ISO/IEC 27001:2022 (Information Security Management), control A.8.2
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
The allocation and use of privileged access rights shall be restricted and managed. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.2.)
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | Attackers compromise and use valid privileged accounts for various malicious activities. Control A.8.2 directly counters this by restricting and managing these accounts, limiting unauthorized access and potential misuse. | 100% |
| T1003 | Attackers dump credentials, often targeting privileged accounts, to gain elevated access. Control A.8.2's focus on managing privileged access reduces the attack surface for credential theft and subsequent unauthorized use. | 90% |
| T1068 | This control directly addresses the prevention of unauthorized privilege escalation by restricting and managing privileged access rights. Exploitation for privilege escalation is mitigated by robust access controls as per A.8.2. | 100% |
| T1053 | Attackers with privileged access can create or modify scheduled tasks for persistence or to execute code with elevated rights. Control A.8.2 limits this by restricting who can allocate and use such rights. | 90% |
| T1098 | Attackers manipulate existing accounts, including privileged ones, to maintain access or elevate privileges. Control A.8.2's management of privileged access rights prevents unauthorized modifications. | 90% |
| T1136 | Attackers create new accounts, often with privileged access, for persistence or to facilitate other attacks. Control A.8.2 restricts and manages the allocation of such rights, preventing unauthorized account creation. | 90% |
| T1021 | Attackers use privileged credentials to access remote services and move laterally within a network. Control A.8.2's management of these rights limits the ability to move laterally without authorization. | 90% |
| T1070 | Privileged access is often required to clear event logs or delete forensic artifacts, hindering detection. Control A.8.2 restricts such access, making defense evasion more difficult. | 80% |
| T1059 | Attackers execute commands and scripts, often requiring or seeking privileged access to achieve their objectives. Control A.8.2 limits the scope of execution by restricting who holds privileged rights. | 90% |
| T1087 | Attackers discover privileged accounts to target them for compromise or exploitation. Control A.8.2's management of these accounts can include measures to limit their discoverability or exposure. | 90% |
| T1048 | An attacker with privileged access can more easily exfiltrate data, potentially bypassing standard controls. Control A.8.2 reduces the likelihood of such access, thereby mitigating exfiltration risks. | 70% |
| T1486 | Privileged access is often required to encrypt data across a system or network for impact, such as in ransomware attacks. Control A.8.2 limits the scope of such destructive actions by restricting privileged rights. | 70% |
| T1005 | Privileged access allows attackers to collect sensitive data from local systems more comprehensively. Control A.8.2's restrictions on privileged rights limit the scope of data collection. | 80% |
| T1041 | Privileged access can facilitate the setup and use of C2 channels for exfiltration, especially if network controls are bypassed. Control A.8.2 reduces the ability to establish such channels. | 70% |
| T1018 | Privileged access can aid in discovering remote systems and their configurations, which can then be targeted for lateral movement. Control A.8.2 limits this reconnaissance capability. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1026 | This mitigation directly implements the control's requirement to restrict and manage privileged access rights, including principles like least privilege and just-in-time access, as per ISO27001 A.8.2. | 100% |
| M1017 | Effective user account management, including the creation, modification, and deletion of accounts, is fundamental to restricting and managing privileged access, supporting ISO27001 A.8.2. | 90% |
| M1030 | Network segmentation limits the scope of compromise if privileged access is obtained, preventing lateral movement to other critical systems, thereby supporting the intent of ISO27001 A.8.2. | 80% |
| M1035 | Restricting network access to resources, especially those requiring privileged access, reduces the attack surface for remote exploitation, aligning with ISO27001 A.8.2. | 90% |
| M1043 | Multi-factor authentication adds a critical layer of security to privileged accounts, making it significantly harder for attackers to use stolen credentials, directly supporting ISO27001 A.8.2. | 90% |
| M1047 | Auditing and logging privileged access activities enable detection of unauthorized use or attempts to bypass restrictions, providing essential oversight for ISO27001 A.8.2. | 90% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-269 | This weakness directly reflects a failure to properly restrict and manage privileged access rights, leading to excessive or unmonitored privileges, which ISO27001 A.8.2 aims to prevent. | 100% |
| CWE-284 | Inadequate access control mechanisms can lead to unauthorized users gaining or escalating to privileged access, violating the principle of least privilege, which ISO27001 A.8.2 addresses. | 90% |
| CWE-285 | Flaws in authorization logic can grant privileged access to users who should not have it, or allow them to perform actions beyond their intended scope, directly countered by ISO27001 A.8.2. | 90% |
| CWE-798 | Hard-coded credentials, especially for privileged accounts, present a significant risk if discovered, enabling unauthorized access. ISO27001 A.8.2 implicitly requires secure credential management. | 80% |
| CWE-306 | Critical functions requiring privileged access, if lacking proper authentication, can be exploited by unauthorized actors to gain elevated rights, a scenario ISO27001 A.8.2 seeks to prevent. | 80% |
| CWE-732 | Incorrect permissions on critical resources can allow unprivileged users to gain access or modify configurations that lead to privilege escalation, directly addressed by ISO27001 A.8.2. | 90% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0190 compute · voice-rubric self-validated