Management of Privileged Access Rights
Control and limit who gets special access to sensitive systems to keep them secure.
Plain language
This control is about managing who gets special access to sensitive parts of your computer systems. If you don't handle it properly, unauthorised people might get into critical areas, which could lead to data leaks or system breakdowns, jeopardising your business's security and reputation.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Technological controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 12 Apr 2026
Maturity levels: N/A
Official control statement
The allocation and use of privileged access rights shall be restricted and managed.
Why it matters
If privileged access is not tightly managed, attackers can gain control over vital systems, leading to data theft, operational disruptions, and reputational harm.
Operational notes
Regularly review and adjust privilege allocations, ensuring access matches current roles and requires justification for changes.
Implementation tips
- IT managers should identify which team members need special access to sensitive systems. Start by listing roles that require heightened access, like system administrators, and ensure they have a justifiable reason for needing it.
- HR and the IT manager should work together to approve who gets special access. Create a standard process for requesting and approving these access rights, aligning with policies like the OAIC guidelines on personal data protection.
- The IT department should set up systems to automatically expire special access rights when they are no longer needed. For example, use automated reminders and software tools to review and revoke access after a specified time, ensuring compliance with CPS 234 requirements.
- Make sure all staff with special access rights are aware of their responsibilities. Regularly train these individuals about the significance of their access and the privacy obligations under the Privacy Act 1988.
- The IT manager should routinely audit privileged access rights. Conduct regular checks, especially after staff changes, to ensure that only those who should have special access actually have it, following ASD Essential Eight guidelines.
Audit / evidence tips
- Ask: a list of users with privileged access rights. Good: ensure that only necessary personnel have access, with clear rationales provided.
- Ask: documentation on the access approval process. Good: include a formal procedure with evidence of compliance and adherence to policies.
- Ask: records of expired access rights. Good: show a systematic and recent audit trail of access rights changes.
- Ask: how users are informed of their privileged access rights and responsibilities. Good: provide clear evidence of regular training sessions aligned with their access privileges.
- Ask: logs of privileged access activities. Good: show consistent and thorough documentation of when and what systems were accessed.
Cross-framework mappings
How Annex A 8.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8

- Partially meets (9)
- Supports (1)
- Related (2)
ASD ISM

Partially meets (25)

| Control | Notes |
|---|---|
| ISM-0443 | ISM-0443 requires that temporary access is not granted to systems handling caveated or sensitive compartmented information |
| ISM-0445 | ISM-0445 requires organisations to assign privileged users a dedicated privileged account used solely for privileged activities |
| ISM-0447 | ISM-0447 requires that foreign nationals (except seconded foreign nationals) are not granted privileged access to systems that process, s... |
| ISM-0611 | ISM-0611 requires that gateway system administrators are assigned the minimum privileges required to perform their duties |
| ISM-1175 | ISM-1175 requires privileged user accounts (unless explicitly authorised) to be prevented from accessing the internet, email and web serv... |
| ISM-1249 | ISM-1249 requires server applications to use separate user accounts and least privilege to perform their functions |
| ISM-1263 | ISM-1263 requires unique privileged user accounts to be used for administering individual server applications |
| ISM-1507 | ISM-1507 requires organisations to verify (validate) privileged access requests when they are first raised, focusing on the authorisation... |
| ISM-1612 | ISM-1612 requires that break glass accounts are only used for specific authorised activities |
| ISM-1620 | ISM-1620 requires a specific mechanism for securing privileged accounts by placing them in the AD Protected Users security group |
| ISM-1648 | ISM-1648 requires a specific administrative action: disabling privileged access after 45 days of inactivity |
| ISM-1649 | ISM-1649 requires the use of just-in-time administration for system administration, reducing persistent privileged access |
| ISM-1688 | ISM-1688 requires that unprivileged user accounts cannot log on to privileged operating environments |
| ISM-1835 | ISM-1835 requires privileged Active Directory (AD) accounts to be configured as sensitive so they cannot be delegated, reducing the risk ... |
| ISM-1846 | ISM-1846 requires that the **Pre-Windows 2000 Compatible Access** group has no user accounts, removing an obsolete mechanism that can gra... |
| ISM-1883 | ISM-1883 requires privileged accounts authorised to access online services to be strictly limited to what is necessary for duties |
| ISM-1927 | ISM-1927 requires restricting access to specific Microsoft identity servers to privileged users who require access |
| ISM-1934 | ISM-1934 requires periodic (at least annual) review of DCSync permissions and removal if there is no ongoing requirement |
| ISM-1936 | ISM-1936 requires that Active Directory user accounts do not use the sIDHistory attribute, reducing the risk of unintended or covert priv... |
| ISM-1940 | ISM-1940 requires that service accounts are not members of highly privileged Active Directory groups (e.g., Domain Admins/Enterprise Admins) |
| ISM-1942 | ISM-1942 requires that the Active Directory **Domain Computers** group is not a member of any privileged or highly-privileged security gr... |
| ISM-1946 | ISM-1946 requires that unprivileged user accounts do not have write access to certificate templates to prevent unauthorised changes to PK... |
| ISM-1949 | ISM-1949 mandates dedicated, non-reused accounts for administering AD FS servers to control and segregate privileged access |
| ISM-1952 | ISM-1952 requires that privileged user accounts are not synchronised between Microsoft AD DS and Microsoft Entra ID to reduce the risk of... |
| ISM-2048 | ISM-2048 requires that non-administrative users are prevented from altering their own profile permissions or privileges in software that ... |

