Information security management systems (ISMS) focuses on who in your organisation has access to the correct information at the right time. Without this key component, problems such as unauthorised access to information or data modifications could take place. Annex A.9 is designed to prevent these issues from occurring.
This article provides a detailed explanation of Annex A.9, why it is important, and the objective of each control for your business.
*Update: It's important to highlight that the ISO 27001:2013 standard was updated on 25th October 2022, resulting in the ISO 27001:2022 most recent edition with revised guidelines. For the most current and precise details about the ISO 27001 Annex A Controls, please refer to the updated version.
What is Annex A.9?
Annex A.9 access control guarantees that only authorised users have access to a service, while unauthorised individuals are barred from using it.
Access control is often referred to by the terms “access management”, “rights management”, and “identity management”. Unauthorised people may get access to information assets and information processing facilities, resulting in information misuse or loss. The access control clause tackles these issues by allowing you to control who has access to these assets.
Information asset protection is critical for all organisations, and Annex A.9 protects against a variety of risks, including unintentional damage or loss of information, overheating, threats, and so on. This requires a defined control policy and processes, as well as the registration, removal, and review of user access rights—includes physical access, network access, control over privileged utilities, and limitation of access to programme source code.
What is access control?
An important aspect of information security is determining who can access and use company information. Access control policies ensure that users are who they claim to be and that they have proper access to organisation data through authentication and authorisation. Physical access to buildings, rooms, and data centers can also be restricted with the use of access control.
Passwords, usernames, PINs, biometrics, and other types of security tokens can all be used to identify a user in an access control system. Multi Factor Authentication (MFA) is a common feature of many access control systems, requiring various forms of identification to authenticate a user.
In the event that a user's credentials and IP address have been validated, the appropriate level of access and allowed actions can then be granted to that user.
Access control can be divided into four categories. When it comes to security and compliance, organisations tend to adopt the method that makes the most sense for their own needs. The four types of access control are as follows:
- Discretionary access control (DAC) - In DAC, the person who owns or manages the protected system, data, or resource decides who has permission to access it.
- Mandatory access control (MAC) - In this non-discretionary model, users are permitted access based on a clearance of information. Access privileges are regulated by a central authority depending on varying levels of security. Typically, it is used in government and military settings.
- Role-based access control (RBAC) - Instead of granting access based on a user's identification, RBAC offers access based on predefined business functions. Users should only have access to information that is relevant to their jobs in the organisation. Roles, authorisations, and permissions make up the foundation of this commonly used approach.
- Attribute-based access control (ABAC) - With ABAC, both people and resources can have their access controlled according to a dynamic set of qualities and environmental variables, such as what time of day it is and where they are.
What are the Annex A.9 controls?
Annex A.9.1: Business requirements of access control
This clause's goal is to set up and put in place procedures that restrict who has access to information and information processing facilities. Access control policies must be developed in order to comply with this regulation.
A.9.1.1: Access control policy
Establishing, documenting, and periodically reviewing an access control policy with accompanying business and information security requirements is a must. To protect their assets, asset owners should set suitable access control, access rights and user role constraints, with the volume of information and the strictness of controls reflecting the associated information security risks.
When considering access controls, it is important to consider both their reason and value. There should be a clear declaration of the business requirements that access controls should meet for users and service providers.
A.9.1.2 Access to networks and network services
The network and network services that are necessary for the user's employment should be restricted to those who need access to them.
Policy must address: networks and network services in scope for access; authorisation procedures for indicating who (role-based) is permitted to access what and when; and management control to prevent or monitor access in the real world. Onboarding and off-boarding procedures should take this into account, as well as the access control policy as a whole.
Annex A.9.2: User access management
The objective of this clause is to ensure that your authorised users can access your system and services and at the same time prevent unauthorised access.
A.9.2.1 User registration and deregistration
User registration and deregistration must be made official. The ability to link specific IDs to real persons and limit shared access IDs should be part of a solid user ID management procedure, which should be approved and recorded when done.
With Annex A.7 Human Resource Security as a link, a smooth registration and deregistration process is possible, as is the avoidance of granting duplicate IDs. To demonstrate strong control and to reinforce continuous management, IDs should be reviewed on a regular basis. Access control audits and periodic evaluations by the owners of information assets or processing applications can be used in conjunction with this.
A.9.2.2 User access provisioning
Information system or service owners should grant or revoke access to their systems or services according to this process. By ensuring that the access given is relevant to the function being performed, provisioning can be avoided before authorisation is complete.
It is crucial that user access is business-driven and tailored to the needs of the organisation. However, this may sound bureaucratic, but it does not have to be, and effective basic procedures with role-based access can address this.
A.9.2.3 Management of privileged access rights
Special access to data and systems requires strict controls on who gets it and how it's used because of the additional power it gives the person who has it. System by system clarity on privileged access permissions (which can be modified within the programme) could fall under this category, as well as allocation based on actual usage rather than a blanket policy.
All privileges issued to users should be documented, and the competency of those users granted the permissions must be constantly evaluated to ensure that they are able to perform their assigned responsibilities.
It's also a good idea to keep separate identities for system administrators and regular users, especially if they're doing various jobs on the same platform.
