If your organisation was a medieval castle, privileged access rights would be the master keys that open every door, the drawbridge, and the treasury. In the wrong hands—whether it’s a malicious hacker or just a well-meaning employee who clicks the wrong button—these keys can bring the whole kingdom crashing down.
This is why ISO 27001:2022 Annex A 8.2 is one of the most critical controls in the entire standard. It deals with Privileged Access Rights. Put simply, it’s about making sure that the powerful “Super User” or “Administrator” accounts are locked down tight and only used when absolutely necessary.
Table of contents
- What is Annex A 8.2?
- The Golden Rule: Separate Accounts
- Step 1: Create a Topic-Specific Policy
- Step 2: Inventory Your “Super Users”
- Step 3: Enforce Multi-Factor Authentication (MFA)
- Step 4: Implement “Just-in-Time” Access
- Step 5: Log and Monitor Everything
- Step 6: Regular Reviews
- Common Pitfalls to Avoid
- Conclusion
What is Annex A 8.2?
In the 2022 update of the standard, Annex A 8.2 falls under the “Technological Controls” category. The requirement is to ensure that the allocation and use of privileged access rights are restricted and managed.
It’s not enough to just trust your IT team. You need a formal process to control who gets these rights, why they get them, and when they are taken away. The goal is to prevent the misuse of administrative privileges, which is a leading cause of security breaches.
The Golden Rule: Separate Accounts
Before we dive into the step-by-step implementation, there is one golden rule you must follow: No daily use of admin accounts.
Your IT Manager, let’s call him Dave, should have two accounts:
dave.smith(Standard User): For email, web browsing, and writing reports.dave.admin(Privileged User): For configuring servers and managing users.
If Dave surfs the web as dave.admin and accidentally downloads malware, that malware instantly has the keys to the castle. If he does it as dave.smith, the damage is limited. This segregation is the foundation of Annex A 8.2.
Step 1: Create a Topic-Specific Policy
You can’t enforce rules if they aren’t written down. You need a specific policy (or a section within your Access Control Policy) that deals with Privileged Access.
This policy should state:
- Who is authorised to request admin rights.
- The requirement for “Just-in-Time” (JIT) access where possible.
- The mandatory use of strong authentication (MFA).
- The rule that privileged accounts must not be used for routine activities.
If you are looking for a shortcut here, Hightable.io offers comprehensive ISO 27001 toolkits that include these policy templates. Using a pre-written structure can save you significant time and ensure you don’t miss the subtle requirements of the 2022 standard.
Step 2: Inventory Your “Super Users”
You probably have more admins than you think. Start by auditing your systems:
- Domain Admins: Check your Active Directory.
- Cloud Admins: Check AWS, Azure, and Google Cloud IAM roles.
- SaaS Admins: Who has “Super Admin” status in Salesforce, Microsoft 365, or your CRM?
- Local Admins: Do your developers have admin rights on their local laptops? (Ideally, they shouldn’t).
Create a register of these accounts. If you find a user who “needed admin rights for a project in 2019” and still has them, revoke them immediately.
Step 3: Enforce Multi-Factor Authentication (MFA)
This is non-negotiable. Every single privileged account must be protected by MFA. If an attacker steals an admin password, MFA is the only thing standing between them and a total breach.
This links directly to Annex A 8.5 (Secure Authentication). Ensure that the MFA method is robust—authenticator apps or hardware keys (like YubiKeys) are far superior to SMS codes.
Step 4: Implement “Just-in-Time” Access
The best way to secure a privileged account is for it not to exist until it is needed.
Modern Privileged Access Management (PAM) tools allow you to grant admin rights for a specific window of time (e.g., 2 hours) to complete a specific task. Once the time is up, the rights disappear. This significantly reduces the “attack surface” because there are no standing admin accounts waiting to be compromised.
Step 5: Log and Monitor Everything
When someone is using the “keys to the kingdom,” you should be watching.
Ensure that all activity performed by privileged accounts is logged (Annex A 8.15). If a system configuration is changed or a user is deleted, you need to know exactly which admin did it and when. Set up alerts for suspicious behaviour, such as an admin logging in at 3 AM from an unusual location.
Step 6: Regular Reviews
Annex A 8.2 requires you to review these rights at regular intervals. Set up a quarterly “Access Review” meeting.
Print out the list of all privileged users and ask:
- Is this person still in this role?
- Do they still need this level of access?
- Have they used this access in the last 90 days?
If the answer is “No,” remove the access.
Common Pitfalls to Avoid
- Shared Admin Accounts: “IT_Admin” with a password written on a whiteboard is a guaranteed audit failure. Every admin action must be attributable to a specific individual.
- Service Accounts: Don’t forget the non-human accounts used by software. These often have high privileges and weak passwords. Manage them carefully.
- “Emergency” Accounts: You need a “Break Glass” account in case your MFA system fails, but it must be monitored, and its password should be kept in a physical or digital vault.
Conclusion
Implementing ISO 27001 Annex A 8.2 is about moving from “Implicit Trust” to “Explicit Verification.” By identifying your privileged users, separating their duties, enforcing MFA, and regularly reviewing their need for access, you turn your biggest security risk into a managed process.
Remember, this isn’t just about passing an audit; it’s about sleeping better at night knowing that your kingdom’s keys are safe. If you need help with the documentation side, resources like Hightable.io can provide the framework you need to get this right the first time.
