Access rights (also called permissions or privileges) are rules that define who can use a computer system and what they’re allowed to do. They control access to things like files, folders, and applications. For example, a user might have the right to read a file but not to change or delete it. This helps keep data safe and private.
Examples
Imagine a shared school computer. The teacher has full access rights, so they can add or remove student accounts and change grades. Students have limited access rights. They can open and save their own homework files but can’t change the teacher’s files or install new programs. A company’s HR department might have access to employee salary data, but regular employees don’t.
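To make the school scenario concrete, the following added example (not part of the original page) models it as a deny-by-default rights check: a role grants rights on every resource, ownership grants rights on one's own files, and anything else is refused. The roles, names and file paths are constructed for illustration; `review_privileged` shows the kind of access review the Annex A 5.18 and 8.2 controls listed below expect.

```python
from dataclasses import dataclass

READ, WRITE, DELETE, ADMIN = "read", "write", "delete", "admin"


@dataclass(frozen=True)
class Subject:
    name: str
    role: str


@dataclass(frozen=True)
class Resource:
    path: str
    owner: str


# Rights a role holds on every resource (constructed policy for the example).
# Students get nothing here: their rights come only from owning a file.
ROLE_RIGHTS = {
    "teacher": {READ, WRITE, DELETE, ADMIN},
    "student": set(),
}

# Rights any subject holds on a resource it owns (its own homework file).
OWNER_RIGHTS = {READ, WRITE, DELETE}


def is_allowed(subject: Subject, resource: Resource, right: str) -> bool:
    """Deny by default; grant only if the role or ownership confers the right."""
    if right in ROLE_RIGHTS.get(subject.role, set()):
        return True
    if resource.owner == subject.name and right in OWNER_RIGHTS:
        return True
    return False


def review_privileged(subjects) -> list[str]:
    """Access review: list accounts whose role carries the ADMIN right."""
    return sorted(s.name for s in subjects
                  if ADMIN in ROLE_RIGHTS.get(s.role, set()))


if __name__ == "__main__":
    teacher = Subject("ms_lee", "teacher")       # constructed accounts
    student = Subject("amir", "student")
    gradebook = Resource("/teacher/grades.csv", "ms_lee")
    homework = Resource("/students/amir/essay.txt", "amir")
    system = Resource("/", "system")             # installing programs = ADMIN on "/"
    print(is_allowed(teacher, gradebook, WRITE))  # True: teacher changes grades
    print(is_allowed(student, homework, WRITE))   # True: own homework
    print(is_allowed(student, gradebook, WRITE))  # False: teacher's file
    print(is_allowed(student, system, ADMIN))     # False: cannot install programs
    print(review_privileged([teacher, student]))  # ['ms_lee']
```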
Context
Access rights are a core part of computer security. They ensure that only authorised people can see or change important information. This is crucial for protecting against data theft, accidental changes, and misuse of systems. By assigning specific rights to users or groups, an organisation can maintain control and accountability.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to access rights:
- ISO 27001:2022 Annex A 5.15: Access control: This is the main control for managing access rights.
- ISO 27001:2022 Annex A 5.16: Identity management: This covers the process of giving, changing, and removing user access.
- ISO 27001:2022 Annex A 5.17: Authentication information: This control deals with how users prove who they are (e.g., with passwords or keycards).
- ISO 27001:2022 Annex A 5.18: Access rights: This control focuses on setting up and reviewing user access to systems.
- ISO 27001:2022 Annex A 8.2: Privileged access rights: This is about controlling access for powerful accounts, like system administrators.