What is the objective of Annex A.9.1 of ISO 27001?

Annex A.9.1 is about the business requirements of access control. The objective of this Annex A control is to limit access to information and information processing facilities. It's an important part of the information security management system (ISMS), especially if you'd like to achieve ISO 27001 certification. Let's understand those requirements and what they mean in a bit more depth.

A.9.1.1 Access Control Policy

An access control policy must be established, documented and reviewed regularly, taking into account the requirements of the business for the assets in scope.

Access control rules, rights and restrictions, along with the depth of the controls used, should reflect the information security risks around the information and the organisation's appetite for managing them. Put simply, access control is about who needs to know, who needs to use, and how much access they get.

Access controls can be digital and physical in nature, e.g. permission restrictions on user accounts as well as limitations on who can access certain physical locations (aligned with Annex A.11 Physical and Environment Security).

Security requirements of business applications, aligned with the information classification scheme in use as per A.8 Asset Management.

Clarify who needs to access, who needs to know, and who needs to use the information, supported by documented procedures and responsibilities.

Management of access rights and privileged access rights (more power, see below), including adding, in-life changes (e.g. super user/administrator controls) and periodic reviews (e.g. by regular internal audits in line with requirement 9.2).