Identities are used by computer networks to identify an entity’s (a user, group of users, device or IT asset) underlying ability to access a predetermined set of hardware and software resources.
Control 5.16 deals with the approval, registration and administration – defined as the ‘full lifecycle’ – of human and non-human identities on any given network.
5.16 deals with an organisation’s ability to identify who (users, groups of users) or what (applications, systems and devices) is accessing data or IT assets at any given time, and how those identities are granted access rights across the network.
5.16 is a preventative control that maintains risk by acting as the main perimeter for all associated information security and cybersecurity operations, as well as the primary mode governance that dictates an organisation’s Identity and Access Management framework.
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventative | #Confidentiality #Integrity #Availability | #Protect | #Identity and access management | #Protection |
Given that 5.16 serves what is primarily a maintenance function, ownership should be directed towards IT staff who have been assigned Global Administrator rights (or equivalent for non-Windows based infrastructure).
Whilst there are other built-in roles that allow users to administer identities (e.g. Domain Administrator), ownership of 5.16 should rest with the individual who has ultimate responsibility for an organisation’s entire network, including all subdomains and Active Directory tenants.
Compliance with control 5.16 is achieved through a combination of ensuring that identity-based procedures are clearly articulated in policy documents, and monitoring day-to-day adherence among staff.
5.16 lists six main procedures that an organisation needs to follow, in order to meet the requisite standards of infosec and cybersecurity governance:
Compliance – IT policies need to clearly stipulate that users are not to share login information, or allow other users to roam the network using any identity other than the one they’ve been assigned.
Compliance – Organisations should treat the registration of shared identities as a separate procedure to single user identities, with a dedicated approval workflow.
Compliance – As with shared identities, non-human identities should in turn have their own approval and registration process that acknowledges the underlying difference between assigning an identity to a person, and granting one to an asset, application or device.
Compliance – IT staff should carry out regular audits that list identities in order of use, and identify which entities (human or non-human) are able to be suspended or deleted. HR staff should include identity management in their offboarding procedures, and inform IT staff of leavers in a timely manner.
Compliance – IT staff should remain vigilant when assigning roles across a network, and ensure that entities aren’t granted access rights based on multiple identities.
Compliance – The term ‘significant event’ can be interpreted in various ways, but on a basic level organisations need to ensure that their governance procedures include identity registration documentation, robust change request protocols with an appropriate approvals procedure, and the ability to produce a comprehensive list of assigned identities at any given time.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
As well as the six main operational considerations, 5.16 also lists four steps that organisations need to follow when creating an identity, and granting it access to network resources (amending or removing access rights is dealt with in control 5.18):
Compliance – It’s important to acknowledge that identity management becomes exponentially more difficult with every new identity that’s created. Organisations should create new identities only when there is a clear need to do so.
Compliance – Once a business case has been approved, Identity and Access Management procedures should contain steps to ensure that the person or asset who is receiving a new identity has the requisite authority to do so, prior to an identity being created.
Once the entity has been verified, IT staff should create an identity that’s in-line with the business case requirements, and is limited to what is stipulated in any change request documentations.
27002:2022 / 5.16 replaces 27002:2013/9.2.1 (User Registration and De-registration) – which itself formed part of 27002:2013’s User Access Management control set. Whilst there are some similarities between the two controls – mostly in maintenance protocols, and deactivating redundant IDs – 5.16 contains a far more comprehensive set of guidelines that seek to address Identity and Access Management as an end-to-end concept.
The main difference between the 2022 control and its 2013 predecessor is the acknowledgement that whilst there are differences in the registration process, human and non-human identities are no longer treated as distinct from one another, for general network administration purposes.
With the onset of modern Identity and Access Management and Windows-based RBAC protocols, IT governance and best practice guidelines speak of human and non-human identities more or less interchangeably. 27002:2013/9.2.1 contains no guidance on how to administer non-human identities, and concerns itself solely with the management of what it refers to as ‘User IDs’ (i.e. login information that’s used to access a network, along with a password).
As we’ve seen, 27002:2013/5.16 contains explicit guidance on not only the general security implications of identity governance, but also how organisations should record and process information prior to an identity being assigned, and throughout its lifecycle. In comparison, 27002:2013/9.2.1 only briefly mentions the accompanying role that IT governance plays, and limits itself to the physical practice of identity administration, as carried out by IT staff.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
ISMS.online will save you time and money
Get your quote
