Table of Contents
ISO 27001 Privileged Access Rights
I am going to show you what ISO 27001 Annex A 8.2 Privileged Access Rights is, what’s new, give you ISO 27001 templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.
I am Stuart Barker the ISO 27001 Ninja and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.
What is ISO 27001 Annex A 8.2 Privileged Access Rights?
ISO 27001 Annex A 8.2 Privileged Access Rights is an ISO 27001 control that looks to make sure you have controls in place to manage privileged access rights.
ISO 27001 Annex A 8.2 Purpose
The purpose of Annex A 8.2 Privileged Access Rights is to ensure only authorised users, software components and services are provided with privileged access rights.
ISO 27001 Annex A 8.2 Definition
The ISO 27001 standard defines Annex A 8.2 as:
The allocation and use of privileged access rights should be restricted and managed.
ISO 27001:2022 Annex A 8.2 Privileged Access Rights
DO IT YOURSELF
ISO 27001
ISO 27001 Annex A 8.2 Implementation Guide
General Guidance
Privileged access is the access that people, software or services have that allows them to do things that normal users cannot do and that could cause the most harm. This level of access is used to manage and configure systems and to allow people to perform administrative tasks. We need people to have this level of access but we do not want everyone to have it. The risk of granting this level of access to someone that doesn’t know what to do with it or should not have it is that they could break something, stop something working or carry out activities that are, shall we say, bad.
Your starting point for this control is to implement a topic specific policy on access control and include in that policy your approach to privilege access. The ISO 27001 Access Control Policy Template is already written for you and ready to go and includes a great free Access Control Policy Example PDF.
When implementing this control use common sense and be practicable. We are working here on the principle of segregation of duty. We do not want the person with the access to authorise the access and where possible the person with access should not have conflicting access. Rather, separate out your privilege accounts logically where it makes sense and you are able to do so. An example would be to separate out those with the access to the databases from those with access to the logging and monitoring. This prevents things like that ability to do something then change the logs to cover it up.
I find the use of role based access as a technique is a great tool here. Understanding what roles you need, defining them and then allocating people to roles based on need.
Authorisation Process
Implement a process of authorisation that separates those requiring access from those that grant it. Keep a record of all accounts with privilege access. Consider placing time limits on their use or allocating expiry dates.
Review Access Requirements
Regular reviews of people’s access should form part of your normal operating rhythm. This also applies to privilege accounts. A process to check who has what and if they still need it.
Use of privilege accounts
Ideally we want a situation where privilege accounts are only used when needed to perform privileged actions and normal accounts are used in normal day to day operations for the user. It doesn’t have to be this, as this is best practice, but the ideal is some way to distinguish when the user is in privilege mode. It will reduce the likelihood of an information security incident.
This level of account really should be logged and monitored for audit purposes.
Generic accounts
You should really discourage the use of generic administrative accounts. We want to be able to tie actions back to an individual. If you simple have to have a generic account then my recommendation is to manage it as an exception and record it in the risk register. Mange it via risk management, even if that is accepting the risk.
ISO 27001 Templates
ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.
DO IT YOURSELF
ISO 27001
How to pass an audit of ISO 27001 Annex A 8.2
Time needed: 1 day
How to comply with ISO 27001 Annex A 8.2
- Have policies and procedures in place
Write, approve, implement and communicate the documentation required for privileged access rights.
- Assess your privilege use requirements and perform a risk assessment
Identify what your requirements are for privileged access and then perform a risk assessment.
- Implement controls proportionate to the risk posed
Based on the risk assessment implement controls proportionate that risk assessment and the needs of the business.
- Keep records
For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.
- Test the controls that you have to make sure they are working
Perform internal audits that include the testing of the controls to ensure that they are working.
Top 3 Mistakes People Make for ISO 27001 Annex A 8.2
The top 3 mistakes people make for ISO 27001 Annex A 8.2 are
1. Having generic accounts
Having generic accounts is not always a bad thing but having them because you are lazy is. Try to eliminate them and where you do require them manage via risk management. This means recording them on the risk register and managing the risk, even if managing the risk is accepting the risk and recording the decision.
2. Laptop Administrator Accounts
This common mistake actually relates to end points and the default position of providing all users administrative control over those devices by default. Again, this is usually lazy management and again, as above, if required manage it via risk management. Auditors check and will want a justification and don’t just do it because it is easy or you have always done it. This level of access really does negate a lot of the end point controls that you are going to rely on.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
Get the Help of the ISO 27001 Ninja
Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.
Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Protect | Identity and access management | Protection |
| Integrity | ||||
| Availability |