A.9.2.4 Management of secret authentication information of users
Access to important assets is being granted through the use of secret authentication information. When it comes to sensitive information like passwords or encryption keys, it needs to be managed through a structured process and kept private to its user.
The user's identity should be verified prior to supplying any new, replacement, or temporary secret authentication information. When a new system is set up, any default secret authentication information should be altered as quickly as possible.
A.9.2.5 Review of user access rights
Owners of assets must conduct periodic audits of user access rights, both for individual changes (such as onboarding, role changes, and departures) and for larger audits of system access.
It is essential that privileged access permissions be assessed more frequently because of their high-risk nature. Internal audits, such as this one, should be conducted at least once a year, or more frequently if significant changes occur.
A.9.2.6 Removal or adjustment of access rights
All access rights to information and information processing facilities must be revoked following termination of employment, contract, or agreement, as specified in the preceding paragraph (or adjusted upon change of role if required).
When employees leave, an effective exit policy and procedures that tie in with A.7 will help guarantee that this goal is met and can be verified for audit purposes.
Annex A.9.3: User responsibilities
The purpose here is to hold users accountable for ensuring that their authentication information is not compromised. This technique requires your staff to follow the instructions for using the secret authentication credentials.
A.9.3.1 Use of secret authentication information
Secret authentication information should be kept private; unauthorised individuals should not have access to it; and, if there is any indication that it may have been compromised, the information should be changed immediately.
Additionally, you should encourage users to choose strong passwords that meet the minimal requirements in Annex A.9.4 for password length and strength.
Annex A.9.4: System and application access control
The goal of this sub clause is to have systems in place to prevent unwanted access to your information systems and applications.
A.9.4.1 Information access restriction
The use of information and application system functionalities should be regulated according to the company's access control policy. Control on access should be applied complying to the stated access control policy and based on business application requirements. To access restriction standards, keep in mind the following:
- Controlling access to application system functionalities through menus.
- Limiting the data that a specific user has access to.
- User access privileges, such as read, write, delete, and execute control.
- controlling other applications' access rights.
- Reducing the amount of data in outputs.
- Physical or logical access control to isolate sensitive applications, application data, and systems from the rest of the network.
A.9.4.2 Secure log-on procedures
The user must be able to authenticate their identity through a secure log-on procedure before they may access systems and apps. Multi-factor authentication, biometrics, smart cards, and other forms of encryption can be used in place of passwords, depending on the risk.
Authentication information should be transmitted and stored in encrypted form to prevent interception and misuse of the information.
- In order to avoid interception and misuse, log-on methods should be built in a way they cannot be easily avoided.
- There should also be a warning that access is restricted to those who are authorised. Legislation like the Computer Misuse Act of 1990 is intended to be supported by this (UK).
- In order to offer forensic evidence, both successful and unsuccessful log-ons and log-offs should be recorded securely, and notifications for failed attempts and suspected lock-outs should be considered.
- Depending on the system, access may need to be restricted to specific hours of the day or days, or even to specific locations.
- When it comes to log on and log off protocols, the demands of the business and the information at risk should be the primary considerations. If personnel are unable to do their work well and spend a disproportionate amount of time in this loop, having 25 steps to log on, rapid timeouts, etc. It is simply disproportional.
A.9.4.3 Password management system
This helps prevent the same login from being used across several sites by providing a centralised method for password generation and administration.
The implementation of password generation and management systems must be done with care, as with any other control mechanism, to provide acceptable and proportionate levels of security. Passwords should be created by the user whenever possible, but they must meet a particular level of security in order to be secure enough for the user to remember them without difficulty.
A.9.4.4 Use of privileged utility programmes
Controls on the system and applications should be carefully monitored for utility computer programmes that have the potential to override them.
Malicious attackers may take advantage of powerful system and network utility programmes, thus only a small number of users should have access to them.
Users should be limited in their capacity to install any software as much as possible considering company requirements and risk assessment while using such readily available utility programmes from the internet. To meet auditor requirements, the use of utility programmes should be documented and monitored/reviewed on a regular basis.
A.9.4.5 Access control to program source code
Restrictions must be placed on access to the program's source code. There should be strong controls on who has access to programme source code and related materials (such as designs, specifications, verification plans, and validation plans).
If a program's source code is not appropriately safeguarded, an attacker has a strong opportunity to gain access to the system in a covert manner. This is especially true if the source code is critical to the company's success.
Why is access control important for your organisation?
Protecting sensitive data such as personal identifying information and intellectual property is a primary goal of access control. As part of the contemporary zero-trust security framework, it's a critical part of ensuring that only authorised users have access to a firm network. Organisations are at risk of data leakage from both internal and external sources if they don't have strong access control procedures.
Controlling access to resources, apps, and data in both on-premises and cloud environments is critical for enterprises using hybrid or multi-cloud cloud architectures. Single sign-on (SSO) and, access management can protect these environments from unmanaged access and BYO policy (Bring Your Own) can also restrict access to certain resources and apps.
Annex A.9 is one of the most important clauses to implement when getting ISO 27001 certified. The security of your information is important, and one of the main ways to keep it secure is to control access to this information. Setting access controls helps prevent unwanted access, attacks on information systems and data leaks.
If you are looking to implement access controls for your organisation, DataGuard can provide expert advice on the entire process and help you get one step closer to ISO 27001 certification.