Expert Advice Community

Access control policy

Guest user Created:   Aug 05, 2019 Last commented:   Aug 05, 2019

Where is my question: Access Control Policy

Expert
Rhand Leal Aug 05, 2019

Where inside the document: Chapter 3.1 Introduction (first paragraph of the chapter)
What's my question: The last sentence of the paragraph says: "There should be a procedure for registering users for each system and service." It doesn't sound like a "must". In that case the person who is in charge of me says: if it's not something we HAVE to do, we won't do it (and I should delete the passage from the paragraph). On the other hand, this sentence expresses control A.9.2.1, which we definitely need to fulfill. What would the implementation of this sentence look like in general?

Answer:

The fact that this paragraph says "should" and not "must" is because if an organization has too many systems in the ISMS scope, implementing procedures for all of them would be impractical.

For arguments like the one you suggested, you can perform a risk analysis for specific systems to evaluate the risk of not having a registration procedure for that system. Alternatively, you can change the text of the Access control policy to something like this: "A procedure for registering users for each system and service must be considered based on the risks related to each system and service."

For additional information about which documents to develop, please read:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
