In this ultimate how-to audit guide to ISO 27001 Annex A 5.18 Access Rights, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Access Rights Provisioning Policy Formalisation Verified
- 2. Role-Based Access Control (RBAC) Alignment Confirmed
- 3. Formal Access Authorisation Records Validated
- 4. Privileged Access Right Restrictions Verified
- 5. Periodic Access Rights Review Execution Evidenced
- 6. Immediate Revocation of Access for Leavers Confirmed
- 7. Modification of Access Rights for “Movers” Validated
- 8. Access Rights for External Parties Managed
- 9. Segregation of Duties in Access Management Verified
- 10. Access Rights Logging and Monitoring Confirmed
Auditing ISO 27001 Annex A 5.18 Access Rights is the rigorous verification of how user permissions are granted, reviewed, and revoked. This process validates the primary implementation requirement: applying the principle of least privilege through Role-Based Access Control (RBAC). The business benefit is a reduction in insider threats and data leakage, because users can only access the data necessary for their specific job functions.
1. Access Rights Provisioning Policy Formalisation Verified
Verification Criteria: A documented procedure defines the full lifecycle of access rights, including the methods for request, authorisation, provisioning, and periodic review.
Required Evidence: Approved Access Control Policy or Identity and Access Management (IAM) Standard with version control.
Pass/Fail Test: If the organisation lacks a documented process for how access is formally requested and authorised prior to provisioning, mark as Non-Compliant.
2. Role-Based Access Control (RBAC) Alignment Confirmed
Verification Criteria: Access rights are assigned based on predefined job roles and the principle of least privilege, rather than individual user requests.
Required Evidence: A Role-Based Access Control (RBAC) matrix or entitlement catalogue mapping roles to specific system permissions.
Pass/Fail Test: If a user is found to have “Super User” or “Admin” rights without a corresponding business justification in their job role description, mark as Non-Compliant.
3. Formal Access Authorisation Records Validated
Verification Criteria: Every grant of an access right is backed by a formal authorisation from the relevant asset owner or management representative.
Required Evidence: Completed access request tickets (e.g., Jira, ServiceNow) or signed authorisation forms for a sample of new users.
Pass/Fail Test: If an account has been provisioned without a documented and timestamped approval from the asset owner, mark as Non-Compliant.
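Steps 2 and 3 both come down to a reconciliation: the permissions each account actually holds are compared against the RBAC matrix for that account's role, privileged rights are checked for a recorded business justification, and every provisioned account is matched to a timestamped approval that predates provisioning. The script below is an added example of that reconciliation, not part of this guide or the Ultimate ISO 27001 Toolkit; the RBAC matrix, the accounts, the approval records and the finding codes are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed RBAC matrix: role -> the permissions that role is entitled to.
# In a real audit this comes from the organisation's entitlement catalogue.
RBAC_MATRIX = {
    "finance_analyst": {"erp.read", "erp.report"},
    "hr_admin": {"hris.read", "hris.write"},
    "sysadmin": {"erp.admin", "hris.admin", "os.root"},
}

# Constructed list of permissions the auditor treats as privileged ("Admin" / "Super User").
PRIVILEGED_PERMISSIONS = {"erp.admin", "hris.admin", "os.root"}


@dataclass
class Account:
    user: str
    role: str
    permissions: set          # permissions actually present on the system
    provisioned: datetime     # when the account was created
    justification: str = ""   # documented business justification for privileged rights


@dataclass
class Approval:
    user: str
    approver: str             # asset owner or management representative
    approved_at: datetime     # timestamp on the ticket or signed form


# Constructed sample extract from an account export and a ticketing system.
ACCOUNTS = [
    Account("alice", "finance_analyst", {"erp.read", "erp.report"}, datetime(2024, 3, 4)),
    Account("bob", "finance_analyst", {"erp.read", "erp.report", "erp.admin"}, datetime(2024, 3, 5)),
    Account("carol", "sysadmin", {"erp.admin", "hris.admin", "os.root"}, datetime(2024, 3, 6),
            justification="Platform on-call engineer, approved by CTO"),
    Account("dave", "hr_admin", {"hris.read"}, datetime(2024, 3, 7)),
]
APPROVALS = [
    Approval("alice", "finance_director", datetime(2024, 3, 1)),
    Approval("bob", "finance_director", datetime(2024, 3, 2)),
    # carol has no approval record at all
    Approval("dave", "hr_director", datetime(2024, 3, 8)),   # approved after provisioning
]


def audit_access_rights(accounts, approvals, matrix=RBAC_MATRIX, privileged=PRIVILEGED_PERMISSIONS):
    """Return a list of (user, finding_code, detail) tuples; an empty list means no findings."""
    approvals_by_user = {a.user: a for a in approvals}
    findings = []
    for acct in accounts:
        entitled = matrix.get(acct.role)
        if entitled is None:
            # A role absent from the matrix cannot be assessed for least privilege.
            findings.append((acct.user, "ROLE_NOT_IN_MATRIX", acct.role))
            continue

        # Step 2: permissions beyond the role's entitlement break least privilege.
        excess = acct.permissions - entitled
        if excess:
            findings.append((acct.user, "EXCESS_PERMISSIONS", sorted(excess)))

        # Step 2: privileged rights must carry a business justification.
        held_privileged = acct.permissions & privileged
        if held_privileged and not acct.justification.strip():
            findings.append((acct.user, "PRIVILEGED_WITHOUT_JUSTIFICATION", sorted(held_privileged)))

        # Step 3: every account needs a timestamped approval dated before provisioning.
        approval = approvals_by_user.get(acct.user)
        if approval is None:
            findings.append((acct.user, "NO_APPROVAL_RECORD", None))
        elif approval.approved_at > acct.provisioned:
            findings.append((acct.user, "APPROVAL_AFTER_PROVISIONING", approval.approved_at.isoformat()))
    return findings


def is_compliant(findings):
    """Pass/Fail: any finding at all marks the sample as Non-Compliant."""
    return len(findings) == 0


if __name__ == "__main__":
    for user, code, detail in audit_access_rights(ACCOUNTS, APPROVALS):
        print(f"{user:8} {code:32} {detail}")
    print("Compliant" if is_compliant(audit_access_rights(ACCOUNTS, APPROVALS)) else "Non-Compliant")
```

Run against an export of real accounts and ticket records, the same four checks give the auditor an evidence-backed list of exceptions rather than a judgement formed from a handful of screenshots; the sample above deliberately includes one clean account and one exception of each kind so the output can be checked by hand.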