ISO 27001 Control 5.18: Access Rights Management
Access rights are the gatekeepers of your information security. ISO 27001 5.18 requires you to systematically provision, review, modify, and remove access based on clear policies—not ad hoc decisions. This control ensures only authorized personnel access what they need, when they need it.
What this means
Control 5.18 mandates that organizations establish and enforce a formal process for managing user access rights throughout the asset lifecycle. This includes initial provisioning when users join, periodic reviews to catch permission creep, timely modifications when roles change, and prompt removal when users leave or change responsibilities. Your access control policy must define clear rules for who gets what access, based on business need and least-privilege principles.
How to comply
- 1.Document a formal access control policy defining provisioning rules, approval workflows, and role-based access models
- 2.Implement a request-and-approval workflow for all access provisioning with documented business justification
- 3.Conduct quarterly or semi-annual access reviews by system owners and managers to validate active permissions
- 4.Establish change management procedures for modifying access when roles, departments, or responsibilities change
- 5.Create an offboarding checklist to revoke all access rights within 24 hours of user departure or role change
- 6.Maintain an access rights register or inventory linking users, systems, and approved permissions
- 7.Define escalation procedures for access requests that don't fit standard role templates
Evidence auditors look for
- Access control policy document signed by management
- Access request forms with documented approval from managers and system owners
- Access review reports showing quarterly validation of user permissions across critical systems
- Screenshots or exports of user access matrices (who has what on each system)
- Offboarding checklists completed for departed employees showing access revocation dates
- Change tickets documenting access modifications tied to role changes or project transitions
- Access logs or audit reports showing provisioning and removal timestamps
- Role definitions and job descriptions linking positions to standard access levels
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access provisioning workflows and scheduled access reviews, eliminating manual spreadsheets and catching permission creep before your auditors do.
See how GRCWatch handles this control automatically
Start free trial