Expert Advice Community

Question on ISO 27001

Guest user Created:   Jul 16, 2021 Last commented:   Jul 16, 2021

I do indeed have a very specific question that I cannot answer, or I do not find the right articles in ISO 27001.

I have a pretty hard discussion with a supplier, who will not send us service tickets to our service e-mail, but only to dedicated persons.

His rationale is this: "ISO 27001, Annex A.9.2.1 requires user IDs to be restricted to real people so that these accesses can be restricted and logged."

It is just that I do not have ANY clue what he is referencing. In my opinion, 27001 Annex A 9.2.1 states the following:

9.2.1 Registration and deregistration of users

Measure

A formal process for the registration and deregistration of users is implemented to enable the assignment of access rights.

Can you help me, and do you maybe know what he is referencing?


Expert
Rhand Leal Jul 16, 2021

First, it is important to note that ISO 27001 does not prescribe such a requirement about the restriction of user IDs. This information can be found in ISO 27002, a supporting standard that defines guidance and recommendations for implementation of ISO 27001 Annex A controls, and these are not mandatory and can be adopted at the discretion of each organization.

Additionally, in the recommendations for implementation of control A.9.2.1, you can find that shared IDs may be permitted where they are necessary for business or operational reasons, and in such cases, this use should be approved and documented.

Considering that, you can argue with your supplier that the use of shared accounts is possible without compromising ISO 27001 compliance, provided it is specifically approved and documented, but please note that the provider may have a business or legal reason to define this specific rule in its policy about no shared IDs and may not be allowed to open any exceptions. In this case it is your decision to accept this condition or not to make a deal with this provider.

As an alternative, you can open an email address in a specific person's name to which the supplier will send service tickets, and then automatically forward all received emails to the service email.

These articles will provide you with further explanation about ISO 27001 and access control:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
