Access control
Is it anywhere in the ISO 27001 standard explicitly defined/written that the HR department should define access rights based on the valid work positions in the company? If it is, please tell me in which clause of the standard.
Or, if it is NOT, then who should define who should perform this task during the implementation of ISO 27001 in a company? The management board? Can this task be assigned to the IT department in coordination with the HR department?
ISO 27001 does not prescribe which roles must define access rights, only that such access must be defined, so organizations are free to designate whichever roles best fit them.
Common practice is that the person with the most knowledge of the value of the information to be accessed should define the access rights, taking into account the access needed to perform business activities and the applicable legal requirements. IT staff normally assume the role of implementing the defined access rights.
For example, access rights to financial information should be defined by the Financial Manager, while access to salary information should be defined by the HR Manager.
This article will provide you with a further explanation about access control:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
Feb 18, 2020