ISO 27001:2022 Annex A Control 5.16
Identity Management
Annex A control 5.16 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 9.2.1.
Annex A control 5.16 sets out a framework for registering, approving, and administering non-human identities on any network. Computer networks use identities to establish what an entity is permitted to do, whether that entity is a user, a group of users, a device, or an IT asset.
Understanding Annex A control 5.16
Control 5.16 describes how an organisation can identify who or what is accessing data at any given time, and how those identities gained their access rights. Entities that access data fall into two groups: human (users or groups of users) and non-human (applications, systems, and devices).
By managing risk and defining the scope of all related information security operations, the control takes a preventive approach, addressing the core governance process that shapes a business's Identity and Access Management.
How to use control 5.16
In order to comply with Annex 5.16 an organisation should clearly express identity-based procedures in policy documents, as well as monitor staff adherence on a daily basis.
To make sure businesses meet cybersecurity standards, control 5.16 outlines six procedures. These are:
- Once an identity is assigned to an individual, only that individual can authenticate with it or use it to access resources. IT policies must clearly state that users must not share login information or allow others to use their identity.
- In specific situations, a single identity may need to be shared among several people, known as a “shared identity”. This approach should only be used when absolutely necessary. The registration process for shared identities must be distinct from that of single-user registration.
- Non-human entities require a different treatment compared to user-based identities. A non-human identity needs its own approval and registration process, recognizing the fundamental differences between assigning access to a person and granting an identity to an asset, device, or application.
- When a departure occurs, the redundant identities must be disabled and completely removed by a network administrator. Regular audits are essential to identify which identities are in use and which can be deleted. HR staff must promptly inform IT staff when someone leaves.
- Prevent duplicate identities at all costs. The principle of “one entity, one identity” must always be followed. Entities should not be given access rights based on multiple identities when roles are assigned across a network.
- Authentication information and identity management must be thoroughly documented for all significant events. Organisations must ensure their governance procedures include a comprehensive, always-current list of assigned identities and robust change request protocols with approval procedures.
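As an added illustration, not code from the page or from the standard, the following Python script audits a constructed identity register against four of the procedures above: one entity, one identity; identities of departed staff still active; shared identities registered through the ordinary process; and non-human identities lacking their own approval record. The register layout, the approval-reference prefixes and every name in it are assumptions.

```python
"""Audit a constructed identity register against control 5.16 procedures.

Added example; the register columns, HR roster, approval-reference
prefixes and all names below are constructed for illustration only.
"""
from collections import defaultdict

# Constructed identity register: one row per registered identity.
REGISTER = [
    {"id": "a.lee", "entity": "Alice Lee", "kind": "human", "shared": False, "approval": "CR-101", "active": True},
    {"id": "alee2", "entity": "Alice Lee", "kind": "human", "shared": False, "approval": "CR-150", "active": True},
    {"id": "b.khan", "entity": "Bilal Khan", "kind": "human", "shared": False, "approval": "CR-102", "active": True},
    {"id": "ops-oncall", "entity": "Operations team", "kind": "human", "shared": True, "approval": "CR-103", "active": True},
    {"id": "svc-backup", "entity": "backup-server-01", "kind": "non-human", "shared": False, "approval": "", "active": True},
    {"id": "svc-ci", "entity": "ci-runner", "kind": "non-human", "shared": False, "approval": "NH-007", "active": True},
]
# Constructed HR roster of people currently employed (Bilal Khan has left).
CURRENT_STAFF = {"Alice Lee"}
# Assumed convention: shared and non-human identities are registered through
# their own approval process, recognisable by a distinct reference prefix.
SHARED_APPROVAL_PREFIX = "SH-"
NONHUMAN_APPROVAL_PREFIX = "NH-"


def audit(register, current_staff):
    """Return sorted (finding, subject) pairs for every procedure violation."""
    findings = []
    identities_by_entity = defaultdict(list)
    for row in register:
        # "One entity, one identity": collect every identity per entity,
        # including disabled ones, since redundant identities must be removed.
        identities_by_entity[row["entity"]].append(row["id"])
        # Departure: a personal human identity whose owner is no longer on the
        # HR roster must already be disabled.
        if (row["kind"] == "human" and not row["shared"] and row["active"]
                and row["entity"] not in current_staff):
            findings.append(("departed-still-active", row["id"]))
        # Shared identities need a registration distinct from single-user ones.
        if row["shared"] and not row["approval"].startswith(SHARED_APPROVAL_PREFIX):
            findings.append(("shared-without-distinct-registration", row["id"]))
        # Non-human identities need their own approval and registration record.
        if row["kind"] == "non-human" and not row["approval"].startswith(NONHUMAN_APPROVAL_PREFIX):
            findings.append(("non-human-without-own-approval", row["id"]))
    for entity, ids in identities_by_entity.items():
        if len(ids) > 1:
            findings.append(("duplicate-identity", entity))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit(REGISTER, CURRENT_STAFF):
        print(f"{finding}: {subject}")
```

Run against a real register, the same checks would be fed from the identity store and the HR system rather than inline constants; the point is that each of the control's procedures maps to a concrete, repeatable check.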
Creating identities and granting access
There are four steps that businesses need to follow in control 5.16, outlining the process of creating an identity and granting it resource access rights. These are:
- Develop a business case before creating an identity. Each new identity increases the complexity of identity management, so organisations should only create new identities when absolutely necessary.
- Verify entities independently before assigning identities, whether they are human or non-human. Identity and Access Management procedures must ensure that individuals or assets have the necessary authority before an identity is established.
- IT staff should create identities according to the requirements outlined in the business case and any associated change request documentation.
- Assign identities to each access-based permission and role, along with any required authentication services.
What are the changes from ISO27001:2013?
For the most part, Annex 5.16 covers the same ground as its 2013 counterpart, but the 2022 version also contains a comprehensive set of guidelines to address Identity and Access Management in its entirety. Humans and non-humans are no longer treated separately when it comes to general network administration.
There is no guidance on how to manage non-human entities in the 2013 control. Modern Identity and Access Management protocols mean it has become commonplace to talk interchangeably about human and non-human identities.