Access Control Procedure
History Log

Version | Date                | Author
1.0     | 12th December 2019  | Information Dynamics
1.1     | 08th December 2020  | Saravanan
1.2     | 08th December 2021  | Saravanan
Access Management Procedure
Internal 2 of 4
1. Scope
This procedure applies to all activities covered by the scope statement of Information Dynamics.
ISO 27001:2013 domain reference: A.9 - Access Control

ISO 27001:2013 Reference | Control
A.9.2.1 | User registration and de-registration
A.9.2.2 | User access provisioning
A.9.2.3 | Management of privileged access rights
A.9.2.5 | Review of user access rights
A.9.2.6 | Removal or adjustment of access rights
2. Inputs
Service Request Management
User Access Request
User Access modification
User access Revocation
3. Definitions
Access Requestor: Person initiating the access request.
4. Access Control Procedure
New User Registration Process
Logical Access
HR shall initiate an email to the IT department when an employee joins the firm. The IT
department shall provide the minimum access needed for the employee's role, including
provisioning of a desktop.
Physical Access
HR shall initiate a request to the admin department when an employee joins the firm. Based on
this request the admin department configures the employee's biometric access to the company
User access and privilege access
Access is granted by the IT admin to the respective systems only after documented approval
from both the department head and the operations head.
This process also applies to privileged access to:
Servers
Network Devices
Databases
Applications
Other confidential information
Change of access and removal of access
Any user moving between roles or departments shall be treated as a transfer. In case of
transfers, HR shall inform the respective IT team to revoke the employee's access to the
old systems. Any access required on new systems shall go through a formal access
request.
In case of leavers, HR shall notify the IT team of the employee's last working day.
The respective IT section shall accordingly revoke all access to systems and
information sites. This also applies to all applications that are not AD-integrated,
since these are not covered by disabling the AD account alone.
Review of Access
All access shall be provided only after formal approval. All user access and privileged access
shall be reviewed at least once every 6 months. These reviews shall be performed by the Operations
Head.
If any discrepancy is found during an access review, the access shall be removed
immediately.
5. Outputs
Users Access Granting
User Access reviews
6. Associated documentation
Access Control Matrix
7. KPIs
Frequency: Half-yearly
Objective: Review of access shall provide an understanding of process effectiveness. It also helps identify whether unauthorized access is being provided.
Source: Verification of current access in systems against approved tickets/emails.
Target: 0% deviation. Access should match the approvals granted.
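The half-yearly review and the KPI above both come down to one reconciliation: every access that currently exists in a system must map to a non-revoked ticket or email for the same user, system and privilege level, carrying both required approvals, and no leaver may retain access past their last working day. The script below is an added example written for this page and is not part of the procedure or of Information Dynamics' tooling. The ticket fields, the approver role names ("dept_head", "ops_head") and all user, system and ticket data are constructed for illustration; a real run would feed it exports from the service request tool and from each system, including applications that are not AD-integrated.

```python
"""Half-yearly access review: reconcile live access against approvals.

Added example, not part of the procedure document. All records below are
constructed for illustration; the ticket schema and approver role names are
assumptions, not the firm's actual service-request format.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Access:
    user: str
    system: str
    privileged: bool
    ad_integrated: bool  # non-AD apps are reviewed the same way


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    user: str
    system: str
    privileged: bool
    approvers: frozenset  # roles that approved, e.g. {"dept_head", "ops_head"}
    revoked: bool = False


# Both approvals are required by the procedure (department head + operations head)
REQUIRED_APPROVERS = frozenset({"dept_head", "ops_head"})

# Constructed sample: what the systems report at review time
CURRENT_ACCESS = [
    Access("alice", "erp-db", privileged=True, ad_integrated=True),
    Access("bob", "fileserver", privileged=False, ad_integrated=True),
    Access("carol", "core-switch", privileged=True, ad_integrated=False),
    Access("dave", "payroll-app", privileged=False, ad_integrated=False),
    Access("erin", "erp-db", privileged=True, ad_integrated=True),
]

# Constructed sample: approved tickets/emails on file
APPROVED_TICKETS = [
    Ticket("SR-101", "alice", "erp-db", True, frozenset({"dept_head", "ops_head"})),
    Ticket("SR-102", "bob", "fileserver", False, frozenset({"dept_head", "ops_head"})),
    Ticket("SR-103", "carol", "core-switch", True, frozenset({"dept_head"})),  # ops head never approved
    Ticket("SR-104", "erin", "erp-db", False, frozenset({"dept_head", "ops_head"})),  # non-privileged only
]

# Constructed sample: HR leaver notifications (user -> last working day, ISO date)
LEAVERS = {"dave": "2021-11-30"}


def reconcile(current, tickets, leavers, review_date):
    """Return findings keyed by category plus the deviation percentage.

    An access entry is matched only by a non-revoked ticket for the same user,
    system and privilege level that carries every role in REQUIRED_APPROVERS.
    A ticket with fewer approvals is reported separately so the reviewer can
    tell 'never requested' from 'requested but not fully approved'.
    """
    review_day = date.fromisoformat(review_date)
    valid, weak = {}, {}
    for t in tickets:
        if t.revoked:
            continue
        key = (t.user, t.system, t.privileged)
        if REQUIRED_APPROVERS <= t.approvers:
            valid[key] = t.ticket_id
        else:
            weak[key] = t.ticket_id

    findings = {"unapproved": [], "incomplete_approval": [], "leaver_still_active": []}
    for a in current:
        key = (a.user, a.system, a.privileged)
        last_day = leavers.get(a.user)
        if last_day is not None and date.fromisoformat(last_day) < review_day:
            # Leaver access takes precedence: even an approved ticket does not
            # justify access after the last working day.
            findings["leaver_still_active"].append((a.user, a.system, a.ad_integrated))
        elif key in valid:
            continue
        elif key in weak:
            findings["incomplete_approval"].append((a.user, a.system, weak[key]))
        else:
            # Covers both 'no ticket at all' and 'ticket for a lower privilege level'
            findings["unapproved"].append((a.user, a.system, a.privileged))

    deviating = sum(len(v) for v in findings.values())
    findings["deviation_pct"] = round(100.0 * deviating / len(current), 1) if current else 0.0
    return findings


if __name__ == "__main__":
    for category, items in reconcile(CURRENT_ACCESS, APPROVED_TICKETS, LEAVERS, "2021-12-08").items():
        print(f"{category}: {items}")
```

Every item in the three finding lists is an access that the procedure says must be removed immediately; the KPI target of 0% deviation is met only when all three lists are empty. Note that erin's privileged access is reported as unapproved even though a ticket exists, because the ticket approved a lower privilege level than what is actually provisioned, and dave's payroll-app access is caught even though the application is not AD-integrated.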