
ISO 27001

Annex A.9 - Access control

Get compliant with ISO 27001 – Annex A.9 and simplify compliance for your organisation.

Annex A.9 has four sections, all intended to make sure that the right employee can view the information that is relevant to their role. The four sections are: business requirements of access control, user access management, user responsibilities, and system and application access control. Access control is the base of information security management systems, and this annex could be considered one of the most important in Annex A.

A.9.1 – Business requirements of access control

Annex A.9.1, the business requirements of access control, has two controls that limit access to information and information processing facilities.

A.9.1.1 Access control policy

Controlling access to information assets is a fundamental part of a defence-in-depth approach to information security in an organisation. The organisation should establish its access control in the access control policy.


This policy would normally include business requirements of access control, user access management, user authentication for external connections, user responsibilities, and system and application access control. The access control policy must ensure that the measures the organisation implements are appropriate to the business requirement. It should provide protection without being unnecessarily strict.


Business requirements should be established as part of the requirements-gathering stage of new or significantly changed systems and services and should be incorporated in the resulting design. The organisation should have clear guidelines about access control and keep a record of access authorisations.

A.9.1.2 Access to networks and network services

Users shall only be provided with access to the network and network services that they have been specifically authorised to use.


Networks should be logically and physically separated in line with network policy, and further segmented within themselves. Access should only be granted to the segment that is required. Users should be given the minimum access needed for their daily work.


Extra checks should be completed by the individuals granting access.

A.9.2 – User access management

Annex A.9.2 has six user access management controls. They aim to ensure authorised user access and to prevent unauthorised access to systems and services.

A.9.2.1 User registration and de-registration

Within the organisation, all requests should be processed according to the introduction procedure. This ensures appropriate security checks are carried out and correct authorisation is obtained prior to user account creation. Each user account should have a unique username that is not shared with any other user, and should be associated with a specific individual, i.e. not a role or job title. Generic user accounts, i.e. single accounts to be used by a group of people, should not be created as they provide insufficient allocation of responsibility.

A.9.2.2 User access provisioning

Each user in the organisation should be allocated access rights and permissions to systems and data to suit their job role. In general this should be role-based, i.e. a user account will be added to a group that has been created with the access permissions required by that job role.


A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. The creation of new user accounts and the on-going management of system access are fundamental to the provision of effective information security. This process describes how user accounts and access rights should be requested, approved, created, amended, reviewed and removed in a secure way which complies with the organisation’s own policy.

A.9.2.3 Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled. This control targets access rights that are more than ‘usual’, that is, at a higher level. Such rights, for example those associated with administrator-level accounts, must be identified for each system or network and tightly controlled. Access to admin-level permissions should only be allocated to individuals whose roles require them and who have received sufficient training to understand the implications of their use.

Privileged access should only be granted on a need-to-use basis, and a record of all privileges will be maintained within the organisation and reviewed at a defined interval.

A.9.2.4 Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a formal management process. Organisation requirements for effective access control should be addressed and appropriate measures implemented. Normally the policy includes password management, user account administration and user logon controls.

A.9.2.5 Review of user access rights

Asset owners shall review users’ access rights at regular intervals. Asset and system owners need to review, on a regular basis, who has access to their areas of responsibility and the level of access in place. This review should be performed according to a formal procedure, and any corrective actions identified should be carried out as a follow-up.

A.9.2.6 Removal or adjustment of access rights

The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. Where an adjustment of access rights or permissions is required e.g. due to an individual changing role, this should be carried out as part of the role change. It should be ensured that access rights no longer required as part of the new role are removed from the user account. In the event that a user is taking on a new role in addition to their existing one (rather than instead of) then a new composite role should be requested via change management. Due consideration of any issues of segregation of duties should be given.

A.9.3 – User responsibilities

Annex A.9.3, the user responsibilities control, outlines how to make users accountable for safeguarding their authentication information in the organisation.

A.9.3.1 Use of secret authentication information

Users shall be required to follow the organisation’s practices in the use of secret authentication information. A strong password is an essential barrier against unauthorised access. Unfortunately this area is often proven to be the weak link in an organisation’s security strategy. There are a variety of ways to improve the security of user authentication. Examples include various forms of two factor authentication and biometric techniques.

A.9.4 – System and application access control

Annex A.9.4 has 5 controls that influence system and application access control. The aim is to prevent unauthorised access to systems and applications.

A.9.4.1 Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy. Physical protection could include encouraging the use of devices in a private area, to prevent them being overlooked by others. The organisation could also provide employees with privacy filters to place over their laptop screens.

A.9.4.2 Secure log-on procedures

Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. This could be achieved by using password management software and by making sure multi-factor authentication is in place.

A.9.4.3 Password management system

Password management systems shall be interactive and shall ensure quality passwords. Passwords play a key role in guarding the security of information. The organisation should manage passwords so that they are not exposed, and in a way that allows monitoring and tracking of their use. Users should not reuse the same password for multiple different services. User passwords should also be changed on a regular basis, and the organisation should have documentation that makes the period of time clear.



A.9.4.4 Use of privileged utility programs

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. A privileged program is defined as a piece of software that would need to be run as a user with higher privileges. Running with this higher privileged access can introduce more risk to the system if more care is not taken when installing packages.

A.9.4.5 Access control to program source code

Access to program source code shall be restricted. Strict controls need to be applied to source code in order to ensure that services within the business are kept away from any malicious activity. This should also apply to businesses based on Open Source. Controlling the storage of source code could help to achieve the aim of this control. Users should be given the minimum access necessary to reach the code store. The same access control should apply if the user wants to make changes to the code library.

