AuditFront

ISO 27001 A.8.2: Privileged access rights

What This Control Requires

The allocation and use of privileged access rights shall be restricted and managed.

In Plain Language

Admin accounts, root access, database superuser rights - these are the keys to the kingdom. If an attacker compromises a privileged account, they can bypass security controls, access any data, and reconfigure systems at will. That is why auditors spend a disproportionate amount of time scrutinising how you manage these.

The focus here is twofold: who gets privileged access and how that access is actually used. You need enhanced authentication, time-limited access windows, session monitoring, and regular reviews. The principle of least privilege is not optional at this level.

In practice, you should have as few privileged accounts as possible, and each one should be technically constrained. Standing admin access that is always on is a red flag auditors will catch every time.

How to Implement

Write a privileged access management (PAM) policy that spells out who qualifies for elevated access, under what conditions, and what controls apply. Keep the number of privileged accounts to an absolute minimum.

Deploy a PAM solution. A good PAM tool gives you credential vaulting, just-in-time access grants, session recording and monitoring, automated credential rotation, and break-glass procedures for emergencies. This is one of those investments that pays for itself in audit findings avoided.

Separate privileged from standard accounts. Every admin should have a regular account for email, browsing, and daily work, and a separate privileged account used only for administrative tasks. This limits exposure to phishing and malware - if the daily account gets compromised, the attacker still does not have admin rights.

Enforce strong authentication on all privileged accounts. MFA is mandatory. For your most critical systems, use phishing-resistant MFA like FIDO2 hardware keys. Add step-up authentication for especially sensitive operations.

Move to just-in-time (JIT) access wherever you can. Instead of permanent standing privileges, grant elevated permissions only when needed, for a limited duration, with justification and approval required. Auto-revoke when the window expires.

Monitor and audit everything privileged accounts do. Log all activity with enough detail for forensic investigation. Set up alerts for anomalies - unusual access times, unexpected locations, excessive privilege use. Review logs regularly and run periodic access reviews to confirm every privileged account is still justified.
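The two mechanisms described above, a just-in-time grant that expires on its own and monitoring that flags anomalous privileged activity, are easy to reason about with a small working model. The following is an added example written for this page; it is not AuditFront's code and it does not reproduce any particular PAM product. The grant rules (justification required, no self-approval, a policy maximum on the window), the business-hours range, the per-account allowed countries, the action threshold and the log lines are all constructed assumptions. The check marks an event when it falls outside any active grant for that account and system, outside business hours, comes from a country not expected for that account, or exceeds the per-hour action threshold.

```python
"""Added example: JIT privilege windows plus anomaly checks on privileged
activity. Not AuditFront's code; all thresholds and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class JitGrant:
    """A time-limited, approved elevation for one account on one system."""
    account: str
    system: str
    approved_by: str
    justification: str
    start: datetime
    end: datetime

    def active_at(self, t: datetime) -> bool:
        return self.start <= t < self.end


def request_grant(account, system, justification, approved_by, requested_at,
                  duration_minutes=60, max_minutes=240):
    """Issue a grant only with a justification, a distinct approver and a capped window."""
    if not justification.strip():
        raise ValueError("justification is required")
    if approved_by == account:
        raise ValueError("requester cannot approve their own grant")
    if duration_minutes > max_minutes:
        raise ValueError(f"window exceeds policy maximum of {max_minutes} minutes")
    return JitGrant(account, system, approved_by, justification,
                    requested_at, requested_at + timedelta(minutes=duration_minutes))


def parse_line(line):
    """Constructed log format: '<ISO time>Z <account> <system> <action> <src ip> <country>'."""
    ts, account, system, action, src_ip, country = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC),
            "account": account, "system": system, "action": action,
            "src_ip": src_ip, "country": country}


def review_events(log_lines, grants, allowed_countries,
                  business_hours=(8, 18), max_actions_per_hour=20):
    """Return one finding per event that violates a JIT window or looks anomalous."""
    findings = []
    per_hour = {}  # (account, hour bucket) -> number of privileged actions seen
    for line in log_lines:
        ev = parse_line(line)
        reasons = []
        if not any(g.account == ev["account"] and g.system == ev["system"]
                   and g.active_at(ev["time"]) for g in grants):
            reasons.append("outside-jit-window")
        if not (business_hours[0] <= ev["time"].hour < business_hours[1]):
            reasons.append("unusual-hour")
        if ev["country"] not in allowed_countries.get(ev["account"], set()):
            reasons.append("unexpected-location")
        bucket = (ev["account"], ev["time"].replace(minute=0, second=0))
        per_hour[bucket] = per_hour.get(bucket, 0) + 1
        if per_hour[bucket] == max_actions_per_hour + 1:  # fire once when the threshold is crossed
            reasons.append("excessive-privilege-use")
        if reasons:
            findings.append({"time": ev["time"].isoformat(), "account": ev["account"],
                             "system": ev["system"], "reasons": reasons})
    return findings


# Constructed sample data: one approved one-hour grant and six log events.
GRANTS = [request_grant("admin-alice", "prod-db", "rotate replication credentials",
                        "manager-carol", datetime(2024, 3, 4, 9, 0, tzinfo=UTC))]
ALLOWED = {"admin-alice": {"GB"}, "admin-bob": {"GB"}}
SAMPLE_LOG = [
    "2024-03-04T09:05:00Z admin-alice prod-db sudo 198.51.100.7 GB",
    "2024-03-04T09:10:00Z admin-alice prod-db sudo 198.51.100.7 GB",
    "2024-03-04T09:12:00Z admin-alice prod-db sudo 198.51.100.7 GB",
    "2024-03-04T09:14:00Z admin-alice prod-db sudo 198.51.100.7 GB",  # 4th action in the hour
    "2024-03-04T11:30:00Z admin-alice prod-db sudo 198.51.100.7 GB",  # grant expired at 10:00
    "2024-03-04T03:20:00Z admin-bob prod-db sudo 203.0.113.5 RU",     # no grant, off-hours, odd country
]


def run_demo():
    """Run the checks with a deliberately low action threshold so every rule fires."""
    return review_events(SAMPLE_LOG, GRANTS, ALLOWED, max_actions_per_hour=3)


if __name__ == "__main__":
    for f in run_demo():
        print(f["time"], f["account"], f["system"], ", ".join(f["reasons"]))
```

Against the sample, the fourth action inside Alice's window trips the threshold, the 11:30 action is outside her expired window, and Bob's 03:20 session fails all three checks at once. In a real deployment the grant ledger would come from the PAM tool and the events from its session logs; the point of the model is that revocation is a property of the grant's end time, not something an operator has to remember to do.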

Evidence Your Auditor Will Request

  • Privileged access management policy and procedures
  • Inventory of all privileged accounts and their justifications
  • PAM solution deployment records showing credential vaulting and session management
  • MFA enforcement records for privileged accounts
  • Privileged access review records showing periodic verification

Common Mistakes

  • More accounts hold privileged access than the work actually requires
  • Privileged accounts are used for routine activities like email and web browsing
  • MFA is not enforced for privileged account authentication
  • Privileged account passwords are not rotated regularly, or are shared between people
  • Privileged account usage is not monitored or alerted on

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC6.1           Related
SOC 2       CC6.3           Related
GDPR        Art.32          Partial overlap
NIS2        Art.21(2)(i)    Related

Frequently Asked Questions

What is just-in-time privileged access?

Instead of giving someone permanent admin rights, you grant them elevated access only when they actually need it. They submit a request, explain why, get approval, and receive time-limited privileges. Once the task is done or the clock runs out, access is automatically revoked. The beauty of this approach is that even if an attacker compromises a privileged account, there is a good chance the privileges are not active at that moment.

How often should privileged access be reviewed?

Quarterly at minimum, and more often for your crown jewel systems. Each review should confirm the account is still needed, the person still requires that level of access for their role, and the account has been used legitimately. Automated tools help a lot here - they can flag dormant accounts or suspicious usage patterns between formal reviews, so you are not flying blind between quarters.
