Buy the 27001 Toolkit

ISO 27001 Control 5.16: Identity Management

ISO 27001 Control 5.16: Identity Management

Identity Management: A Foundation of Information Security

Effective identity management is a critical element in securing organisational assets and ensuring that only authorised entities can access sensitive systems and data. By implementing ISO 27001 control 5.16 which requires a robust identity management framework, organisations can maintain accountability, improve access control, and reduce the risks of unauthorised access.

Return to Organisational Controls Overview
Get the ISO 27002 Official Guidance on Controls

Purpose of Identity Management

The key objectives of identity management are to:

  • Ensure unique identification of individuals and systems accessing organisational resources.
  • Facilitate accurate and appropriate assignment of access rights.
  • Maintain accountability for actions performed using specific identities.

Principles for Managing Identity Lifecycles

A comprehensive identity management process should adhere to the following principles:

1. Unique and Accountable Identities

  • Each identity must be uniquely linked to a single individual to ensure full accountability.
  • Shared identities are permitted only for business-critical purposes and must undergo dedicated approval and documentation processes.

2. Management of Non-Human Entities

  • Identities assigned to non-human entities (e.g., systems, devices) must be subject to rigorous approval processes and ongoing oversight.

3. Prompt Deactivation of Identities

  • Identities must be disabled or removed as soon as they are no longer needed, such as:
    • When an individual leaves the organisation or changes roles.
    • When associated systems or devices are decommissioned.

4. Avoidance of Duplicate Identities

  • Each domain should assign a single identity to each entity, ensuring no duplication within the same context.

5. Event Record Maintenance

  • Maintain comprehensive records of significant events related to identity management, including identity creation, modification, and deactivation.

Processes for Identity Management

Organisations should establish clear processes to handle:

  • Updates to user identity information, including re-verification of documentation.
  • Integration and validation of third-party identities (e.g., social media credentials), ensuring trustworthiness and mitigating associated risks.

Lifecycle Stages of Identity Management

  1. Confirm Business Requirements: Validate the necessity of establishing an identity.
  2. Verify Identity: Authenticate the entity before issuing an identity.
  3. Establish Identity: Create and configure a unique identity.
  4. Activate Identity: Set up authentication mechanisms and activate the identity.
  5. Assign or Revoke Access Rights: Manage access permissions based on authorisation decisions.

Third-Party Identity Management

When using third-party-provided identities:

  • Ensure the third-party identities meet organisational trust requirements.
  • Mitigate risks by implementing appropriate controls over third-party authentication and access.

Benefits of Effective Identity Management

1. Enhanced Security

  • Minimise unauthorised access by ensuring proper identity verification and robust authentication processes.

2. Increased Accountability

  • Hold individuals accountable for actions performed under their assigned identities.

3. Efficient Access Control

  • Streamline the provisioning and revocation of access rights to meet organisational needs.

4. Compliance Assurance

  • Satisfy legal, regulatory, and contractual obligations related to data access and security.

FAQs

What is the goal of Control 5.16 in ISO 27001?

The goal is to ensure that every user has a unique and verifiable identity for accessing systems and data. This control helps prevent unauthorised access by making sure that only properly identified individuals can use your organisation’s resources.

What does identity management involve?

Identity management includes:

Creating user identities (onboarding)
– Assigning roles and permissions
– Managing changes (like promotions or transfers)
– Deactivating accounts when users leave (offboarding)

It ensures users get the right level of access — no more, no less.

Why is unique user identification important?

It works closely with:

Control 5.18 (Access Rights) – determining what users can do.
– Control 5.17 (Authentication Information) – how users prove their identity.
– Control 5.19 (Supplier Relationships) – managing third-party access.

Together, they form the foundation of a secure access control system.

Can identity management help with compliance, like GDPR?

Yes. GDPR requires that only authorized people access personal data.

Effective identity management:

– Supports data protection principles
– Helps demonstrate accountability
– Reduces risk of unauthorized access or breaches

Conclusion

Comprehensive identity management under ISO 27001 control 5.16 is indispensable for maintaining a secure organisational environment. By ensuring the unique identification of entities, managing identity lifecycles effectively, and implementing robust oversight, organisations can enhance their security posture, streamline operations, and comply with regulatory requirements. Adopting these practices fosters trust, accountability, and resilience in the face of evolving threats.

Iseo Blue Limited - UK Registered Company Number : 10215427

Privacy Policy  

Registered office address: Belmont Suite Paragon Business Park, Chorley New Road, Bolton, England, United Kingdom, BL6 6HG