ISO27001 and the Annex clauses – Clause A9 Access Control

It's probably fair to say that when people think about information security and ISO27001 they rightly think about passwords, access control and who can see what information. Your Information Security Management System (ISMS) is clearly more than that, but it is a very important part and you do need to spend a large part of your time getting the requirements of this section correct, and it is more than just clever passwords.  

This section of Annex 9 of your ISO27001 system is about limiting the access to both information in your organisation and information processing facilities. In other words, you have to think about both who should get access to what information but also who should get access to the area and the technology that the information is processed on. That means you need to develop two things, an access control policy (A9.1.1) and rules around access to networks and network services (A9.1.2).

• A9.1.1 Access Control Policy – This is a formally documented policy that outlines who, or what roles should get access to things, the policy is always more of a broad brush than a specific detail document, but it should set the direction clearly about your intentions. It should set guidance around the need to protect information from both malicious and accidental access, use or destruction to both information and the processing facilities. Don't forget that the processing facilities don't have to be physical, I know a lot of companies have their physical servers behind a security-controlled door for example, great, but then everyone has direct access to the servers on the network or remotely so remember it's not about being physically in the room it's about any type of access. One of the elements to consider is how you rank information, not all information is equal after all. Someone's personal information, payroll information for example is going to be more important than the stock list for your vending machine.
• A9.1.2 Access to network and network services – this is about ensuring that you only provide users with the right authorised level of access that they need to do their role correctly. In other words, you need to make sure you have a properly structured access tree, probably on a per role basis. It takes time to build, and you need to heavily involve your IT team or IT contractor in developing this. Incorrect access in terms of not being able to get the data you need is frustrating to the user, too much access and you could be in real trouble.

This is the area that most people think about when we talk about information security so it's probably the area that people believe is the most well understood, in reality, it's may be understood but it's not well done and there are a few things to think about.

• A9.2.1 User registration and de-registration – You need to have a formal process for adding people to and even more importantly removing them from your information security frameworks. How often does someone leave a company and it takes over a week or a month to disable their access? If someone leaves your business, then they need to lose access the very minute they no longer need it.
• A9.2.2 User Access provisioning – This is about creating a process for ensuring that the right level of access is given and changed on a person by person basis as they move around the company. Bob in HR may need certain access rights for HR but when he moves to operations, those change and so he should no longer have the same information access rights. Again, this should be able to be done quickly and correctly.
• A9.2.3 Management of privileged access rights – think about these as access to the secrets of the company, there is going to be a precious few who have real need to have access to certain bits of your information or your information processing facilities. How many people really need access to your user configurations, or your network configurations or your payroll. These things need to be identified, restricted to who needs them and controlled.
• A9.2.4 Management of secret authentication information of users – My mind always goes to the idea of someone sitting on a bench or standing in a doorway and uttering the secret code, "the weather is fine for this time of year' and the responder saying "yes it's helping my flowers bloom" then information being secretly being passed between them. It's not really that bad an analogy in terms of secret authentication, those codes would be tightly controlled. These days it's more fobs or random number generators but you need to control who gets access to what and how. So if you are handing out fobs for example, make sure you get them back when the user shouldn't have it.
• A9.2.5 Review user access rights – this is about ensuring that the user only ever has the access rights they need for their role at that time. So you need to review these things on a regular basis.
• A9.2.6 Removal or adjustment of access rights - It's not unusual for people to move around the organisation gaining more and more access but never losing it. If they don't need access for their current roll then they shouldn't have it, simple! This includes moving around and of course leaving the company.

Within your ISO27001 information security management system it's not all one sided, the user has some responsibility as well which is what the clause A9.3.1 is about.

• A9.3.1 Use of secret authentication information – This requirement is and easy one, it says that the users are required to follow your rules for the use of secret authentication. So, if you have rules around how they control their random code generator or how they set passwords and use of open wifi networks, then they have a responsibility to follow those.

This section is about controlling unauthorised access to both your systems and your applications. Which is probably the bit that most people are familiar with.

• A9.4.1 Information access restriction - is about making sure that people only get access to what they need and and is going to be based on your access control policy from earlier (bit of a theme going here right?)

• A9.4.2 Secure Log on Procedures – this is about setting us your secure log on procedures for your systems, it's going to be outlined in your access control policy but it's about ensuring secure log on where required. It's typically where you say you can't have a password that is just 7 alphanumeric characters or your dogs name and a number since it'll be broken in minutes. We use a password generator which generates using letters (upper & lower) numeric and special characters (@#$%&|\~`! etc) . The measure of a strong password is how long it would take another computer to break it, your dog's name and a number is seconds, a 16charater alphanumeric and special character one… 41 TRILLION YEARS
• A9.4.3 Password management systems – It is pretty obvious that if you are using strong passwords you aren't going to remember them and since we don't want you writing them on a post-it note that hangs on your screen you probably will use a password manager. This should not be your browser remembering your passwords however, that's is not secure. ISO27001 talks about it being interactive, which means you need to give it a code to get a code. So you should have to log in to it in order to retrieve your user codes.
• A9.4.4 Use of Privileged utility programs – these are programs that can effectively override all of your other ISO27001 ISMS restrictions, you do not want these randomly and freely available the standard requires you to have them very tightly controlled.
• A9.4.5 Access control to program source code - clearly having access to any source code provides opportunities to insert anything you want, a back door, monitoring code, collection codes and so on. ISO27001 states that access to the source code needs to be restricted, which really isn't much of a surprise, is it?

There is a lot to unpack in ISO27001 Annex clause A9 for user access management, it all starts with a good access control policy which is going to set the tone but it does need you to work closely with the experts in your IT side of things to make sure you have things in place correctly and that you don't document processes that either can't be followed by the users of the ISMS or aren't possible within your systems.