Annex A · Organisational Control

A.5.18 — Access Rights

Updated on 5 min Reviewed by: Cenedril Editorial
Tags: A.5.18 · ISO 27001 · ISO 27002 · BSI ORP.4

An annual access review reveals that a project manager still holds write access to seven systems from a project that ended two years ago. A former intern’s account retains the same privileges granted during a summer placement. A.5.18 requires that access rights are provisioned, reviewed and revoked through a disciplined, documented process.

Where A.5.15 sets the policy and A.5.16 manages identities, A.5.18 governs the specific permissions attached to those identities — the operational heart of access management.

What does the standard require?

  • Provision access through a formal process. Access rights must be granted based on a documented request, approved by the asset owner. The request must reference the business need.
  • Apply least privilege and segregation of duties. Every access grant must respect the principle of minimum necessary permissions. Conflicting duties must not be assigned to the same person.
  • Adjust rights upon role changes. When an employee changes role, department or project, their access rights must be reviewed and adjusted promptly. Old rights that are no longer needed must be revoked.
  • Revoke access upon departure. When an employee leaves the organisation, all access rights must be removed. The same applies to external parties whose contract ends.
  • Review access rights periodically. Asset owners must confirm at planned intervals that every user still needs the access they hold. The review must be documented.

In practice

Establish a request-and-approval workflow. Every access request flows through a defined process: the requester states the business need, the line manager confirms, the asset owner approves, IT provisions. Ticket systems or IAM portals document the chain end to end.

Conduct annual recertification campaigns. At least once a year, generate a list of all users and their access rights per system. Send each asset owner their portion and require them to confirm or revoke each entry. Track completion rates and escalate overdue reviews.

Automate deprovisioning. Connect the HR system to the IAM platform so that departure events trigger immediate account deactivation. Manual deprovisioning should exist only as a backup.

Separate duties in critical processes. Map processes that carry financial, legal or security risk. Ensure that the access model prevents a single person from executing all steps. For example, the person who creates a payment should differ from the person who approves it.

Document exceptions. Where business needs require a deviation from least privilege — such as a temporary elevation during an emergency — record the justification, the approver, the scope and the expiry date. Review exceptions monthly.

Typical audit evidence

Auditors typically expect the following evidence for A.5.18:

  • Access request records — tickets or forms documenting request, justification and approval
  • Recertification reports — documented annual (or more frequent) access reviews by asset owners
  • Deprovisioning logs — evidence of timely access removal upon departure
  • Role-change adjustment records — evidence that access rights were updated when employees changed roles
  • Exception register — documented deviations with justification, approval and expiry
  • Segregation-of-duties matrix — mapping of incompatible roles with evidence of enforcement

KPI

% of access rights reviewed and revalidated within the last 12 months

This KPI measures the completeness of the periodic access review cycle. Every access right that has not been reviewed within the defined interval lowers the score. Achieving 100% requires disciplined campaign management and follow-up on non-responsive asset owners.

Supplementary KPIs:

  • Average time to adjust access rights after an internal role change
  • Percentage of departures with same-day access deactivation
  • Number of access exceptions currently open versus resolved
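The review steps under "In practice" and the KPI figures above can be run as a small script over an access-rights export. The following is an added example, not code from the page or from Cenedril; the user, grant and segregation-of-duties data are constructed, the evaluation date is fixed so that results are reproducible, and the 12-month review interval and the "same-day deactivation" rule follow the definitions given on this page. It flags rights that are overdue for recertification, rights still held by departed users, users holding an incompatible permission pair, and computes the headline KPI plus the same-day deactivation rate.

```python
"""Access-rights review helpers: stale-review detection, orphaned rights of
departed users, segregation-of-duties checks and the A.5.18 KPI figures.
Hypothetical example; all data below is constructed, not a real IAM export."""
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations
from typing import Optional

REVIEW_INTERVAL = timedelta(days=365)   # "reviewed within the last 12 months"


@dataclass(frozen=True)
class User:
    name: str
    status: str                            # "active" or "departed"
    left_on: Optional[date] = None         # HR departure date, if departed
    deactivated_on: Optional[date] = None  # when IAM disabled the account


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    permission: str
    last_reviewed: Optional[date]  # None = never recertified by the asset owner

    @property
    def qualified(self) -> str:
        return f"{self.system}:{self.permission}"


# Constructed sample data (not real). Evaluation date fixed so results are stable.
TODAY = date(2024, 6, 30)

USERS = {
    "alice": User("alice", "active"),
    "bob": User("bob", "active"),
    "carol": User("carol", "departed", left_on=date(2024, 5, 31), deactivated_on=date(2024, 6, 2)),
    "dave": User("dave", "departed", left_on=date(2024, 6, 14), deactivated_on=date(2024, 6, 14)),
}

GRANTS = [
    Grant("alice", "erp", "payments:create", date(2024, 3, 1)),
    Grant("alice", "erp", "payments:approve", date(2024, 3, 1)),   # SoD conflict with the line above
    Grant("bob", "crm", "read", date(2023, 5, 15)),                # older than 12 months
    Grant("bob", "fileshare", "write", None),                       # never reviewed
    Grant("carol", "erp", "payments:approve", date(2024, 1, 10)),  # holder has left: orphaned right
]

# Incompatible permission pairs (the SoD matrix), qualified as system:permission.
SOD_CONFLICTS = {
    frozenset({"erp:payments:create", "erp:payments:approve"}),
}


def stale_rights(grants, today=TODAY, interval=REVIEW_INTERVAL):
    """Grants with no recorded review, or whose last review is older than the interval."""
    cutoff = today - interval
    return [g for g in grants if g.last_reviewed is None or g.last_reviewed < cutoff]


def orphaned_rights(grants, users):
    """Grants still held by users HR marks as departed (or unknown to HR at all)."""
    return [g for g in grants
            if g.user not in users or users[g.user].status != "active"]


def sod_violations(grants, conflicts=SOD_CONFLICTS):
    """Users holding both halves of an incompatible permission pair."""
    held = {}
    for g in grants:
        held.setdefault(g.user, set()).add(g.qualified)
    violations = []
    for user, perms in sorted(held.items()):
        for a, b in combinations(sorted(perms), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return violations


def review_coverage_kpi(grants, today=TODAY, interval=REVIEW_INTERVAL):
    """Percentage of access rights reviewed within the interval (the page's headline KPI)."""
    if not grants:
        return 100.0
    stale = len(stale_rights(grants, today, interval))
    return round(100.0 * (len(grants) - stale) / len(grants), 1)


def same_day_deactivation_kpi(users):
    """Percentage of departures whose account was disabled on the departure date."""
    departed = [u for u in users.values() if u.status == "departed"]
    if not departed:
        return 100.0
    same_day = sum(1 for u in departed if u.deactivated_on == u.left_on)
    return round(100.0 * same_day / len(departed), 1)


if __name__ == "__main__":
    for g in stale_rights(GRANTS):
        print(f"STALE    {g.user:<6} {g.qualified:<28} last reviewed {g.last_reviewed}")
    for g in orphaned_rights(GRANTS, USERS):
        status = USERS[g.user].status if g.user in USERS else "unknown to HR"
        print(f"ORPHANED {g.user:<6} {g.qualified:<28} user status {status}")
    for user, a, b in sod_violations(GRANTS):
        print(f"SOD      {user:<6} holds both {a} and {b}")
    print(f"Reviewed within 12 months: {review_coverage_kpi(GRANTS)}%")
    print(f"Same-day deactivation:     {same_day_deactivation_kpi(USERS)}%")
```

On the sample data the script reports two stale rights (bob's never-reviewed and over-a-year-old grants), one orphaned right (carol's approval permission surviving her departure), one SoD conflict (alice can both create and approve payments), a 60% review-coverage KPI and a 50% same-day deactivation rate. In a real campaign the grant list would come from each system's export and the user table from the HR feed; the "unknown to HR" branch in `orphaned_rights` is where accounts with no matching identity, a common finding in first recertification rounds, surface.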

BSI IT-Grundschutz

A.5.18 maps to the following BSI modules:

  • ORP.4 (Identity and access management) — formal processes for granting, modifying and revoking access, including periodic reviews and documentation requirements.
  • OPS.1.1.1.A2 (Assignment of access authorisations) — requires that access rights are granted only based on documented requests and business justification.
  • OPS.1.1.2.A21 (Regular review of authorisations) — mandates periodic reviews of all access rights, with special attention to privileged accounts.

A.5.18 operationalises the access decisions defined by the broader access control framework.

Frequently asked questions

How often should access rights be reviewed?

ISO 27001 does not prescribe a specific frequency. Common practice is at least annual reviews for standard users and quarterly reviews for privileged accounts. Event-driven reviews (role change, department transfer, project end) are equally important.

Who is responsible for approving access rights?

The asset owner — the person accountable for the information or system — must approve access. IT departments provision the access technically, but the business decision belongs to the asset owner.

What happens to access rights during a temporary absence?

During extended absences (parental leave, sabbatical), accounts should be suspended. Upon return, the line manager confirms that the same access is still needed before reactivation. This prevents stale rights from persisting unreviewed.