Access rights are the specific permissions granted to users, processes and devices, and managing them is how an organisation enforces the principle of least privilege. Controlling these rules strictly limits what a compromised or misused account can reach, reducing the risk of internal data breaches and protecting the integrity of information assets.
What are access rights?
Access rights (also called permissions or privileges) are rules that define who can use a computer system and what they’re allowed to do. They control access to things like files, folders, and applications. For example, a user might have the right to read a file but not to change or delete it. This helps keep data safe and private.
Examples
Imagine a shared school computer. The teacher has full access rights, so they can add or remove student accounts and change grades. Students have limited access rights. They can open and save their own homework files but can’t change the teacher’s files or install new programs. A company’s HR department might have access to employee salary data, but regular employees don’t.
Context
Access rights are a core part of computer security. They ensure that only authorised people can see or change important information. This is crucial for protecting against data theft, accidental changes, and misuse of systems. By assigning specific rights to users or groups, an organisation can maintain control and accountability.
How to Implement Access Rights
Implementing access rights in accordance with ISO 27001:2022 Annex A 5.18 is a fundamental security requirement to ensure that only authorised users can interact with your organisation’s sensitive data. By following this 10-step implementation framework, you will align your technical controls with the principle of least privilege, reducing the risk of internal data breaches and ensuring compliance during your certification audit.
1. Formalise the Access Rights Policy
Establish a documented policy that defines how access rights are requested, approved, and assigned to ensure consistent governance across the organisation.
- Define clear criteria for granting access based on job roles and business necessity.
- Identify the stakeholders responsible for approving access requests, typically the Information Asset Owners.
- Document the process for handling temporary access and emergency access scenarios.
2. Map Rights to the Asset Register
Utilise your Asset Register to link specific access rights to individual information assets, ensuring every data set has a defined set of permissions.
- Categorise assets by sensitivity to determine the granularity of required access controls.
- Ensure every asset listed in the register has an assigned owner responsible for access validation.
- Document the specific technical permissions (Read, Write, Execute, Delete) required for each asset category.
3. Provision Role-Based Access Control (RBAC)
Implement Identity and Access Management (IAM) roles to automate the assignment of rights, ensuring users only receive the permissions necessary for their specific job function.
- Create standardised roles within your IAM system that reflect organisational departments.
- Map granular permissions to these roles rather than to individual user accounts.
- Review role definitions annually to prevent “permission creep” as business processes evolve.
4. Enforce the Principle of Least Privilege
Configure technical systems to default to a “deny-all” state, ensuring that access is only granted explicitly when required for a task.
- Audit all existing accounts to remove any permissions that exceed the user’s current requirements.
- Disable “Guest” accounts and ensure no generic or shared credentials are in use.
- Utilise “Just-In-Time” (JIT) access for sensitive tasks to limit the duration of elevated rights.
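Steps 3 and 4 describe an authorisation model: permissions attach to roles rather than to individual accounts, every request is denied unless a role explicitly carries the permission, and elevated rights are granted just-in-time for a bounded window. The following added example (written for this page, not code from the original page or any product it mentions) implements that model; the role names, permissions, users and the 30-minute window are constructed for illustration, and the check that an approver differs from the requester is a minimal form of the segregation of duties described in step 6.

```python
"""Deny-by-default RBAC authorisation with time-boxed (JIT) elevation.

Added example; roles, permissions and users are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# A permission is (action, resource class). Permissions live only on roles,
# so a user can never hold a right that is not attached to some role.
ROLES: dict[str, frozenset[tuple[str, str]]] = {
    "hr-analyst": frozenset({("read", "payroll"), ("read", "employee-record")}),
    "hr-manager": frozenset({("read", "payroll"), ("write", "payroll"),
                             ("read", "employee-record"), ("write", "employee-record")}),
    "engineer": frozenset({("read", "source"), ("write", "source")}),
}


@dataclass
class Grant:
    """A time-boxed elevation approved through a JIT workflow."""
    role: str
    expires_at: datetime
    approved_by: str


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)        # standing assignments
    jit_grants: list[Grant] = field(default_factory=list)


def effective_roles(user: User, now: datetime) -> set[str]:
    """Standing roles plus any JIT grant that has not yet expired."""
    active = {g.role for g in user.jit_grants if g.expires_at > now}
    return user.roles | active


def is_allowed(user: User, action: str, resource: str, now: datetime | None = None) -> bool:
    """Deny by default: True only if some effective role carries the permission."""
    now = now or datetime.now(timezone.utc)
    for role in effective_roles(user, now):
        if (action, resource) in ROLES.get(role, frozenset()):
            return True
    return False


def grant_jit(user: User, role: str, approver: str, minutes: int, now: datetime) -> Grant:
    """Elevate for a bounded window. The role must exist, and the approver must be a
    different person from the requester (a minimal segregation-of-duties check)."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    if approver == user.name:
        raise PermissionError("requester cannot approve their own elevation")
    grant = Grant(role=role, expires_at=now + timedelta(minutes=minutes), approved_by=approver)
    user.jit_grants.append(grant)
    return grant


if __name__ == "__main__":
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    alice = User("alice", roles={"hr-analyst"})
    print(is_allowed(alice, "read", "payroll", t0))    # True: standing role
    print(is_allowed(alice, "write", "payroll", t0))   # False: not in hr-analyst
    grant_jit(alice, "hr-manager", approver="bob", minutes=30, now=t0)
    print(is_allowed(alice, "write", "payroll", t0 + timedelta(minutes=10)))  # True: JIT active
    print(is_allowed(alice, "write", "payroll", t0 + timedelta(minutes=31)))  # False: expired
```

The point to notice is that there is no "allow" path that bypasses a role: a direct per-user grant simply cannot be expressed, and elevation expires on its own rather than waiting for someone to remember to remove it.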
5. Secure Privileged Access Rights
Apply enhanced controls to administrative and privileged accounts, as these represent the highest risk to the Information Security Management System (ISMS).
- Separate administrative accounts from standard user accounts for all IT personnel.
- Mandate the use of Multi-Factor Authentication (MFA) for every privileged login attempt.
- Implement a Privileged Access Management (PAM) solution to vault and rotate administrative passwords.
6. Implement Segregation of Duties
Distribute sensitive tasks and access rights across multiple individuals to prevent any single person from compromising a critical business process.
- Identify high-risk activities, such as financial transfers or system configuration changes, that require dual authorisation.
- Technical implementation: ensure that the person requesting a change cannot be the same person who approves or deploys it.
- Document exceptions where segregation is not possible and apply compensatory monitoring controls.
7. Enforce Multi-Factor Authentication (MFA)
Deploy MFA as a mandatory technical control for all remote access and access to critical cloud applications to mitigate the risk of credential theft.
- Prefer phishing-resistant hardware tokens (FIDO2/WebAuthn) or mobile authenticator apps over SMS-based codes, which are exposed to SIM-swap and interception attacks.
- Ensure MFA is triggered for all access to the ISO 27001 Toolkit and GRC documentation.
- Configure conditional access policies to require MFA based on user location or device health.
8. Audit and Review Access Rights
Conduct periodic access reviews to verify that users still require their assigned permissions, providing evidence of “continual improvement” for auditors.
- Schedule formal access re-certifications quarterly for standard users and monthly for privileged users.
- Require Asset Owners to provide a digital signature or log entry confirming the validity of current access.
- Automate the identification of “stale” accounts that have not been used for more than 30 days.
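An access review is only useful if it compares what an account actually holds against what its role entitles it to; a list of users and roles alone will not reveal permission creep or direct grants made outside the role model. The following added example (not code from the page) produces the findings a re-certification would send to asset owners: permissions beyond the assigned roles, accounts idle for more than 30 days, and privileged accounts that belong on the monthly cycle. The role definitions, account rows and privileged role names are constructed; a real run would read them from a directory or IAM export.

```python
"""Access re-certification helper: flag permission creep and stale accounts.

Added example; roles, accounts and thresholds are constructed assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)                 # idle longer than this is "stale"
PRIVILEGED_ROLES = {"db-admin", "domain-admin"}  # assumed names; reviewed monthly

# Permissions each role is entitled to carry (assumed, for illustration).
ROLES: dict[str, set[str]] = {
    "engineer": {"repo:read", "repo:write", "ci:trigger"},
    "hr-analyst": {"payroll:read"},
    "db-admin": {"db:read", "db:write", "db:admin"},
}

# Constructed directory export: roles assigned, permissions actually present, last sign-in.
ACCOUNTS = [
    {"user": "alice", "roles": {"engineer"},
     "granted": {"repo:read", "repo:write", "ci:trigger"},
     "last_login": datetime(2024, 3, 1, tzinfo=timezone.utc)},
    {"user": "bob", "roles": {"hr-analyst"},
     "granted": {"payroll:read", "payroll:write"},             # write was never in the role
     "last_login": datetime(2024, 3, 3, tzinfo=timezone.utc)},
    {"user": "carol", "roles": {"db-admin"},
     "granted": {"db:read", "db:write", "db:admin"},
     "last_login": datetime(2024, 1, 10, tzinfo=timezone.utc)},  # privileged and idle
    {"user": "svc-backup", "roles": set(),
     "granted": {"db:read"},                                   # direct grant, bypasses RBAC
     "last_login": datetime(2024, 3, 4, tzinfo=timezone.utc)},
]


def entitled(roles: set[str]) -> set[str]:
    """Union of the permissions the given roles are entitled to carry."""
    perms: set[str] = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms


def review(accounts: list[dict], now: datetime) -> list[dict]:
    """Return one finding per problem; an empty list means nothing to re-certify."""
    findings: list[dict] = []
    for acct in accounts:
        excess = acct["granted"] - entitled(acct["roles"])
        if excess:
            # Permission creep, or a direct grant made outside the role model.
            findings.append({"user": acct["user"], "finding": "excess_permissions",
                             "detail": sorted(excess)})
        idle = now - acct["last_login"]
        if idle > STALE_AFTER:
            findings.append({"user": acct["user"], "finding": "stale_account",
                             "detail": idle.days})
        priv = acct["roles"] & PRIVILEGED_ROLES
        if priv:
            # Privileged accounts go on the monthly rather than the quarterly cycle.
            findings.append({"user": acct["user"], "finding": "privileged_review",
                             "detail": sorted(priv)})
    return findings


if __name__ == "__main__":
    for finding in review(ACCOUNTS, datetime(2024, 3, 5, tzinfo=timezone.utc)):
        print(finding)
```

Note the service account: it has no role at all, yet holds a permission. That is exactly the kind of grant a role-only report never shows, and why the review must be driven from the permissions present on the account rather than from the role assignments.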
9. Revoke Access via the Offboarding Process
Link your HR termination workflow to a documented technical deprovisioning procedure (a leavers checklist) so that access is revoked as soon as a user leaves the organisation.
- Set a fixed deadline for disabling accounts, measured from the moment a resignation or termination is received, and treat involuntary departures as immediate.
- Revoke physical access, VPN tokens, and cloud application rights simultaneously.
- Ensure all company-owned assets are returned before the final exit interview is completed.
10. Log and Monitor Access Activities
Enable comprehensive logging of all access events, focusing on failed login attempts and changes to privileged groups, to support incident response.
- Centralise logs in a secure, tamper-evident store (write-once or append-only) and retain them for at least 12 months.
- Set up automated alerts for “impossible travel” or brute-force login patterns.
- Review logs as part of the internal audit process to ensure the Access Rights Policy is being followed technically.
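The two alert patterns named above are simple to state but worth seeing as actual detection logic. The following added example (written for this page, not code from the original page or any product it mentions) runs over a handful of constructed authentication log lines: it raises a brute-force alert when one source IP produces five failures within 60 seconds, and an impossible-travel alert when a user's consecutive successful logins are further apart than the elapsed time allows at a plausible speed. The log format, the thresholds, the 900 km/h ceiling and the coordinates are all assumptions.

```python
"""Detection logic over authentication log lines: brute-force login patterns
and "impossible travel".

Added example; log format, thresholds and coordinates are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

BRUTE_FORCE_THRESHOLD = 5                    # failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... within this sliding window
MAX_PLAUSIBLE_SPEED_KMH = 900.0              # faster than this between logins is "impossible"

# Constructed sample log (assumed key=value format; geo fields only on successes).
LOG_LINES = """\
2024-03-05T08:00:01Z user=alice result=success src=203.0.113.10 lat=51.50 lon=-0.12
2024-03-05T08:10:00Z user=alice result=success src=198.51.100.7 lat=40.71 lon=-74.00
2024-03-05T08:30:00Z user=dave result=success src=203.0.113.22 lat=51.50 lon=-0.12
2024-03-05T09:00:00Z user=bob result=failure src=192.0.2.5
2024-03-05T09:00:05Z user=bob result=failure src=192.0.2.5
2024-03-05T09:00:12Z user=bob result=failure src=192.0.2.5
2024-03-05T09:00:20Z user=bob result=failure src=192.0.2.5
2024-03-05T09:00:33Z user=bob result=failure src=192.0.2.5
2024-03-05T09:15:00Z user=erin result=failure src=203.0.113.40
2024-03-05T11:30:00Z user=dave result=success src=198.51.100.90 lat=48.86 lon=2.35
"""


def parse_line(line: str) -> dict:
    """Timestamp followed by key=value pairs; lat/lon become floats when present."""
    ts_str, *pairs = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    if "lat" in event:
        event["lat"], event["lon"] = float(event["lat"]), float(event["lon"])
    return event


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_brute_force(events: list[dict]) -> list[dict]:
    """Sliding window of failure timestamps per source IP; one alert per source."""
    alerts, alerted = [], set()
    window: dict[str, deque] = defaultdict(deque)
    for ev in events:
        if ev["result"] != "failure":
            continue
        recent = window[ev["src"]]
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > BRUTE_FORCE_WINDOW:
            recent.popleft()
        if len(recent) >= BRUTE_FORCE_THRESHOLD and ev["src"] not in alerted:
            alerts.append({"type": "brute_force", "src": ev["src"],
                           "failures": len(recent), "ts": ev["ts"]})
            alerted.add(ev["src"])
    return alerts


def detect_impossible_travel(events: list[dict]) -> list[dict]:
    """Compare each successful login with the user's previous one."""
    alerts, last_success = [], {}
    for ev in events:
        if ev["result"] != "success" or "lat" not in ev:
            continue
        prev = last_success.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Flag if the distance could not be covered in the elapsed time;
            # this also catches two distant logins in the same second (hours == 0).
            if hours < km / MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append({"type": "impossible_travel", "user": ev["user"],
                               "km": round(km), "hours": round(hours, 2), "ts": ev["ts"]})
        last_success[ev["user"]] = ev
    return alerts


def run(log_text: str) -> list[dict]:
    """Parse, order by time, and apply both detections."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    return detect_brute_force(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in run(LOG_LINES):
        print(alert)
```

In production the coordinates come from an IP geolocation lookup at ingest time, and the speed ceiling and failure window need tuning per environment: corporate VPN egress and mobile carrier NAT are the usual sources of false positives for impossible travel, and a single shared NAT address can trip the brute-force rule on its own.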
Access Rights FAQ
Understanding access rights is critical for maintaining the integrity of your Information Security Management System (ISMS). Below are the most frequent queries regarding the implementation and management of access rights under the ISO 27001:2022 standard.
What are access rights in the context of ISO 27001?
Access rights are the specific permissions granted to users, processes, or devices to interact with information assets. Under ISO 27001:2022 Annex A 5.18, these rights must be provisioned, reviewed and revoked in line with the principle of least privilege, so that each user holds only the minimum access required for their job function; this limits the damage an insider or a compromised account can do.
How often should access rights be reviewed for ISO 27001 compliance?
Access rights should be reviewed at formal, scheduled intervals, typically every 90 days for standard users and every 30 days for privileged or administrative accounts. Annex A 5.18 requires regular reviews so that “permission creep” does not go unnoticed; reviewing privileged access monthly shortens the window in which an unnecessary administrative right can be abused.
What is the difference between access control and access rights?
Access control is the broad framework of policies and technical hurdles (like MFA) used to manage entry to systems, while access rights are the specific granular permissions (such as read, write, or delete) assigned once entry is granted. Think of access control as the “door” and access rights as what you are allowed to do once you are inside the “room”.
How do I implement the Principle of Least Privilege for ISO 27001?
To implement least privilege, you must follow a structured technical workflow:
- Identify the minimum data sets required for a specific job role.
- Provision access via Role-Based Access Control (RBAC) instead of individual assignments.
- Disable all default permissions and “Guest” accounts.
- Use Just-In-Time (JIT) access for high-risk administrative tasks to limit the window of exposure.
What are the primary security risks of poor access rights management?
The primary risks include unauthorised data disclosure, privilege escalation, and insider threats. Excessive or unreviewed privileged rights are a recurring factor in breaches: an attacker who compromises one over-privileged account inherits everything it can reach. Failure to manage these rights leads to non-conformities during ISO 27001 audits and widens the organisation’s attack surface for lateral movement.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to access rights:
- ISO 27001:2022 Annex A 5.15: Access control. The overarching control; it requires rules for controlling access to information and assets, of which access rights are the practical expression.
- ISO 27001:2022 Annex A 5.16: Identity management. Covers the full life cycle of identities: creating, changing and removing them.
- ISO 27001:2022 Annex A 5.17: Authentication information. Covers how users prove who they are (e.g., with passwords, tokens or keycards).
- ISO 27001:2022 Annex A 5.18: Access rights. Covers provisioning, reviewing, modifying and removing user access to systems.
- ISO 27001:2022 Annex A 8.2: Privileged access rights. Covers controlling access for powerful accounts, such as system administrators.
