
ISO 27001:2022 A.5.16 Identity management

This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.5.16, Identity management.

ISO 27001:2022 Control Description

The full lifecycle of identities shall be managed.

Purpose

To ensure the unique identification of individuals and systems accessing the organisation’s information and other associated assets, enabling the appropriate assignment of access rights.

Guidance on implementation

The processes used in the context of identity management should ensure that:

a) For identities assigned to persons, a specific identity is only linked to a single person, allowing accountability for actions performed with that specific identity;

b) Identities assigned to multiple persons (e.g. shared identities) are only permitted when necessary for business or operational reasons and are subject to dedicated approval and documentation;

c) Identities assigned to non-human entities are subject to appropriately segregated approval and independent ongoing oversight;

d) Identities are disabled or removed promptly when no longer required (e.g. if their associated entities are deleted or no longer used, or if the person linked to an identity has left the organisation or changed roles);

e) Within a specific domain, a single identity is mapped to a single entity, ensuring that multiple identities are not mapped to the same entity within the same context (i.e. avoiding duplicate identities);

f) Records of all significant events concerning the use and management of user identities and authentication information are maintained.
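In practice, requirements a) to e) are checked by periodically reconciling the identity store against the HR roster and the approval and review records. The Python script below is an added example and is not part of the standard or of this page: the identity inventory, HR roster, field names and thresholds (identities unused for 90 days count as dormant, non-human identities must be reviewed every 180 days) are all constructed assumptions. It returns one finding per breach, tagged with the clause it relates to; each finding is the kind of significant event that f) says should be recorded.

```python
"""Identity lifecycle audit over a constructed identity inventory.

Added example for ISO 27001:2022 A.5.16 a) to e). Every person, identity,
field name and threshold below is an assumption made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed HR roster: person id -> employment status
HR_ROSTER = {"p001": "active", "p002": "left", "p003": "active"}


@dataclass
class Identity:
    name: str                       # account name in the directory
    domain: str                     # directory or realm the identity lives in
    kind: str                       # "person", "shared" or "service"
    enabled: bool
    owners: List[str]               # person ids accountable for this identity
    last_used: date
    approval_ref: Optional[str] = None   # ticket approving a shared identity (b)
    reviewer: Optional[str] = None       # person doing independent oversight (c)
    last_review: Optional[date] = None


TODAY = date(2024, 6, 1)               # fixed clock so results are reproducible
DORMANT_AFTER = timedelta(days=90)     # assumed dormancy threshold
REVIEW_EVERY = timedelta(days=180)     # assumed review cycle for non-human identities

# Constructed inventory; comments state the defect each entry carries
INVENTORY = [
    Identity("alice", "corp", "person", True, ["p001"], date(2024, 5, 30)),
    Identity("bob", "corp", "person", True, ["p002"], date(2024, 2, 1)),         # owner has left
    Identity("alice2", "corp", "person", True, ["p001"], date(2024, 5, 1)),      # second identity for p001
    Identity("ops-shared", "corp", "shared", True, ["p001", "p003"],
             date(2024, 5, 29)),                                                  # no approval on record
    Identity("svc-backup", "corp", "service", True, ["p003"], date(2024, 5, 31),
             reviewer="p003", last_review=date(2023, 10, 1)),                     # self-reviewed, overdue
    Identity("svc-scan", "corp", "service", True, ["p001"], date(2024, 5, 31),
             reviewer="p003", last_review=date(2024, 4, 1)),                      # compliant
]


def audit(inventory, roster, today=TODAY):
    """Return a list of (identity name, clause letter, finding) tuples."""
    findings = []
    person_identities = defaultdict(list)   # (person id, domain) -> identity names
    for ident in inventory:
        # a) an identity assigned to a person must be linked to exactly one person
        if ident.kind == "person" and len(ident.owners) != 1:
            findings.append((ident.name, "a", f"person identity linked to {len(ident.owners)} people"))
        # b) shared identities are only allowed with a documented approval
        if ident.kind == "shared" and not ident.approval_ref:
            findings.append((ident.name, "b", "shared identity without documented approval"))
        # c) non-human identities need a reviewer who is not an owner, and a recent review
        if ident.kind == "service":
            if ident.reviewer is None or ident.reviewer in ident.owners:
                findings.append((ident.name, "c", "service identity lacks independent reviewer"))
            if ident.last_review is None or today - ident.last_review > REVIEW_EVERY:
                findings.append((ident.name, "c", "service identity review overdue"))
        # d) still enabled although the owner has left, or the identity is dormant
        if ident.enabled:
            departed = [o for o in ident.owners if roster.get(o) != "active"]
            if departed:
                findings.append((ident.name, "d", f"enabled but owner(s) {departed} no longer active"))
            elif today - ident.last_used > DORMANT_AFTER:
                findings.append((ident.name, "d", "enabled but unused for over 90 days"))
        # e) collect person identities per (person, domain) to detect duplicates
        if ident.kind == "person":
            for owner in ident.owners:
                person_identities[(owner, ident.domain)].append(ident.name)
    for (owner, domain), names in person_identities.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "e",
                             f"{owner} has {len(names)} identities in domain {domain}"))
    return findings


if __name__ == "__main__":
    for name, clause, text in audit(INVENTORY, HR_ROSTER):
        print(f"A.5.16 {clause}) {name}: {text}")
```

Running the script against the constructed data reports bob under d), ops-shared under b), svc-backup twice under c), and the alice/alice2 pair under e); svc-scan produces no finding. In a real deployment the inventory would be exported from the directory and the roster from the HR system, and each finding would be written to the same audit log that records the provisioning and deprovisioning events themselves.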

The organisation should have a supporting process in place to handle changes to information related to user identities. This process may include re-verification of trusted documents related to a person.

When using identities provided or issued by third parties (e.g. social media credentials), the organisation should ensure that these third-party identities provide the required level of trust and that any associated risks are known and sufficiently addressed. This may involve implementing controls related to third parties as well as controls associated with authentication information.

Other Information

Providing or revoking access to information and other associated assets is usually a multi-step procedure:

a) Confirming the business requirements for an identity to be established;

b) Verifying the identity of an entity before allocating it a logical identity;

c) Establishing an identity;

d) Configuring and activating the identity, which includes the configuration and initial setup of related authentication services;

e) Providing or revoking specific access rights to the identity, based on appropriate authorisation or entitlement decisions.