Managing Access Rights to Information Assets
Regularly check and adjust who can access sensitive information based on business rules.
Plain language
This control is about making sure that only the right people have access to sensitive information in your business. If you don't manage who can see or use important data correctly, unauthorised people might access, misuse, or even damage your information, harming your business and violating privacy laws.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Organisational controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.
Why it matters
Unchecked access rights can enable unauthorised access to information assets, causing data breaches, insider misuse, privacy breaches, and financial loss.
Operational notes
Review access rights regularly against role requirements; promptly provision, modify or remove access for joiners, movers and leavers, and keep approvals recorded.
Implementation tips
- The IT manager should create a clear policy for managing access to information. This involves defining who can access specific types of data and under what conditions, referencing ISO 27002:2022 guidance for best practices.
- Human Resources should coordinate access rights adjustments when employees change roles. This can be achieved by regularly updating lists of staff roles and access permissions to ensure they match current job duties.
- Department heads should perform regular reviews of who has access to sensitive data. These reviews can be done quarterly by checking the list of current access rights against roles and responsibilities, removing access where it is no longer necessary.
- The security team should establish a process for granting temporary access rights. This includes creating a system for logging access requests, having them reviewed by management, and automatically revoking them after the expiration date.
- Procurement should ensure that any third-party service agreements include clauses about correctly managing access to sensitive data, according to Australian Privacy Principles and OAIC guidelines.
Audit / evidence tips
- Ask: Request the organisation's access control policy document. Good: A comprehensive policy that aligns with both business needs and regulatory standards, with clear roles and responsibilities.
- Ask: Ask for records of recent access rights reviews. Good: Records show reviews conducted quarterly, with documented changes to access rights where necessary.
- Ask: Request evidence of training sessions for employees on access control policies. Good: Training logs show regular sessions with high staff attendance and clear content outlines.
- Ask: Ask for logs of temporary access rights granted in the past six months. Good: Logs are detailed, complete, and show timely revocation of temporary access.
- Ask: Request any access control agreement clauses in third-party contracts. Good: Contracts include clear access management responsibilities and align with Privacy Act 1988 requirements.
Cross-framework mappings
How Annex A 5.18 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
Partially meets (6)
Partially overlaps (1)
ASD ISM

Partially meets (26)

| Control | Notes |
|---|---|
| ISM-0269 | ISM-0269 requires restricting dissemination of specific sensitive information in email by ensuring only verified-nationality recipients i... |
| ISM-0405 | ISM-0405 requires that requests for unprivileged access to systems and resources are validated when first requested |
| ISM-0409 | ISM-0409 mandates preventing foreign nationals from accessing AUSTEO or REL data unless effective controls eliminate access |
| ISM-0411 | ISM-0411 requires blocking foreign nationals from accessing AGAO data on relevant systems unless controls ensure the data is not accessib... |
| ISM-0415 | ISM-0415 requires that shared user accounts are tightly controlled and that activity performed using them can be attributed to a uniquely... |
| ISM-0430 | ISM-0430 requires organisations to remove or suspend system access the same day a person no longer has a legitimate need for it |
| ISM-0443 | ISM-0443 mandates that organisations do not grant temporary access to systems processing, storing or communicating caveated or sensitive ... |
| ISM-1392 | ISM-1392 requires that when application control uses path rules, only approved users can modify approved files and write to approved folders |
| ISM-1432 | ISM-1432 focuses on preventing domain hijacking by locking domains at the registrar and validating the correctness of domain registration... |
| ISM-1591 | ISM-1591 requires user access to systems and resources to be removed or suspended as soon as practicable when malicious activity is detected |
| ISM-1647 | ISM-1647 requires privileged access to be disabled after 12 months unless revalidated, which is an access-rights review and removal mecha... |
| ISM-1648 | ISM-1648 requires disabling privileged access after 45 days of inactivity as part of keeping access current and reducing unnecessary elev... |
| ISM-1649 | ISM-1649 requires just-in-time administration to control the granting and use of administrative access for systems and resources |
| ISM-1812 | ISM-1812 requires preventing unprivileged accounts from accessing other users’ backups |
| ISM-1843 | ISM-1843 requires organisations to review Active Directory (AD) user accounts with unconstrained delegation at least annually and remove ... |
| ISM-1844 | ISM-1844 requires that computer accounts that are not Microsoft AD DS domain controllers are not trusted for delegation to services, prev... |
| ISM-1845 | ISM-1845 mandates automatic removal of security group memberships when a user account is disabled to ensure access rights are promptly re... |
| ISM-1846 | ISM-1846 requires organisations to ensure the **Pre-Windows 2000 Compatible Access** group does not include user accounts, effectively en... |
| ISM-1932 | ISM-1932 requires minimising the count of AD service accounts with SPNs to reduce unnecessary accounts and authentication exposure |
| ISM-1933 | ISM-1933 requires removing/avoiding DCSync permissions for SPN-configured service accounts to prevent directory replication abuse |
| ISM-1934 | ISM-1934 requires user accounts with DCSync permissions to be reviewed at least annually and removed where there is no ongoing need |
| ISM-1936 | ISM-1936 requires that the sIDHistory attribute is not used on user accounts, which prevents legacy or migrated identifiers from being le... |
| ISM-1940 | ISM-1940 requires that service accounts are not members of Domain Admins, Enterprise Admins, or other highly privileged AD security groups |
| ISM-2049 | ISM-2049 requires that when user permissions or credentials change, all impacted users are forced to re-authenticate so existing sessions... |
| ISM-2092 | ISM-2092 requires fine-grained permissioning for AI applications, ensuring only authorised users can use AI capabilities in line with policy |
| ISM-2095 | ISM-2095 requires that unapproved AI agents are not granted access to sensitive/protected systems or data from privately-owned devices |

