Access control policies are an unquestionably important part of ISO 27001. The requirements for producing one are outlined in section A.9 of Annex A, which contains 14 controls.
In this blog, we explain what Annex A.9 covers and what your access control should include.
What is Annex A.9 of ISO 27001?
Annex A.9 of ISO 27001 helps you govern who has access to your organisation’s sensitive information and under what scenarios.
This helps secure your data – minimising the possibility of it being misused – while ensuring that employees who need the information for their jobs suffer as few obstacles as possible.
For example, your HR team needs to view and edit employees’ financial information to process payslips, but you don’t want everybody at the organisation to be able to do that.
Access controls help you identify people who require privileged access and how you can prevent unauthorised personnel from viewing that information.
What does an ISO 27001 access control policy cover?
Access controls can be used wherever an organisation stores sensitive information. This is most likely to cover digital records, which can be protected with passwords or other technical defences.
However, access controls can also be used to protect hard-copy data. For example, if you have a filing cabinet containing personal records, you may keep it locked away with keys handed to a handful of relevant people.
ISO 27001 provides specific details on how you can protect hard-copy data in Annex A.11 Physical and Environmental Security.
To help organisations address specific aspects of their access control policy, Annex A.9 is broken down into four sub-sections.
A.9.1 Business requirements of access control
The objective of this clause is to implement processes that limit unauthorised access to information and information processing facilities.
The policy should take into account the way you align your security requirements with your information classification scheme (outlined in Annex A.8 Asset Management), and state who needs access to each set of information.
You also need to consider who requires access to networks and network services. This should include a review of authorisation procedures that document who is allowed to access information and when.
A.9.2 User access management
Next, you must create a system that enables you to assign or revoke access rights for your employees.
This should cover authorisation from the owner of the information system or service, the verification procedure by which people are granted access, and how you prevent access from being provisioned before that authorisation is complete.
A.9.3 User responsibilities
The objective of this section is to ensure that users are accountable for protecting their authentication information.
For example, if a database is password-protected, you must ensure that the person creating the password chooses something adequately secure and that employees don’t share the credentials with unauthorised individuals.
Likewise, if hard-copy data is locked away, you need to remind employees not to lend their keys to other members of staff.
A.9.4 System and application access control
This section aims to prevent unauthorised access to organisations’ information systems and their applications.
To help achieve this, you should consider ways in which you can restrict information access, for example by creating role-based controls or assigning different levels of access.
You should also look at technical and organisational measures you can adopt to restrict access to only approved personnel.
Data encryption, a password management system and secure log-on procedures are ideal starting points. Additionally, you should consider your use of privileged utility programmes and ways in which you can control access to program source code.
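As an added illustration (not code from the original post, and not anything ISO 27001 prescribes), the Python sketch below models two of the points made in A.9.2 and A.9.4 together: access is provisioned only after the owner of each affected resource has authorised it, rights can be revoked, and every request to act on a resource is checked against a currently provisioned role rather than against the individual. The roles, resources, owners and user names are all constructed for the example; the `ROLE_PERMISSIONS` and `RESOURCE_OWNERS` tables stand in for whatever register an organisation actually keeps.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policy: role -> set of (resource, action) permissions.
# A role with an empty set grants nothing beyond basic membership.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "hr":      {("payroll", "read"), ("payroll", "write")},
    "finance": {("payroll", "read")},
    "staff":   set(),
}

# Constructed: each resource names the owner who must authorise access to it (A.9.2).
RESOURCE_OWNERS: dict[str, str] = {"payroll": "hr-director"}


def required_approvers(role: str) -> set[str]:
    """Owners whose sign-off a request for this role needs: one per resource the role touches."""
    return {RESOURCE_OWNERS[resource] for resource, _ in ROLE_PERMISSIONS[role]}


@dataclass
class AccessRequest:
    user: str
    role: str
    approvals: set[str] = field(default_factory=set)  # owners who have signed off so far


@dataclass
class AccessRegister:
    grants: dict[str, set[str]] = field(default_factory=dict)   # user -> provisioned roles
    audit: list[tuple[str, ...]] = field(default_factory=list)  # append-only event log

    def provision(self, req: AccessRequest) -> bool:
        """Grant the role only once every required owner has authorised it.

        A request missing any approval is refused and logged, so nothing is
        provisioned ahead of authorisation.
        """
        if req.role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {req.role}")
        missing = required_approvers(req.role) - req.approvals
        if missing:
            self.audit.append(("provision-refused", req.user, req.role, ",".join(sorted(missing))))
            return False
        self.grants.setdefault(req.user, set()).add(req.role)
        self.audit.append(("provisioned", req.user, req.role))
        return True

    def revoke(self, user: str, role: Optional[str] = None) -> None:
        """Remove one role, or every role when role is None (e.g. when someone leaves)."""
        if role is None:
            self.grants.pop(user, None)
        else:
            self.grants.get(user, set()).discard(role)
        self.audit.append(("revoked", user, role or "*"))

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Enforcement point (A.9.4): permitted only through a currently provisioned role."""
        return any((resource, action) in ROLE_PERMISSIONS[r]
                   for r in self.grants.get(user, set()))


def demo() -> list[tuple[str, ...]]:
    """Walk through the payroll scenario from the text and return the audit trail."""
    reg = AccessRegister()
    # First attempt has no owner approval, so it must be refused.
    reg.provision(AccessRequest("alice", "hr"))
    # Same request once the payroll owner has signed off.
    reg.provision(AccessRequest("alice", "hr", approvals={"hr-director"}))
    reg.provision(AccessRequest("bob", "finance", approvals={"hr-director"}))
    reg.provision(AccessRequest("carol", "staff"))  # grants nothing, needs no owner
    reg.revoke("alice")                              # alice leaves: all rights removed
    return reg.audit


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The check in `is_allowed` never consults the user directly, only the roles the register currently holds for them, so revocation takes effect immediately and there is no separate per-person list to drift out of date. The `audit` list is what an access review under A.9.2 would work from.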
Identifying relevant controls
You can find out more about access controls and ISO 27001, and discover which controls are appropriate for your organisation by reading Nine Steps to Success – An ISO 27001 Implementation Overview.
This essential guide contains a comprehensive explanation of ISO 27001, and includes a dedicated section on completing a gap analysis, which will help you understand the controls you have in place and identify where to focus your efforts.
Now in its third edition, Nine Steps to Success gives anyone tackling the Standard for the first time the guidance and direction they need to make their implementation project a success.