Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook
Topics
ISO 27001
NIS2
Getting started
Framework management
Product security
Settings & advanced
Trial and subscription
User management
Community
Documentation
Personnel guidelines
Reporting
Task management
GDPR
Internal auditing
Personnel security
Risk management
Working as a partner
Continuous improvement
Team collaboration
Show all topics
Webinars
ISO 27001: Build a cyber security plan, that gets you compliant
NIS2: Intro to NIS2 Directive and Cyberday
Show all webinars
Videos
Asset documentation
Continuously improving your ISMS
Cyberday overall intro
ISO 27001 and certification audit fundamentals
ISO 27001 and personnel awareness
ISO 27001 and risk management
ISO 27001 introduction
NIS2 introduction
Show all videos
Helps
Documentation
For admins
For partners
Frameworks
Guideline mgmt
Other features
Reporting
Setup and integrations
Task mgmt
User management
Show all helps
Blogs
Cannes Hospital data breach, the impact of AI and NIS2 evolution: the Cyberday product and news round-up 5/2024 🛡️
6 ways to assess security work effectiveness
Access Control & MFA (NIS2 21.2): Build A Solid Foundation with ISO 27001 Best Practices
Understanding HR Security Basics for ISO 27001 & NIS2 Compliance
Build your NIS2 measures for Business Continuity and Backups with ISO 27001
Show all blogs
Content library
Kiitos! Saat jatkossa uutiskirjeen sähköpostiisi joka perjantai.
Valitettavasti jotain meni pieleen. Voit olla yhteydessä tiimi@tietosuojamalli.fi.
Kiitos! Saat jatkossa uutiskirjeen sähköpostiisi joka perjantai.
Valitettavasti jotain meni pieleen. Voit olla yhteydessä tiimi@tietosuojamalli.fi.
Cyberday.ai
Get started
Login
Content library
ISO 27001

Access rights

5.18
ISO 27001

Regular reviewing of data system access rights

Critical
High
Normal
Low

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

See an example process description from task's page
Connected other frameworks and requirements:
I06: Pääsyoikeuksien hallinnointi
4 luku, 16 §: Tietojärjestelmien käyttöoikeuksien hallinta
24. Responsibility of the controller
GDPR
32. Security of processing
GDPR
5. Principles relating to processing of personal data
GDPR

Instructions for reporting changes affecting access rights

Critical
High
Normal
Low

Supervisors have been instructed to notify the owners of data systems in advance of significant changes in the employment relationships of subordinates, such as promotions, discounts, termination of employment or other changes in the job role.

Based on the notification, a person's access rights can be updated either from the centralized management system or from individual data systems.

See an example process description from task's page
Connected other frameworks and requirements:
9.2.6: Removal or adjustment of access rights
ISO 27001
I06: Pääsyoikeuksien hallinnointi
PR.AC-1: Identity and credential management
NIST CSF
5.18: Access rights
ISO 27001

Review of access right for changed employee roles

Critical
High
Normal
Low

In all changes on employment relationship, access rights should be reviewed in cooperation with the owners of the protected property and re-granted to the person completely when there is a significant change in the person's employment. A change can be a promotion or a change of role (e.g., moving from one unit to another).

See an example process description from task's page
Connected other frameworks and requirements:
9.2.5: Review of user access rights
ISO 27001
5.18: Access rights
ISO 27001
4.2 (MIL1): Control Logical Access
C2M2

Restriction of access rights at high risk times of employment

Critical
High
Normal
Low

If a person's employment is terminating or significantly changing, the reduction of access rights to assets should be considered, depending on the following:

  • a person’s reluctance towards the upcoming change
  • the extent of the person’s current access rights and responsibilities
  • the value of the assets to which the employee has access
See an example process description from task's page
Connected other frameworks and requirements:
9.2.6: Removal or adjustment of access rights
ISO 27001
5.18: Access rights
ISO 27001

Identification and management of shadow IT

Critical
High
Normal
Low

On average, the IT administrator estimates that staff use about 50 cloud services when the actual number is 1,000. Many of these are important for staff productivity and are used outside the organization’s network, so firewall rules do not solve the challenge.

Systems that focus on identifying and managing cloud services allow you to identify the cloud services used by your staff and monitor users of different services. This helps e.g.:

  • determine our own level of risk with respect to data in cloud services
  • review used services in regard to security
  • be able to report as required, e.g. on the location of data and data processors
See an example process description from task's page
Connected other frameworks and requirements:
9.2.2: User access provisioning
ISO 27001
5.18: Access rights
ISO 27001

Arranging training and guidance during orientation (or before granting access rights)

Critical
High
Normal
Low

Before granting access rights to data systems with confidential information employees have:

  • received appropriate guidance on their security responsibilities (including reporting responsibilities and responsibility for their own devices)
  • received appropriate guidance on their security roles related to their own role (including digital security rules related to their role and information systems and their acceptable use)
  • received information from cyber security contacts who can be asked for more information
See an example process description from task's page
Connected other frameworks and requirements:
7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
9.2.2: User access provisioning
ISO 27001
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
PR.IP-11: Cybersecurity in human resources
NIST CSF
No items found.

Subscribe to Academy today

Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.

Kiitos! Saat jatkossa uutiskirjeen sähköpostiisi joka perjantai.
Valitettavasti jotain meni pieleen. Voit olla yhteydessä tiimi@tietosuojamalli.fi.
Topics
Settings & advanced
Getting started
NIS2
Task management
Documentation
Show all
Webinars
ISO 27001: Build a cyber security plan, that gets you compliant
NIS2: Intro to NIS2 Directive and Cyberday
Show all
Videos
ISO 27001 introduction
NIS2 introduction
ISO 27001 and certification audit fundamentals
Asset documentation
ISO 27001 and personnel awareness
Show all
Helps
Documentation
For partners
Other features
Reporting
Guideline mgmt
Show all
Blogs
Cannes Hospital data breach, the impact of AI and NIS2 evolution: the Cyberday product and news round-up 5/2024 🛡️
6 ways to assess security work effectiveness
Access Control & MFA (NIS2 21.2): Build A Solid Foundation with ISO 27001 Best Practices
Understanding HR Security Basics for ISO 27001 & NIS2 Compliance
Build your NIS2 measures for Business Continuity and Backups with ISO 27001
Show all
Content library
Open content libraryLabs
Kiitos! Saat jatkossa uutiskirjeen sähköpostiisi joka perjantai.
Valitettavasti jotain meni pieleen. Voit olla yhteydessä tiimi@tietosuojamalli.fi.