Hello Advisera Team,
a question to this control: A.9.2.5 Review of user access rights.
What we need and what we have now there is that user access rights are reviewed when there is a change in employees status (e.g. department or position is changed).
Is it enough or is periodical review meint here?
Thank you!
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that control A.9.2.5 of ISO 27001 Annex A states that review shall be performed at regular intervals.
Considering that, reviewing access rights only when there is a change in employees’ statuses is not enough to be compliant with this control, and you must define a periodicity for review.
This article will provide you a further explanation about access control:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
These materials will also help you regarding access control:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
Comment as guest or Sign in
Jan 13, 2021