I do indeed have a very specific question that I cannot answer, and I cannot find the right articles in ISO 27001.
I am having a pretty hard discussion with a supplier who will not send us service tickets to our service e-mail address, but only to dedicated persons.
His rationale is this: "ISO 27001, Annex A9.2.1 requires user IDs to be restricted to real people so that these accesses can be restricted and logged."
It is just that I do not have ANY clue what he is referencing. In my opinion, ISO 27001 Annex A 9.2.1 states the following:
9.2.1 Registration and deregistration of users
A formal process for the registration and deregistration of users is implemented to enable the assignment of access rights.
Can you help me? Do you maybe know what he is referring to?
First, it is important to note that ISO 27001 does not prescribe such a requirement about the restriction of user IDs. This information can be found in ISO 27002, a supporting standard that provides guidance and recommendations for implementing the ISO 27001 Annex A controls; these recommendations are not mandatory and can be adopted at the discretion of each organization.
Additionally, in the recommendations for implementation of control A.9.2.1, you can find that shared IDs may be permitted where they are necessary for business or operational reasons, and in such cases, this use should be approved and documented.
Considering that, you can argue with your supplier that the use of shared accounts is possible without compromising ISO 27001 compliance, provided it is specifically approved and documented. Please note, however, that the provider may have a business or legal reason to define this specific rule about no shared IDs in its policy and may not be allowed to make any exceptions. In this case it is your decision whether to accept this condition or not to make a deal with this provider.
As an alternative, you can open an e-mail address in a specific person's name to which the supplier will send service tickets, and then automatically forward all received e-mails to the service e-mail address.