This article provides an overview of access control and why it is important for information security as part of ISO 27002 compliance.

The objective of access control is to limit access to information and information processing facilities.

The objective of user access management is to ensure authorized user access and to prevent unauthorized access to systems and services.

The objective of user responsibilities is to make users accountable for safeguarding their authentication information.

The objective of system and application access control is to prevent unauthorized access to systems and applications.

Business requirements of access control:

  1. Access control policy – an access control policy should be established, documented and reviewed based on business and information security requirements.
  2. Access to networks and network services – users should only be provided with access to the network and network services that they have been specifically authorized to use.

User access management:

  1. User registration and de-registration – a formal user registration and de-registration process should be implemented to enable assignment of access rights.
  2. User access provisioning – A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.
  3. Management of privileged access rights – the allocation and use of privileged access rights should be restricted and controlled.
  4. Management of secret authentication information of users – the allocation of secret authentication information should be controlled through a formal management process.
  5. Review of user access rights – asset owners should review users’ access rights at regular intervals.
  6. Removal or adjustment of access rights – the access rights of all employees and external party users to information and information processing facilities should be removed upon termination of employment, contract or agreement, or adjusted upon change.
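The registration, privileged-access, review and removal controls above come together in a periodic access review. The following script is an added example (not from the article or from ISO 27002) that reconciles a constructed HR roster against a constructed account export from one system and reports what an asset owner would act on: accounts of terminated people, accounts with no HR record, and accounts whose last review is older than the allowed interval, with a shorter interval for privileged roles. The field names (`user_id`, `status`, `roles`, `last_review`) and the role name `admin` are hypothetical.

```python
"""Access review reconciliation (added example; data and field names are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: who is currently employed or contracted.
HR_ROSTER = [
    {"user_id": "alice", "status": "active"},
    {"user_id": "bob", "status": "terminated", "end_date": "2024-03-31"},
    {"user_id": "carol", "status": "active"},
    {"user_id": "dave", "status": "active"},
]

# Constructed account export from one system: roles held and date of last review.
ACCOUNTS = [
    {"user_id": "alice", "roles": ["reader"], "last_review": "2024-05-01"},
    {"user_id": "bob", "roles": ["reader", "admin"], "last_review": "2024-01-15"},
    {"user_id": "carol", "roles": ["admin"], "last_review": "2023-10-01"},
    {"user_id": "eve", "roles": ["reader"], "last_review": "2024-05-01"},
]

# Roles treated as privileged access rights; hypothetical role name.
PRIVILEGED_ROLES = {"admin"}


@dataclass
class Finding:
    user_id: str
    issue: str
    action: str


def review_access(hr_roster, accounts, today_iso, review_days=90, privileged_review_days=30):
    """Return one Finding per account that needs action from the asset owner."""
    today = date.fromisoformat(today_iso)
    known = {r["user_id"] for r in hr_roster}
    active = {r["user_id"] for r in hr_roster if r["status"] == "active"}
    findings = []
    for acct in accounts:
        uid = acct["user_id"]
        privileged = bool(set(acct["roles"]) & PRIVILEGED_ROLES)
        if uid not in known:
            # Orphan account: no person in HR owns it, so de-registration never happened.
            findings.append(Finding(uid, "no HR record for account", "disable and investigate"))
            continue
        if uid not in active:
            # Leaver still holding access: rights must be removed on termination.
            findings.append(Finding(uid, "account belongs to a terminated person", "remove all access rights"))
            continue
        interval = privileged_review_days if privileged else review_days
        last_review = date.fromisoformat(acct["last_review"])
        age = (today - last_review).days
        if age > interval:
            # Review overdue; privileged rights are reviewed more often.
            what = "privileged access rights" if privileged else "access rights"
            findings.append(Finding(uid, f"{what} not reviewed for {age} days", "owner re-certifies or revokes"))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ACCOUNTS, "2024-06-01"):
        print(f"{f.user_id:8} {f.issue:45} -> {f.action}")
```

Run against the constructed data with a review date of 2024-06-01, the script flags `bob` (terminated but still holding admin), `carol` (privileged rights not reviewed for 244 days) and `eve` (no HR record); `alice` passes and `dave` simply has no account on this system. In a real review the HR roster and account export would come from the HR system and the target system's identity store, and the findings would feed a ticket to the asset owner.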

User responsibilities:

  1. Control – users should be required to follow the organization’s practices in the use of secret authentication information.
  2. Guidelines – all users should be advised to keep secret authentication information confidential, ensuring that it is not divulged to any other parties, including people in authority. Avoid keeping a record (e.g. on paper, in a software file or on a hand-held device) of secret authentication information, unless it can be stored securely and the method of storage has been approved (e.g. a password vault).

System and application access control:

  1. Information access restriction – access to information and application system functions should be restricted in accordance with the access control policy.
  2. Secure log-on procedures – where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.
  3. Password management system – password management systems should be interactive and should ensure quality passwords.
  4. Use of privileged utility programs – the use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.
  5. Access control to program source code – access to program source code should be restricted. Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) should be strictly controlled, in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes, as well as to maintain the confidentiality of valuable intellectual property. For program source code, this can be achieved by controlled central storage of such code, preferably in program source libraries.
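Item 3 asks for a password management system that is interactive and ensures quality passwords. The following is an added example (not from the article or from ISO 27002) of the check such a system runs when a user chooses a new password: it returns every reason the candidate is rejected, so the user can correct it, rather than a bare failure. The compromised-password list is a small constructed sample, and the password history is kept as salted PBKDF2 digests so that reuse can be detected without storing old passwords in clear.

```python
"""Password quality check for a password management system (added example)."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample of commonly compromised passwords; a real deployment
# would check against a full breached-password list.
COMPROMISED = {"password", "password123", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 100_000

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def history_entry(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Hash a password for the reuse history with a per-entry random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def reused(candidate: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, cand_digest = history_entry(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):
            return True
    return False


def check_password(candidate: str, username: str, history: List[HistoryEntry]) -> List[str]:
    """Return the reasons the candidate is rejected; an empty list means it is accepted."""
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Also strip a trailing run of digits/'!' so trivial variants of a known
    # compromised password ("Password123!") are caught.
    if lowered in COMPROMISED or lowered.rstrip("0123456789!") in COMPROMISED:
        reasons.append("appears in a list of compromised passwords")
    if username and username.lower() in lowered:
        reasons.append("contains the user name")
    if len(set(candidate)) < 5:
        reasons.append("too few distinct characters")
    if reused(candidate, history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return reasons


if __name__ == "__main__":
    # Constructed usage: one previous password on file for user "alice".
    alice_history = [history_entry("Old-Password-2023!")]
    for pw in ["Passw0rd", "Password123!", "Old-Password-2023!", "correct horse battery staple"]:
        verdict = check_password(pw, "alice", alice_history)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The checker reports all failing rules at once, which is what makes the system interactive rather than a silent reject; the history comparison re-derives the digest with the stored salt and compares it in constant time, so the stored history never reveals the old passwords themselves.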

For more information please contact Morland-Austin at info@morland-austin.com.