ISO 27001:2022 Annex A Control 5.16

Identity Management


The revised ISO 27001:2022 Annex A 5.16 Identity Management establishes a framework for approving, registering, and administering human and non-human identities on any network – defined as the “full lifecycle”.

On a computer network, an identity represents an entity (a user, group of users, device, or IT asset) and determines which hardware and software resources that entity is able to access.

What Does ISO 27001:2022 Annex A 5.16 Do?

The purpose of Annex A 5.16 is to describe how an organisation can identify who (users, groups of users) or what (applications, systems, and devices) is accessing data or IT assets at any given moment, and how those identities are granted access rights.

As a preventative measure, Annex A 5.16 aims to manage risk by establishing the main perimeter for all related information security and cyber security operations, as well as the primary mode of governance that determines an organisation’s Identity and Access Management process.

Ownership of Annex A 5.16

Considering that ISO 27001:2022 Annex A 5.16 serves primarily as a maintenance function, ownership should be given to IT staff with Global Administrator rights (or the equivalent for non-Windows infrastructure).

Beyond other built-in roles that allow users to manage identities (such as Domain Administrator), ownership of Annex A 5.16 should sit with the individual responsible for the organisation’s entire network, including all subdomains and Active Directory tenants.


General Guidance on ISO 27001:2022 Annex A 5.16

Annex A 5.16 compliance is achieved by expressing identity-based procedures clearly in policy documents and monitoring staff adherence on a daily basis.

Six procedures are listed in Annex A 5.16 to ensure that an organisation meets the requisite standards of infosec and cybersecurity governance:

  1. Whenever an identity is assigned to a person, that person is the only one who can authenticate with that identity and/or use it when accessing network resources. Achieving compliance means IT policies must stipulate clearly that users are not to share login information, or allow other users to roam the network using any identity other than the one they have been given.

  2. In some cases, it may be necessary to assign a single identity to several people, known as a ‘shared identity’. Only use this approach when an explicit set of operational requirements calls for it. To achieve compliance, registration of shared identities should be handled separately from single-user registration, with a dedicated approval process.

  3. ‘Non-human’ entities (any identity that isn’t tied to a real person) should be treated differently from user-based identities at registration. A non-human identity should also have its own approval and registration process, acknowledging the fundamental difference between assigning an identity to a person and granting one to an asset, application or device.

  4. In the event of a departure, redundant assets, or other identities that are no longer required, a network administrator should disable them or remove them completely. The IT department should conduct regular audits to determine which identities are being used, and which can be suspended or deleted. It is important for HR staff to include identity management in offboarding procedures, and to inform IT staff immediately when a leaver departs.

  5. It is imperative to avoid duplicate identities at all costs. A ‘one entity, one identity’ rule should be followed by all organisations. To comply, IT staff should ensure that entities do not receive access rights based on more than one identity when assigning roles across a network.

  6. Identity management and authentication information should be documented adequately for all ‘significant events’. The term ‘significant event’ can be interpreted in different ways, but at a basic level organisations need to make sure that their governance procedures include a comprehensive list of assigned identities at any given time, together with robust change request protocols and appropriate approval procedures.
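The regular audit that procedures 2 to 5 call for can be expressed as a handful of checks over an identity register. The script below is an added illustration, not code from ISMS.online or from the standard; the register, the HR leaver feed, the 90-day unused threshold and the `Identity` record layout are all constructed assumptions.

```python
from collections import Counter, namedtuple
from datetime import date

# Constructed register layout (assumption): one record per identity, holding the
# facts Annex A 5.16 asks an organisation to track: the owning entity, whether
# it is human / shared / non-human, its approval reference and its last use.
Identity = namedtuple("Identity", "id owner kind enabled approval last_used")

REGISTER = [  # constructed sample data, not real accounts
    Identity("jsmith",     "E1001",    "human",     True, "CR-101", date(2024, 5, 30)),
    Identity("jsmith2",    "E1001",    "human",     True, "CR-102", date(2024, 5, 29)),
    Identity("svc-backup", "ASSET-77", "non-human", True, "",       date(2024, 5, 30)),
    Identity("ops-shared", "TEAM-OPS", "shared",    True, "SHR-7",  date(2024, 1, 2)),
    Identity("pjones",     "E1002",    "human",     True, "CR-090", date(2024, 3, 1)),
]
LEAVERS = {"E1002"}      # constructed HR offboarding feed (entity ids of leavers)
UNUSED_DAYS = 90         # assumed review threshold for dormant identities


def audit(register, leavers, today, unused_days=UNUSED_DAYS):
    """Return (identity id, finding) pairs for the Annex A 5.16 checks."""
    findings = []
    # 'one entity, one identity': count human identities per owning entity
    per_owner = Counter(r.owner for r in register if r.kind == "human")
    for r in register:
        if r.kind == "human" and per_owner[r.owner] > 1:
            findings.append((r.id, "duplicate identity for entity " + r.owner))
        # offboarding: a leaver's identity must already be disabled or removed
        if r.owner in leavers and r.enabled:
            findings.append((r.id, "owner has left but identity is still enabled"))
        # shared and non-human identities need their own documented approval
        if r.kind in ("shared", "non-human") and not r.approval:
            findings.append((r.id, "no dedicated approval record for %s identity" % r.kind))
        # periodic review: dormant identities are candidates for suspension
        if r.enabled and (today - r.last_used).days > unused_days:
            findings.append((r.id, "unused for more than %d days; review for suspension" % unused_days))
    return findings


if __name__ == "__main__":
    for ident, finding in audit(REGISTER, LEAVERS, date(2024, 6, 1)):
        print(f"{ident}: {finding}")
```

Run against the sample register on 2024-06-01 it reports the duplicate pair, the still-enabled leaver, the service account with no approval record, and two dormant identities.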

Additional Supplementary Guidance for Annex A 5.16

When creating an identity and granting it access to network resources, Annex A 5.16 also lists four steps that businesses need to follow (amending or removing access rights is covered in ISO 27001:2022 Annex A 5.18):

  1. Establish a business case before creating an identity. Every time an identity is created, identity management becomes exponentially more challenging, so organisations should create new identities only when it is clearly necessary.

  2. Make sure that the entity (human or non-human) assigned an identity has been independently verified. Identity and Access Management procedures should ensure that, once the business case has been approved, the individual or asset receiving a new identity has the required authority before the identity is created.

  3. Create the identity. Your IT staff should build the identity in line with the business case requirements, limited to what is outlined in any change request documentation.

  4. Complete the final configuration steps for the identity. As the last step in the process, the identity is assigned its access-based permissions and roles (RBAC) as well as any authentication services required.

What Are the Changes From ISO 27001:2013?

ISO 27001:2022 Annex A 5.16 replaces ISO 27001:2013 A.9.2.1 (formerly known as ‘User Registration and Deregistration’).

While the two controls share some striking similarities – primarily in maintenance protocols and deactivating redundant IDs – Annex A 5.16 contains a comprehensive set of guidelines that deal with Identity and Access Management as a whole.

Annex A 5.16 Human vs. Non-human Identities Explained

The 2022 Annex differs from its predecessor in that, although their registration processes remain separate, human and non-human identities are no longer treated separately when it comes to general network administration.

It has become more common in IT governance and best practice guidelines to talk about human and non-human identities interchangeably since the advent of modern Identity and Access Management and Windows-based RBAC protocols.

In Annex A 9.2.1 of ISO 27001:2013, there is no guidance on how to manage non-human identities, and the text is concerned only with managing what it calls ‘User IDs’ (i.e. login information along with a password that’s used to access a network).

ISO 27001:2022 Annex A 5.16 Documentation

Annex A 5.16 provides explicit guidance on both the general security implications of identity governance, and how organisations should record and process information prior to the assigning of identities, as well as throughout the lifecycle of the identity.

Comparatively, ISO 27001:2013 A.9.2.1 only briefly mentions the IT governance role that surrounds the administration of identities, and limits itself to the physical practice of identity administration.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence
Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management
Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information
Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer
Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management
Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information
Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence
Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security
Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working
People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters
Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises
Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware
Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities
Technological Controls | Annex A 8.9 | NEW | Configuration Management
Technological Controls | Annex A 8.10 | NEW | Information Deletion
Technological Controls | Annex A 8.11 | NEW | Data Masking
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities
Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs
Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks
Technological Controls | Annex A 8.23 | NEW | Web filtering
Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle
Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles
Technological Controls | Annex A 8.28 | NEW | Secure Coding
Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development
Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments
Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing

How ISMS.online Helps You Achieve Annex A 5.16 Compliance

As long as you update your security management system’s processes to reflect the improved controls, you will be in compliance with ISO 27001:2022. This can be handled by ISMS.online if you do not have the necessary resources in house.

We simplify ISO 27001:2022 implementation through our intuitive workflow and tools, including frameworks, policies, controls, actionable documentation, and guidance. With our cloud-based software, you can manage all your ISMS solutions in one place.

Our platform allows you to define the scope of your ISMS, identify risks, and implement controls easily.

To learn more about how ISMS.online can assist you in achieving your ISO 27001 objectives, please get in touch today to book a demo.
