ISO 27001:2022 Control 5.16 (A.5.16)
Explaining Control 5.16 (A.5.16) Identity management
ISO 27001 Control 5.16, Identity management, establishes the requirements for managing the full lifecycle of identities, ensuring that each identity is uniquely assigned, securely maintained, and promptly revoked when no longer needed. This control applies to human users, non-human entities (such as applications and devices), and third-party identities.
Control Type
- Preventive
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Protect
Operational Capabilities
- Identity and Access Management
Security Domains
- Protection
Objective of Control 5.16
The primary objective of Control 5.16 is to implement a structured approach to identity management, ensuring that:
- Each identity is uniquely assigned and verifiable, ensuring accountability and traceability of actions.
- Access rights are granted and managed throughout the identity lifecycle to prevent unauthorized access.
- Non-human identities (such as system accounts, service accounts, and API keys) are appropriately controlled with oversight mechanisms.
- Identity records are updated in real-time to reflect changes, such as employee onboarding, role changes, and departures.
- Dormant or unnecessary identities are disabled or removed promptly to reduce security risks.
Purpose of Identity Management
Effective identity management ensures that individuals and systems accessing your organization’s resources are accurately identified, authorized, and monitored. The core purposes of implementing this control include:
1. Enhancing Security
Properly managed identities reduce the risk of unauthorized access, privilege escalation, and insider threats. Organizations that fail to manage identities correctly may expose themselves to attacks such as credential theft, phishing, and unauthorized privilege escalation.
2. Facilitating Compliance
Identity management is a fundamental requirement in multiple regulatory frameworks, including ISO 27001, GDPR, NIST, HIPAA, and PCI DSS. Implementing strong identity governance ensures your organization remains compliant with these regulations.
3. Improving Operational Efficiency
An organized identity lifecycle management process allows for seamless user provisioning and deprovisioning. Automated identity governance prevents excessive manual administrative tasks and reduces human error.
4. Enabling Accountability
Every identity within the system should be uniquely assigned to a single individual or entity. This ensures that all actions taken within the system can be traced back to a responsible user, helping in forensic investigations, incident response, and auditing.
5. Preventing Unauthorized Access
Without identity management, unauthorized individuals could gain access to sensitive information, resulting in data breaches or operational disruptions. By implementing identity governance controls, your organization ensures that only authorized personnel have access to specific resources.
Identity Lifecycle Management
Managing identities throughout their lifecycle is crucial for maintaining security and operational efficiency. The identity lifecycle follows a structured process that includes:
1. Identity Creation and Approval
- Business Justification: Every identity must have a valid business requirement before being created.
- Verification Process: The identity of an individual or system must be verified using trusted documentation.
- Approval Mechanisms: Organizations should implement an approval process before creating new user accounts or system identities.
- Assignment of Unique Identifiers: Each user or system must have a unique identifier to prevent duplicate identities.
2. Identity Maintenance
- Regular Review and Revalidation: User identities should be periodically reviewed to ensure they remain necessary and properly assigned.
- Monitoring for Duplicate Identities: Duplicate identities can lead to security loopholes. Your organization should implement mechanisms to detect and merge duplicate accounts.
- Change Management: When employees change roles, their access rights should be modified accordingly to avoid privilege creep.
3. Identity Deactivation and Removal
- Automated Deactivation Processes: Organizations should establish an automated system for deactivating unused accounts.
- Timely Revocation: Identities should be disabled immediately upon termination of employment, contract expiration, or when they are no longer required.
- Access Revocation Logging: Maintain records of identity revocations for auditing and compliance purposes.
Managing Non-Human Identities
Non-human identities (such as service accounts, API keys, and application identities) require a different management approach compared to human identities. Best practices for managing non-human identities include:
- Approval and Justification: Each non-human identity should be created only when necessary and require documented approval.
- Regular Audits: Non-human accounts should be periodically reviewed to ensure they are still required.
- Usage Restrictions: Limit privileges to the minimum necessary for each non-human identity.
- Secure Authentication: Ensure that non-human identities follow strong authentication mechanisms (e.g., certificate-based authentication).
Shared Identities and Their Risks
Shared identities pose a significant security risk as multiple individuals can access systems using the same credentials, making accountability difficult. If shared identities are necessary, your organization should:
- Document Justification: Clearly outline why a shared identity is required.
- Implement Approval Processes: Ensure that shared identities undergo strict approval.
- Monitor Usage: Maintain audit logs to track activities associated with shared identities.
- Consider Alternatives: If possible, use role-based access control (RBAC) instead of shared identities.
Event Logging and Identity Monitoring
Identity-related activities must be logged and monitored to detect suspicious behavior and ensure compliance. Key considerations include:
- Audit Logging: Track login attempts, account modifications, privilege escalations, and access removals.
- Real-time Monitoring: Use Security Information and Event Management (SIEM) solutions to detect anomalies.
- Incident Response: Establish procedures to respond to identity-related security incidents, such as unauthorized access attempts.
Managing Third-Party Identities
If your organization uses third-party authentication providers (such as social media logins or federated authentication), you must assess and mitigate associated risks. Best practices include:
- Trust Evaluation: Ensure that third-party identity providers meet your security standards.
- Risk Assessment: Identify potential vulnerabilities associated with using external identity providers.
- Authentication Controls: Enforce multi-factor authentication (MFA) for third-party identities.
- Periodic Reviews: Regularly review the security posture of third-party identity services.
Relevant ISO 27001 Controls Related to Identity Management
Control 5.16 is closely linked to several other controls within ISO 27001, including:
- Control 5.15 – Access Control: Defines how access permissions are granted and managed.
- Control 5.17 – Authentication Information: Governs password policies, encryption of credentials, and secure authentication methods.
- Control 5.18 – Access Rights: Specifies how access rights are assigned and reviewed.
- Control 5.19 – Supplier Security: Addresses identity management when working with third-party vendors.
Supporting Templates for Identity Management
To assist in implementing ISO 27001 Control 5.16, the following templates from our website may be helpful:
- Identity Management Policy Template: Establishes a formal identity governance framework.
- Access Request Form: Standardizes the process of requesting and approving access.
- Identity Deactivation Checklist: Ensures all steps are followed when removing an identity.
- Role-Based Access Control (RBAC) Matrix: Helps map access levels based on roles.
