Requirement
Requirement lens
This control asks whether privileged access rights are restricted, approved, managed, logged, reviewed, and removed when no longer needed.
“The allocation and use of privileged access rights shall be restricted and managed.”
Plain-language meaning
Privileged access allows users to administer systems, override controls, change configurations, access sensitive data, or recover systems during failure. Because privileged access can bypass normal controls, it must be limited to people who need it, for the time they need it, and under monitoring.
Why this matters
Uncontrolled privilege is a common cause of breaches. Too many administrators, shared admin accounts, unreviewed emergency access, or permanent privilege for convenience can lead to data exposure, unauthorized changes, loss of availability, and weak accountability.
Implementation guidance
Implementer focus
Privileged access should be a controlled exception, not a shortcut. Grant it based on need-to-use, log it, review it, and remove it quickly.
1. Define privileged access
Examples include:
- system administrator rights;
- database administrator rights;
- security tool administrator rights;
- cloud tenant/subscription owner roles;
- root or superuser accounts;
- domain administrator rights;
- service account privilege;
- emergency/break-glass access;
- safe codes and secure-area access codes where they override controls.
2. Approve privileges based on business justification
Privilege should require:
- owner approval;
- business justification;
- defined scope;
- separate privileged identity where possible;
- expiry or review date;
- logging and monitoring;
- emergency access procedure where needed.
3. Use separate privileged identities
For critical administration, users should have a separate privileged account rather than using their normal user account. Privileged use should be traceable to an individual.
4. Control emergency privilege
Emergency access may be needed for recovery. It should have strict procedure, logging, management notification, post-use review, and restoration checks.
5. Monitor, log, and review privileged activity
Privileged access should be logged and reviewed. Logs should be protected from modification and retained long enough to support investigation and audit.
Audit guidance
Auditor focus
Test whether privilege is granted on need-to-use, whether separate admin IDs exist, whether use is logged, and whether emergency privilege is reviewed after use.
Auditors should verify:
- privileged access register;
- approval and business justification;
- separate privileged accounts for critical functions;
- no default full-admin access where lesser privilege is possible;
- privileged activity logs;
- log protection and retention;
- periodic access reviews;
- immediate removal when no longer needed;
- emergency access procedure and use records;
- post-incident restoration and review;
- monitoring by more than one person where appropriate.
Interview privileged users and compare their answers to logs and access records.
Evidence examples
Evidence quality
Strong evidence proves privileged access is justified, traceable, monitored, reviewed, and removed.
| Evidence | What it proves |
|---|---|
| Privileged access policy/procedure | Rules are defined |
| Privileged access register | Privileges are known |
| Access approval records | Business justification exists |
| Separate admin account records | Privileged use is distinct |
| Privileged activity logs | Use is traceable |
| Log review records | Monitoring occurs |
| Emergency access records | Break-glass use is controlled |
| Access review/removal records | Privilege is not retained unnecessarily |
Strong evidence
- Privileges are approved based on business need.
- Privileged accounts are separate from normal accounts where feasible.
- Privileged activity is logged and reviewed.
- Logs are protected from modification.
- Emergency access is time-bound and reviewed.
- Privilege is removed when no longer required.
Weak evidence
- Admin rights are granted by default.
- Shared administrator accounts are used.
- Privileged logs are unavailable or modifiable.
- Emergency access is informal.
- Senior staff retain privilege without need.
- Privilege reviews happen but do not remove access.
Common failures
Implementation watchouts
A.8.2 fails when privilege becomes a convenience entitlement instead of a controlled, monitored capability.
| Failure | Why it matters |
|---|---|
| Too many admins | Attack surface and misuse risk increase |
| Shared privileged accounts | Accountability is lost |
| No separate admin identity | Privileged actions blend into normal user activity |
| No emergency access review | Control bypass may remain uncorrected |
| Logs not reviewed | Misuse is not detected |
| Privilege not removed | Old access becomes breach path |
Exam traps
Exam focus
A.8.2 is about both allocation and use of privilege. Approval alone is not enough.
| Trap | Correct interpretation |
|---|---|
| Privilege is acceptable if the user is trusted | Privilege still needs business need, approval, logging, and review |
| Full admin is easiest and therefore acceptable | Least privilege should be used where possible |
| Emergency privilege can be informal | Emergency access needs procedure, logging, review, and restoration checks |
| Shared admin accounts are efficient | They weaken accountability |
| Privileged access review is enough | Actual privileged activity should also be logged and reviewed |
Related controls and concepts
- A.8 Technological Controls MOC
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.17 Authentication Information
- A.5.18 Access Rights
- A.5.24 Information Security Incident Management Planning and Preparation
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- A.5.28 Collection of Evidence
- Risk Assessment
- Privileged Access Register
- Privileged Access Review Checklist
- Emergency Privileged Access Record
- Privileged Activity Log Review Checklist
- A.8.2 Audit Evidence Pack
- A.8.2 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.2 restricts and manages powerful access. Strong implementation proves who has privilege, why they have it, when they use it, who reviews it, and when it is removed.
- Grant privilege only with business justification.
- Use separate named privileged accounts where feasible.
- Log and review privileged activity.
- Control emergency privilege tightly.
- Remove privilege when no longer needed.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Privileged access
- Audit
Note Metadata
Aliases: A.8.2, Privileged Access Rights
Source: 05 Annex A Technological Controls/A.8.2 Privileged Access Rights.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- A.8.2 Audit Evidence Pack
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.2 Privileged Access Rights
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-027 - Endpoint, Privileged Access, and Information Access Restriction
- ISO 27002 Annex A Control Interpretation Map
- A.8.2 Audit Checklist
- Dynamic Privilege Session Record
- Emergency Privileged Access Record
- Log Integrity and Access Review Checklist
- Privileged Access Register
- Privileged Access Review Checklist
- Privileged Activity Log Review Checklist
- Secure Authentication Standard
- Source Code Access Register
- Annex A Controls MOC