International Standard · ISO/IEC 27001:2022 · ISMS Certification
Do I Need User Access Review for ISO 27001?
ISO 27001 is the world’s leading information security management standard. User Access Review is not an option — it is one of the most explicitly defined controls in the entire Annex A framework.
OUR INTERPRETATION
Why does ISO 27001 mandate User Access Reviews?
Note on versions: This page covers ISO 27001:2022 (current version). Control references from 2013 (A.9.2.5 etc.) have been consolidated into 2022’s Annex A 5.18. If you are still on the 2013 version, you are in a transition period — both control sets require periodic user access reviews.
ISO 27001’s Annex A Control 5.18 — Access Rights — is one of the most prescriptive controls in the entire standard. It explicitly requires that access rights be reviewed at regular intervals, and that privilege creep be actively prevented. Auditors will look for completed review logs, decisions recorded, and access removed when no longer justified. If you cannot show the review happened, it did not happen.
Access Rights (Primary Control)
The 2022 standard consolidates all access lifecycle controls here. It explicitly requires access rights to be “provisioned, reviewed, modified and removed” throughout the user lifecycle — review is a named, non-optional step.
Access Control Policy
Requires an access control policy defining rules for granting and restricting access. Without periodic review, you cannot verify this policy is being enforced in practice — making evidence of review essential for audit.
Privileged Access Rights
Privileged and administrative accounts require more frequent review than standard users. Admin-level access that is never validated is one of the highest-risk findings in an ISO 27001 audit.
Performance Evaluation
ISO 27001’s management system clause requires organisations to monitor, measure, analyse and evaluate their ISMS. Access review results are key evidence that the ISMS is functioning as intended.
Directly from ISO 27001:2022 Annex A
Source: ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems (Annex A, Control 5.18)
Annex A Control 5.18 — Access Rights (Control Statement)
“Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organisation’s topic-specific policy on and rules for access control.”
Maps to: ISO 27001:2013 A.9.2.2, A.9.2.5, A.9.2.6
ISO 27002:2022 — Implementation Guidance for Control 5.18
“The access rights of all employees and external party users to information and associated assets should be reviewed at regular intervals. Reviews of access rights should consider: whether access rights remain appropriate given changes to roles or responsibilities; whether access rights of users have been timely removed upon termination or change; whether access rights prevent ‘permission creep’ (accumulation of access rights beyond what is needed).”
ISO 27001:2022 — Control 8.2 — Privileged Access Rights
“The allocation and use of privileged access rights shall be restricted and managed. Privileged access rights shall be reviewed at more frequent intervals than access rights for regular users.” — For admin accounts, quarterly or even monthly review cycles are expected.
Where to find this in the standard?
→ ISO/IEC 27001:2022 → Annex A → Organisational Controls → Control 5.18 (Access Rights)
→ ISO/IEC 27002:2022 → Section 5.18 → Implementation Guidance (detailed review requirements)
→ ISO/IEC 27001:2022 → Annex A → Technological Controls → Control 8.2 (Privileged Access Rights)
→ ISO/IEC 27001:2013 → Annex A → A.9.2.5 (Review of User Access Rights) — still applicable during transition
→ ISO 27001 Audit Checklist items: “Evidence of completed access reviews with timestamps and decisions”
The ISO 27001 Access Control Architecture
A.5.15 · Access Control Policy · Defines the rules. Without review, you cannot prove the policy is enforced.
A.5.18 · Access Rights — Lifecycle Management ★ REVIEW REQUIRED · Explicit requirement to review, modify, and remove access rights at regular intervals. The primary User Access Review control.
A.8.2 · Privileged Access Rights — Elevated Review Frequency · Admin accounts must be reviewed more frequently than standard users. Monthly or quarterly cycles expected.
A.5.10 · Acceptable Use of Information · Users must only access what they are authorised for. Review validates this is true in practice, not just policy.
Cl. 9.1 · Performance Evaluation & Monitoring · The ISMS must be evaluated. Access review completion rates and findings are key monitoring metrics.
Squarum's Interpretation
What do auditors actually look for?
Completed review logs with timestamps and decisions
Auditors expect to see not just a policy on paper. They want evidence: completed review records, the decisions made (retain / revoke / escalate), and dates. If it is not documented, it did not happen.
Quarterly for regular users, monthly for privileged accounts
ISO 27002 implementation guidance expects reviews at “regular intervals” — typically every 90 days for standard users and every 30 days for privileged or administrative accounts. This cadence prevents permission creep.
Leavers and movers are a red flag if not handled
Former employees still having system access is a classic red flag that ISO 27001 Control A.5.18 calls out directly. ISO auditors specifically check termination checklists and look for dormant accounts.
Access review is part of your ISMS continual improvement
ISO 27001 is not a one-time certification — it requires continual improvement. Access review data (findings, remediation rates, time-to-revoke) feeds directly into your management review and ISMS improvement cycles.
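The review cycle described above (a 90-day cadence for standard users and 30 days for privileged accounts, leavers and movers flagged, a retain / revoke / escalate decision recorded with a timestamp and reviewer, and completion counts for the Cl. 9.1 metrics) as an added Python example. This is illustration code, not Squarum's product and not text from the standard; the inventory fields, the sample data and the cadence constants are assumptions taken from this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review cadence as stated on this page (assumed, not fixed by the standard itself).
CADENCE_DAYS = {"standard": 90, "privileged": 30}

@dataclass
class AccessRight:
    user: str
    system: str
    level: str          # "standard" or "privileged"
    last_reviewed: date
    hr_status: str      # "active", "moved" (changed role) or "terminated" (leaver)

def is_due(right: AccessRight, today: date) -> bool:
    """True when the right has not been reviewed within its cadence (A.5.18 / A.8.2)."""
    return today - right.last_reviewed > timedelta(days=CADENCE_DAYS[right.level])

def recommend(right: AccessRight, today: date) -> tuple:
    """Recommended decision (retain / revoke / escalate) and the reason to record as evidence."""
    if right.hr_status == "terminated":
        return "revoke", "leaver still holds access"
    if right.hr_status == "moved":
        return "escalate", "mover: owner must confirm the new role still needs this access"
    if is_due(right, today):
        return "escalate", f"review overdue: {right.level} cadence is {CADENCE_DAYS[right.level]} days"
    return "retain", "reviewed within cadence, no HR change"

def run_review(rights, today: date, reviewer: str):
    """One review cycle: a timestamped decision record per right, plus Cl. 9.1 counts."""
    records = []
    for r in rights:
        decision, reason = recommend(r, today)
        records.append({"user": r.user, "system": r.system, "level": r.level,
                        "decision": decision, "reason": reason,
                        "reviewer": reviewer, "reviewed_on": today.isoformat()})
    metrics = {d: sum(1 for rec in records if rec["decision"] == d)
               for d in ("retain", "revoke", "escalate")}
    return records, metrics

# Constructed sample inventory and review date (not real data).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE = [
    AccessRight("alice", "crm", "standard", date(2024, 5, 1), "active"),
    AccessRight("bob", "prod-db", "privileged", date(2024, 4, 1), "active"),
    AccessRight("carol", "finance", "standard", date(2024, 5, 20), "terminated"),
    AccessRight("dave", "hr-portal", "standard", date(2024, 5, 15), "moved"),
]

if __name__ == "__main__":
    recs, counts = run_review(SAMPLE, SAMPLE_TODAY, "security-lead")
    for rec in recs:
        print(rec)
    print("metrics:", counts)
```

Each record carries the decision, reason, reviewer and date, which is the evidence shape the auditor expectations above describe; the counts feed the management review.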
Pass your ISO 27001 audit with confidence
Squarum is built for ISO 27001 Annex A 5.18 compliance — automated review cycles, structured decisions, audit evidence packages, and privileged access escalation built in.