Organisational | Preventive | Protect

A.5.18 Access Rights

M365 Admin Path: Microsoft Entra admin centre > Identity Governance > Entitlement management

Evidence Source: Microsoft Entra ID

What is this control?

ISO 27001 control A.5.18 Access Rights ensures that access to information and organisational assets is defined, provisioned, reviewed, and revoked according to business requirements using the principle of least privilege. The control implements a formal, auditable lifecycle for all access rights including provisioning, review, modification, and revocation using Microsoft Entra ID Access Packages, PIM, and Access Reviews.

How to implement in Microsoft 365

Implement A.5.18 with a baseline access model: during onboarding, the Joiner workflow automatically provisions users into the security groups that match their job role (RBAC). For any additional access, users submit requests through Microsoft Entra Access Packages, which require business-owner approval. Configure Microsoft Entra PIM so that users are eligible for privileged roles rather than permanently assigned to them, with just-in-time (JIT) activation and approval workflows.

Using Microsoft Entra Identity Governance, configure Access Reviews quarterly for privileged roles, quarterly for contractor groups, and bi-annually for standard groups. Implement a Mover workflow that reviews all group memberships whenever a user's role changes.

What an auditor looks for

Auditors will verify that Access Packages are configured with approval policies that route requests to business owners. They will check that Microsoft Entra Access Reviews are configured and executed, with documented approval or denial decisions. Auditors will also review the documented Power Automate Joiner, Mover, and Leaver (JML) workflows, confirming that each includes approval steps and an audit trail.

They will verify that the PIM configuration implements an eligible-rather-than-active privileged access model. Auditors will examine access review results demonstrating periodic re-certification of access rights.
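The "eligible rather than active" PIM model described in the implementation and auditor sections above can be checked with Microsoft Graph PowerShell. The script below is an added example, not part of the original page or a Microsoft artefact; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can read directory role management data (Entra ID P2 / PIM in use), and that the three role names listed are the privileged roles in scope, which is an assumption to adjust for your tenant.

```powershell
# Added example: report standing (permanent, active) assignments on privileged Entra roles,
# which the page's PIM model says should instead be eligible assignments activated just-in-time.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Assumed set of in-scope privileged roles; extend to your own tier-0 role list.
$privilegedRoles = @("Global Administrator", "Privileged Role Administrator", "Security Administrator")

# Resolve role display names to unifiedRoleDefinition IDs.
$roleDefs = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $privilegedRoles -contains $_.DisplayName }
$roleIds = @($roleDefs.Id)

# Active assignment instances: AssignmentType 'Assigned' is a direct (standing) assignment,
# 'Activated' is a JIT activation of an eligibility and is expected under the PIM model.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $roleIds -contains $_.RoleDefinitionId }

# Eligible assignment instances: the desired state for privileged roles.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
    Where-Object { $roleIds -contains $_.RoleDefinitionId }

# A finding is a direct assignment with no end date, i.e. permanent standing privilege.
$findings = foreach ($a in $active) {
    if ($a.AssignmentType -eq "Assigned" -and -not $a.EndDateTime) {
        [pscustomobject]@{
            Role        = ($roleDefs | Where-Object Id -eq $a.RoleDefinitionId).DisplayName
            PrincipalId = $a.PrincipalId
            MemberType  = $a.MemberType    # Direct, or Group if inherited via role-assignable group
            Issue       = "Permanent active assignment; expected PIM-eligible with JIT activation"
        }
    }
}

"Eligible assignments on in-scope privileged roles : $(@($eligible).Count)"
"JIT-activated assignments currently active        : $(@($active | Where-Object AssignmentType -eq 'Activated').Count)"
"Permanent standing assignments (findings)         : $(@($findings).Count)"
$findings | Sort-Object Role | Format-Table -AutoSize
```

Group-based findings (MemberType Group) point at a role-assignable group whose membership should itself be covered by the quarterly privileged-role access review.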

M365 capabilities that implement this control

Entra ID CIS Hardening (Identity) Foundation

CIS M365 v6.0.1 Entra ID hardening: guest access, consent, group creation, app registration, PIM approval, device join

Privileged Identity Management Endpoint

Entra ID PIM for just-in-time privileged access, cloud-only accounts, access reviews

Access Reviews - Basic Info Gov

Quarterly access reviews for privileged roles and groups

Access Reviews - Full Info Gov

Comprehensive access reviews including application access