User Access Management is the process of granting, modifying, and revoking user access to an organisation’s systems and information. It is a structured approach to ensuring that users have the appropriate level of access—no more and no less—to perform their jobs. This is a lifecycle process that starts when a user joins the organisation and ends when they leave.
Key Components
- Granting Access: Providing new users with the necessary permissions and credentials to do their work.
- Modifying Access: Changing a user’s permissions when their role or responsibilities change within the organisation (e.g., a promotion or transfer).
- Reviewing Access: Regularly checking and validating that users’ access rights are still appropriate and necessary. This helps to prevent privilege creep.
- Revoking Access: Immediately removing a user’s access when their employment is terminated or their need for access ends.
ISO 27001 Context
User access management is a crucial part of ISO 27001, in particular privileged access (ISO 27001 Annex A 8.2 Privileged Access Rights), access restrictions (ISO 27001 Annex A 8.3 Information Access Restriction) and secure authentication (ISO 27001 Annex A 8.5 Secure Authentication). It is a preventive control that helps to enforce the principle of least privilege, which states that users should be given only the minimum level of access required to perform their duties. This is a critical security measure that protects against both internal and external threats.
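As an added example (not from this page, nor from the ISO 27001 standard itself), the following Python model ties the four lifecycle components above to the least-privilege principle: a joiner is provisioned exactly the baseline of their role, a mover is rebased onto the new role so old entitlements do not linger, a leaver is disabled and stripped of everything, and a periodic access review flags privilege creep (entitlements beyond the role baseline) and orphaned access on disabled accounts. The role names, entitlement strings and user records are constructed sample data, and the out-of-band grants in the scenario stand in for the kind of drift an access review is meant to catch.

```python
"""Added example: a minimal joiner/mover/leaver access lifecycle with an access
review that detects privilege creep and orphaned access. All roles, entitlements
and users below are constructed sample data, not taken from any real system."""
from dataclasses import dataclass, field

# Constructed role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"ticketing:read", "wiki:read"},
    "engineer": {"ticketing:read", "wiki:read", "repo:write", "ci:deploy"},
    "finance": {"wiki:read", "erp:read", "erp:approve"},
}


@dataclass
class User:
    username: str
    role: str
    active: bool = True
    entitlements: set = field(default_factory=set)


class AccessManager:
    """Grant / modify / revoke / review, with an audit trail of every change."""

    def __init__(self):
        self.users = {}
        self.audit_log = []  # (event, username, sorted entitlements affected)

    def _log(self, event, username, affected):
        self.audit_log.append((event, username, sorted(affected)))

    def grant(self, username, role):
        # Joiner: provision exactly the role baseline, nothing more.
        if username in self.users:
            raise ValueError(f"{username} is already provisioned")
        user = User(username, role, entitlements=set(ROLE_BASELINE[role]))
        self.users[username] = user
        self._log("grant", username, user.entitlements)
        return user

    def modify(self, username, new_role):
        # Mover: rebase on the new role's baseline so old rights do not carry over.
        user = self.users[username]
        new = set(ROLE_BASELINE[new_role])
        self._log("modify", username, user.entitlements ^ new)
        user.role, user.entitlements = new_role, new
        return user

    def revoke(self, username):
        # Leaver: disable the account and strip every entitlement immediately.
        user = self.users[username]
        self._log("revoke", username, user.entitlements)
        user.active = False
        user.entitlements = set()
        return user

    def review(self):
        """Access review: list findings a reviewer must act on."""
        findings = []
        for u in self.users.values():
            if not u.active:
                if u.entitlements:  # disabled account that still holds access
                    findings.append((u.username, "orphaned", sorted(u.entitlements)))
                continue
            extra = u.entitlements - ROLE_BASELINE[u.role]
            if extra:  # active user holding more than the role baseline
                findings.append((u.username, "privilege_creep", sorted(extra)))
        return findings


def run_scenario():
    """Constructed lifecycle scenario; returns the manager and its review findings."""
    am = AccessManager()
    am.grant("alice", "analyst")
    am.grant("bob", "engineer")
    am.grant("carol", "finance")
    # Drift (constructed): an ad-hoc grant made outside the process.
    am.users["alice"].entitlements.add("ci:deploy")
    am.modify("bob", "finance")        # transfer: engineer -> finance
    am.revoke("carol")                 # leaver
    # Drift (constructed): access re-added to a disabled account.
    am.users["carol"].entitlements.add("erp:approve")
    return am, am.review()


if __name__ == "__main__":
    manager, findings = run_scenario()
    for event in manager.audit_log:
        print("audit:", event)
    for finding in findings:
        print("finding:", finding)
```

The review deliberately compares against a role baseline rather than against whatever the user held last quarter: that is what turns "still has what they had" into "still has only what the role needs", which is the check that actually prevents privilege creep.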