The basics
ISO 27001 control A.5.16 Identity management requires companies to ensure that user identities are managed throughout their lifecycle – from creation to deletion – so that only the people who need access hold the appropriate access rights at all times.
Documentation
ISO 27001 control A.5.16 Identity management can be documented:
- For smaller and mid-size companies – by writing an Access Control Policy
- For larger companies – by writing an Identity Management Procedure
These documents are not mandatory but are recommended.
Implementation
In order to comply with control A.5.16 Identity management you might implement the following:
- Technology — identity management is mainly enabled by software (e.g., Active Directory, user management systems, etc.). Small companies may use the identity management features built into their local computers to restrict what users can and cannot do, while bigger companies may use networked systems that allow centralized and remote identity management.
- Organization/processes — you should set up a process for defining how to create and group identities, who is responsible for creating/updating identities, how information about a user’s identity must be delivered, and how active identities must be reviewed and updated. You can document those processes through an Access Control Policy or an Identity Management Procedure.
- People — make employees aware of why managing users’ identities is needed, and train IT staff on how to create identities and deliver them to users in a secure way.
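The process bullet above describes a lifecycle (create, review, update, delete) but not what a periodic review actually checks. The following is an added example, not part of the original article or of any ISO text: it reconciles a constructed HR roster (assumed to be the source of truth for who is currently employed) against a constructed directory export and reports the classic lifecycle failures an auditor asks about: leavers whose accounts are still enabled, accounts with no identifiable owner, dormant or never-used accounts, and active people who were never provisioned. The record layouts, the 90-day dormancy threshold and the finding names are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row from the HR system of record (constructed sample layout)."""
    user_id: str
    status: str                      # "active" or "left"
    leave_date: Optional[date] = None


@dataclass(frozen=True)
class DirectoryAccount:
    """One account from a directory export, e.g. AD (constructed sample layout)."""
    user_id: str
    enabled: bool
    created: date
    last_logon: Optional[date]       # None means the account never logged on


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str
    detail: str


def review_identities(hr_roster: List[HrRecord], directory: List[DirectoryAccount],
                      today: date, dormant_days: int = 90) -> List[Finding]:
    """Periodic identity review: compare the directory against HR (assumed source of truth)."""
    hr_by_id = {rec.user_id: rec for rec in hr_roster}
    findings: List[Finding] = []

    for acct in directory:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # Nobody in HR owns this identity: an orphan that must get an owner or be removed.
            findings.append(Finding(acct.user_id, "no_owner",
                                    "no HR record; assign an owner or remove the account"))
            continue
        if rec.status == "left":
            if acct.enabled:
                # Leaver process failed: access survived the person's departure.
                findings.append(Finding(acct.user_id, "leaver_still_enabled",
                                        f"left on {rec.leave_date}; disable and schedule deletion"))
            continue  # a disabled leaver account is in the correct state
        if not acct.enabled:
            continue
        # Dormancy check: an enabled identity nobody uses is an unnecessary access right.
        last_activity = acct.last_logon or acct.created
        idle_days = (today - last_activity).days
        if idle_days > dormant_days:
            kind = "never_used" if acct.last_logon is None else "dormant"
            findings.append(Finding(acct.user_id, kind,
                                    f"no logon for {idle_days} days; confirm the access is still required"))

    # Joiner check: active people with no identity at all (provisioning never happened).
    known_ids = {acct.user_id for acct in directory}
    for rec in hr_roster:
        if rec.status == "active" and rec.user_id not in known_ids:
            findings.append(Finding(rec.user_id, "missing_account",
                                    "active person without an account; run the joiner process"))
    return findings


# Constructed sample data for a review run on the (assumed) review date below.
REVIEW_DATE = date(2024, 6, 30)
HR_ROSTER = [
    HrRecord("u001", "active"),
    HrRecord("u002", "left", date(2024, 3, 15)),
    HrRecord("u003", "active"),                  # new joiner, not yet provisioned
    HrRecord("u004", "active"),
    HrRecord("u007", "left", date(2024, 1, 10)),
    HrRecord("u008", "active"),
]
DIRECTORY_EXPORT = [
    DirectoryAccount("u001", True, date(2021, 1, 4), date(2024, 6, 28)),   # in use, fine
    DirectoryAccount("u002", True, date(2019, 5, 20), date(2024, 3, 14)),  # leaver, still enabled
    DirectoryAccount("u004", True, date(2020, 1, 1), date(2024, 2, 1)),    # 150 days idle
    DirectoryAccount("u007", False, date(2018, 9, 3), date(2024, 1, 9)),   # leaver, correctly disabled
    DirectoryAccount("u008", True, date(2024, 1, 15), None),               # created, never used
    DirectoryAccount("svc-backup", True, date(2017, 2, 2), date(2024, 6, 29)),  # no HR owner
]

if __name__ == "__main__":
    for f in review_identities(HR_ROSTER, DIRECTORY_EXPORT, REVIEW_DATE):
        print(f"{f.user_id:12} {f.kind:22} {f.detail}")
```

Each finding maps to a lifecycle step in the Access Control Policy or Identity Management Procedure (joiner, review, leaver), and the output of such a run, kept with the sign-off of whoever acted on it, is exactly the kind of review record that shows identities are managed throughout their lifecycle.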
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.16 Identity management: whether user identities are managed throughout their lifecycle.