
ISO 27001 A.5.18: Access rights

What This Control Requires

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.

In Plain Language

Privilege creep is one of the most common audit findings out there. Someone joins the marketing team, moves to product, then to engineering - and by the end they have access to everything from the CRM to the production database. Nobody removed the old permissions.

This control is about the operational management of access rights: granting them properly, reviewing them regularly, updating them when roles change, and revoking them when they are no longer needed. It is separate from identity management (A.5.16) - a person can keep their identity but their access rights should change as their role evolves.

Everything here ties back to the principles in your access control policy (A.5.15) - least privilege and need-to-know. Access should never be granted without proper authorisation, and stale permissions need to be actively cleaned up.

How to Implement

Build a structured process covering the full access rights lifecycle: provisioning, review, modification, and revocation.

For provisioning, set up a formal request-and-approve workflow. Every request needs a business justification, specific resource and access level details, and sign-off from the resource owner. Pre-define standard role packages so you are not reinventing the wheel for every new hire.

For role changes, trigger an access review whenever someone moves team, department, or location. The new manager approves what is needed going forward, and the old manager confirms what can be removed. This is how you stop privilege creep.

For periodic reviews, set a schedule based on system criticality. System and information owners should verify that each user still needs their current access. Document the results and act on findings. Automate with identity governance tooling where you can - manual reviews do not scale well.

For revocation, be prompt. Cover all the scenarios: someone leaving the organisation, finishing a project or contract, changing roles, or going on extended leave. Wire this into your offboarding process so nothing falls through.

Set up a break-glass procedure for emergencies where access is needed urgently outside normal channels. Include enhanced logging, mandatory post-incident review, time-limited grants, and automatic revocation. Every emergency access event should be documented and reviewed by management.

Evidence Your Auditor Will Request

  • Access request and approval records for recent provisioning activities
  • Periodic user access review records with actions taken on findings
  • Evidence of access modification when users change roles
  • Records of timely access revocation for recent departures
  • Emergency access procedure documentation and usage logs

Common Mistakes

  • Access rights accumulate over time without removal of unnecessary privileges
  • Access reviews are conducted but findings are not remediated in a timely manner
  • No formal approval workflow for access requests resulting in ad hoc provisioning
  • Access is not modified when users change roles within the organization
  • Emergency access is granted but not reviewed or revoked after the emergency

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC6.2           Equivalent
SOC 2       CC6.3           Related
GDPR        Art.32          Related
NIS2        Art.21(2)(i)    Related

Frequently Asked Questions

What is privilege creep and how do we prevent it?

It is what happens when people change roles and keep accumulating access without the old stuff being removed. After a few moves, someone might have admin access to systems they haven't touched in years. Prevent it by running regular access reviews, using role-based access that adjusts when roles change, and having managers periodically verify what their team actually needs. Identity governance tools can flag excessive access automatically, which helps a lot at scale.

How should we handle emergency access requests?

Have a documented break-glass procedure ready before you need it. It should cover: who can approve (senior management, even verbally if needed - document it afterwards), time limits on the access grant, enhanced logging of everything done during the emergency session, automatic revocation after a set period, and a mandatory post-incident review. The point is to allow urgency without throwing controls out the window.

Track ISO 27001 compliance in one place

AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.

Start Free Assessment