Exam focus
Access control, identity management, authentication information, and access rights are connected but test different ideas.
Topic Summary
The access-related controls form a chain: define access rules, manage identities, protect authentication secrets, and grant/review/remove actual access rights.
Key Concepts
- A.5.15: access control rules and principles.
- A.5.16: identity lifecycle.
- A.5.17: authentication information such as passwords, tokens, keys, and recovery secrets.
- A.5.18: access rights request, approval, provisioning, review, modification, and removal.
Common Exam Traps
- Treating user IDs as authentication secrets.
- Treating access reviews as only checking whether users still exist.
- Treating identity creation as the whole identity lifecycle.
Related Notes
- Iso27001
- Exam
Note Metadata
Source: 09-Exam-Preparation/EXAM-009-Access-Identity-Authentication-Rights.md