The A.9.1.1 control objective in the ISO/IEC 27001:2013 standard pertains to access control policy.
Access control policies are a set of guidelines that determine how access to sensitive information and critical systems is managed within an organization.
This article provides a checklist of critical factors that organizations should consider when reviewing their access control policy.
Access Control Policy
- Review the organization’s access control policy, procedures, guidelines, practices, and associated records.
- Ensure that the policies are consistent with the classification policy, joiners/movers/leavers procedures, and other relevant guidelines.
- Check that there is appropriate segregation of duties in place to prevent conflicts of interest.
- Ensure that new workers are granted initial network/system access that is limited to email and intranet only.
- Subsequent access to business applications should be granted based on specific business needs and should follow a defined workflow that includes approvals at appropriate levels.
User Provisioning and De-Provisioning
- Check that user provisioning and de-provisioning procedures are in place to manage access to sensitive information and critical systems.
- Ensure that joiners/movers/leavers procedures are consistently followed so that access is granted or revoked as needed.
- Check that there is an identity management system in place to manage user accounts and access permissions.
- Ensure that the system is regularly reviewed and updated so that access permissions remain current and accurate.
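The two checklists above (limited initial joiner access, approval workflow, segregation of duties, and leaver de-provisioning) can be turned into an automated access review. The following is an added example, not code from the article or any identity management product; the worker records, grants, application names and the conflicting-duty pair are constructed sample data.

```python
# Added example: reconcile HR (joiners/movers/leavers) records and approval
# records against the access actually held, and report what a reviewer
# should act on. All names and records below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DEFAULT_JOINER_ACCESS = {"email", "intranet"}  # baseline granted at onboarding
# Constructed segregation-of-duties rule: no one person may hold both.
SOD_CONFLICTS = [{"create-vendor", "approve-payment"}]

@dataclass
class Worker:
    uid: str
    status: str  # "active" or "left", taken from the HR/JML record

@dataclass
class Grant:
    uid: str
    app: str
    approved_by: Optional[str]  # None means no approval record exists

def review_access(workers: List[Worker], grants: List[Grant]) -> List[str]:
    """Return findings for leavers with access, unapproved grants and SoD conflicts."""
    findings = []
    by_uid = {w.uid: w for w in workers}
    held: Dict[str, Set[str]] = {}
    for g in grants:
        held.setdefault(g.uid, set()).add(g.app)
        w = by_uid.get(g.uid)
        if w is None or w.status == "left":
            findings.append(f"{g.uid}: active grant to {g.app} but worker has left/unknown")
            continue
        # Anything beyond the joiner baseline must trace back to an approval.
        if g.app not in DEFAULT_JOINER_ACCESS and g.approved_by is None:
            findings.append(f"{g.uid}: {g.app} granted without approval record")
    for uid, apps in held.items():
        for conflict in SOD_CONFLICTS:
            if conflict <= apps:
                findings.append(f"{uid}: segregation-of-duties conflict {sorted(conflict)}")
    return findings

# Constructed sample: one leaver still holding access, one unapproved grant,
# one SoD conflict, and one clean joiner on baseline access.
WORKERS = [Worker("alice", "active"), Worker("bob", "left"), Worker("carol", "active")]
GRANTS = [Grant("alice", "email", None), Grant("alice", "create-vendor", "mgr1"),
          Grant("alice", "approve-payment", "mgr1"), Grant("bob", "erp", "mgr2"),
          Grant("carol", "email", None), Grant("carol", "git", None)]

if __name__ == "__main__":
    for finding in review_access(WORKERS, GRANTS):
        print(finding)
```

In practice the worker list would come from the HR system and the grants from the identity management system's export, so that the review compares two independent sources rather than the access system against itself.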
Access control policies are a critical component of information security management.
Organizations must ensure that they have appropriate policies, procedures, and guidelines in place to manage access to sensitive information and critical systems.
The checklist provided in this article covers critical factors that organizations should consider when reviewing their access control policy.
By following these guidelines, organizations can minimize the potential risks associated with unauthorized access to their valuable information assets.