GRCWatch
Sign inStart free trial

ISO 27001 Control 5.18: Access Rights Management

Access rights are the gatekeepers of your information security. ISO 27001 5.18 requires you to systematically provision, review, modify, and remove access based on clear policies—not ad hoc decisions. This control ensures only authorized personnel access what they need, when they need it.

What this means

Control 5.18 mandates that organizations establish and enforce a formal process for managing user access rights throughout the asset lifecycle. This includes initial provisioning when users join, periodic reviews to catch permission creep, timely modifications when roles change, and prompt removal when users leave or change responsibilities. Your access control policy must define clear rules for who gets what access, based on business need and least-privilege principles.

How to comply

  1. 1.Document a formal access control policy defining provisioning rules, approval workflows, and role-based access models
  2. 2.Implement a request-and-approval workflow for all access provisioning with documented business justification
  3. 3.Conduct quarterly or semi-annual access reviews by system owners and managers to validate active permissions
  4. 4.Establish change management procedures for modifying access when roles, departments, or responsibilities change
  5. 5.Create an offboarding checklist to revoke all access rights within 24 hours of user departure or role change
  6. 6.Maintain an access rights register or inventory linking users, systems, and approved permissions
  7. 7.Define escalation procedures for access requests that don't fit standard role templates

Evidence auditors look for

  • Access control policy document signed by management
  • Access request forms with documented approval from managers and system owners
  • Access review reports showing quarterly validation of user permissions across critical systems
  • Screenshots or exports of user access matrices (who has what on each system)
  • Offboarding checklists completed for departed employees showing access revocation dates
  • Change tickets documenting access modifications tied to role changes or project transitions
  • Access logs or audit reports showing provisioning and removal timestamps
  • Role definitions and job descriptions linking positions to standard access levels

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates access provisioning workflows and scheduled access reviews, eliminating manual spreadsheets and catching permission creep before your auditors do.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.15 — Information Security for Supplier RelationshipsISO 27001 5.16 — Information Security in Project ManagementISO 27001 5.17 — Supplier Service Delivery ManagementISO 27001 5.19 — Information Security in HR ProcessesISO 27001 6.8 — Management of Technical VulnerabilitiesISO 27001 8.1 — User Endpoint DevicesISO 27001 8.2 — Privileged Access Rights