Our Blog - for QHSE Compliance Professionals | Mango

ISO 27001 Information Security Management Standard - Clause A.9

Written by Craig Thornton | 28/01/19 02:53

Part 28 - A9 Access Control

This clause in the Annex of ISO 27001 is probably the most talked about and most important clause of the whole Annex.

Your information security management system (ISMS) revolves around who in your organisation can get access to the right information at the right time.  Getting this wrong can have a huge impact on your business. There are major implications if you accidentally open access to your employees' personal information to unauthorised personnel, for example releasing salary or wage information to the public.  This is a major risk to your business.

Therefore, spend lots of time on this clause to get the procedure right. Be sure to work closely with your IT people. 

Here at Mango we spent almost 50% of the time developing our ISO 27001 certified system just on this clause.

So let’s start with the business requirements for access control.

 

A.9.1 Business Requirements of Access Control

The objective of this clause is to establish and implement systems to limit access to information and information processing facilities.

This clause requires an access control policy to be established, documented and reviewed, based on your business and information security requirements (A.9.2.1 is where users get accounts; A.9.1.1 is where you decide who should get what). It also requires that users are only given access to the networks and network services they have been specifically authorised to use (A.9.1.2).

To help you here is the Mango Limited access control policy:

Information security is the protection of information against accidental or malicious disclosure, modification or destruction.

Information is an important, valuable asset of Mango Limited which must be managed with care.  However, not all of this information has an equal value or requires the same level of protection.

We have established specific requirements for protecting information and information systems against unauthorised access; these controls communicate the need for information and information system access control.

Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use.

 

A.9.2 User Access Management 

The objective of this clause is to ensure that your authorised users can access your systems and services while preventing unauthorised access.

Here at Mango we created a system that covers the six controls of this clause (A.9.2.1 to A.9.2.6):

  • User registration and de-registration
  • User access provisioning
  • Management of privileged access rights
  • Management of users' secret authentication information (passwords)
  • Review of user access rights
  • Removal or adjustment of access rights when employees and contractors leave or change role

Here at Mango our IT contractors worked closely with us to develop the detailed instructions for these areas.
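The review and leaver activities above are the ones an auditor most often finds evidence gaps in, so here is an added example (not Mango's code) of an automated access review in Python. It reconciles a constructed HR roster against a constructed export of application accounts and flags the findings a review should raise: accounts whose owner has left, orphan accounts with no HR record, privileged roles with no recorded approver, and accounts whose last review is older than the review period. The field names, the 90-day review period and the set of privileged roles are assumptions for the example.

```python
"""Automated user access review for ISO 27001 A.9.2.3, A.9.2.5 and A.9.2.6.

Added example, not Mango's code. All field names, the review period and the
set of privileged roles are assumptions for the example; the roster and the
account export below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

REVIEW_PERIOD = timedelta(days=90)      # assumed: quarterly review cycle
PRIVILEGED_ROLES = {"admin", "dba"}     # assumed: roles that need an approver


@dataclass
class HrRecord:
    user_id: str
    status: str                          # "active" or "left"
    end_date: Optional[date] = None      # set when status == "left"


@dataclass
class Account:
    user_id: str
    system: str
    roles: Set[str]
    approved_by: Optional[str]           # who approved privileged roles, if anyone
    last_reviewed: date


@dataclass
class Finding:
    user_id: str
    system: str
    issue: str


def review_access(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    """Reconcile accounts against HR and return the findings a reviewer must action."""
    hr_by_id = {rec.user_id: rec for rec in hr}
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # Nobody in HR owns this account: it cannot be reviewed, so disable it.
            findings.append(Finding(acct.user_id, acct.system, "orphan: no HR record"))
            continue
        if rec.status == "left":
            # A.9.2.6: access should have been removed on termination.
            if rec.end_date is not None:
                days = (today - rec.end_date).days
                issue = f"leaver: account still active {days} days after exit"
            else:
                issue = "leaver: account still active after exit"
            findings.append(Finding(acct.user_id, acct.system, issue))
        privileged = acct.roles & PRIVILEGED_ROLES
        if privileged and not acct.approved_by:
            # A.9.2.3: privileged rights need a formal, recorded approval.
            findings.append(Finding(acct.user_id, acct.system,
                                    f"privileged roles {sorted(privileged)} without approver"))
        if today - acct.last_reviewed > REVIEW_PERIOD:
            # A.9.2.5: every account must be re-reviewed within the period.
            findings.append(Finding(acct.user_id, acct.system, "review overdue"))
    return findings


# Constructed sample data (not real people or systems).
TODAY = date(2019, 1, 28)
HR = [
    HrRecord("alice", "active"),
    HrRecord("bob", "left", end_date=date(2018, 12, 15)),
    HrRecord("carol", "active"),
]
ACCOUNTS = [
    Account("alice", "crm", {"user"}, None, date(2019, 1, 10)),         # clean
    Account("alice", "db", {"admin"}, "cto", date(2018, 9, 1)),         # review overdue
    Account("bob", "crm", {"user"}, None, date(2018, 10, 1)),           # leaver + overdue
    Account("carol", "db", {"dba", "user"}, None, date(2019, 1, 20)),   # unapproved privilege
    Account("dave", "crm", {"admin"}, "cto", date(2019, 1, 25)),        # orphan
]


def run_review() -> List[Finding]:
    """Run the review over the constructed sample data."""
    return review_access(HR, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.system:4} {f.user_id:6} {f.issue}")
```

The output of such a script, with a note of who actioned each finding and when, is the kind of record an auditor will ask for under A.9.2.5; the script itself is only the detection half.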

 

A.9.3 User Responsibilities 

The objective here is to make your users accountable for safeguarding their authentication information from being compromised.

This control requires your employees to follow your organisation's practices for using secret authentication information (A.9.3.1).

For Mango this means ensuring users have strong passwords and keep them confidential.  We talk about this every month at our all-company Management Review meeting. We make sure no one uses browser auto-fill or saved passwords for any account in any browser.

 

A.9.4 System and Application Access Control 

The objective of this sub-clause is to prevent unauthorised access to your information systems and applications.

For Mango we implemented a range of controls such as secure log-on procedures, a password management system and restricted access to our source code.  We use SSL (Secure Sockets Layer, now superseded by TLS) to encrypt data in transit over the web.
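Secure log-on and password management (A.9.4.2 and A.9.4.3) are where a written procedure turns into code, so here is an added example in Python, not Mango's implementation, of the pieces a secure log-on procedure is expected to have: passwords stored only as salted scrypt hashes, a minimum length and a deny-list enforced when a password is set, a single generic failure message whether the username or the password was wrong (with the same hashing cost on both paths, so response time does not reveal which), and a lockout after repeated failures. The class and method names, the thresholds and the deny-list are assumptions for the example.

```python
"""Secure log-on procedure and password management for ISO 27001 A.9.4.2/A.9.4.3.

Added example, not Mango's implementation. Names, thresholds and the
deny-list are assumptions; hashlib.scrypt is in the Python standard
library on builds linked against OpenSSL 1.1 or later.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

MIN_PASSWORD_LEN = 12                       # assumed policy minimum
MAX_FAILURES = 5                            # assumed lockout threshold
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # ~16 MiB per hash; raise n in production
GENERIC_FAILURE = "invalid username or password"
# Constructed deny-list; a real one would be a large breached-password set.
COMMON_PASSWORDS = {"password1234", "welcome12345", "qwerty123456"}
_DUMMY_SALT = bytes(16)                     # fixed salt used only on the unknown-user path


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class PasswordStore:
    """Holds only salted hashes; the plaintext password never gets stored."""

    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              dklen=32, **SCRYPT_PARAMS)

    def set_password(self, username: str, password: str) -> None:
        """A.9.4.3: enforce quality rules and store a per-user salted hash."""
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        if password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is on the deny-list")
        salt = os.urandom(16)
        self._users[username] = UserRecord(salt=salt, digest=self._hash(password, salt))

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """A.9.4.2: verify credentials without revealing which part was wrong."""
        rec = self._users.get(username)
        if rec is None:
            # Spend the same hashing cost so an unknown username is not
            # distinguishable from a wrong password by response time.
            self._hash(password, _DUMMY_SALT)
            return False, GENERIC_FAILURE
        if rec.locked:
            # Same message as a bad password; the user is told out of band.
            return False, GENERIC_FAILURE
        if hmac.compare_digest(self._hash(password, rec.salt), rec.digest):
            rec.failures = 0
            return True, "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            # In production prefer a time-limited lock or back-off, so an
            # attacker cannot lock users out just by guessing their names.
            rec.locked = True
        return False, GENERIC_FAILURE

    def is_locked(self, username: str) -> bool:
        rec = self._users.get(username)
        return rec is not None and rec.locked


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "correct-horse-battery")
    print(store.login("alice", "correct-horse-battery"))   # (True, 'ok')
    print(store.login("alice", "wrong-password"))          # (False, 'invalid username or password')
    print(store.login("nobody", "whatever"))               # same message, same hashing cost
```

The lockout counter is kept per user rather than per source address because the control is about protecting the account; pair it with rate limiting at the network edge, and log every failed attempt so the review under A.9.2.5 can see them.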

 

Takeaways

  1. This clause is one of the most important clauses of ISO 27001.
  2. Treat this clause carefully.
  3. Spend a lot of time getting these processes right.
  4. Get your IT department or consultants to help with the processes.



View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate

Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3

Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4

Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1

Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2

Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3

Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1

Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2

Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4

Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5

Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3

Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3

Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2

Part 24 - ISO 27001 Information Security Management Standard: Clause A5

Part 25 - ISO 27001 Information Security Management Standard: Clause A6

Part 26 - ISO 27001 Information Security Management Standard: Clause A7

Part 27 - ISO 27001 Information Security Management Standard: Clause A8