UnixTime

Research Note

ISO 27001 A.5.16 - Identity Management

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“The full life cycle of identities shall be managed.”

Plain-language meaning

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

The identity lifecycle includes registration, authorization, provisioning, changes, review, de-registration, and handling of exceptional shared identities.

Why this matters

If identities are not managed, accounts remain live after people leave, privileges drift after role changes, and shared accounts destroy accountability.

Identity management applies to all users of information processing facilities, including:

  • employees;
  • contractors;
  • managers;
  • administrators;
  • application users;
  • technical support;
  • developers;
  • third-party users;
  • service accounts where applicable.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Uniquely register identities

Each user should have a unique identity wherever possible.

Unique identities support:

  • accountability;
  • access review;
  • incident investigation;
  • non-repudiation where relevant;
  • prompt deactivation;
  • least privilege.

Shared accounts should be avoided because they make it difficult or impossible to know who did what.

2. Manage the full lifecycle

Identity lifecycle stages:

Stage Control objective
Joiner Identity created from authorized onboarding request
Access assignment Access linked to business need and approval
Mover Identity and access updated when role changes
Leaver Identity disabled or removed promptly
Periodic review Live identities and privileges checked
Exception Shared or emergency identity controlled and justified

The process should be documented and logged.

3. Match identities to documented authorizations

System identities should match registered users and approved access.

Audit failure pattern:

  • HR says user left.
  • System account is still active.
  • Access review did not catch it.
  • Logs show activity but no one knows whether it was authorized.

4. Do not reissue redundant identities

Do not reuse old user IDs for new users.

Reissuing identities risks:

  • inheriting old access;
  • confusing logs;
  • corrupting accountability;
  • exposing old data or permissions.

5. Control unavoidable shared identities

Shared identities should be rare and justified.

If unavoidable:

  • document the risk assessment;
  • authorize the shared identity;
  • restrict use;
  • prevent simultaneous uncontrolled use where possible;
  • log who used it and when;
  • change credentials when custody changes;
  • review continued need;
  • replace with individual identities when technically feasible.

Manual tracking is a compensating control, not a preferred design.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should test whether identity management works in practice, not just whether account creation forms exist.

Audit tests:

  • sample starters, movers, and leavers;
  • compare HR records to system accounts;
  • compare documented authorizations to actual privileges;
  • check account creation and deletion logs;
  • review live identities for orphaned accounts;
  • inspect administrator and service identities;
  • review shared identities and their risk justification;
  • verify that redundant identities are not reused.

The auditor should include all user types, not only ordinary employees.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Identity lifecycle procedure Process is documented
Joiner/mover/leaver records Identity changes follow personnel events
Account creation/deletion logs Provisioning and deprovisioning are logged
Authorization records Identities and access are approved
Live identity review records Orphaned accounts are detected
HR-to-system reconciliation Accounts match active users
Shared account risk assessment Exceptions are justified
Shared account usage log Accountability is partially restored
Credential custody records Shared identity control is maintained
Non-reuse rule Old identities are not reassigned

Strong evidence

  • Identities are unique and tied to registered users.
  • Joiner, mover, and leaver processes are documented and logged.
  • Leavers are promptly disabled or removed.
  • Live identities are periodically reviewed against HR or authoritative source records.
  • System privileges match documented authorization.
  • Shared identities are rare, risk-assessed, authorized, logged, and reviewed.
  • Redundant identities are not reissued.

Weak evidence

  • Shared accounts are common.
  • Accounts remain active after termination.
  • Identity creation is informal.
  • No reconciliation between HR and systems.
  • System accounts do not match documented authorizations.
  • Privileges drift after role changes.
  • Shared account passwords are not changed when custody changes.
  • Old usernames are reused.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Shared accounts Accountability is lost
No prompt leaver process Former users retain access
Movers not processed Access accumulates
No identity review Orphaned accounts persist
User IDs reused Logs and access history become unreliable
Exceptions not risk-assessed Shared or emergency identities become normal
Admin identities excluded Highest-risk accounts remain unmanaged

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Identity management is about the full lifecycle, not only account creation.
  • “User” includes administrators, support personnel, programmers, managers, application users, and third-party users.
  • Unique identities support accountability.
  • Shared identities are not automatically acceptable; they need justification and compensating controls.
  • Redundant identities should not be reissued.
  • Identity management and access control are related but different: identity says who the user is; access control says what they can use.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.16 requires the full identity lifecycle to be managed. Each user should have a unique identity where possible. Identities should be created, changed, reviewed, disabled, and removed through documented processes. Shared identities should be rare, justified, authorized, tracked, and reviewed because they weaken accountability.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Identity management
  • User lifecycle
  • Accountability
  • Audit

Note Metadata

Aliases: A.5.16, Identity Management

Source: 02 Annex A Organizational Controls/A.5.16 Identity Management.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.