ISO 27002:2022, Control 5.16 – Identity Management

ISO 27002:2022 Revised Controls

Book a demo

close,up,on,hands,of,a,black,african,american,man

Identities are used by computer networks to identify an entity’s (a user, group of users, device or IT asset) underlying ability to access a predetermined set of hardware and software resources.

Control 5.16 deals with the approval, registration and administration – defined as the ‘full lifecycle’ – of human and non-human identities on any given network.

Purpose

5.16 deals with an organisation’s ability to identify who (users, groups of users) or what (applications, systems and devices) is accessing data or IT assets at any given time, and how those identities are granted access rights across the network.

5.16 is a preventative control that maintains risk by acting as the main perimeter for all associated information security and cybersecurity operations, as well as the primary mode governance that dictates an organisation’s Identity and Access Management framework.

Attributes Table

Control typeInformation security propertiesCybersecurity conceptsOperational capabilitiesSecurity domains
#Preventative#Confidentiality #Integrity #Availability#Protect#Identity and access management#Protection

Ownership

Given that 5.16 serves what is primarily a maintenance function, ownership should be directed towards IT staff who have been assigned Global Administrator rights (or equivalent for non-Windows based infrastructure).

Whilst there are other built-in roles that allow users to administer identities (e.g. Domain Administrator), ownership of 5.16 should rest with the individual who has ultimate responsibility for an organisation’s entire network, including all subdomains and Active Directory tenants.

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

General Guidance

Compliance with control 5.16 is achieved through a combination of ensuring that identity-based procedures are clearly articulated in policy documents, and monitoring day-to-day adherence among staff.

5.16 lists six main procedures that an organisation needs to follow, in order to meet the requisite standards of infosec and cybersecurity governance:

  • Where identities are assigned to a person, only that specific person is allowed to authenticate with and/or use that identity, when accessing network resources.

    Compliance – IT policies need to clearly stipulate that users are not to share login information, or allow other users to roam the network using any identity other than the one they’ve been assigned.

  • Sometimes it may be necessary to assign an identity to multiple people – also known as a ‘shared identity’. This approach should be used sparingly, and only to satisfy an explicit set of operational requirements.

    Compliance – Organisations should treat the registration of shared identities as a separate procedure to single user identities, with a dedicated approval workflow.

  • So-called ‘non-human’ entities (as the name suggests, any identity that isn’t attached to an actual user) should be considered differently to user-based identities at the point of registration.

    Compliance – As with shared identities, non-human identities should in turn have their own approval and registration process that acknowledges the underlying difference between assigning an identity to a person, and granting one to an asset, application or device.

  • Identities that are no longer required (leavers, redundant assets etc.) should be disabled by a network administrator, or removed entirely, as is required.

    Compliance – IT staff should carry out regular audits that list identities in order of use, and identify which entities (human or non-human) are able to be suspended or deleted. HR staff should include identity management in their offboarding procedures, and inform IT staff of leavers in a timely manner.

  • Duplicate identities should be avoided at all costs. Firms should adhere to a ‘one entity, one identity’ rule across the board.

    Compliance – IT staff should remain vigilant when assigning roles across a network, and ensure that entities aren’t granted access rights based on multiple identities.

  • Adequate records should be kept of all ‘significant events’ regarding identity management and authentication information.

    Compliance – The term ‘significant event’ can be interpreted in various ways, but on a basic level organisations need to ensure that their governance procedures include identity registration documentation, robust change request protocols with an appropriate approvals procedure, and the ability to produce a comprehensive list of assigned identities at any given time.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Supplementary Guidance

As well as the six main operational considerations, 5.16 also lists four steps that organisations need to follow when creating an identity, and granting it access to network resources (amending or removing access rights is dealt with in control 5.18):

  • Establish a business case prior to an identity being created

    Compliance – It’s important to acknowledge that identity management becomes exponentially more difficult with every new identity that’s created. Organisations should create new identities only when there is a clear need to do so.

  • Ensure that the entity that’s being assigned the identity (human or non-human) has been independently verified.

    Compliance – Once a business case has been approved, Identity and Access Management procedures should contain steps to ensure that the person or asset who is receiving a new identity has the requisite authority to do so, prior to an identity being created.

  • Establishing an identity

    Once the entity has been verified, IT staff should create an identity that’s in-line with the business case requirements, and is limited to what is stipulated in any change request documentations.

  • Final configuration and activation

    The final step in the process involves assigning an identity to its various access-based permissions and roles (RBAC), and any associated authentication services that are required.

Changes from ISO 27002:2013

General

27002:2022 / 5.16 replaces 27002:2013/9.2.1 (User Registration and De-registration) – which itself formed part of 27002:2013’s User Access Management control set. Whilst there are some similarities between the two controls – mostly in maintenance protocols, and deactivating redundant IDs – 5.16 contains a far more comprehensive set of guidelines that seek to address Identity and Access Management as an end-to-end concept.

Human vs. Non-human Identities

The main difference between the 2022 control and its 2013 predecessor is the acknowledgement that whilst there are differences in the registration process, human and non-human identities are no longer treated as distinct from one another, for general network administration purposes.

With the onset of modern Identity and Access Management and Windows-based RBAC protocols, IT governance and best practice guidelines speak of human and non-human identities more or less interchangeably. 27002:2013/9.2.1 contains no guidance on how to administer non-human identities, and concerns itself solely with the management of what it refers to as ‘User IDs’ (i.e. login information that’s used to access a network, along with a password).

Documentation

As we’ve seen, 27002:2013/5.16 contains explicit guidance on not only the general security implications of identity governance, but also how organisations should record and process information prior to an identity being assigned, and throughout its lifecycle. In comparison, 27002:2013/9.2.1 only briefly mentions the accompanying role that IT governance plays, and limits itself to the physical practice of identity administration, as carried out by IT staff.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing

ISMS.online will save you time and money

Get your quote

Explore ISMS.online's platform with a self-guided tour - Start Now