
ISO 27001 Control 5.16: Identity Management

  • Writer: Alan Parker
  • Jan 13
  • 2 min read

Identity Management: A Foundation of Information Security

Effective identity management is a critical element in securing organisational assets and ensuring that only authorised entities can access sensitive systems and data. By implementing a robust identity management framework, organisations can maintain accountability, improve access control, and reduce the risks of unauthorised access.


Purpose of Identity Management

The key objectives of identity management are to:

  • Ensure unique identification of individuals and systems accessing organisational resources.

  • Facilitate accurate and appropriate assignment of access rights.

  • Maintain accountability for actions performed using specific identities.


Principles for Managing Identity Lifecycles

A comprehensive identity management process should adhere to the following principles:


1. Unique and Accountable Identities

  • Each identity must be uniquely linked to a single individual to ensure full accountability.

  • Shared identities are permitted only for business-critical purposes and must undergo dedicated approval and documentation processes.


2. Management of Non-Human Entities

  • Identities assigned to non-human entities (e.g., systems, devices) must be subject to rigorous approval processes and ongoing oversight.


3. Prompt Deactivation of Identities

  • Identities must be disabled or removed as soon as they are no longer needed, such as:

    • When an individual leaves the organisation or changes roles.

    • When associated systems or devices are decommissioned.


4. Avoidance of Duplicate Identities

  • Each domain should assign a single identity to each entity, ensuring no duplication within the same context.


5. Event Record Maintenance

  • Maintain comprehensive records of significant events related to identity management, including identity creation, modification, and deactivation.


Processes for Identity Management

Organisations should establish clear processes to handle:

  • Updates to user identity information, including re-verification of documentation.

  • Integration and validation of third-party identities (e.g., social media credentials), ensuring trustworthiness and mitigating associated risks.


Lifecycle Stages of Identity Management

  1. Confirm Business Requirements: Validate the necessity of establishing an identity.

  2. Verify Identity: Authenticate the entity before issuing an identity.

  3. Establish Identity: Create and configure a unique identity.

  4. Activate Identity: Set up authentication mechanisms and activate the identity.

  5. Assign or Revoke Access Rights: Manage access permissions based on authorisation decisions.
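A practical way to check that an identity store actually follows the principles and lifecycle stages above is a periodic audit over the store and the HR leavers list. The block below is an added example, not part of the original post; the record fields, domain names and sample records are constructed for illustration.

```python
"""Audit check for the Control 5.16 principles above: duplicate personal identities in
one domain (principle 4), identities still active after the owner left (principle 3),
and shared or non-human identities with no approval record (principles 1 and 2).
Added example, not from the original post; fields and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Identity:
    identity_id: str
    domain: str                 # identity store the id lives in, e.g. "corp-ad"
    owner: Optional[str]        # accountable person; None for a non-human entity
    kind: str                   # "personal", "shared" or "service"
    active: bool
    approval_ref: Optional[str] = None  # approval record, required for shared/service

# Constructed sample identity store and HR leavers list (person -> last working day)
IDENTITIES = [
    Identity("alice", "corp-ad", "Alice", "personal", True),
    Identity("alice2", "corp-ad", "Alice", "personal", True),       # duplicate in same domain
    Identity("alice", "cloud-iam", "Alice", "personal", True),      # other domain: allowed
    Identity("bob", "corp-ad", "Bob", "personal", True),            # owner has left
    Identity("ops-shared", "corp-ad", "Ops Team", "shared", True),  # no approval record
    Identity("svc-backup", "corp-ad", None, "service", True, approval_ref="CHG-0042"),
]
LEAVERS = {"Bob": date(2024, 12, 31)}

def audit(identities: List[Identity], leavers: Dict[str, date], today: date) -> Dict[str, list]:
    """Return findings grouped by type; an empty list means that check passed."""
    findings: Dict[str, list] = {"DUPLICATE_IN_DOMAIN": [], "ACTIVE_AFTER_LEAVING": [],
                                 "NO_APPROVAL_RECORD": []}
    per_domain_owner: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for ident in identities:
        if ident.kind == "personal" and ident.owner is not None:
            per_domain_owner[(ident.domain, ident.owner)].append(ident.identity_id)
        # Principle 3: a leaver's identity must be disabled once the last day has passed
        if ident.active and ident.owner in leavers and leavers[ident.owner] <= today:
            findings["ACTIVE_AFTER_LEAVING"].append((ident.domain, ident.identity_id))
        # Principles 1 and 2: shared and non-human identities need a recorded approval
        if ident.kind in ("shared", "service") and not ident.approval_ref:
            findings["NO_APPROVAL_RECORD"].append((ident.domain, ident.identity_id))
    # Principle 4: one personal identity per person within a given domain
    for (domain, owner), ids in sorted(per_domain_owner.items()):
        if len(ids) > 1:
            findings["DUPLICATE_IN_DOMAIN"].append((domain, owner, sorted(ids)))
    return findings
```

Each finding maps back to the principle it violates, so the output doubles as the event record an auditor would expect under principle 5.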


Third-Party Identity Management

When using third-party-provided identities:

  • Ensure the third-party identities meet organisational trust requirements.

  • Mitigate risks by implementing appropriate controls over third-party authentication and access.


Benefits of Effective Identity Management


1. Enhanced Security

  • Minimise unauthorised access by ensuring proper identity verification and robust authentication processes.


2. Increased Accountability

  • Hold individuals accountable for actions performed under their assigned identities.


3. Efficient Access Control

  • Streamline the provisioning and revocation of access rights to meet organisational needs.


4. Compliance Assurance

  • Satisfy legal, regulatory, and contractual obligations related to data access and security.


Conclusion

Comprehensive identity management is indispensable for maintaining a secure organisational environment. By ensuring the unique identification of entities, managing identity lifecycles effectively, and implementing robust oversight, organisations can enhance their security posture, streamline operations, and comply with regulatory requirements. Adopting these practices fosters trust, accountability, and resilience in the face of evolving threats.


Iseo Blue Limited - UK Registered Company Number : 10215427 