
How Do Access Reviews Relate to ISO 27002 Audits?

ISO 27002, first published in 2000 by the International Organization for Standardization, was designed to outline international information security standards. In 2013 it was updated to complement the newly published ISO 27001. Among the 14 controls within the scope of the publication, one component of ISO 27002 outlines the specific requirements for access control as part of information security.

Annex 9 of ISO 27002 (A9) is the section of the publication covering an organization's access controls. Its subsections detail the different aspects of access control that an organization should implement as best information security practice. A9.2.5 specifies the review of user access rights: a user access review should be conducted regularly, and also whenever an individual's status within the organization changes (such as a new hire, a change in roles, or a termination). During this periodic review, an organization should assess the users within its systems, what they can access, and whether that access is necessary for each user to complete their duties.

A9.2.6 follows on from A9.2.5 and outlines the removal and adjustment of access rights. Once the review described in A9.2.5 has been conducted, user access should be modified to match each user's current status within the organization. Because roles within an organization change often, access permissions must change with them: when someone's employment is terminated, access to the system under their credentials should be revoked, and when someone's role changes, their authorizations should change accordingly.

Both A9.2.5 and A9.2.6 are key components of access reviews, which should be conducted regularly to ensure that users can access only what they have been authorized to access. Conducted regularly, access reviews greatly improve information security by ensuring that sensitive data does not fall into the wrong hands.
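As an added illustration (not part of the original article or of YouAttest's product), the reconciliation at the heart of an A9.2.5/A9.2.6 review written in Python: it decides whether a review is due (fixed cadence or a status change since the last one) and lists the access that must be revoked or adjusted. The role model, HR roster and application entitlements are constructed sample data.

```python
from datetime import date

# Constructed sample data (hypothetical): the role model, the HR roster and
# one application's current entitlements. A real review would pull these
# from the HR system and from the application's access list.
ROLE_ENTITLEMENTS = {
    "engineer": {"git-read", "git-write", "ci-run"},
    "analyst": {"reports-read"},
    "finance": {"reports-read", "ledger-write"},
}
HR_ROSTER = {  # user -> (current role, employment status, date of last status change)
    "alice": ("engineer", "active", date(2023, 1, 10)),
    "bob": ("analyst", "active", date(2024, 3, 2)),       # moved here from finance
    "carol": ("finance", "terminated", date(2024, 4, 1)),
}
SYSTEM_ACCESS = {  # user -> entitlements the application currently grants
    "alice": {"git-read", "git-write", "ci-run"},
    "bob": {"reports-read", "ledger-write"},    # ledger-write left over from the old role
    "carol": {"reports-read", "ledger-write"},  # never revoked after termination
    "dave": {"git-read"},                       # account with no HR record at all
}


def review_is_due(last_review, roster, today, interval_days=90):
    """A9.2.5: review on a fixed cadence and whenever any user's status changed."""
    if (today - last_review).days >= interval_days:
        return True
    return any(changed > last_review for _, _, changed in roster.values())


def review_access(roster, access, roles):
    """A9.2.5/A9.2.6: compare granted access with HR status and role and return
    the findings a reviewer must act on: revoke, adjust, or investigate orphans."""
    findings = {}
    for user, granted in access.items():
        if user not in roster:                      # no owner in HR: orphaned account
            findings[user] = ("orphan", sorted(granted))
            continue
        role, status, _ = roster[user]
        if status == "terminated":                  # A9.2.6: revoke everything
            findings[user] = ("revoke", sorted(granted))
            continue
        excess = granted - roles.get(role, set())   # A9.2.6: trim to the current role
        if excess:
            findings[user] = ("adjust", sorted(excess))
    return findings


if __name__ == "__main__":
    for user, (action, items) in review_access(HR_ROSTER, SYSTEM_ACCESS, ROLE_ENTITLEMENTS).items():
        print(f"{user}: {action} {items}")
```

Users whose granted access matches their current role (alice here) produce no finding, which is the evidence an auditor expects to see recorded alongside the exceptions.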

During an ISO 27002 audit, an auditor verifies that the organization meets the controls outlined by ISO 27002. A company that conducts regular access reviews ensures that it at least meets the compliance standard for access control. A company that cannot maintain compliance with the access control standard will also be unable to meet the other control standards, because the information it is responsible for is not being kept safe.

Used in conjunction with a best-practice approach to cybersecurity, access reviews and ISO 27002 compliance ensure that data is used as intended. Allowing only privileged users to access information within an organization, and regularly monitoring who has that access, keeps out those who might use the information for criminal or dangerous activities. Access reviews allow any organization to better protect the sensitive information it is responsible for.

YouAttest automates the creation and review of these access reviews. To learn more about YouAttest, please register for our next webinar, Insider Threat and Access Reviews. Or write us @