top of page

ISO27001:2022 - A5.16 Identity management

Updated: May 14

You’ll often find in ISO27001 that there are controls which sound very technical in nature, but in fact they are relatively easy to understand once you understand what the purpose of the control is. 


A5.16 is an example of the standard asking for something which many might see as being relatively obvious.


What does the standard require?

The standard states that “The full life cycle of identities should be managed.” (A5.16 Identity Management)


Before we start asking why this is required, let’s understand what is required.


When ISO27001 talks about ‘identities’, it’s referring to the identity of people or systems that might access your logical or physical processing facilities. 


Why is this required?

Under Annex A control A8.15 Logging, we’ll start talking about logging of events on your systems, but if everyone is using the same ‘identity’, or login details then how would you differentiate between individuals? 


We once helped a business who had suffered a catastrophic loss of data in their customer relationship management (CRM) system. All their 65,000 records had been downloaded, then erased from their system. It looked like a malicious attacker from outside their business had carried out the attack.


However, in the course of our investigation, we discovered that one user ID (identity) and password had been used to access their CRM. All of their 80 members of staff had the ID and password and used it regularly.  There was no way of knowing if the attack came from outside, or inside their business. Everyone was under suspicion, and it caused a lot of reputational damage with their clients, and negative feelings amongst the team.


(spoiler: We were able to identify through CCTV and physical access logs that the person responsible for the action was a disgruntled employee. But it took a lot of work to get this information and evidence together).


In addition to the risks posed by sharing passwords and login details, there is a very real possibility that sharing an ID and passwords is going to breach licence rules of the system.  Many software packages will charge a ‘per seat’ licence. Meaning they charge by the number of user IDs in their system. If we someone is using a shared ID you are breaching contractual obligations, and therefore in breach of ISO27001 (and the law!).


What the auditor is looking for

The auditor is not looking for a specific policy around identity management, but they want to know how you allocate new user IDs and passwords for people accessing your systems.  Your onboarding process should include a step whereby your IT representative will allocate the user with a new email address, login details and password.


You should be able to evidence a process that also sees the user ID being disabled in a timely manner. This again doesn’t need to be a documented process, but you should be able to talk through your ‘leaver process’, whereby the account is disabled at the time of dismissal or when the person has returned all assets.


One more thing; The auditor may ask if there are any occasions where you share login details and passwords, and the answer to this question is – never!


Q & A

Do I need a written policy?

No there is no need a documented policy or procedure for this control, but you should be able to talk through how IDs are allocated. The key areas for this will be your onboarding process, and leaver process. Again, these do not need to be documented processes, but you should be able to show how it works and provide evidence of it in action.


Is it possible to get this wrong?

If you share user IDs and passwords then you are in breach of a number of areas in ISO27001, but more importantly you are likely to be in breach of licence agreements, and therefore breaking the law.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This means that it requires little if any technical skill to implement. When you sign-up to a new system or service you should ensure there are enough licences purchased for your needs, and then outline who is responsible for allocating and revoking  the user IDs.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.

7 views0 comments


bottom of page