Partially overlaps (9)

| Control | Notes |
|---|---|
| ISM-0415 | ISM-0415 requires strict governance over shared user accounts and unique identification of each person who uses them to maintain accounta... |
| ISM-0446 | ISM-0446 requires that foreign nationals (including seconded foreign nationals) are not granted privileged access to systems processing, ... |
| ISM-1250 | Annex A 8.2 requires privileged access rights to be restricted and managed to ensure elevated capabilities are tightly controlled |
| ISM-1487 | Annex A 8.2 requires privileged access rights to be restricted and managed, including limiting who can perform high-impact administrative... |
| ISM-1508 | Annex A 8.2 requires the allocation and use of privileged access rights to be restricted and managed |
| ISM-1591 | ISM-1591 requires suspension or removal of access when malicious activity is detected to contain harm quickly |
| ISM-1614 | ISM-1614 mandates changing break glass credentials after emergency access to mitigate credential exposure risk |
| ISM-1706 | Annex A 8.2 requires privileged access rights to be restricted and managed to prevent misuse of elevated permissions |
| ISM-1932 | Annex A 8.2 requires privileged access rights to be restricted and managed to reduce the risk of misuse or compromise |

Supports (18)

| Control | Notes |
|---|---|
| ISM-0078 | ISM-0078 requires that systems handling AUSTEO/AGAO data remain under the control of an Australian national working for or on behalf of t... |
| ISM-0407 | ISM-0407 requires a secure, life-of-system record for each user covering authorisation, access grant dates, access level, reviews, change... |
| ISM-0432 | ISM-0432 requires documenting system access requirements, including for sensitive resources, in a system security plan |
| ISM-0629 | ISM-0629 requires that shared gateway components between different security domains are managed by administrators from the higher securit... |
| ISM-0665 | ISM-0665 requires that only CISO-verified and authorised people and services can be trusted sources for exporting SECRET and TOP SECRET data |
| ISM-1297 | ISM-1297 requires organisations to change or disable default accounts on network devices so privileged or built-in access cannot be obtai... |
| ISM-1392 | ISM-1392 requires that only approved users can modify approved files and write to approved folders when path rules are used for applicati... |
| ISM-1422 | ISM-1422 necessitates preventing unauthorised access to software sources by controlling high-risk accounts |
| ISM-1583 | ISM-1583 requires organisations to label contractor personnel distinctly from other users in systems |
| ISM-1593 | ISM-1593 requires verifying a person's identity before issuing new credentials to reduce risks of illegitimate privileged access |
| ISM-1604 | ISM-1604 requires restricting access to the administrative interface used to manage the isolation mechanism, reducing who can administer ... |
| ISM-1619 | ISM-1619 addresses secure use of service identities by requiring service accounts to be implemented as gMSAs, reducing unmanaged privileg... |
| ISM-1685 | ISM-1685 requires that critical account credentials (break glass, local administrator and service accounts) are long, unique, unpredictab... |
| ISM-1834 | ISM-1834 requires organisations to ensure duplicate SPNs do not exist in the domain, reducing the likelihood of ambiguous Kerberos servic... |
| ISM-1898 | ISM-1898 requires Secure Admin Workstations for administrative activities to reduce the likelihood of privileged access being abused or s... |
| ISM-1948 | ISM-1948 requires CA Certificate Manager approval before enabling certificate templates that let requesters supply SANs, limiting a commo... |
| ISM-1950 | ISM-1950 requires organisations to disable soft matching between Microsoft AD DS and Microsoft Entra ID after initial synchronisation to ... |
| ISM-2005 | ISM-2005 requires the board or executive committee to understand critical systems and who has access, including the adequacy of protectio... |

Related (6)

| Control | Notes |
|---|---|
| ISM-1647 | Annex A 8.2 requires privileged access rights to be restricted and managed through their lifecycle |
| ISM-1650 | Annex A 8.2 requires privileged access rights to be restricted and managed, which typically includes accountability mechanisms around pri... |
| ISM-1827 | Annex A 8.2 requires privileged access rights to be restricted and managed, including controlling the allocation and use of administrativ... |
| ISM-1842 | Annex A 8.2 requires privileged access rights to be restricted and managed so only authorised entities can perform high-impact actions |
| ISM-1939 | Annex A 8.2 requires privileged access rights to be restricted and managed, including limiting who holds highly privileged permissions |
| ISM-1958 | Annex A 8.2 requires privileged access rights to be restricted and managed, including controlling where and how highly privileged rights ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.