ISO 27001 requires robust access control measures to ensure that only authorised personnel have access to information systems. The Add/Remove User Process is a critical component of these measures, ensuring that user access rights are managed effectively throughout the user lifecycle. This article explains the Add/Remove User Process, its key components, and its importance in the context of ISO 27001.
What is the Add/Remove User Process?
The Add/Remove User Process is a set of formal procedures designed to manage the granting and revocation of user access rights within an organisation's systems and services. This process is crucial for maintaining the integrity and security of information systems by ensuring that access rights are aligned with current user roles and responsibilities.
Key Components of the Add/Remove User Process
The Add/Remove User Process (such as the template included in the de.iterate platform) should include elements such as the following:
Initiation
Email Request: The process usually begins with an email request from the CEO to HR to initiate either the onboarding or offboarding process.
User Account Management
Account Creation/Removal: Based on the role-based access control (RBAC) matrix, the CEO creates or removes relevant accounts.
HR Confirmation
HR confirms, either verbally or via email, that the onboarding or offboarding process has been completed.
Onboarding Activities (for new users)
Introduction and Equipment: New users receive an introduction on their first day, including signing for any user equipment issued to them on the equipment check-in/check-out record.
Awareness and Training: New users are made aware of their roles within the Acme Inc Information Security Management System (ISMS) and complete specific cyber security awareness training.
Policy Agreement: Users confirm they have read and agree to all company policies.
Password and Account Security Settings
Secure Delivery: Passwords are sent to users separately from their login ID, using secure methods such as SMS or Signal with disappearing messages enabled.
Password Reset: Users are required to reset their passwords on first use.
Two-Factor Authentication (2FA): Users are instructed to enable 2FA on all accounts where possible.
Document Control
Maintaining documentation, including the policy owner, classification, publication date, and review schedule.
Importance of the Add/Remove User Process in ISO 27001
Access Control: Ensures strict control over who has access to information systems, a requirement under ISO 27001 to protect against unauthorised access.
Security Posture: Enhances the overall security posture by regularly updating access rights in line with user job functions and organisational changes.
Compliance and Audit Readiness: Facilitates compliance with ISO 27001 and readiness for audits by maintaining accurate records of access rights and their alignment with security policies.
Risk Management: Reduces security risks associated with improper access rights, such as potential data breaches or insider threats.
Best Practices for Implementing the Add/Remove User Process
Automate Where Possible: Use identity and access management (IAM) tools to automate the process of adding and removing users to reduce errors and increase efficiency.
Regular Reviews: Periodically review user access rights to ensure they are still appropriate for each user’s role and responsibilities.
Comprehensive Training: Ensure that all staff involved in the process are trained on the importance of secure handling of user access and are aware of the procedures.
Monitor and Audit: Regularly monitor the implementation of the process and conduct audits to ensure compliance and identify any areas for improvement.
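The automation and periodic-review practices above can be exercised as a reconciliation check: derive the expected access from the HR roster and the RBAC matrix, compare it with what systems actually grant, and report leavers still active, entitlements outside a user's role, and accounts with no HR record. The following is an added example, not the de.iterate template or any real organisation's data; the roster, matrix and access snapshot are all constructed.

```python
"""Access review reconciliation (added example, not de.iterate's template).
Compares HR roster + RBAC matrix against actual grants; all data constructed."""
from dataclasses import dataclass, field

# Constructed RBAC matrix: role -> entitlements that role may hold.
RBAC_MATRIX = {
    "engineer": {"vpn", "git", "ci"},
    "finance": {"vpn", "erp"},
}

# Constructed HR roster: user -> (role, still employed?).
HR_ROSTER = {
    "alice": ("engineer", True),
    "bob": ("finance", True),
    "carol": ("engineer", False),   # offboarded, accounts should be gone
}

# Constructed snapshot of what the systems actually grant today.
ACTUAL_ACCESS = {
    "alice": {"vpn", "git", "ci"},
    "bob": {"vpn", "erp", "git"},   # git is outside the finance role
    "carol": {"vpn", "git"},        # leaver still active
    "dave": {"vpn"},                # no HR record at all
}


@dataclass
class ReviewFindings:
    leavers_still_active: list = field(default_factory=list)
    excess_entitlements: dict = field(default_factory=dict)
    unknown_accounts: list = field(default_factory=list)


def review_access(roster, matrix, actual) -> ReviewFindings:
    """Return the discrepancies a periodic access review should raise."""
    findings = ReviewFindings()
    for user, granted in sorted(actual.items()):
        if user not in roster:              # account with no owner on record
            findings.unknown_accounts.append(user)
        elif not roster[user][1]:           # offboarded but not removed
            findings.leavers_still_active.append(user)
        else:                               # employed: check role bounds
            excess = granted - matrix.get(roster[user][0], set())
            if excess:
                findings.excess_entitlements[user] = sorted(excess)
    return findings
```

Calling review_access(HR_ROSTER, RBAC_MATRIX, ACTUAL_ACCESS) on the constructed data reports carol as a leaver still active, bob's extra git grant, and dave as an account with no HR record.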