ISO 27001 Controls: What is Annex A:9?

women holding space gray iphone x and black pen

Today we’re going to be talking about the set of ISO 27001 Controls, and explore what Annex A:9 is in the context of information security in your organisation.

Access Controls: Annex 9 of the ISO Controls all about the access control procedures. This control helps to safeguard and limit secure information. This is a really important criterion if you are looking to achieve ISO 27001 certification.

iso 27001 certification by best practice

Annex A:9.1 – Business requirements for Access Controls

To limit access to information and information processing facilities.

Each organization implementing an ISO 27001 requires a set of policies and procedures in relation to protecting information security. These restricted to those who actually need to have access to it. As it is illegal to give access to someone who does not require the need of having information. System owners are responsible for ensuring the secure operation of their systems; however, system owners may delegate the day-to-day management and operation of their systems to system managers.

Annex A:9.1.1 Business Requirements of access controls

The objective in this Annex A control is to limit access to information and information processing facilities. If you give access to the wrong people to your information, it could lead you to big legal trouble under The Privacy Act 1988 (Cth). For example, if you have released someone’s wages to the public, this could be a major risk to your organization.

This clause requires a control based policy with in the systems. This limit access control policy includes:

  1. Information protection against accidental disclosure, malicious, modification, and destruction of any data.
  2. Information Protection considered a legal obligation.
  3. Establish a set of controls against unauthorized access.
  4. The information must be available to genuine resources only.

Annex A:9.1.2 Access to networks and networks services

Organizations must have their own static IP or their VPN Network, where the information could be accessed. None employee or management should access the information on public networks. It’s the management’s responsibility that they should provide proper guidance to its employees. They should generate interval training for the staff to protect information security.

Annex A:9.2 User access management

To ensure authorized user access and to prevent unauthorized access to systems and services.

  • User registration and deregistration
  • Access provisioning
  • Access rights
  • Control and management of secret authentication information (passwords)
  • Review of access rights
  • Removal of access.

Get Your Free ISO Gap Analysis Checklist

Annex A:9.2.1 User registration and de-registration

Complete formal registration and de-registration must be enabled for the assignment of access rights. The least access is the key to success while implementing this clause. Access should be only given to those as per the requirements and the responsibility of the individual’s role.

Authorization procedures, for example, while boarding or un-boarding an employee must be considered as a part of the access control policy.

Annex A:9.2.2 User access provisioning

The access control policy must have a set of procedures where the access could be revoked or restricted where the threat of information loss. There should be formal provisioning while accessing the information.

For example, there should be regular check ups for Id and the password protection against the information security.

Annex A:9.2.3 Management of privileged access rights

Annex A.9.2.3 is about managing usually more powerful and higher ‘privileged’ levels of access e.g. systems administration permissions versus normal user rights. The allocation and use of privileged access rights shall be restricted and controlled under strict regulations.

For example; creating a document in the system and its publishing, deletion, the amendment should be controlled by certain authorities. To protect this clause, one can include the separation of administration systems, that could vary access for different roles in day to day activities.

person using silver macbook pro

Annex A:9.2.4 Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a proper management process. It normally includes passwords, encryptions, access to certain documents where the risk is higher. Identification should be verified to the user while accessing secret authentication information.

A.9.2.5 Review of user access rights

Asset owners shall review users’ access rights at regular intervals. It helps to identify the risks that revolved around the secret information. The access control policy should include regular user checks for the protection of information security.

Annex A:9.2.6 Removal or adjustment of access right

The access rights of all employees and external party users to
information and information processing facilities shall be removed
upon the termination of their employment, contract or agreement, or
adjusted upon change. There be should be a sign of policy where the employee must not access the information beyond its control.

Annex A:9.3 User responsibilities

To make users accountable for safeguarding their authentication information.

Annex A:9.3.1 Use of secret authentication information

Annex 9.3 is all about the user responsibilities against the use of secret authentication information. The multi-factor verification procedure must be followed under the access control policy.

Annex A:9.4 System and application access control

To prevent unauthorised access to systems and applications.

Annex A:9.4.1 Information access restriction

Access to information and application system functions shall be
restricted in accordance with the access control policy. There should be a complete description of the restriction applied to certain authorities under control access policies.

Annex A:9.4.2 Secure log-on procedures

This clause defines having multi-factor authentication. Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. The passwords must be ket and confidential all the time.

house door business safe

A.9.4.3 Password management system

No user could share a password with anyone in the organization. Password management systems shall be interactive and shall ensure quality passwords. There should be an incident report available if the password is lost or shared accidentally.

A.9.4.4 Use of privileged utility programs

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. None out of the organization shall be sharing any sort of confidential details.

A.9.4.5 Access control to program source code

The last clause of Annex 9 describes that access to program source code shall be restricted. No one out of the restricted zone could access the information.

Subscribe to our Newsletter


This field is for validation purposes and should be left unchanged.

Share This Post With Your Network

More To Discover