ISO 27001 User Access Rights Management (Annex A 5.18 - Access Rights)

by Alex.

Introduction

User access rights management is where access control policy becomes day‑to‑day reality. Annex A 5.18 of ISO 27001:2022 requires organisations to provision, review, modify, and revoke access rights in line with business needs and security policy, ensuring only authorised users can reach sensitive systems and data.

Access Rights Management

In Comply Agent, this requirement is implemented through the Access Rights control, giving IT and security teams a structured way to manage logical access across the entire user lifecycle and to evidence compliance for ISO 27001, SOC 2, GDPR, DORA and NIST audits.

What This Control is About (Basic Information)

The Basic Information panel for this control defines the scope and purpose of User Access Rights Management. Control ID UC‑AC‑818 sits under the Access Control category with Logical Access as the subcategory. The description reads: “Provision, review, modify, and remove access rights according to policy. Conduct quarterly access reviews, implement approval workflows, and immediate termination procedures.”

Objective: “To ensure authorised and appropriate access to information systems and data throughout the access lifecycle.”

This makes it clear that the control covers the practical execution of access control policies, not just high‑level rules. It ensures:

  • Access is only granted after formal authorisation.
  • Permissions remain aligned with current roles and responsibilities.
  • Access is promptly revoked when no longer required (e.g. leavers, role changes).

Compared with ISO 27001:2013 control 9.2.2, Annex A 5.18 adds more explicit requirements around temporary access, logging changes and handling both physical and logical access revocation.

Implementation & Guidance

The Implementation & Guidance section in Comply Agent emphasises the need for automated workflows and strong audit trails. It states: “Implement an automated access management system that enforces approval workflows and provides an audit trail. Conduct quarterly access reviews, ensuring all active accounts have necessary and appropriate privileges.” 


Best practice implementation for Annex A 5.18 typically includes the following building blocks:

1. Formal access request and approval process

  • All access changes (new, modify, remove, privileged) must start from a documented request (service desk ticket, IDM workflow, access portal).
  • Each request should include requester, business justification, systems, roles, and data sensitivity.
  • Approvals must come from both line manager and system/data owner for higher‑risk access.

2. Role‑based access control (RBAC)

  • Define roles (HR analyst, finance controller, developer, support agent) and map them to permissions.
  • Assign users to roles rather than granting ad‑hoc permissions, reducing privilege creep and review fatigue.
  • Maintain separation of duties where required (e.g. no single user can both approve and post financial transactions).

3. Quarterly access reviews

  • System and data owners should review user and role membership at least quarterly, confirming which accounts remain justified and revoking unnecessary access.
  • Reviews should be risk‑based: critical systems (ERP, core banking, customer data platforms) may need more frequent review.
  • Comply Agent’s control text already sets quarterly reviews as the expectation, aligning with typical ISO 27001 and SOC 2 practices. 

4. Immediate revocation for leavers

  • HR exit processes must integrate with IAM/IdP to trigger immediate de‑provisioning when employment or engagement ends.
  • This includes disabling primary accounts, VPN, privileged access, third‑party SaaS accounts and shared credentials.
  • Logs should show de‑provisioning completion within defined SLAs (e.g. same day or within 4 hours of notification).

5. Temporary and elevated access

  • Temporary or emergency access must have explicit expiry dates and be logged, with justifications recorded.
  • Privileged sessions should be monitored or recorded, and separate approval flows used for admin rights.

The evidence examples listed in Comply Agent’s guidance (access request and approval tickets, quarterly access review reports with sign‑offs, and system logs demonstrating timely de‑provisioning of terminated users) map directly onto these practices and create a clean audit trail.
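As an added example (not code from the article or from Comply Agent), the script below runs one access review over a role export from an identity provider, checking it against an HR roster for the conditions building blocks 2 to 5 describe: expired temporary access, accounts with no HR record behind them, leavers not de‑provisioned within the 4‑hour SLA, and the approve/post separation‑of‑duties conflict. All users, roles and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (hypothetical users and roles, not from the article).
# HR roster: user -> (status, time HR notified IT of the leaver, or None)
HR_ROSTER = {
    "asmith": ("active", None),
    "bjones": ("left", datetime(2026, 3, 10, 9, 0)),
    "dlee": ("left", datetime(2026, 3, 12, 11, 0)),
    "cwu": ("active", None),
}
# Role assignments exported from a hypothetical IdP: (user, role, expiry or None)
ASSIGNMENTS = [
    ("asmith", "finance_approver", None),
    ("asmith", "finance_poster", None),           # approve + post: SoD conflict
    ("dlee", "developer", None),                  # leaver, never de-provisioned
    ("cwu", "prod_admin", datetime(2026, 3, 1)),  # temporary access past expiry
    ("svc_backup", "backup_operator", None),      # no HR record behind it
]
# Hypothetical de-provisioning log: user -> time the account was disabled
DEPROVISION_LOG = {"bjones": datetime(2026, 3, 10, 15, 30)}
SOD_CONFLICTS = [{"finance_approver", "finance_poster"}]
LEAVER_SLA = timedelta(hours=4)   # the "within 4 hours" example from the text
REVIEW_DATE = datetime(2026, 3, 18)


def review(now=REVIEW_DATE, roster=HR_ROSTER, assignments=ASSIGNMENTS,
           log=DEPROVISION_LOG):
    """Return sorted (finding, user, detail) tuples for one access review."""
    findings = []
    held = {}
    for user, role, expires in assignments:
        held.setdefault(user, set()).add(role)
        if expires is not None and expires < now:
            findings.append(("expired_temporary_access", user, role))
        if user not in roster:
            findings.append(("orphan_account", user, role))
    # Leavers: access must be gone, and gone within the SLA after HR notified IT.
    for user, (status, notified) in roster.items():
        if status != "left":
            continue
        disabled = log.get(user)
        if disabled is None:
            findings.append(("leaver_not_deprovisioned", user, ""))
        elif disabled - notified > LEAVER_SLA:
            findings.append(("leaver_sla_breach", user, str(disabled - notified)))
    # Separation of duties: nobody may hold both halves of a conflicting pair.
    for user, roles in held.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append(("sod_conflict", user, "+".join(sorted(pair))))
    return sorted(findings)
```

Each finding maps to one of the evidence items auditors ask for: the SoD and orphan findings feed the quarterly review report, while the leaver findings are what the de‑provisioning log must be able to refute.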

Operational Details


The Operational Details panel in Comply Agent shows how this control is governed in practice:

  • Frequency: Quarterly
  • Review Cycle: Quarterly
  • Owner Role: IT Manager
  • Responsible Role: IT Manager
  • Automation Score: 75%
  • Last Updated: 18 March 2026, 2:28 AM

This configuration demonstrates mature operationalisation of Annex A 5.18:

  • Quarterly execution aligns with the need for regular access reviews and change monitoring.
  • Assigning both ownership and responsibility to the IT Manager centralises accountability for access workflows, IDM tools and integration with HR processes.
  • A 75% automation score suggests heavy use of identity platforms (e.g. Azure AD, Okta, SailPoint) to automatically process joiner/mover/leaver events and capture logs, reducing manual error and improving auditability.

Compliance & Risk Management


Under Compliance & Risk Management, this control is categorised as:

  • Control Type: Administrative
  • Risk Domain: Unauthorised Access
  • Maturity Level: 4 (of 5)
  • Compliance Status: N/A
  • Clause Reference: ISO 27001:2022 A.5.18. 

This classification reflects that Annex A 5.18 is not just a technical control; it’s an organisational and procedural control that coordinates HR, IT, security, and business owners to prevent unauthorised access.

Maturity Level 4 indicates:

  • Documented processes and automation in place.
  • Regular, evidence‑backed periodic reviews.
  • Clear link into risk management and internal audit.

This will be attractive to ISO 27001 auditors and to regulators looking for proof that access control is not a one‑off project but an ongoing discipline.

Framework Mappings 

The Framework Mappings panel shows how one well‑implemented Access Rights control supports multiple frameworks:

Key mappings include:

  • ISO 27001: A.5.18 Access rights - exact mapping to Annex A 5.18.
  • SOC 2: CC6.1 and enriched CC6.1 Logical access security - covers user provisioning, modification and revocation for Trust Services Criteria.
  • NIST: AC‑2 - Account management, including creation, modification, disabling and removal of accounts.
  • GDPR: Article 32 - Requires appropriate technical and organisational measures to ensure a level of security appropriate to risk, including access control.
  • DORA: Pillar II ICT security tools and policies - addresses account management and permissions as part of digital operational resilience for financial entities.
  • ISO 27001 enriched: A.5.1 Information security policies, A.5.15 Access control, A.5.16 Identity management - shows cross‑linkages within Annex A organisational controls.

By centralising these mappings, Comply Agent lets organisations avoid duplicating efforts across standards—one Access Rights process can satisfy all.

Evidence Library 


The Evidence Library panel defines the artefacts required to prove that Annex A 5.18 is operating effectively:

  1. Access Request Forms - Records of all user and privilege access requests, typically stored in an ITSM tool or identity platform.
  2. Approval Records - Signed‑off approvals from managers and system owners, demonstrating authorisation prior to access being granted.
  3. Provisioning Logs (Auto‑collect) - Technical logs from identity management systems showing account creation, permission assignments and removals.
  4. Quarterly Access Review Reports - Reports documenting periodic reviews of user access rights, including decisions to retain or revoke access and sign‑offs by asset owners.

Together, these provide a complete audit trail covering provisioning, modification, review and revocation: exactly what Annex A 5.18 and SOC 2 auditors will test.

FAQs: ISO 27001 Access Rights (Annex A 5.18)

1. What does ISO 27001 Annex A 5.18 “Access Rights” actually require?

Annex A 5.18 requires organisations to provision, review, modify and remove access rights according to their access control policy, ensuring access is granted only after proper authorisation and removed when no longer needed.

2. How often should user access rights be reviewed for ISO 27001 compliance?

The standard doesn’t fix an exact frequency; best practice is quarterly reviews for privileged accounts and at least annual reviews for standard users, aligned with risk and documented in your access control policy.

3. Who should approve access rights under Annex A 5.18?

Access should be authorised by the system or information asset owner, often alongside the user’s line manager, to confirm business need, segregation‑of‑duties requirements and alignment with the access control policy.

4. How does this control relate to the principle of least privilege?

A.5.18 enforces least privilege by requiring that users only receive the minimum access necessary for their role, and that rights are adjusted or revoked promptly when roles change or users leave.

5. What evidence do auditors expect for ISO 27001 Access Rights?

Auditors typically request access request forms, approval records, provisioning/deprovisioning logs from IAM or directory systems, and signed user access review reports showing what was reviewed and which rights were revoked.

6. How is ISO 27001 A.5.18 different from identity management control A.5.16?

A.5.16 focuses on identity lifecycle governance (creation and management of unique identities), whereas A.5.18 focuses on the concrete rights those identities receive, how those rights are granted, reviewed and removed in line with policy.
