ISO 27001 - Annex A.9 - Access control

Dec 27, 2023 by Maya G

Why Is Access Control Important?     

An information security management system (ISMS) is, at its core, about making sure that the right people in your organization have access to the right information at the right time, and that nobody else does. Without this element, unauthorized disclosure or manipulation of data becomes likely. The purpose of Annex A.9 is to prevent exactly those problems.


What Is Annex A.9? 

Annex A.9 (Access control) requires that only users who have been explicitly granted access to a service can use it, and that everyone else is kept out. Access control is also referred to as access management, rights management or identity management. Left uncontrolled, information assets and information processing facilities can be reached by unauthorized individuals, leading to misuse or loss of information. The access control clause addresses this by letting you govern who may access which assets, and how.

Every organization must prioritize protecting its information assets, and Annex A.9 addresses a range of threats to them: accidental loss or damage, deliberate attack, and misuse of legitimately granted access. Meeting it requires a clearly defined access control policy and procedures covering the registration, removal and review of user access rights, including physical access, network access, control over privileged utility programs, and restriction of access to program source code.

What Is Access Control?

An access control system is a security measure that is put in place to regulate who has access to a premises, facility, or resource. It is usually put in place to protect people, information, and property. An access control system usually consists of three components:

  • The identification and authentication of individuals.
  • The authorization of individuals to access certain areas or resources.
  • The monitoring and logging of access events.

Identification and authentication is typically done with badges, cards or PIN codes for physical access, and with user IDs combined with passwords, tokens or biometrics for logical access. Authorization is expressed through access control lists or roles. Monitoring and logging of access events is done with CCTV cameras for premises and with access control software or audit logs for systems.

    The Four Types Of Access Control Are As Follows:

1. Discretionary Access Control (DAC): The owner or controller of a system, piece of data or resource decides who is permitted to access it, typically through per-object permission lists.

2. Mandatory Access Control (MAC): A non-discretionary model in which a central authority assigns security labels (classifications to resources, clearances to users) and access is granted only when the user's clearance satisfies the resource's classification. It is frequently employed in government and military contexts.

3. Role-Based Access Control (RBAC): Access is granted to roles that reflect business functions, and users are assigned roles rather than individual permissions. Users should only receive the roles needed to do their work. This widely used model is built on roles, role assignments and permissions.

4. Attribute-Based Access Control (ABAC): Access decisions are evaluated against a dynamic set of attributes of the user, the resource and the environment, such as department, data classification, time of day and location, which allows finer-grained and context-aware policies than static roles.
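The difference between static role assignment and attribute-evaluated policy is easiest to see on one request. The following added example is illustration code, not text from the standard or any product: it evaluates the same requests under a small RBAC model and a small ABAC policy, and the users, roles, resources, attribute names and rules are all assumptions made for the illustration.

```python
"""Added example (not from the standard or any product): the same requests
evaluated under a small RBAC model and a small ABAC policy.

Users, roles, resources, attribute names and rules are assumptions made for
this illustration.
"""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    # Subject and environment attributes; consulted only by the ABAC policy.
    attrs: dict = field(default_factory=dict)


# RBAC: permissions hang off roles; users are assigned roles, never permissions.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("read", "payroll_db"), ("write", "payroll_db")},
    "auditor": {("read", "payroll_db"), ("read", "audit_log")},
    "developer": {("read", "source_repo"), ("write", "source_repo")},
}
USER_ROLES = {"alice": {"payroll_clerk"}, "bob": {"auditor"}, "carol": {"developer"}}


def rbac_allows(req):
    """Grant iff some role held by the subject carries the (action, resource) pair."""
    return any((req.action, req.resource) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(req.subject, set()))


# ABAC: rules over attributes of the subject, the resource and the environment.
def _in_business_hours(t):
    return time(8, 0) <= t <= time(18, 0)


ABAC_RULES = [
    # Payroll writes: finance staff, from the corporate network, in business hours.
    lambda r: (r.resource == "payroll_db" and r.action == "write"
               and r.attrs.get("department") == "finance"
               and r.attrs.get("network") == "corporate"
               and _in_business_hours(r.attrs.get("time", time(0, 0)))),
    # Payroll reads: finance or audit staff, any time.
    lambda r: (r.resource == "payroll_db" and r.action == "read"
               and r.attrs.get("department") in {"finance", "audit"}),
    # Source code: engineering staff whose session is MFA-backed.
    lambda r: (r.resource == "source_repo"
               and r.attrs.get("department") == "engineering"
               and r.attrs.get("mfa") is True),
]


def abac_allows(req):
    """Deny by default; grant if any rule matches the request's attributes."""
    return any(rule(req) for rule in ABAC_RULES)


def decide(req):
    return {"rbac": rbac_allows(req), "abac": abac_allows(req)}


# Constructed sample requests. The two alice requests differ only in attributes,
# which RBAC cannot see: the static role allows both, ABAC allows only the first.
SAMPLES = {
    "alice_in_hours": Request("alice", "write", "payroll_db",
                              {"department": "finance", "network": "corporate", "time": time(10, 30)}),
    "alice_vpn_night": Request("alice", "write", "payroll_db",
                               {"department": "finance", "network": "vpn", "time": time(23, 5)}),
    "bob_read": Request("bob", "read", "payroll_db", {"department": "audit"}),
    "carol_no_mfa": Request("carol", "write", "source_repo",
                            {"department": "engineering", "mfa": False}),
    "mallory_read": Request("mallory", "read", "payroll_db", {"department": "finance"}),
}


def evaluate_samples():
    """Decision per sample request, under both models."""
    return {name: decide(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_samples().items():
        print(f"{name:16} RBAC={outcome['rbac']!s:5} ABAC={outcome['abac']}")
```

The last sample is the caveat a practitioner should keep in mind: ABAC granted "mallory" read access purely because the request carried a finance department attribute, so an ABAC deployment is only as trustworthy as the directory or token that supplies the attributes.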

      What Are Annex A.9 Controls?

      1.  Annex A.9.1: Business Requirements Of Access Control:

Annex A.9.1 sets out the business requirements for an organization's access control. It requires an access control policy grounded in business and security requirements, covering both physical and logical access, user roles and responsibilities, and procedures for granting and revoking access, so that only authorized individuals can reach the organization's information and systems. This is vital for protecting data confidentiality, integrity and availability.

Organizations must carefully consider their access control requirements and implement appropriate controls to mitigate the risks to their information and systems. The A.9.1 policy also covers identifying critical assets and protecting them from unauthorized access. It should be reviewed and updated regularly to reflect changes in the organization's business requirements.

      2.  A.9.1.1: Access Control Policy:

A.9.1.1 Access control policy is an important component of the ISMS. It requires an access control policy to be established, documented and reviewed based on business and information security requirements, and it defines the rules and procedures the organization follows to protect its information assets on a need-to-know and need-to-use basis. The policy should be reviewed and updated regularly to keep pace with the organization's changing security needs, be easily accessible to all employees, and be strictly enforced.

The access control policy should address the following:

• The types of access control mechanisms that will be used (e.g., passwords, biometrics, tokens).
• The process for requesting, authorizing and granting access to organizational resources.
• The process for revoking access to organizational resources.
• The roles and responsibilities of individuals involved in the access control process, with segregation of duties between requesting, authorizing and administering access.
• The consequences of violating the access control policy.

      3.  A.9.1.2 Access To Networks And Network Services:

The purpose of A.9.1.2 (ISO/IEC 27001:2013) is to ensure that users are given access only to the networks and network services they have been specifically authorized to use. Access must be restricted to authorized users, processes and devices in accordance with the access control policy. To meet this control, organizations must:

      • Define categories of users, processes, and devices allowed to access networks and network services.
      • Define the required level of access for each category.
      • Ensure that only authorized users, processes, and devices have access to networks and network services.
      • Monitor and log access to networks and network services.
      • Restrict access to privileged accounts.
      • Review and terminate access when no longer needed.
      • Implement security controls to protect against unauthorized access.

Network services include, but are not limited to, the following:

• E-mail
• Web servers
• FTP servers
• Databases
• Firewall management interfaces
• VPN gateways (remote access)
• Intrusion detection/prevention system consoles

      4.  Annex A.9.2: User Access Management:

Annex A.9.2 of ISO/IEC 27001:2013 specifies the user access management controls. User access management (UAM) is the process of authorizing users to access specific system resources and defining the extent of that access. The purpose of these controls is to ensure that only authorized users can reach the resources they need, with no more access than they need, and to prevent unauthorized access to systems and services.

      To protect its information assets, an organization must first understand who has access to them and what level of access is required. This understanding is essential to be able to establish appropriate controls. The purpose of this Annex is to provide guidance on how to ensure that only authorized users have access to information assets and that the level of access is appropriate for the user’s need and responsibilities. This Annex provides guidance on the following topics:

      • Determining who should have access to information assets.
      • Establishing user roles and responsibilities.
      • Managing user accounts.
      • Granting and revoking access to information assets.
      • Monitoring and auditing user access.


      5.  A.9.2.1 User Registration And Deregistration:

Organizations that implement an ISMS as specified in ISO/IEC 27001:2013 must have a formal user registration and de-registration process that makes the assignment of access rights possible. In practice this means every user gets a unique ID so that actions can be traced to an individual, shared IDs are permitted only where there is a business need that is approved and documented, and the IDs of users who leave are disabled or removed promptly and never reissued to someone else. To meet A.9.2.1, organizations must establish and maintain procedures for the registration and de-registration of users that include:

      • Collecting and verifying the identification information of prospective users.
      • Determining the access rights of registered users.
      • Revoking the access rights of users who are no longer authorized to have them.
      • Providing registered users with the means to change their own password or other access credentials.

      ISO/IEC 27001:2013 does not specify how these procedures should be implemented, but organizations should consider the following when developing their own procedures:

      • The level of access that each user needs.
      • The frequency with which users need to be registered and deregistered.
      • The importance of maintaining accurate records of user registrations and de-registrations

6.  A.9.2.2 User Access Provisioning:

      As part of the security measures required by ISO 27001, it is essential that businesses put in place processes for granting users access to systems and data, and for revoking that access when it is no longer needed. A.9.2.2 User access provisioning refers to the creation and management of user accounts, and the assignment of permissions and roles that determine what a user is able to do within the system.

      The process of user access provisioning should be designed to ensure that only authorized users are able to gain access to the system, and that they only have the level of access that is appropriate for their needs. There are a number of factors to consider when designing a user access provisioning process, which are described in more detail in the ISO 27001 standard. However, some of the key considerations are as follows:

      • Identification and authentication of users.
      • Assignment of permissions and roles.
      • Management of user accounts.
      • Review of user access.
• Removal or adjustment of access when a user leaves or changes role.

7.  A.9.2.3 Management Of Privileged Access Rights:

A.9.2.3 is one of the most important controls in the A.9 Access Control domain of ISO 27001:2013. It requires that the allocation and use of privileged access rights (PARs) within the scope of the ISMS are restricted and controlled: every PAR is identified, defined, approved, documented and periodically reviewed. The control is designed to ensure that:

• All PARs are granted on a least-privilege, need-to-use basis, and through a separate user ID from the one used for day-to-day work.
• All PARs are reviewed and approved by designated personnel through a formal authorization process.
• Access to systems and data is granted in a controlled and monitored manner.
• All PARs are revoked in a timely manner when the need for them ends.

8.  A.9.2.4 Management Of Secret Authentication Information Of Users:

A.9.2.4 is a control, not a separate standard: it requires that the allocation of secret authentication information (passwords, PINs, tokens, keys) is controlled through a formal management process. It applies to organizations of all sizes and industries that rely on such secrets to protect their assets and information. The guidance in A.9.2.4 covers:

• Identification of secret authentication information.
• Handling of secret authentication information, including initial issue and reset only after the user's identity has been verified.
• Storage of secret authentication information.
• Transmission of secret authentication information.
• Disposal of secret authentication information.

This control sits within the ISO/IEC 27000 family of standards on information security management.

      9.  A.9.2.5 Review Of User Access Rights:

A.9.2.5 Review of user access rights is a control in ISO 27001:2013 that requires asset owners to review users' access rights at regular intervals. The standard does not fix the frequency; it is set by the organization's risk management process, and in practice many organizations review ordinary access at least annually, review privileged access rights more frequently, and additionally review rights after any change such as promotion, demotion or transfer. The aim is to ensure that only authorized individuals have access to information and systems and that their access remains appropriate for their current needs. This protects information from unauthorized access, use, disclosure or loss.

A review of user access rights assesses the type of access each user requires and whether rights must change because the user's role or needs have changed; it should also confirm that privileged rights are still justified and that no rights have been granted outside the formal authorization process. Organizations should also consider whether changes to a user's access rights are needed to mitigate risks that have been identified. By conducting a regular review of user access rights

      10.  A.9.2.6 Removal Or Adjustment Of Access Rights:

A.9.2.6 requires that the access rights of employees and external party users to information and information processing facilities are removed when their employment, contract or agreement ends, and adjusted when their role changes, in a timely and controlled manner. Organizations shall control the assignment, removal and adjustment of access rights, and the management of access rights shall be auditable.

      The following are some measures that can be taken to control the assignment, removal, and adjustment of access rights:

      • Use an access control system to generate a list of authorized personnel and their access rights.
      • Employees and contractors shall be made aware of their responsibility to report any change in their circumstances that might affect their access rights.
      • Employees and contractors shall be required to formally acknowledge their understanding of the organization’s access control policy and procedures.
      • Access rights shall be reviewed and updated regularly.
      • Procedures shall be in place for the removal of access rights when an employee or contractor leaves.
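A.9.2.5 and A.9.2.6, together with the redundant-ID check in A.9.2.1, are easiest to operationalize as a periodic review that compares what each account actually holds against what its role and HR status justify. The added example below is illustration code, not from the standard or any product: the accounts, roles, entitlements, dates and the 90-day dormancy threshold are constructed assumptions.

```python
"""Added example (not from the standard or any product): a periodic user-access
review over constructed account data.

Findings map to A.9.2.1 (redundant IDs), A.9.2.3 (privileged rights to
recertify), A.9.2.5 (access exceeding the role) and A.9.2.6 (leavers still
holding access). Every name, date, role and entitlement is made up for the
illustration; the thresholds are assumptions, not figures from the standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role -> entitlements the role is approved to carry (the reference model).
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll:read", "payroll:write"},
    "auditor": {"payroll:read", "auditlog:read"},
    "sysadmin": {"server:root", "auditlog:read"},
}
PRIVILEGED = {"server:root", "payroll:write"}
DORMANT_DAYS = 90          # assumption: inactivity after which an ID is treated as redundant
REVIEW_DATE = date(2023, 12, 27)


@dataclass(frozen=True)
class Account:
    user_id: str
    hr_status: str             # "active" or "left", taken from the HR feed
    roles: frozenset
    entitlements: frozenset    # what the system actually grants today
    last_login: Optional[date]
    enabled: bool


ACCOUNTS = [  # constructed sample
    Account("alice", "active", frozenset({"payroll_clerk"}),
            frozenset({"payroll:read", "payroll:write"}), date(2023, 12, 20), True),
    Account("bob", "left", frozenset({"auditor"}),
            frozenset({"payroll:read", "auditlog:read"}), date(2023, 9, 1), True),
    Account("carol", "active", frozenset({"auditor"}),
            frozenset({"payroll:read", "auditlog:read", "server:root"}), date(2023, 12, 26), True),
    Account("svc-backup", "active", frozenset(), frozenset({"server:root"}), None, True),
]


def review(accounts, today=REVIEW_DATE):
    """Return (user_id, finding, detail) tuples for the asset owner to act on."""
    findings = []
    for a in accounts:
        # A.9.2.6: HR says the person has left but the account can still log on.
        if a.hr_status == "left" and a.enabled:
            findings.append((a.user_id, "LEAVER_STILL_ENABLED", "A.9.2.6: disable and remove rights"))
        # A.9.2.5: anything held that no assigned role justifies.
        approved = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in a.roles))
        excess = set(a.entitlements) - approved
        if excess:
            findings.append((a.user_id, "EXCESS_ENTITLEMENT", "A.9.2.5: " + ", ".join(sorted(excess))))
        # A.9.2.1: an enabled ID nobody has used for a long time, or ever.
        idle = (today - a.last_login).days if a.last_login else None
        if a.enabled and (idle is None or idle > DORMANT_DAYS):
            findings.append((a.user_id, "DORMANT_ID", f"A.9.2.1: last login {a.last_login}"))
        # A.9.2.3: privileged rights are recertified at every review.
        privileged = set(a.entitlements) & PRIVILEGED
        if privileged and a.enabled:
            findings.append((a.user_id, "PRIVILEGED_RECERTIFY", "A.9.2.3: " + ", ".join(sorted(privileged))))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review(ACCOUNTS):
        print(f"{user:12} {kind:22} {detail}")
```

The review takes three independent inputs (the HR feed, the role model, and the live entitlements) precisely because each one alone misses something: HR knows who left but not what they held, the role model knows what should be held, and only the live system knows what is.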

      11.  Annex A.9.3: User Responsibilities:

Annex A.9.3 of ISO 27001 sets out users' responsibilities for information security. It contains a single control, A.9.3.1, and its objective is to make users accountable for safeguarding their own authentication information. Management's part is to communicate these responsibilities and provide the necessary resources and support; the users' part is to understand and follow them.

      It is important to note that the responsibilities set out in Annex A.9.3 are not exhaustive and that other responsibilities need to be considered depending on the organization’s particular circumstances. The annex does not mandate any specific actions to be taken by users but requires that they be aware of their responsibilities. It is up to the organization to decide how to communicate these responsibilities to its users.

      12.  A.9.3.1 Use Of Secret Authentication Information:

A.9.3.1 Use of secret authentication information is a control in the A.9 Access Control domain of ISO/IEC 27001:2013. It states: "Users shall be required to follow the organization's practices in the use of secret authentication information." Secret authentication information means passwords, personal identification numbers (PINs), cryptographic keys and similar secrets used to gain access to resources or systems.

The control is intended to protect secret authentication information from unauthorized disclosure or use. Disclosure can lead to compromise of resources or systems; unauthorized use can lead to unauthorized access to, or modification of, data. Users should be advised to:

• Keep secret authentication information confidential and never share it, including with colleagues or support staff.
• Avoid writing it down or storing it in unprotected form, such as a plain text file.
• Change it whenever there is any indication that it may have been compromised.
• Choose quality passwords that are not based on guessable personal information or dictionary words, and not reuse the same secret for business and non-business purposes.

On the organization's side, the supporting measures include:

• Use of strong encryption to protect secret authentication information in transit.
• Use of strong authentication mechanisms, including a second factor, so that a leaked password alone is not sufficient.
• Use of physical security controls to protect media that store secret authentication information.
• Use of access control measures to restrict access to wherever secret authentication information is stored.

      13.  Annex A.9.4: System And Application Access Control:

Annex A.9.4 of ISO 27001 deals with system and application access control. Its objective is to prevent unauthorized access to systems and applications: only authorized individuals get access, and only at the level necessary for them to perform their duties. It contains five controls, A.9.4.1 through A.9.4.5, covered below.

      One of the benefits of implementing this control is that it helps to prevent unauthorized access to systems and applications. This, in turn, helps to protect sensitive information and assets from being compromised.

      14.  A.9.4.1 Information Access Restriction:

A.9.4.1 requires that access to information and application system functions is restricted in accordance with the access control policy, so that information is reached only by authorized individuals and cannot be misused. Information access can be restricted in several ways, including physical access controls, logical access controls and data encryption.

• Physical Access Controls: restrict physical access to information and data by storing it in a secure location that only authorized individuals can enter.
• Logical Access Controls: restrict access to information and data with user IDs, passwords and other authentication methods, together with per-user or per-role permissions within applications.
• Data Encryption: converts information and data into a form that only holders of the corresponding key can read, so that access to the ciphertext alone grants nothing.

All of these methods protect information and data from being accessed and used by unauthorized individuals. To ensure that access to systems and applications is restricted to authorized users only, the following measures should be implemented:

• System and application accounts should be created for authorized users only.
• Access to systems and applications should be logged and monitored.
• Inactive accounts should be disabled or removed.
• Strong authentication should be used for accessing systems and applications.
• Physical access to systems and applications should be restricted to authorized personnel only.
• Application menus and functions should expose only what the user's role needs, and sensitive outputs should go only to authorized terminals and locations.

      15.  A.9.4.2 Secure Log-On Procedures:

To comply with A.9.4.2, organizations must control access to systems and applications through a secure log-on procedure wherever the access control policy requires it. The rationale is to protect against unauthorized access to systems and network services. Many techniques can be used for user identification and authentication, such as passwords, personal identification numbers (PINs), hardware tokens and biometrics; the appropriate technique(s) depend on the organization's specific security needs and on the sensitivity of what is being accessed.

In addition to implementing the controls themselves, organizations must have adequate procedures and policies to manage them: how users are authenticated, what they must present, and how often they must re-authenticate. Any organization handling sensitive information needs secure log-on procedures so that only authorized individuals reach it.

Organizations should develop, document and communicate their log-on procedures, taking into account the type of system, the level of access required and the sensitivity of the data processed, so that authorized users gain access only to the parts of the system and data for which they have a legitimate need. The procedure should disclose as little as possible about the system before log-on has completed. To meet these requirements, organizations should consider the following controls:

• Strong authentication: passwords that resist guessing, combined with a second factor (token, authenticator app or hardware key) for privileged and remote access.
• A generic failure message that does not reveal whether the user ID or the password was wrong, and no display of system or application identifiers until log-on succeeds.
• A limit on consecutive failed attempts, followed by lockout or an enforced delay, with every failed attempt logged and alerted on.
• Log-on banners warning that access is restricted to authorized users.
• Audit logs of successful and failed log-on attempts, including source and time.
• Passwords never transmitted or stored in clear text, and inactive sessions terminated after a defined idle period.
• Password changes on first use and on any suspicion of compromise; routine periodic changes are still listed in the 2013 guidance but add little once strong, unique passwords and a second factor are in place.
• Physical security of terminals.

      16.  A.9.4.3 Password Management System:

A.9.4.3 requires that any password management system is interactive and ensures quality passwords. It is a control, not a standalone standard, and it does not define categories of passwords; in particular it does not endorse shared passwords, because a password shared among several people breaks the accountability that the unique user IDs of A.9.2.1 exist to provide. The guidance behind the control expects a password management system to:

• Enforce the use of individual user IDs and passwords so that every action is attributable to one person.
• Allow users to select and change their own passwords, with a confirmation step to catch typing errors.
• Enforce password quality (length and, where used, complexity) and force a change of any temporary password on first log-on.
• Keep a history of previous passwords and prevent their reuse.
• Never display the password as it is entered, and never store or transmit it in clear text; stored secrets should be salted and hashed with a purpose-built password hash and kept separate from application data.
• Allow password policy (length, quality, expiry, history depth) to be configured to the organization's risk.

A password management system is a critical part of any organization's information security program and should be given the attention it deserves.
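The log-on behaviours required by A.9.4.2 and the password-handling rules of A.9.4.3 combine naturally in one routine. The added example below is illustration code, not from the standard or any product: it keeps an in-memory credential store, and the lockout threshold, PBKDF2 iteration count, message texts and sample users are assumptions chosen for the illustration.

```python
"""Added example (not from the standard or any product): a log-on routine that
applies the A.9.4.2 behaviours and the A.9.4.3 password-handling rules.

The in-memory store, lockout threshold, PBKDF2 parameters, message texts and
sample users are assumptions made for this illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000      # assumption; raise as the CPU budget allows
MAX_FAILURES = 5                 # assumption: lock after this many consecutive failures
GENERIC_ERROR = "Log-on failed"  # never reveals whether the ID or the secret was wrong


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    def __init__(self):
        self._users = {}     # user_id -> record; kept apart from application data
        self.audit_log = []  # every attempt, success or failure (A.9.4.2)

    def register(self, user_id: str, password: str) -> None:
        """Issue an initial secret that must be changed on first log-on."""
        salt, digest = hash_password(password)
        self._users[user_id] = {"salt": salt, "digest": digest, "failures": 0,
                                "locked": False, "must_change": True, "history": [digest]}

    def _log(self, user_id: str, outcome: str, source_ip: str) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "user": user_id, "outcome": outcome, "src": source_ip})

    def log_on(self, user_id: str, password: str, source_ip: str) -> Tuple[bool, str]:
        rec = self._users.get(user_id)
        if rec is None:
            # Hash anyway so an unknown ID takes as long as a wrong password.
            hash_password(password, b"\x00" * 16)
            self._log(user_id, "FAIL_UNKNOWN_ID", source_ip)
            return False, GENERIC_ERROR
        if rec["locked"]:
            self._log(user_id, "FAIL_LOCKED", source_ip)
            return False, GENERIC_ERROR
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):   # constant-time compare
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked"] = True                         # an administrator must clear it
            self._log(user_id, "FAIL_BAD_SECRET", source_ip)
            return False, GENERIC_ERROR
        rec["failures"] = 0
        self._log(user_id, "SUCCESS", source_ip)
        if rec["must_change"]:
            return True, "Log-on OK; password change required before continuing"
        return True, "Log-on OK"

    def change_password(self, user_id: str, new_password: str) -> bool:
        """Reject reuse of any earlier password (the A.9.4.3 history check).

        The per-user salt is kept fixed here so stored history digests stay
        comparable; a production system would keep one salt per history entry.
        """
        rec = self._users[user_id]
        _, digest = hash_password(new_password, rec["salt"])
        if any(hmac.compare_digest(digest, old) for old in rec["history"]):
            return False
        rec["digest"] = digest
        rec["history"].append(digest)
        rec["must_change"] = False
        return True


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "temp-Pass-1")
    print(store.log_on("alice", "guess", "10.0.0.5"))        # (False, 'Log-on failed')
    print(store.log_on("alice", "temp-Pass-1", "10.0.0.5"))  # success, change required
    print(store.change_password("alice", "temp-Pass-1"))     # False: reuse rejected
    print(store.audit_log)
```

Two details carry most of the security value: the failure path always returns the same message and spends the same hashing time whether the ID is unknown, the account is locked or the password is wrong, so the log-on cannot be used to enumerate valid IDs; and the audit log records the outcome, source and time of every attempt, which is what the review asked for under A.9.4.2 actually consumes.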

      17.  A.9.4.4 Use Of Privileged Utility Programmes:

System administrators, database administrators and other key personnel need privileged utility programs (tools capable of overriding system and application controls) to perform legitimate management tasks. Because the same tools can bypass controls, their use represents a significant risk and must be carefully restricted, monitored and controlled.

The objectives of this requirement are to:

• Ensure that the use of privileged utilities is controlled.
• Limit the number of personnel with privileged access to the system.
• Ensure that the use of privileged utilities is logged.
• Ensure that only authorized personnel use privileged utilities.

To achieve these objectives, the following controls should be implemented:

• All use of privileged utilities should be logged, to a store that the utility's user cannot alter.
• Only authorized personnel should be granted access to privileged utilities, with the authorization documented.
• Privileged utilities should be run in accordance with predefined procedures, and removed or disabled where they are not needed.
• Privileged utilities should be kept separate from application software, and their use segregated from the duty of reviewing it where practical.
• The logs should be reviewed regularly.

Implementing this control can be challenging, but unauthorized use of a privileged utility is one of the fastest routes from an initial foothold to full compromise, so the logging and review are worth the effort.
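The regular log review that A.9.4.4 asks for can be partly automated against an approved-use procedure. The added example below is illustration code, not text from the standard or any product: the sudo-style log lines, host names, users, approved-utility list and change window are constructed for the illustration.

```python
"""Added example (not from the standard or any product): reviewing
privileged-utility use from sudo-style log lines.

The log lines, hosts, users, approved lists and change window are constructed
for this illustration; the rules stand in for one organization's procedure.
"""
import re
from datetime import time

AUTHORIZED_ADMINS = {"alice", "dave"}                      # assumption
APPROVED_UTILITIES = {"/usr/bin/systemctl", "/usr/sbin/tcpdump", "/usr/bin/journalctl"}
CHANGE_WINDOW = (time(7, 0), time(19, 0))                  # assumption: approved hours

# Matches the common sudo syslog layout, including sudo's own denial marker.
SUDO_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):\d\d (?P<host>\S+) sudo: +"
    r"(?P<user>\S+) : (?P<denied>command not allowed ; )?.*?USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.+)$"
)

SAMPLE_LOG = """\
Dec 27 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Dec 27 10:16:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Dec 27 22:41:09 db02 sudo:     dave : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/journalctl -u postgresql
Dec 27 11:02:55 web01 sudo:    erin : TTY=pts/2 ; PWD=/home/erin ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0
Dec 27 11:05:13 web01 sudo:    erin : command not allowed ; TTY=pts/2 ; PWD=/home/erin ; USER=root ; COMMAND=/usr/bin/dd if=/dev/sda
"""


def review_privileged_use(log_text):
    """Return (user, finding, detail) for every line that departs from procedure."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue                      # not a sudo command record
        user, cmd = m["user"], m["cmd"]
        binary = cmd.split()[0]
        at = time(int(m["hh"]), int(m["mm"]))
        if m["denied"]:
            # sudo refused it, but the attempt itself is worth a reviewer's eye.
            findings.append((user, "DENIED_ATTEMPT", cmd))
            continue
        if user not in AUTHORIZED_ADMINS:
            findings.append((user, "UNAUTHORIZED_USER", cmd))
        if binary not in APPROVED_UTILITIES:
            # A shell or disk tool run as root escapes the approved procedure entirely.
            findings.append((user, "UNAPPROVED_UTILITY", cmd))
        if not (CHANGE_WINDOW[0] <= at <= CHANGE_WINDOW[1]):
            findings.append((user, "OUTSIDE_WINDOW", f"{m['hh']}:{m['mm']} {cmd}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_privileged_use(SAMPLE_LOG):
        print(f"{user:8} {kind:20} {detail}")
```

The review depends on the log being complete and untampered, which is why the control pairs logging with forwarding to a store the administrator cannot edit; a root user who can rewrite the local syslog file can remove the second line above as easily as they ran it.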

      18.  A.9.4.5 Access Control To Program Source Code:

      The objective of A.9.4.5 is to ensure that access to program source code is restricted to authorized individuals. This includes the source code for in-house developed systems and off-the-shelf software. Several measures can be taken to achieve this objective, such as:

      • Ensuring that only authorized individuals have access to the development environment.
      • Restricting access to program source code repositories to authorized individuals.
      • Implementing change control procedures to ensure that only authorized changes are made to program source code.
      • Regularly reviewing access to program source code and making changes as necessary.

Implementing these measures helps ensure that only authorized individuals can access program source code, which in turn protects the system from unauthorized changes. In practice this means the source code library is not held on the production system, repository access is granted through authenticated individual accounts with fine-grained permissions (read versus write, protected branches), changes are made only through change control with review, and access to the library and every change to it is logged.

      Why Is Access Control Important For Your Organization?

Access control protects information and information systems from unauthorized access, use, disclosure, interception or destruction, whether the unauthorized access results from accident or intent. The costs of a breach can be significant, so it is important to have controls that prevent unauthorized access in the first place.

Access control is one of the key components of an effective information security program. It is the process of granting or denying access to information and information systems, and includes the ability to identify and authenticate users, authorize their access, and monitor and log their activity. The benefits of implementing it include:

      • Preventing unauthorized access to information and information systems.
      • Enforcing the least privilege.
      • Facilitating compliance with security policies and regulations.
      • Enhancing the security of physical and virtual assets.

      Conclusion:

Annex A.9 is one of the most crucial provisions to implement when obtaining ISO 27001 certification. Controlling who has access to your information is one of the most effective ways to keep it secure. Well-implemented access restrictions greatly reduce inappropriate access, attacks on information systems and data leaks.
