is the objective of Annex A.9.4 of ISO

27001:2013?
Annex A.9.4 is about system and application access control. The objective in this Annex
A control is to prevent unauthorised access to systems and applications.

A.9.4.1 Information Access Restriction

Access to information and application system functions must be tied into the access
control policy. Key considerations should include:

Role based access control (RBAC);

Levels of access;
Design of “menu” systems within applications;
Read, write, delete and execute permissions;
Limiting output of information; and
Physical and/or logical access controls to sensitive applications, data and systems.

The auditor will check to see that considerations have been made for limiting access
within systems and applications that support access control policies, business
requirements, risk levels and segregation of duties.

A.9.4.2 Secure log-on Procedures

Access to systems and applications must be controlled by a secure log-on procedure to
prove the identity of the user. This can go beyond the typical password approach into
multi factor authentication, biometrics, smart cards, and other means of encryption
based on the risk being considered.

Secure log on should be designed so it cannot be easily circumvented and that any
authentication information is transmitted and stored encrypted to prevent interception
and misuse. ISO 27002 guidance is signi cant around this topic, as are specialist bodies
like the National Cyber Security Centre (NCSC).  Additional tips include:

Log-on procedures should be designed so that they cannot be easily circumvented

and that any authentication information is transmitted and stored encrypted to
prevent interception and misuse.
Log-on procedures should also include a display stating that access is for authorised
users only. This is designed to support cybersecurity legislation such as the Computer
We use
Misuse Actcookies to ensure that we give you the best user experience on our website.
1990 (UK).
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 7/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

Both successful and unsuccessful log-ons and log-o s should be logged in a secure
manner to provide forensic evidential ability and alerts for unsuccessful attempts and
possible lock-outs should be considered.
Depending on the nature of the system access should be restricted to certain times of
day or periods of time and potentially even be restricted according to location.

In practice the business needs and information at risk should drive the log on and log
o procedures.  It is not worth having 25 steps to log on, then have rapid time outs etc
if sta are then unable to do their job well and spend a disproportionate amount of
time in this loop.

A.9.4.3 Password Management System

The purpose of a password management system is to ensure quality passwords meet
the required level and are consistently applied.

Password generation and management systems provide a good way of centralising the
provisioning of access and they serve to reduce the risk of people using the same login
for everything, as illustrated in this little story of what happens when a customer
contacts our team about a forgotten password!

As with any control mechanism, password generation and management systems need
to be carefully implemented to ensure adequate and proportionate levels of protection.

Wherever possible users should be able to choose their own passwords as this makes
them easier to remember than machine-generated ones, however, it needs to be up to
a certain level of strength.

There are lots of con icting views on password management systems and password
policies so we encourage organisations to look at the frequently changing best practices
and adopt approaches based on the risk appetite and culture of the organisation. As
mentioned above, NCSC is a good place to review latest practices or simply ask us to
introduce you to one of our partners for help.

A.9.4.4 Use of Privileged Utility Programmes

Utility computer programmes that might be capable of overriding system and
application controls need to be carefully managed. 

Powerful system and network utility programs can create an attractive target for
malicious attackers and access to them must be restricted to the smallest number of
people. As such utility programmes can be easily located and downloaded from the
internet it is also important that users are restricted in their ability to install software as
much as possible weighed against business requirements and risk assessment. Use of
utility programmes should be logged and monitored/reviewed periodically to satisfy
auditor requests.
We use cookies to ensure that we give you the best user experience on our website.
A.9.4.5 Access Control to Program
I'm fine with this
Source Code
Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 8/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

Access to program source code must be restricted. Access to program source code and
associated items (such as designs, speci cations, veri cation plans and validation plans)
should be strictly controlled. Programme source code can be vulnerable to attack if not
adequately protected and can provide an attacker with a good means to compromise
systems in an often covert manner. If the source code is central to the business success
it’s loss can also destroy the business value quickly too.

Controls should include consideration for:

As few people as possible having access
Keeping source code o operational systems (only compiled code)
Access to source code being as restricted as possible (deny-by-default)
Access to source code being logged and the logs periodically reviewed
Strong and strict change control procedures
Frequent audits and reviews

Looking for an ISMS to make light work of access control but need help in building
the business case? Download our whitepaper ‘Building the Business Case for an
ISMS’

ISO 27001 requirements

4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5.1 Leadership and commitment
5.2 Information Security Policy
5.3 Organizational roles, responsibilities and authorities
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9.1 Monitoring, measurement,
We use cookies to ensure thatanalysis andthe
we give you evaluation
best user experience on our website.

9.2 Internal audit I'm fine with this Learn more Datenschutzerklärung -

Nutzungsbedingungen

[Link] 9/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

9.3 Management review
10.1 Nonconformity and corrective action
10.2 Continual improvement

ISO 27001 Annex A Controls

A.5 Information security policies
A.6 Organisation of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development, and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance

Practical policies and controls for your

organisation to easily adopt, adapt and
add to, giving you up to 77% head start
for ISO 27001

Discover now

We use cookies to ensure that we give you the best user experience on our website.
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 10/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

GET IN TOUCH NEW TO [Link]?

Phone:   +44 (0)1273 041140 What is [Link]?
Email:    enquiries@[Link] About Us
Customer Success Stories
Our Security and Credentials
Pricing
Partner Enquiries
Contact Us
Subscribe
Careers
Log in to [Link]

MAIN FEATURES NEWSLETTER SIGNUP

Policy Creation & Management Get your weekly x of information
Information Asset Inventory security & cyber security news.
Risk Management
Statement of Applicability
Name
Audits, Management and Actions
Incident Management
Sta Communication and Training Email
Supply Chain Management
Privacy
We use Management
cookies to ensure that we give you the best user experience on our website.
Human Resource Security
I'm fine with this Learn moreYes, sign me up! Datenschutzerklärung -
Nutzungsbedingungen

[Link] 11/12
9.2.2020 ISO 27001 Annex A.9 - Access Control

Virtual Coach
  
Assured Results Method

Copyright © 2020 Alliantist Ltd | Privacy policy | T&Cs | Sitemap

We use cookies to ensure that we give you the best user experience on our website.
I'm fine with this Learn more Datenschutzerklärung -
Nutzungsbedingungen

[Link] 12/12