Expert Advice Community

A.9.2.5 Review of user access rights

Nika Created:   Jan 12, 2021 Last commented:   Jun 03, 2022


Hello Advisera Team, 

A question about this control: A.9.2.5 Review of user access rights.

What we need, and what we have now, is that user access rights are reviewed when there is a change in an employee's status (e.g. department or position is changed).

Is it enough, or is a periodical review meant here?

Thank you!


Expert
Rhand Leal Jan 13, 2021

Please note that control A.9.2.5 of ISO 27001 Annex A states that review shall be performed at regular intervals.

Considering that, reviewing access rights only when there is a change in employees’ statuses is not enough to be compliant with this control, and you must define a periodicity for review.

This article will provide you with a further explanation about access control:

These materials will also help you regarding access control:

Guest
Nick Smith Jun 01, 2022

Please can you recommend a template to use to capture reviews (whether it be an Excel sheet or something similar)?

Expert
Rhand Leal Jun 03, 2022

Please note that ISO 27001 does not prescribe how to document the review, so organizations can develop the form as best fits their needs.

Considering that, to record reviewed access rights you can use the Internal Audit Report template included in your toolkit, using the field Audit Trail to record this information.

In case you need a more generic approach, you can use a Word or Excel file.

In both cases, it is important to cover at least this information:

  • review date
  • who performed the review
  • who approved the review
  • name of the system / network / service / physical area reviewed
  • results of the review: users reviewed and whether or not they were compliant with the defined access rules
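The record fields listed in the answer above, as an added example that is not part of this thread or of Advisera's toolkit: a small Python script that models one review record per reviewed scope, exports the records as CSV (openable in Excel), lists the users found non-compliant, and checks which scopes are overdue against an assumed 90-day review interval. ISO 27001 only requires "regular intervals" and fixes no number, so the 90 days, the scope names, the user names and the reviewer/approver names are all constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review periodicity. The standard requires "regular intervals" but
# does not fix a number; 90 days (quarterly) is a constructed choice here.
REVIEW_INTERVAL = timedelta(days=90)

# Constructed "as of" date for the overdue check.
TODAY = date(2022, 6, 3)


@dataclass
class AccessReviewRecord:
    """One review of the access rights in a single scope (system, network,
    service or physical area), carrying the minimum fields named above."""
    review_date: date
    reviewer: str
    approver: str
    scope: str
    # user id -> True if that user's access was compliant with the access rules
    findings: dict


# Constructed sample data: three scopes, one of which has never been reviewed.
SCOPES = ["HR database", "VPN", "Server room"]
SAMPLE_RECORDS = [
    AccessReviewRecord(date(2022, 1, 10), "it.lead", "ciso", "HR database",
                       {"alice": True, "bob": False}),
    AccessReviewRecord(date(2022, 4, 5), "net.admin", "ciso", "VPN",
                       {"alice": True, "carol": True}),
]


def latest_review_dates(records):
    """Map each reviewed scope to the date of its most recent review."""
    latest = {}
    for r in records:
        if r.scope not in latest or r.review_date > latest[r.scope]:
            latest[r.scope] = r.review_date
    return latest


def overdue_scopes(records, scopes, today, interval=REVIEW_INTERVAL):
    """Scopes never reviewed, or whose last review is older than the interval."""
    latest = latest_review_dates(records)
    return sorted(s for s in scopes
                  if s not in latest or today - latest[s] > interval)


def non_compliant_users(records):
    """(scope, user) pairs found not compliant with the defined access rules."""
    return sorted((r.scope, user) for r in records
                  for user, ok in r.findings.items() if not ok)


def records_to_csv(records):
    """Render the records as CSV text with one row per review."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["review_date", "reviewer", "approver", "scope",
                     "users_reviewed", "non_compliant_users"])
    for r in records:
        bad = [u for u, ok in r.findings.items() if not ok]
        writer.writerow([r.review_date.isoformat(), r.reviewer, r.approver,
                         r.scope, len(r.findings), ";".join(bad)])
    return out.getvalue()


if __name__ == "__main__":
    print(records_to_csv(SAMPLE_RECORDS))
    print("Overdue scopes:", overdue_scopes(SAMPLE_RECORDS, SCOPES, TODAY))
    print("Non-compliant:", non_compliant_users(SAMPLE_RECORDS))
```

The overdue check is what turns the record sheet into evidence for the "regular intervals" requirement: a scope that was only reviewed on a status change, or never reviewed at all (the "Server room" entry), shows up as overdue even though every individual record is complete.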
