130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • Control A.9.1.1: Access Control Policy
  • Control A.9.1.2: Access to Networks and Network Services
  • Control A.9.2.1: User Registration and De-registration
  • Control A.9.2.2: User Access Provisioning
  • Control A.9.2.3: Management of Privileged Access Rights
  • Control A.9.2.4: Management of Secret Authentication Information of Users
  • Control A.9.2.5: Review of User Access Rights
  • Control A.9.2.6: Removal or Adjustment of Access Rights
  • Control A.9.3.1: Use of Secret Authentication Information
  • Control A.9.4.1: Information Access Restriction
  • Control A.9.4.2: Secure Log-on Procedures
  • Control A.9.4.3: Password Management System
  • Control A.9.4.4: Use of Privileged Utility Programs
  • Control A.9.4.5: Access Control to Program Source Code

Was this helpful?

  1. ISO 27001
  2. ISO 27001 Controls and Domains

5. Access Control

This category focuses on managing access to information and information systems to ensure that only authorized users have access to specific resources. It includes defining, implementing, and monitoring access controls to protect the organization's information assets and ensure compliance with security policies.

Controls (A.9):

  • A.9.1.1: Access Control Policy

  • A.9.1.2: Access to Networks and Network Services

  • A.9.2.1: User Registration and De-registration

  • A.9.2.2: User Access Provisioning

  • A.9.2.3: Management of Privileged Access Rights

  • A.9.2.4: Management of Secret Authentication Information of Users

  • A.9.2.5: Review of User Access Rights

  • A.9.2.6: Removal or Adjustment of Access Rights

  • A.9.3.1: Use of Secret Authentication Information

  • A.9.4.1: Information Access Restriction

  • A.9.4.2: Secure Log-on Procedures

  • A.9.4.3: Password Management System

  • A.9.4.4: Use of Privileged Utility Programs

  • A.9.4.5: Access Control to Program Source Code

Control A.9.1.1: Access Control Policy

Audit Questions:

  • Is there a documented access control policy?

  • Does the policy define roles and responsibilities for access control?

  • How is the policy communicated to employees?

Common Non-Conformities (NC):

  • Lack of a documented access control policy.

  • Roles and responsibilities not defined.

  • Inadequate communication of the policy.

Control A.9.1.2: Access to Networks and Network Services

Audit Questions:

  • Are there controls to manage access to networks and network services?

  • How is unauthorized access detected and prevented?

Common Non-Conformities (NC):

  • Insufficient controls for network access.

  • Lack of monitoring for unauthorized access.

Control A.9.2.1: User Registration and De-registration

Audit Questions:

  • What processes are in place for user registration and de-registration?

  • How are access rights granted and revoked?

Common Non-Conformities (NC):

  • No formal process for user registration and de-registration.

  • Delays in revoking access for terminated users.

Control A.9.2.2: User Access Provisioning

Audit Questions:

  • How are user access rights provisioned?

  • Are there approvals required for granting access?

Common Non-Conformities (NC):

  • Inconsistent access provisioning.

  • Lack of approval process for granting access.

Control A.9.2.3: Management of Privileged Access Rights

Audit Questions:

  • How are privileged access rights managed?

  • Are there procedures for monitoring and reviewing privileged access?

Common Non-Conformities (NC):

  • Poor management of privileged access rights.

  • Lack of monitoring for privileged access.

Control A.9.2.4: Management of Secret Authentication Information of Users

Audit Questions:

  • What measures are in place to manage secret authentication information?

  • How is secret authentication information protected?

Common Non-Conformities (NC):

  • Inadequate protection of secret authentication information.

  • Lack of management controls for secret authentication information.

Control A.9.2.5: Review of User Access Rights

Audit Questions:

  • How often are user access rights reviewed?

  • Are there records of these reviews?

Common Non-Conformities (NC):

  • User access rights not reviewed regularly.

  • No records of access rights reviews.

Control A.9.2.6: Removal or Adjustment of Access Rights

Audit Questions:

  • What procedures are in place for removing or adjusting access rights?

  • How are changes to access rights communicated?

Common Non-Conformities (NC):

  • No formal procedures for removing or adjusting access rights.

  • Changes to access rights not communicated effectively.

Control A.9.3.1: Use of Secret Authentication Information

Audit Questions:

  • Are there guidelines for the use of secret authentication information?

  • How are these guidelines enforced?

Common Non-Conformities (NC):

  • Lack of guidelines for secret authentication information.

  • Poor enforcement of usage guidelines.

Control A.9.4.1: Information Access Restriction

Audit Questions:

  • How is access to information restricted based on the need to know?

  • Are there controls to prevent unauthorized access?

Common Non-Conformities (NC):

  • Insufficient access restrictions.

  • Unauthorized access not prevented effectively.

Control A.9.4.2: Secure Log-on Procedures

Audit Questions:

  • Are there secure log-on procedures in place?

  • How are these procedures communicated and enforced?

Common Non-Conformities (NC):

  • No secure log-on procedures.

  • Inadequate communication of log-on procedures.

Control A.9.4.3: Password Management System

Audit Questions:

  • What password management systems are used?

  • Are password policies enforced?

Common Non-Conformities (NC):

  • No password management system in place.

  • Weak enforcement of password policies.

Control A.9.4.4: Use of Privileged Utility Programs

Audit Questions:

  • How is the use of privileged utility programs controlled?

  • Are there logs of privileged utility program usage?

Common Non-Conformities (NC):

  • Uncontrolled use of privileged utility programs.

  • No logs of privileged utility program usage.

Control A.9.4.5: Access Control to Program Source Code

Audit Questions:

  • What controls are in place to restrict access to program source code?

  • How is access to source code monitored?

Common Non-Conformities (NC):

  • Insufficient controls for source code access.

  • Lack of monitoring for source code access.

Previous4. Asset ManagementNext6. Cryptographic Controls

Last updated 4 months ago

Was this helpful?