Hello Advisera Team,
A question about this control: A.9.2.5 Review of user access rights.
What we have now is that user access rights are reviewed when there is a change in an employee's status (e.g. department or position changes).
Is that enough, or is a periodic review meant here?
Thank you!
Please note that control A.9.2.5 of ISO 27001 Annex A states that review shall be performed at regular intervals.
Considering that, reviewing access rights only when there is a change in employees’ statuses is not enough to be compliant with this control, and you must define a periodicity for review.
This article will provide you with a further explanation about access control:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
These materials will also help you regarding access control:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Free online training ISO 27001 Foundations Course http://training.advisera.com/course/iso-27001-foundations-course/
Jan 13, 2021