Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“The full life cycle of identities shall be managed.”
Plain-language meaning
Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.
The identity lifecycle includes registration, authorization, provisioning, changes, review, de-registration, and handling of exceptional shared identities.
Why this matters
If identities are not managed, accounts remain live after people leave, privileges drift after role changes, and shared accounts destroy accountability.
Identity management applies to all users of information processing facilities, including:
- employees;
- contractors;
- managers;
- administrators;
- application users;
- technical support;
- developers;
- third-party users;
- service accounts where applicable.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Uniquely register identities
Each user should have a unique identity wherever possible.
Unique identities support:
- accountability;
- access review;
- incident investigation;
- non-repudiation where relevant;
- prompt deactivation;
- least privilege.
Shared accounts should be avoided because they make it difficult or impossible to know who did what.
2. Manage the full lifecycle
Identity lifecycle stages:
| Stage | Control objective |
|---|---|
| Joiner | Identity created from authorized onboarding request |
| Access assignment | Access linked to business need and approval |
| Mover | Identity and access updated when role changes |
| Leaver | Identity disabled or removed promptly |
| Periodic review | Live identities and privileges checked |
| Exception | Shared or emergency identity controlled and justified |
The process should be documented and logged.
3. Match identities to documented authorizations
System identities should match registered users and approved access.
Audit failure pattern:
- HR says user left.
- System account is still active.
- Access review did not catch it.
- Logs show activity but no one knows whether it was authorized.
4. Do not reissue redundant identities
Do not reuse old user IDs for new users.
Reissuing identities risks:
- inheriting old access;
- confusing logs;
- corrupting accountability;
- exposing old data or permissions.
5. Control unavoidable shared identities
Shared identities should be rare and justified.
If unavoidable:
- document the risk assessment;
- authorize the shared identity;
- restrict use;
- prevent simultaneous uncontrolled use where possible;
- log who used it and when;
- change credentials when custody changes;
- review continued need;
- replace with individual identities when technically feasible.
Manual tracking is a compensating control, not a preferred design.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should test whether identity management works in practice, not just whether account creation forms exist.
Audit tests:
- sample starters, movers, and leavers;
- compare HR records to system accounts;
- compare documented authorizations to actual privileges;
- check account creation and deletion logs;
- review live identities for orphaned accounts;
- inspect administrator and service identities;
- review shared identities and their risk justification;
- verify that redundant identities are not reused.
The auditor should include all user types, not only ordinary employees.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Identity lifecycle procedure | Process is documented |
| Joiner/mover/leaver records | Identity changes follow personnel events |
| Account creation/deletion logs | Provisioning and deprovisioning are logged |
| Authorization records | Identities and access are approved |
| Live identity review records | Orphaned accounts are detected |
| HR-to-system reconciliation | Accounts match active users |
| Shared account risk assessment | Exceptions are justified |
| Shared account usage log | Accountability is partially restored |
| Credential custody records | Shared identity control is maintained |
| Non-reuse rule | Old identities are not reassigned |
Strong evidence
- Identities are unique and tied to registered users.
- Joiner, mover, and leaver processes are documented and logged.
- Leavers are promptly disabled or removed.
- Live identities are periodically reviewed against HR or authoritative source records.
- System privileges match documented authorization.
- Shared identities are rare, risk-assessed, authorized, logged, and reviewed.
- Redundant identities are not reissued.
Weak evidence
- Shared accounts are common.
- Accounts remain active after termination.
- Identity creation is informal.
- No reconciliation between HR and systems.
- System accounts do not match documented authorizations.
- Privileges drift after role changes.
- Shared account passwords are not changed when custody changes.
- Old usernames are reused.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Shared accounts | Accountability is lost |
| No prompt leaver process | Former users retain access |
| Movers not processed | Access accumulates |
| No identity review | Orphaned accounts persist |
| User IDs reused | Logs and access history become unreliable |
| Exceptions not risk-assessed | Shared or emergency identities become normal |
| Admin identities excluded | Highest-risk accounts remain unmanaged |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Identity management is about the full lifecycle, not only account creation.
- “User” includes administrators, support personnel, programmers, managers, application users, and third-party users.
- Unique identities support accountability.
- Shared identities are not automatically acceptable; they need justification and compensating controls.
- Redundant identities should not be reissued.
- Identity management and access control are related but different: identity says who the user is; access control says what they can use.
Related controls and concepts
- A.5.15 Access Control
- A.5.11 Return of Assets
- A.5.2 Information Security Roles and Responsibilities
- A.5.3 Segregation of Duties
- Internal Audit
- Risk Assessment
- Access Control Matrix
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.16 requires the full identity lifecycle to be managed. Each user should have a unique identity where possible. Identities should be created, changed, reviewed, disabled, and removed through documented processes. Shared identities should be rare, justified, authorized, tracked, and reviewed because they weaken accountability.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Identity management
- User lifecycle
- Accountability
- Audit
Note Metadata
Aliases: A.5.16, Identity Management
Source: 02 Annex A Organizational Controls/A.5.16 Identity Management.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Access Control
- Internal Audit
- Risk Assessment
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.3 - Segregation of Duties
- A.5 Organizational Controls MOC
- A.5.16 Audit Evidence Pack
- A.5.17 Audit Evidence Pack
- AQ-ISO27001-A.5.16 Identity Management
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.5 - Secure Authentication
- A.8 Technological Controls MOC
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.16 Identity Management
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-009 - Access, Identity, Authentication, and Rights
- ISO 27002 Annex A Control Interpretation Map
- A.5.16 Audit Checklist
- Access Control Matrix
- Access Review Checklist
- Authentication Information Handling Standard
- Identity Lifecycle Register
- Annex A Controls MOC