ISO 27001 controls: What is Annex A:9?

Today we’re going to talk about the set of ISO 27001 Controls and explore what Annex A:9 is in the context of information security in your organisation.

Access controls: Annex A:9

Annex A:9 of the ISO 27001 Controls is all about access control procedures. This control helps to safeguard and limit access to secure information. This is a crucial criterion if you are looking to achieve ISO 27001 certification.

Annex A:9.1 – Business requirements for access controls

The objective of Annex A:9.1 is to limit access to information and information processing facilities.

Each organisation implementing ISO 27001 requires a set of policies and procedures to protect information security, restricted to those who actually need access. It is illegal to give access to someone who does not require it. System owners are responsible for ensuring the secure operation of their systems; however, they may delegate the day-to-day management and operation to system managers.

Annex A:9.1.1 Business requirements of access controls

The objective of this Annex A control is to limit access to information and information processing facilities. Giving access to the wrong people could lead to significant legal trouble under The Privacy Act 1988 (Cth). For example, releasing someone’s wages to the public could pose a major risk to your organisation.

This clause requires a control-based policy within the systems, including:

• Protecting information against accidental disclosure, malicious modification, and destruction.
• Ensuring information protection as a legal obligation.
• Establishing controls against unauthorised access.
• Making information available only to genuine resources.

Annex A:9.1.2 Access to networks and network services

Organisations must have their own static IP or VPN Network where information can be accessed. Employees and management should not access information on public networks. Management is responsible for providing proper guidance and regular training for staff to protect information security.

Annex A:9.2 User access management

To ensure authorised user access and prevent unauthorised access to systems and services, user access management must include:

• User registration and deregistration
• Access provisioning
• Access rights
• Control and management of secret authentication information (passwords)
• Review of access rights
• Removal of access

Annex A:9.2.1 User registration and de-registration

Formal registration and de-registration must be enabled for assigning access rights. Access should be given only as per the requirements and responsibilities of the individual’s role. Authorisation procedures should be part of the access control policy during onboarding or off boarding.

Annex A:9.2.2 User access provisioning

The access control policy must have procedures to revoke or restrict access when there is a threat of information loss. Regular checks for ID and password protection against information security are necessary.

Annex A:9.2.3 Management of privileged access rights

Annex A:9.2.3 focuses on managing higher ‘privileged’ levels of access, such as systems administration permissions. The allocation and use of privileged access rights must be restricted and controlled under strict regulations.

Annex A:9.2.4 Management of secret authentication information of users

The allocation of secret authentication information must be controlled through a proper management process, including passwords, encryptions, and access to high-risk documents. Identification should be verified for users accessing secret authentication information.

Annex A:9.2.5 Review of user access rights

Asset owners must regularly review users’ access rights to identify risks associated with secret information. The access control policy should include regular user checks for information security protection.

Annex A:9.2.6 Removal or adjustment of access right

The access rights of all employees and external party users to information and information processing facilities must be removed upon termination of their employment, contract, or agreement, or adjusted upon change. Employees should sign a policy agreeing not to access information beyond their control.

Annex A:9.3 User responsibilities

To make users accountable for safeguarding their authentication information, Annex A:9.3.1 requires multi-factor verification procedures to be followed under the access control policy.

Annex A:9.4 System and application access control

To prevent unauthorised access to systems and applications, Annex A:9.4.1 requires access to information and application system functions to be restricted in accordance with the access control policy.

Annex A:9.4.2 Secure log-on procedures

Where required by the access control policy, access to systems and applications must be controlled by a secure log-on procedure. Passwords must be kept confidential at all times.

Annex A:9.4.3 Password management system

No user should share a password with anyone in the organisation. Password management systems must be interactive and ensure quality passwords. An incident report should be available if a password is lost or shared accidentally.

Annex A:9.4.4 Use of privileged utility programs

The use of utility programs that might override system and application controls must be restricted and tightly controlled. Confidential details must not be shared outside the organisation.

Annex A:9.4.5 Access control to program source code

Access to program source code must be restricted. No one outside the restricted zone should access the information.

For more guidance and support on achieving ISO 27001 certification and understanding Annex A:9, contact Citation Certification today. We provide comprehensive support and training to help your organisation meet all necessary requirements and achieve compliance with ISO 27001 standards.