I do indeed have a very specific question that I cannot answer, or for which I do not find the right articles in ISO 27001.
I am having a pretty hard discussion with a supplier, who will not send Service Tickets to our Service-E-Mail, but only to dedicated persons.
His rationale is this: "ISO 27001, Annex A9.2.1 requires user IDs to be restricted to real people so that these accesses can be restricted and logged."
It is just that I do not have ANY clue what he is referencing. In my opinion, 27001 Annex A 9.2.1 states the following:
9.2.1 Registration and deregistration of users
A formal process for the registration and deregistration of users is implemented to enable the assignment of access rights.
Can you help me, and do you maybe know what he is referencing?