What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.16


If you have been working with the ISO 27001 standard for a few years, you likely remember the 2013 version as a fairly rigid framework. It served us well, but as we moved further into the era of cloud computing and remote working, it became clear that the way we manage who people are in our systems needed a fresh look. That is where the ISO 27001:2022 update comes in, specifically with the introduction of Annex A 5.16, which focuses on Identity Management.

You might be asking, “Didn’t we already have this in the 2013 version?” Well, yes and no. The evolution of this control tells us a lot about where modern security is heading. Let’s break down exactly what changed and why it matters for your organisation.

The Shift from User Management to Identity Management

In the 2013 version of ISO 27001, the concept of “identity” was largely tucked away within broader access control measures, specifically under Annex A.9.2, which dealt with “User Access Management.” Back then, the focus was very much on the “user”, usually a human employee, and on their registration in or de-registration from a system.

The 2022 update has shifted the terminology significantly. Annex A 5.16 is now titled “Identity Management.” This change in wording is intentional. In today’s tech landscape, an “identity” isn’t always a person; it could be a bot, an API, or an automated service. By moving to Identity Management, the standard now requires you to manage the full lifecycle of any entity that needs to be identified within your network.

Consolidation and Clarity

One of the biggest differences you will notice is how the controls have been reorganised. In the 2013 version, requirements for identifying users were scattered. The 2022 version has streamlined this, pulling together elements that were previously separate to create a more cohesive organisational control.

According to the experts at Hightable.io, Annex A 5.16 essentially takes the core requirements of the old A.9.2.1 (User registration and de-registration) but expands the scope. It isn’t just about giving someone a login anymore; it is about ensuring that the unique identity assigned to a person or service is managed, verified, and revoked correctly across its entire lifecycle.

What is New in Annex A 5.16?

While the fundamental goal remains the same—making sure people are who they say they are—the 2022 version introduces a more rigorous approach to the “identity” itself. Under the 2013 framework, many companies got away with shared accounts or poorly managed system identities. Annex A 5.16 makes it much clearer that every identity must be unique and traceable.

A key focus now is on the “verification” process. You are now expected to have stronger procedures for verifying an identity before granting access. As highlighted by Hightable.io, this means that your onboarding and offboarding processes need to be more tightly integrated with your IT systems than ever before. If an identity is no longer needed—whether because an employee has left or a software trial has ended—the standard now places a heavier emphasis on the prompt removal or deactivation of that identity.

The Role of Technology in the 2022 Update

The 2013 version was written at a time when many systems were still on-premises. The 2022 update, and Annex A 5.16 specifically, acknowledges that we now live in a world of Single Sign-On (SSO) and Multi-Factor Authentication (MFA). While MFA is specifically highlighted in other controls (like A 5.17), Annex A 5.16 provides the foundation for those technologies by ensuring the underlying identity is solid.

For organisations transitioning to the new standard, this means you need to look at your Identity and Access Management (IAM) tools. Are they capable of handling the lifecycle of an identity automatically? If you are still relying on manual spreadsheets to track who has an account where, you may find it difficult to meet the “timely” revocation requirements of the new Annex A 5.16.


Practical Steps for the Transition

If you are upgrading your ISMS from the 2013 version to the 2022 version, your work for Annex A 5.16 involves a few key steps. First, you should review your existing User Access Management policy and rename or restructure it to reflect “Identity Management.”

You’ll also want to ensure that your documentation covers:

  • The creation, amendment, and deletion of identities.
  • How you verify the identity of a user or service before registration.
  • Specific procedures for handling “non-human” identities like service accounts.
  • Periodic reviews of identities to ensure they are still valid and necessary.

The goal is to move from a static list of users to a dynamic management system. Hightable.io notes that the 2022 version is much better suited for modern compliance because it aligns with the way modern software actually works.
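To make the checklist above concrete, here is an added example (not code from the original article, Hightable.io, or the ISO standard) of the kind of automated lifecycle check that replaces the manual spreadsheet. It runs over a small, constructed identity inventory and flags the conditions Annex A 5.16 cares about: identifiers registered more than once, shared identities that cannot be traced to a single entity, active identities that were never verified, identities whose need has expired but that are still active, overdue periodic reviews, and service identities with no accountable owner. The field names, the 90-day review interval and the sample records are assumptions chosen for illustration.

```python
"""Identity lifecycle checks over a constructed identity inventory (illustrative, not a standard's API)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    identity_id: str                # unique identifier (login, client id, key id, ...)
    kind: str                       # "human" or "service" (non-human identity)
    holders: Tuple[str, ...]        # entities that actually use the identity
    owner: str                      # named person accountable for the identity
    verified: bool                  # identity was verified before registration
    active: bool                    # currently enabled in the IAM system
    last_review: Optional[date]     # last periodic review, None if never reviewed
    needed_until: Optional[date]    # contract/trial end; None means open-ended


# Assumed review cadence; pick the value your policy actually states.
REVIEW_INTERVAL = timedelta(days=90)

# Constructed sample inventory; values are invented for this example.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Identity("alice", "human", ("alice",), "alice", True, True, date(2024, 4, 15), None),
    # Contractor whose engagement ended on 31 May but who is still active and overdue for review.
    Identity("bob", "human", ("bob",), "bob", True, True, date(2024, 1, 10), date(2024, 5, 31)),
    # Shared operations login used by two people: actions cannot be attributed to one person.
    Identity("ops-shared", "human", ("carol", "dave"), "carol", True, True, date(2024, 5, 1), None),
    # Service account that has never been reviewed and has nobody accountable for it.
    Identity("svc-backup", "service", ("backup-job",), "", True, True, None, None),
    # Expired software trial whose identity was already deactivated: nothing to report.
    Identity("trial-erp", "service", ("erp-connector",), "alice", False, False, None, date(2024, 3, 1)),
]


def lifecycle_findings(inventory: List[Identity], today: date,
                       review_interval: timedelta = REVIEW_INTERVAL) -> List[Tuple[str, str]]:
    """Return (identity_id, finding) pairs for every lifecycle rule that is violated."""
    findings: List[Tuple[str, str]] = []

    # Rule 1: every identifier must be unique across the inventory.
    counts = Counter(i.identity_id for i in inventory)
    for identity_id, n in sorted(counts.items()):
        if n > 1:
            findings.append((identity_id, "identity id registered more than once"))

    for i in inventory:
        # Rule 2: one identity maps to exactly one entity, or its actions are not traceable.
        if len(i.holders) != 1:
            findings.append((i.identity_id, "shared identity; actions not traceable to one entity"))
        # Rule 3: verification must happen before the identity is usable.
        if i.active and not i.verified:
            findings.append((i.identity_id, "active identity was never verified"))
        # Rule 4: prompt deactivation once the identity is no longer needed.
        if i.active and i.needed_until is not None and i.needed_until < today:
            findings.append((i.identity_id, "no longer needed but still active"))
        # Rule 5: periodic review of every active identity.
        if i.active and (i.last_review is None or today - i.last_review > review_interval):
            findings.append((i.identity_id, "periodic review overdue"))
        # Rule 6: non-human identities need a named, accountable owner.
        if i.kind == "service" and not i.owner:
            findings.append((i.identity_id, "service identity has no accountable owner"))
    return findings


def due_for_deactivation(inventory: List[Identity], today: date) -> List[str]:
    """Identities that should be revoked now: still active although their need has expired."""
    return sorted(i.identity_id for i in inventory
                  if i.active and i.needed_until is not None and i.needed_until < today)


if __name__ == "__main__":
    for identity_id, finding in lifecycle_findings(SAMPLE_INVENTORY, TODAY):
        print(f"{identity_id:12} {finding}")
    print("deactivate now:", due_for_deactivation(SAMPLE_INVENTORY, TODAY))
```

Run on a live export from your IAM system rather than the constructed sample, `due_for_deactivation` gives the list a ticket or workflow should act on the same day, which is what the “timely” revocation expectation comes down to in practice, while `lifecycle_findings` is the evidence an auditor can be shown for the periodic review and for the handling of non-human identities.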

Why This Change is a Step Forward

The transition from the 2013 version to the 2022 version for Annex A 5.16 might seem like a small change in wording, but it represents a massive shift in security philosophy. By focusing on “Identity,” the standard helps organisations protect themselves against modern threats like credential stuffing and sophisticated social engineering. It forces us to think about security at the individual level, ensuring that every “entity” on our network is accounted for.

For those looking to simplify this transition, using updated templates and gap analysis tools from resources like Hightable.io can make the process much smoother, ensuring you meet the 2022 requirements without overcomplicating your internal processes.