ISO 27001:2022 - ISO 27002:2022: Annex A Clause 5.16 Identity Management
Control Statement
The full life cycle of identities should be managed.
Requirement
The primary requirement of access control is managing the identity. An identity
can be associated with a human individual or with a system. These identities
uniquely identify the entities accessing the information assets, and a formal user
registration and de-registration process needs to be followed to enable the
appropriate assignment of access rights.
Implementation
Every user should be formally and uniquely registered by the organization, and a record
maintained of each information system, network or service which a user has a business
requirement to access. Failure to control registration can result in a breach of
confidentiality, unauthorized modification, and/or loss.
The sharing of user IDs almost guarantees the loss of accountability, as actions cannot be
unambiguously traced to individuals. This can then lead to a loss of confidentiality,
integrity, and availability. Users should therefore each have a unique identifier for every
system they have the authorization to access.
In those few cases where it is not possible to have individual IDs, the organization
should implement a manual process to track who is using the ID at any given time,
ensure that it cannot be used by more than one person at any time, and change the
authentication credentials whenever the ID is passed to a new custodian.
• A process should be in place to register a user, grant access, revoke access, and
deregister a user.
• When a user joins an organization, an identity should be registered with only the bare
minimum default access, such as email, device login, and intranet business
applications.
• Providing or revoking any additional access should be documented via a service desk
system and should have a valid business justification.
• It is recommended that any additional access should have an authorization approval
mechanism in place.
• Guidelines should be in place for configuring and activating the identity.
• Additional access rights should be revoked when there is no longer a business need.
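The register / grant / revoke / deregister life cycle above, together with the custodian tracking and credential change required for the shared-ID exception, can be expressed as enforcement logic rather than left as a paper procedure. The following Python is an added example written for this page; it is not code from the original document or from the ISO standard. The default access set (email, device login, intranet applications), the ticket identifiers and the user names are constructed illustrations, and the "system" names are placeholders for whatever the organization records as systems a user has a business need to access.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Default access every joiner receives at registration (constructed set, following the
# "bare minimum and default access" guidance: email, device login, intranet apps).
DEFAULT_ACCESS = frozenset({"email", "device_login", "intranet_apps"})


@dataclass
class Identity:
    user_id: str                     # unique identifier, never shared between people
    owner: str                       # the human individual or system it belongs to
    active: bool = True
    access: set = field(default_factory=set)


@dataclass
class SharedIdentity:
    """Exception case: an ID that cannot be individual, so custody is tracked instead."""
    shared_id: str
    secret: str
    custodian: Optional[str] = None  # who holds it right now; None when nobody does


class IdentityRegistry:
    def __init__(self):
        self.identities: dict = {}
        self.shared: dict = {}
        self.audit: list = []        # every lifecycle event, so actions stay traceable

    def _log(self, event: str, **details):
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "event": event, **details})

    def _active(self, user_id: str) -> Identity:
        ident = self.identities.get(user_id)
        if ident is None or not ident.active:
            raise LookupError(f"no active identity {user_id!r}")
        return ident

    # --- lifecycle: register -> grant -> revoke -> deregister ----------------------
    def register(self, user_id: str, owner: str) -> Identity:
        if user_id in self.identities:            # uniqueness of the identifier
            raise ValueError(f"identifier {user_id!r} already registered")
        ident = Identity(user_id, owner, access=set(DEFAULT_ACCESS))
        self.identities[user_id] = ident
        self._log("register", user_id=user_id, owner=owner, access=sorted(ident.access))
        return ident

    def grant(self, user_id: str, system: str, ticket: str,
              justification: str, approver: str) -> None:
        ident = self._active(user_id)
        # additional access is documented via a ticket, justified, and approved
        if not (ticket and justification.strip() and approver):
            raise ValueError("additional access needs ticket, justification and approver")
        ident.access.add(system)
        self._log("grant", user_id=user_id, system=system, ticket=ticket,
                  justification=justification, approver=approver)

    def revoke(self, user_id: str, system: str, ticket: str, reason: str) -> None:
        ident = self._active(user_id)
        ident.access.discard(system)
        self._log("revoke", user_id=user_id, system=system, ticket=ticket, reason=reason)

    def deregister(self, user_id: str, ticket: str) -> None:
        ident = self._active(user_id)
        for system in sorted(ident.access):       # sorted() copies, so discarding is safe
            self.revoke(user_id, system, ticket, "deregistration")
        ident.active = False
        self._log("deregister", user_id=user_id, ticket=ticket)

    # --- shared IDs: one custodian at a time, credentials changed on every hand-over --
    def add_shared(self, shared_id: str) -> SharedIdentity:
        s = SharedIdentity(shared_id, secrets.token_urlsafe(24))
        self.shared[shared_id] = s
        self._log("shared_create", shared_id=shared_id)
        return s

    def check_out(self, shared_id: str, custodian: str) -> str:
        s = self.shared[shared_id]
        if s.custodian is not None:               # never two holders at the same time
            raise PermissionError(f"{shared_id} is currently held by {s.custodian}")
        s.custodian = custodian
        self._log("shared_check_out", shared_id=shared_id, custodian=custodian)
        return s.secret

    def check_in(self, shared_id: str, custodian: str) -> None:
        s = self.shared[shared_id]
        if s.custodian != custodian:
            raise PermissionError(f"{custodian} does not hold {shared_id}")
        s.custodian = None
        s.secret = secrets.token_urlsafe(24)      # previous custodian's credential dies here
        self._log("shared_check_in", shared_id=shared_id, custodian=custodian)

    def custodians(self, shared_id: str) -> list:
        """Who has held a shared ID, in order, reconstructed from the audit trail."""
        return [e["custodian"] for e in self.audit
                if e["event"] == "shared_check_out" and e["shared_id"] == shared_id]
```

The audit list is what gives accountability: every grant carries the ticket, justification and approver, every revocation a reason, and the custody log answers "who was using the shared ID at that time" without relying on memory. In a real deployment the audit records would be written to an append-only store rather than a Python list.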
https://www.linkedin.com/in/dipendas1979/
Control attributes
Control type:                 #Preventive
Infosec properties:           #Confidentiality #Integrity #Availability
Cybersecurity concepts:       #Protect
Operational capabilities:     #Identity_and_access_management
Security domains:             #Protection