Access Rights
Plain English Translation
ISO 27001 Annex A.5.18 governs the entire lifecycle of user access permissions—from the moment an employee joins (provisioning), to when they change roles (modification), to when they leave (removal). It also requires regular checks (reviews) to ensure that people still need the access they currently have. The goal is to prevent 'privilege creep,' where users accumulate unnecessary access over time, and to ensure immediate revocation of rights when employment ends.
Technical Implementation
Required Actions (startup)
- Use a manual onboarding/offboarding checklist to grant and revoke access
- Implement SSO (Single Sign-On) to centralize access management
Required Actions (scaleup)
- Conduct semi-annual access reviews for non-administrative users
- Implement Role-Based Access Control (RBAC) to standardize provisioning
Required Actions (enterprise)
- Automate User Access Reviews (UAR) with Identity Governance tools
- Integrate HRIS with IdP for zero-touch provisioning and immediate de-provisioning
A.5.18 is an organizational control requiring the formal management of the access rights lifecycle (provisioning, reviewing, modifying, and removing permissions) in accordance with access control policies.
The control requires organizations to provision access based on authorization, review access rights at planned intervals, modify rights when roles change, and remove rights immediately upon termination.
Implement a formal Joiner, Mover, Leaver (JML) process that uses role-based access control (RBAC) and enforces periodic reviews to validate continued access needs.
Access rights should be reviewed at planned intervals; typically, privileged/administrative access is reviewed quarterly, while standard user access is reviewed semi-annually or annually.
Control A.5.18 in the 2022 version consolidates several 2013 controls (A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6) into a single, lifecycle-focused control for managing access rights.
Access must be revoked immediately upon termination or contract end, verified via an employee termination checklist and cross-referenced with the asset inventory.
Auditors look for completed access review logs (showing decisions to retain/revoke), tickets for access grants/revocations, and termination checklists for recent leavers. WatchDog Security's Compliance Center can help keep these artifacts mapped to A.5.18, track completion status, and provide a consistent evidence trail for each review cycle.
Least privilege means granting users only the minimum access rights necessary to perform their job functions, preventing unrestricted access to sensitive information.
Privileged access rights pose higher risk and therefore require stricter controls, approval workflows, and more frequent reviews (e.g., quarterly) compared to standard users.
A user access review is a periodic audit where asset owners confirm or revoke current user permissions, directly satisfying the 'reviewed' requirement of A.5.18.
UARs often break down because evidence is scattered across tickets, spreadsheets, and system exports, making it hard to prove reviews were completed and acted on. WatchDog Security's Compliance Center helps by tracking A.5.18 review requirements, centralizing UAR evidence artifacts, and flagging missing review records so access decisions (retain/revoke) are auditable and repeatable.
Privilege creep happens when access is only added during role changes and not consistently removed, leaving users with accumulated permissions over time. WatchDog Security's Risk Register helps teams record access-rights risks (e.g., excessive privileges in critical systems), assign owners and treatment actions (like RBAC cleanup and tighter approvals), and track remediation progress until access rights are right-sized.
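The lifecycle rules above (immediate removal for leavers, right-sizing movers against an RBAC baseline, quarterly reviews for privileged access versus semi-annual for standard users, and an evidence record per decision) can be reconciled mechanically from three inputs: the HR roster, the role-to-entitlement baseline, and a system's account export. The script below is an added example, not code from the page or from WatchDog Security; the roles, entitlements, privileged set and all user data are constructed sample values, and the review cadence is the one the page states.

```python
"""Joiner/Mover/Leaver reconciliation and access-review scheduling.

Added example (not part of the original page). Given an HR roster, an RBAC
role-to-entitlement baseline and an account export from one system, it
produces the revoke / review actions and evidence rows A.5.18 expects.
Every name, role, entitlement and date below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Review cadence stated on the page: privileged quarterly, standard semi-annually.
REVIEW_INTERVAL_DAYS = {"privileged": 91, "standard": 182}

# Hypothetical RBAC baseline: entitlements each role is authorised to hold.
ROLE_BASELINE = {
    "developer": {"git:read", "git:write", "ci:run"},
    "support":   {"crm:read", "ticketing:agent"},
    "sre":       {"git:read", "prod:ssh", "prod:admin"},
}
# Entitlements treated as privileged for cadence purposes (assumed set).
PRIVILEGED = {"prod:admin", "prod:ssh", "iam:admin"}

@dataclass(frozen=True)
class HRRecord:
    user: str
    role: str
    status: str            # "active" or "terminated"

@dataclass(frozen=True)
class Account:
    user: str
    entitlements: frozenset
    last_reviewed: date

@dataclass(frozen=True)
class Finding:
    user: str
    action: str            # "revoke_all" | "revoke" | "review_due"
    detail: str

def reconcile(hr, accounts, today):
    """Return findings: leavers to deprovision, excess rights to remove, reviews due."""
    roster = {r.user: r for r in hr}
    findings = []
    for acct in accounts:
        rec = roster.get(acct.user)
        # Leaver, or an account with no HR record at all: remove all access now.
        if rec is None or rec.status == "terminated":
            findings.append(Finding(acct.user, "revoke_all", "not an active employee in HRIS"))
            continue
        # Mover / privilege creep: anything outside the current role's baseline.
        excess = acct.entitlements - ROLE_BASELINE.get(rec.role, set())
        for ent in sorted(excess):
            findings.append(Finding(acct.user, "revoke", f"{ent} not in baseline for role {rec.role}"))
        # Periodic review: cadence depends on whether any privileged entitlement is held.
        tier = "privileged" if acct.entitlements & PRIVILEGED else "standard"
        due = acct.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
        if today >= due:
            findings.append(Finding(acct.user, "review_due", f"{tier} review overdue since {due}"))
    return findings

def evidence_rows(findings, reviewer, today):
    """Flatten findings into audit-trail rows (decision per user/action)."""
    decision = {"revoke_all": "revoke", "revoke": "revoke", "review_due": "pending"}
    return [(today.isoformat(), reviewer, f.user, f.action, decision[f.action], f.detail)
            for f in findings]

TODAY = date(2026, 2, 17)  # fixed so the sample is reproducible

def run_sample():
    """Constructed HR roster and account export; returns the findings."""
    hr = [
        HRRecord("alice", "developer", "active"),
        HRRecord("bob",   "support",   "active"),      # moved from sre to support
        HRRecord("carol", "sre",       "active"),
        HRRecord("dave",  "developer", "terminated"),  # leaver, account still present
    ]
    accounts = [
        Account("alice", frozenset({"git:read", "git:write", "ci:run"}), TODAY - timedelta(days=100)),
        Account("bob",   frozenset({"crm:read", "ticketing:agent", "prod:admin"}), TODAY - timedelta(days=95)),
        Account("carol", frozenset({"git:read", "prod:ssh", "prod:admin"}), TODAY - timedelta(days=30)),
        Account("dave",  frozenset({"git:read"}), TODAY - timedelta(days=10)),
        Account("erin",  frozenset({"git:read"}), TODAY - timedelta(days=10)),  # no HR record
    ]
    return reconcile(hr, accounts, TODAY)

if __name__ == "__main__":
    for row in evidence_rows(run_sample(), "asset-owner", TODAY):
        print(",".join(row))
```

On the sample data the run flags dave (terminated) and erin (unknown to HR) for full deprovisioning, bob's leftover `prod:admin` from his previous role as excess, and bob's account as overdue for its quarterly review because the privileged entitlement he still holds puts him on the shorter cadence; alice and carol produce no findings. Each finding becomes one evidence row with its retain/revoke/pending decision, which is the artefact an auditor asks for under A.5.18.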
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |