ISO 27001 Annex A 5.16 – Identity Management

This rule is about identity management, which means a company must have a system to handle who and what can access its information and IT systems. It covers the entire life of an identity, from when it’s created until it’s deleted.

What Is Identity Management?

Identity management is how you make sure that only the right people, systems, or devices can reach your data. It lets you keep track of who or what is on your network and what they are allowed to do. The control is preventive: it reduces risk before an incident happens rather than after.

What is ISO 27001 Annex A 5.16?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Identity management”.

What is the ISO 27001 Annex A 5.16 control objective?

The formal definition and control objective in the standard is: “The full life cycle of identities shall be managed.”

What is the purpose of ISO 27001 Annex A 5.16?

The purpose of ISO 27001 Annex A 5.16 is “To allow for the unique identification of individuals and systems accessing the organisation’s information and other associated assets and to enable appropriate assignment of access rights.”

Is ISO 27001 Annex A 5.16 Mandatory?

ISO 27001 Annex A control 5.16 (Identity Management in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.16 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

  • One for One: Every person or system should have a single, unique identity. This helps you know who is doing what and keeps things organised.
  • Handle with Care: You need to treat human identities (for people) and non-human identities (for devices or applications) in different ways. Each type needs its own process for approval and setup.
  • Get Rid of Old IDs: When someone leaves the company or a device is no longer used, their identity should be turned off or removed right away. This is important to stop security issues.
  • Keep Good Records: You should always keep a record of when identities are created, changed, or removed. This creates a history that you can check later.
  • Check Often: You should regularly look at all identities to make sure they are still needed and that they have the right level of access.
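As an added illustration (not code from the page or from the standard), the Python check below runs the lifecycle rules above over a constructed identity inventory and HR leaver list: it flags identities with no accountable owner, human identities used by more than one person, enabled identities belonging to leavers, and identities whose last review is older than the review period. The inventory, the leaver dates and the 365-day review interval are assumed values; the standard sets no figure.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the page): one record per identity,
# with the people accountable for it, its state and its last review date.
IDENTITIES = [
    {"id": "alice",      "type": "human",   "people": ["alice"],         "enabled": True, "last_review": "2024-03-01"},
    {"id": "bob",        "type": "human",   "people": ["bob"],           "enabled": True, "last_review": "2024-03-01"},
    {"id": "ops-shared", "type": "human",   "people": ["alice", "dave"], "enabled": True, "last_review": "2024-03-01"},
    {"id": "svc-backup", "type": "service", "people": ["alice"],         "enabled": True, "last_review": "2023-01-15"},
    {"id": "svc-legacy", "type": "service", "people": ["carol"],         "enabled": True, "last_review": "2024-03-01"},
    {"id": "svc-orphan", "type": "service", "people": [],                "enabled": True, "last_review": "2024-03-01"},
]
# Constructed HR leaver list: person -> last working day (ISO date).
LEAVERS = {"bob": "2024-02-28", "carol": "2023-11-30"}
REVIEW_PERIOD_DAYS = 365  # assumed review interval; the standard does not set one


def lifecycle_findings(identities, leavers, today, review_period_days=REVIEW_PERIOD_DAYS):
    """Return sorted (identity, finding) pairs for every lifecycle rule that is breached."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    findings = []
    for ident in identities:
        people = ident["people"]
        if not people:  # nobody is accountable for this identity
            findings.append((ident["id"], "no-accountable-owner"))
        if ident["type"] == "human" and len(people) > 1:  # breaks "one for one"
            findings.append((ident["id"], "shared-human-identity"))
        # People who have already left but still stand behind an enabled identity
        gone = [p for p in people if p in leavers and date.fromisoformat(leavers[p]) < today]
        if gone and ident["enabled"]:
            kind = "leaver-still-enabled" if ident["type"] == "human" else "owner-has-left"
            findings.append((ident["id"], kind))
        if today - date.fromisoformat(ident["last_review"]) > timedelta(days=review_period_days):
            findings.append((ident["id"], "review-overdue"))
    return sorted(findings)


if __name__ == "__main__":
    for ident, finding in lifecycle_findings(IDENTITIES, LEAVERS, "2024-06-01"):
        print(f"{ident}: {finding}")
```

The output is the list an auditor would expect to see reconciled against the identity register, with each finding resolved or explicitly accepted.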

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

  • A written policy for identity management.
  • Evidence that you follow the process for creating and deleting identities.
  • Proof that you have a way to check identities and access rights on a regular basis.

You can learn more about identity management and ISO 27001 by watching this video: ISO 27001 Identity Management Explained.