Partially overlaps (6)

| Control | Notes |
|---|---|
| ISM-0446 | ISM-0446 prohibits foreign nationals from having privileged access to AUSTEO/REL systems |
| ISM-0555 | ISM-0555 requires authentication and authorisation for IP telephony actions such as user registration, setting changes, and voicemail access |
| ISM-1199 | ISM-1199 requires Bluetooth pairings to be removed from relevant mobile devices once there is no longer a business requirement |
| ISM-1612 | ISM-1612 requires that break glass accounts are only used for specific authorised activities |
| ISM-1833 | Annex A 5.18 requires access rights to be provisioned and maintained according to business rules and access control policy, which typical... |
| ISM-2093 | ISM-2093 requires RBAC enforcement in AI applications so only authorised roles can access sensitive AI data |

Supports (14)

| Control | Notes |
|---|---|
| ISM-0133 | ISM-0133 requires advising the data owner and restricting access to the affected data as part of data spill response |
| ISM-0414 | Annex A 5.18 requires organisations to provision, review, modify and remove access rights based on defined access control rules |
| ISM-0432 | ISM-0432 requires that system access requirements be documented in the system security plan |
| ISM-1263 | ISM-1263 requires unique privileged user accounts to be used for administering individual server applications |
| ISM-1268 | ISM-1268 requires enforcing need-to-know for database contents using minimum privileges, database roles/views, and tokenisation |
| ISM-1422 | ISM-1422 depends on correctly provisioning and maintaining authorisations to the authoritative software source |
| ISM-1583 | ISM-1583 requires organisations to ensure contractor accounts are identifiable as contractor users within systems |
| ISM-1593 | ISM-1593 requires verification of user identity with sufficient evidence before issuing new credentials |
| ISM-1604 | ISM-1604 requires that access to the administrative interface of the software isolation mechanism is restricted as part of hardening |
| ISM-1841 | ISM-1841 requires that only authorised users can join devices to the domain, which is an access right that must be tightly controlled |
| ISM-1948 | ISM-1948 requires CA Certificate Manager approval for certificate templates that allow a supplied SAN, reducing the risk of unauthorised ... |
| ISM-2005 | ISM-2005 requires executives to understand who has access to critical systems and how that access is controlled and verified |
| ISM-2013 | ISM-2013 mandates internal APIs to authenticate and authorise clients before data modifications, supported by Annex A 5.18's requirement ... |
| ISM-2048 | Annex A 5.18 requires controlled provisioning and modification of access rights in accordance with access control rules |

Depends on (1)

| Control | Notes |
|---|---|
| ISM-0665 | ISM-0665 requires that only CISO-verified and authorised people/services can export SECRET and TOP SECRET data |

Related (4)

| Control | Notes |
|---|---|
| ISM-1255 | Annex A 5.18 requires access rights to be provisioned and maintained based on organisational access control policy and business rules |
| ISM-1404 | Annex A 5.18 requires organisations to remove or adjust access rights in line with policy and business rules, including when access is no... |
| ISM-1927 | Annex A 5.18 requires organisations to manage access rights across their lifecycle in line with access control rules |
| ISM-1946 | Annex A 5.18 requires access rights to be provisioned, reviewed, modified, and removed according to access control policy across informat... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.