Access Control Procedure

History Log

Version

Date

Author

1.0

12

th

December 2019

Information Dynamics

1.1

08

th

December 2020

Saravanan

1.2

08

th

December 2021

Saravanan

Access Management Procedure

Internal 2 of 4

1. Scope

The scope will be applicable to all activities under the scope statement of Information Dynamics.

ISO 27001:2013 domain reference: A.9 - Access Control

ISO 27001:2013 Reference

A.9.2.1

User registration and de-registration

A.9.2.2

User access provisioning

A.9.2.3

Management of privilege access rights

A.9.2.5

Review of user access rights

A.9.2.6

Removal or adjustment of access rights

2. Inputs

• Service Request Management

• User Access Request

• User Access modification

• User access Revocation

3. Definitions

• Access Requestor Person initiating the access request.

4. Access Control Procedure

New User Registration Process

Logical Access

HR shall imitate an email to the IT department when the employee joins the firm. The IT

department shall provide the minimum access needed for the employee inclusive provisioning of

desktop.

Physical Access

HR shall initiate a request to the admin department when an employee joins the firm. Based on

this request the admin department configures the employee’s biometrics access to the company

Access Management Procedure

Internal 3 of 4

User access and privilege access

Access is granted by the IT admin to respective systems. However the approval for the same

should be present from the department head and the operations head.

This process is applicable also to privilege users for:

• Servers

• Network Devices

• Databases

• Applications

• Other confidential information

Change of access and removal of access

• Any user transferring between access shall be treated as a case of transfers. In case of

transfers the HR shall update the IT respective team to revoke access of the employee to

the old systems. Any new system access request shall have to go through a formal

request.

• In case of leavers, the HR shall notify the IT team regarding the last day of working of

the employee. The respective IT section shall accordingly revoke all access to the

systems and information sites. This shall also be applicable to all applications which are

not AD integrated.

Review of Access

Access Management Procedure

Internal 4 of 4

All access shall be provided only after formal approvals. All user access and privilege access

shall be reviewed atleast once in 6 months. These access shall be reviewed by the Operations

Head

If any discrepancy found in the access reviews, the access shall be removed on an immediate

basis.

5. Outputs

• Users Access Granting

• User Access reviews

6. Associated documentation

• Access Control Matrix

7. KPIs

KPIs

Frequency

Objective

Source

Target

Access review

Half

Yearly

Review of access shall provide

an understanding of process

effectiveness. Also helps

understand if there are

unauthorized access being

provided

Verification

of current

access in

systems

against

approved

tickets/

emails.

0% deviation.

Access should

match the

approvals

granted.