ISO 27001 Annex A 5.16 Identity Management

What is ISO 27001 Annex A 5.16 Identity Management?

ISO 27001 Annex A 5.16 manages the full lifecycle of digital identities. It requires a documented process to identify and verify users. Organisations must integrate these procedures into internal tools like SharePoint and Jira. This ensures security remains part of daily business operations. It prevents credential misuse through strict verification.

Auditor’s Eye: The Shortcut Trap

Many firms rely on SaaS compliance portals to manage identity policies. This creates only surface-level compliance. Auditors want to see the identity lifecycle within your native repositories. A green tick in a portal does not prove management ownership. We look for Jira workflows showing manual approvals. We check SharePoint for version-controlled policies. Identity management must be a lived process. Relying on automated black-box platforms often masks a lack of internal oversight. You must demonstrate that you control the identity lifecycle yourself.

Transition Table (2013 vs 2022)

Feature | ISO 27001:2013 Reference | ISO 27001:2022 Reference
Control Title | User registration and de-registration | 5.16 Identity Management
Primary Focus | Access management steps (A.9.2.1) | Full identity lifecycle and verification
Scope | User accounts | All digital identities (including non-human)

How to Implement ISO 27001 Annex A 5.16 (Step-by-Step)

Effective implementation requires integrating identity rules into your existing tools. Follow these steps to build a compliant identity management programme. Focus on cultural change rather than software installation. Manual verification remains the foundation of this control.

  • Define the Policy: Use SharePoint to host your Identity Management Policy. Document the full lifecycle of a digital identity.
  • Document Verification Rules: Create a wiki page in Confluence. Detail the evidence required to verify a new user identity.
  • Build Jira Workflows: Manage identity requests through Jira. Require manager sign-off for every new identity created.
  • Monitor Identity Providers: Track your identity providers in an internal register. Review their security settings every quarter.
  • Record Manual Reviews: Use SharePoint lists to track identity audits. Document all findings in your security meeting minutes.

ISO 27001 Annex A 5.16 Audit Evidence Checklist

Auditors look for manual records that prove human oversight. Internal document versions provide the best evidence. Focus on these items for your next audit:

  • Identity Management Policy with a clear SharePoint version history.
  • Jira tickets showing the start-to-finish lifecycle of user identities.
  • Signed verification forms or digital logs of identity checks.
  • Meeting minutes discussing the review of identity providers.
  • Internal wiki pages outlining identity naming conventions and rules.

Relational Mapping

Annex A 5.16 connects directly to other organisational controls. It supports Annex A 5.15 (Access Control) by providing verified identities. It feeds into Annex A 5.18 (Access Rights) to ensure permissions match valid identities. Proper identity management also strengthens Annex A 8.2 (Privileged Access Rights). Each of these controls depends on the validity of the underlying identity.

Auditor Interview

Auditor: How do you manage the creation of new digital identities?

User: We use a Jira workflow to capture and approve all identity requests.

Auditor: Where are the verification rules for these identities documented?

User: Our verification procedures are stored in our company wiki on Confluence.

Auditor: How do you prove that identities are deleted when staff leave?

User: We cross-reference our offboarding Jira tickets with our active identity register.

Common Non-Conformities

Failure Mode | Description of Non-Conformity
Automated Complacency | Relying on a SaaS platform's dashboard without internal procedural evidence.
Missing Verification | Creating identities without documenting the identity verification process.
Non-human Neglect | Failing to manage the identities of service accounts or software bots.
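As an added example that is not part of the original article, the cross-check described in the auditor interview (offboarding Jira tickets against the active identity register) and the Non-human Neglect row above, run over constructed sample data; the register fields and the Jira ticket shape are assumptions, not a real export format.

```python
# Added example (not from the original article): reconcile an identity
# register against offboarding tickets and flag the non-human identities
# nobody owns. All rows below are constructed sample data; the field names
# are assumptions about how such a register and Jira export might look.

# Constructed identity register: one row per digital identity.
IDENTITY_REGISTER = [
    {"id": "jsmith", "type": "human", "status": "active", "owner": "jsmith"},
    {"id": "mlee", "type": "human", "status": "active", "owner": "mlee"},
    {"id": "apatel", "type": "human", "status": "disabled", "owner": "apatel"},
    {"id": "svc-backup", "type": "service", "status": "active", "owner": ""},
    {"id": "svc-ci", "type": "service", "status": "active", "owner": "mlee"},
]

# Constructed offboarding tickets, in the shape of a simple Jira export.
OFFBOARDING_TICKETS = [
    {"key": "OFF-101", "identity": "mlee", "status": "Done"},
    {"key": "OFF-102", "identity": "apatel", "status": "Done"},
    {"key": "OFF-103", "identity": "jsmith", "status": "In Progress"},
]


def _leavers(tickets):
    """Map identity -> ticket key for every completed offboarding ticket."""
    return {t["identity"]: t["key"] for t in tickets if t["status"] == "Done"}


def orphaned_identities(register, tickets):
    """Identities still active although their offboarding ticket is Done."""
    leavers = _leavers(tickets)
    return sorted((r["id"], leavers[r["id"]]) for r in register
                  if r["status"] == "active" and r["id"] in leavers)


def unowned_non_human(register):
    """Service/bot identities with no named owner (the Non-human Neglect row)."""
    return sorted(r["id"] for r in register if r["type"] != "human" and not r["owner"])


def owned_by_leaver(register, tickets):
    """Non-human identities whose named owner has a completed offboarding ticket."""
    leavers = _leavers(tickets)
    return sorted((r["id"], r["owner"]) for r in register
                  if r["type"] != "human" and r["owner"] in leavers)


def reconcile(register, tickets):
    """Run all three checks; an empty result for each is the audit-ready state."""
    return {"orphaned": orphaned_identities(register, tickets),
            "unowned_non_human": unowned_non_human(register),
            "owned_by_leaver": owned_by_leaver(register, tickets)}


if __name__ == "__main__":
    for finding, rows in reconcile(IDENTITY_REGISTER, OFFBOARDING_TICKETS).items():
        print(finding, rows)
```

Each non-empty finding is a record to attach to the review ticket or SharePoint list the article asks for, so the evidence trail shows both the check and its outcome.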

Frequently Asked Questions

What is identity management in ISO 27001?

Identity management is a documented process governing the lifecycle of digital identities. It ensures that organisations uniquely identify and verify all users. This process must reside within internal document repositories. It prevents unauthorised access by validating users before granting permissions.

How do you verify identities for ISO 27001?

Verification involves checking official documentation or using multi-factor authentication. Organisations must record these checks in their internal management systems. This provides an audit trail for identity validity. Manual oversight of the verification process is mandatory for compliance.

What is the role of an identity provider?

An identity provider manages digital credentials and provides authentication services. ISO 27001 requires organisations to govern these providers through documented policies. You must monitor their performance and security within your own management tools. This maintains internal control over external dependencies.

LA CASA DE CERTIFICACIÓN