Press Ctrl+A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document describes how user accounts and access will be created and managed.
Areas of the standard addressed
The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:
• A.9 Access Control
  o A.9.2 User access management
    ▪ A.9.2.1 User registration and de-registration
    ▪ A.9.2.2 User access provisioning
    ▪ A.9.2.3 Management of privileged access rights
    ▪ A.9.2.4 Management of secret authentication information of users
    ▪ A.9.2.5 Review of user access rights
    ▪ A.9.2.6 Removal or adjustment of access rights
General guidance
This is an important area that needs adequate consideration, as any lack of rigour here will undermine many of your other information security controls. Ensure that appropriate authorisation procedures are established to protect your IT environment.
This may involve configuring your request management system to route user creation, change and deletion requests to the right approvers. Try to ensure segregation of duties between user creation and access rights assignment, and make sure that regular audits of user access are carried out to identify any areas for further investigation.