Expert Advice Community

Guest

Access control policy

  Quote
Guest
Guest user Created:   Aug 05, 2019 Last commented:   Aug 05, 2019

Access control policy

Where is my question: Access Control Policy
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Aug 05, 2019
Where inside the document: Chapter 3.1 Introduction (first paragraph of the chapter)
What’s my question: The last sentence of the paragraph says: "There should be a procedure for registering users for each system and service.“ It doesn’t sound like a „must“. In that chase the person who is in charge of me says: if it’s not a fact we HAVE to do we won’t do it (and I should delete the passage out of the paragraph). On the other hand this sentence expresses control A.9.2.1 which we definitely need to fulfill. What would the implementation of this sentence look like in general?

Answer:

The fact that this paragraph says "should" and not "must" is because if an organization has too much systems in the ISMS scope, implementing procedures for all of them would be unpractical.

For arguments like the one you suggested, you can perform a risk analysis for specific systems to evaluate the risk of not having a registering procedure for that system. You can either change text of the Access control policy for something like this: "Procedure for registering users for each system and service must be considered based on risks related to each system and service."

For additional information about which documents to develop, please read:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 05, 2019

Aug 05, 2019

Suggested Topics