In "Comparison of the differences between ISO 27001:2013 and ISO 27001:2005 #4" it was explained that the new ISO 27001/27002 adds 12 new controls; each of them will be explained and shared in turn:
A.9.2.2 User access provisioning
Control
A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.
Implementation guidance
The provisioning process for assigning or revoking access rights granted to user IDs should include:
a) obtaining authorization from the owner of the information system or service for the use of the information system or service (see control 8.1.2); separate approval for access rights from management may also be appropriate;
b) verifying that the level of access granted is appropriate to the access policies (see 9.1) and is consistent with other requirements such as segregation of duties (see 6.1.2);
c) ensuring that access rights are not activated (e.g. by service providers) before authorization procedures are completed;
d) maintaining a central record of access rights granted to a user ID to access information systems and services;
e) adapting access rights of users who have changed roles or jobs and immediately removing or blocking access rights of users who have left the organization;
f) periodically reviewing access rights with owners of the information systems or services (see 9.2.5).
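Items a) to f) above describe one provisioning workflow, so the following added example (not from the standard and not from this blog) models that workflow in Python: a central record of grants per user ID, owner authorization, checks against an access policy and segregation-of-duties rules, activation only after authorization, role-change and leaver handling, and a periodic review report. The system names, owners, roles and rights are constructed sample data, and the policy structures are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

Right = Tuple[str, str]  # (system, right)


class State(Enum):
    REQUESTED = "requested"
    AUTHORIZED = "authorized"
    ACTIVE = "active"
    REVOKED = "revoked"


# Constructed sample data: systems, owners, roles and rights are illustrative only.
SYSTEM_OWNERS: Dict[str, str] = {"payroll": "cfo", "crm": "sales-director"}  # a) owners who authorize use
ROLE_POLICY: Dict[str, Set[Right]] = {  # b) access policy: rights appropriate to each role
    "finance-clerk": {("payroll", "read"), ("payroll", "enter")},
    "finance-manager": {("payroll", "read"), ("payroll", "enter"), ("payroll", "approve")},
    "sales": {("crm", "read"), ("crm", "write")},
}
SOD_CONFLICTS = [frozenset({("payroll", "enter"), ("payroll", "approve")})]  # b) segregation of duties


@dataclass
class Grant:
    user_id: str
    system: str
    right: str
    state: State = State.REQUESTED
    authorized_by: Optional[str] = None
    granted_on: Optional[date] = None


class ProvisioningRegistry:
    """d) The central record: every access right requested for a user ID is kept here."""

    def __init__(self) -> None:
        self.roles: Dict[str, str] = {}
        self.grants: List[Grant] = []

    def request(self, user_id: str, role: str, system: str, right: str) -> Grant:
        self.roles[user_id] = role
        grant = Grant(user_id, system, right)
        self.grants.append(grant)
        return grant

    def active_rights(self, user_id: str) -> Set[Right]:
        return {(g.system, g.right) for g in self.grants
                if g.user_id == user_id and g.state == State.ACTIVE}

    def authorize(self, grant: Grant, approver: str, today: date) -> None:
        # a) only the owner of the information system or service may authorize its use
        if SYSTEM_OWNERS.get(grant.system) != approver:
            raise PermissionError(f"{approver} is not the owner of {grant.system}")
        # b) the right must be appropriate to the requester's role under the access policy ...
        role = self.roles[grant.user_id]
        if (grant.system, grant.right) not in ROLE_POLICY.get(role, set()):
            raise ValueError(f"{grant.right} on {grant.system} is outside the {role} policy")
        # ... and must not create a segregation-of-duties conflict with rights already held
        would_hold = self.active_rights(grant.user_id) | {(grant.system, grant.right)}
        for conflict in SOD_CONFLICTS:
            if conflict <= would_hold:
                raise ValueError(f"segregation of duties conflict: {sorted(conflict)}")
        grant.state, grant.authorized_by, grant.granted_on = State.AUTHORIZED, approver, today

    def activate(self, grant: Grant) -> None:
        # c) a right is never switched on before the authorization procedure has completed
        if grant.state != State.AUTHORIZED:
            raise RuntimeError(f"cannot activate a grant in state {grant.state.value}")
        grant.state = State.ACTIVE

    def change_role(self, user_id: str, new_role: str) -> List[Grant]:
        # e) on a role change, active rights the new role does not cover are removed
        self.roles[user_id] = new_role
        allowed = ROLE_POLICY.get(new_role, set())
        revoked = [g for g in self.grants if g.user_id == user_id
                   and g.state == State.ACTIVE and (g.system, g.right) not in allowed]
        for g in revoked:
            g.state = State.REVOKED
        return revoked

    def offboard(self, user_id: str) -> int:
        # e) a leaver loses every open grant immediately, whatever state it is in
        open_grants = [g for g in self.grants if g.user_id == user_id and g.state != State.REVOKED]
        for g in open_grants:
            g.state = State.REVOKED
        return len(open_grants)

    def review_due(self, today: date, interval_days: int = 90) -> Dict[str, List[Grant]]:
        # f) periodic review: active rights older than the interval, grouped by the owner who re-confirms them
        due: Dict[str, List[Grant]] = {}
        for g in self.grants:
            if (g.state == State.ACTIVE and g.granted_on is not None
                    and today - g.granted_on >= timedelta(days=interval_days)):
                due.setdefault(SYSTEM_OWNERS[g.system], []).append(g)
        return due
```

Because every grant passes through the registry, the same object serves as the central record of item d) and as the source for the review list of item f); a provisioning step performed outside it (for instance a service provider enabling an account directly) would leave no trace, which is exactly the gap item c) warns about.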
The new ISO 27001/27002 describes user access provisioning in more detail, including the recommendation to maintain a central record of each user's access rights to every system and service.