ISO 27001 – Control 5.16 – Identity Management
Control 5.16 Wording
Control 5.16 – Identity Management states “The full life cycle of identities should be managed.”
What this means
Control 5.16 focuses on managing digital identities throughout their complete lifecycle – from creation to deletion. Think of it as a comprehensive system for tracking and controlling every digital identity in your organisation, ensuring that the right people and systems have the right identities and access. It’s not just about creating usernames; it’s about maintaining a secure, accountable environment where every action can be traced to its source.
The Rules of Identity Management
There are four fundamental principles for identity management. These are:
- Single Person, Single Identity – Each individual should have only one digital identity to ensure accountability and prevent confusion
- Controlled Sharing – Shared identities should only exist when absolutely necessary for business operations, with proper approval and documentation
- Timely Updates – Identities must be promptly disabled or removed when no longer needed, such as when employees leave or change roles
- Comprehensive Records – All significant events concerning identity usage and management must be logged and maintained
Key Elements of an Effective Identity Management Strategy
1. Start with Clear Identity Policies
Your identity management policy should be comprehensive yet practical. It needs to address:
- How identities are created, verified, and assigned
- When and how shared identities may be used
- How non-human entities (systems, applications) receive identities
- Procedures for identity deactivation and removal
- Record-keeping requirements for identity-related events
2. Implement Proper Identity Verification
Follow these essential practices:
- Verify the identity of individuals before creating digital identities
- Use trusted documents and verification processes
- Implement re-verification procedures for identity updates
- Ensure third-party identities meet your security requirements
3. Consider Different Types of Identities
Modern identity management must handle:
- Individual Identities: Unique to each person for accountability
- Shared Identities: Used only when necessary with strict controls
- Non-Human Identities: For systems, applications, and automated processes
- Third-Party Identities: From external providers like social media platforms
4. Manage the Complete Identity Lifecycle
Your identity management should cover:
- Initial business justification for creating an identity
- Identity verification before account creation
- Proper configuration and activation
- Regular reviews and updates
- Timely deactivation when no longer needed
5. Regular Monitoring and Maintenance
Your identity management system should include:
- Regular audits of all active identities
- Monitoring for duplicate or orphaned accounts
- Periodic re-verification of identity information
- Documentation of all identity-related changes
- Review of third-party identity providers
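The reviews listed above (sections 4 and 5) can be run as a reconciliation check rather than a manual spreadsheet exercise. The script below is an added example, not part of the original article or of ISO 27001 itself: it compares a constructed directory export against a constructed HR roster and reports identities that break the four principles (one person with several identities, accounts whose owner is unknown, accounts whose owner has left, shared accounts with no recorded approval), then disables the stale ones while writing an audit record for each change. The data classes, field names and the "approval_ref" convention are assumptions chosen for the example; a real deployment would read the same fields from its directory and HR system.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Person:
    person_id: str
    active: bool            # True while the person is still employed or engaged

@dataclass(frozen=True)
class Identity:
    account: str
    owner: Optional[str]    # person_id responsible for the account; None if unknown
    shared: bool = False    # a shared identity used by more than one person
    approval_ref: Optional[str] = None  # ticket/record approving a shared identity
    enabled: bool = True

def review_identities(people: List[Person], identities: List[Identity]) -> Dict[str, list]:
    """Reconcile active directory identities against the HR roster.

    Returns findings keyed by the principle they violate:
      duplicate         one person holding more than one personal identity
      orphaned          owner missing or not present in the roster at all
      stale             owner known but no longer active (should be disabled)
      shared_unapproved shared identity without a documented approval
    Disabled accounts are ignored: the lifecycle has already been closed.
    """
    known = {p.person_id for p in people}
    active = {p.person_id for p in people if p.active}
    findings: Dict[str, list] = {"duplicate": [], "orphaned": [], "stale": [], "shared_unapproved": []}
    by_owner: Dict[str, List[str]] = {}
    for ident in identities:
        if not ident.enabled:
            continue
        if ident.shared:
            if not ident.approval_ref:
                findings["shared_unapproved"].append(ident.account)
            continue
        if ident.owner is None or ident.owner not in known:
            findings["orphaned"].append(ident.account)
        elif ident.owner not in active:
            findings["stale"].append(ident.account)
        else:
            by_owner.setdefault(ident.owner, []).append(ident.account)
    for owner, accounts in by_owner.items():
        if len(accounts) > 1:
            findings["duplicate"].append((owner, sorted(accounts)))
    return findings

def disable_accounts(identities: List[Identity], accounts: List[str],
                     actor: str, reason: str, when: date) -> Tuple[List[Identity], List[dict]]:
    """Disable the named accounts and return the updated list plus one audit
    event per change, so every deactivation is attributable and logged."""
    updated, events = [], []
    for ident in identities:
        if ident.account in accounts and ident.enabled:
            ident = replace(ident, enabled=False)
            events.append({"when": when.isoformat(), "action": "disable",
                           "account": ident.account, "actor": actor, "reason": reason})
        updated.append(ident)
    return updated, events

# Constructed sample data: a small HR roster and directory export.
PEOPLE = [Person("P001", True), Person("P002", True), Person("P003", False)]
IDENTITIES = [
    Identity("alice", "P001"),
    Identity("alice.admin", "P001"),                  # second identity for the same person
    Identity("bob", "P002"),
    Identity("carol", "P003"),                        # owner has left, still enabled
    Identity("svc-backup", "P009"),                   # owner id not in the roster
    Identity("shared-reception", None, shared=True),  # shared, no approval recorded
    Identity("shared-ops", None, shared=True, approval_ref="CHG-0042"),
    Identity("old-eve", "P003", enabled=False),       # already disabled, ignored
]

def run_review() -> Dict[str, list]:
    return review_identities(PEOPLE, IDENTITIES)

def run_cleanup() -> Tuple[Dict[str, list], List[dict]]:
    """Disable stale accounts found by the review and re-run it."""
    stale = run_review()["stale"]
    updated, events = disable_accounts(IDENTITIES, stale, "iam-review-bot",
                                       "owner no longer active", date(2024, 1, 15))
    return review_identities(PEOPLE, updated), events

if __name__ == "__main__":
    for rule, hits in run_review().items():
        print(f"{rule}: {hits}")
    after, log = run_cleanup()
    print("audit events:", log)
    print("stale after cleanup:", after["stale"])
```

Each finding is a prompt for a human decision, not an automatic action: a second identity may be a legitimately approved administrative account, and an orphaned service account usually needs an owner assigned rather than deletion. Only the stale case, where the roster already says the person has left, is safe to act on automatically, which is why the script disables rather than deletes and records who did it and why.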
Making It Work in Practice
Remember that effective identity management requires balancing security with usability:
- Start with a clear inventory of all identities in your organisation
- Implement automated processes where possible
- Ensure proper segregation of duties for identity approval
- Maintain detailed logs for audit purposes
- Provide regular training for staff on identity management procedures
The Bottom Line
Identity management is the foundation of your security infrastructure. Without proper control over who has access to your systems, other security measures become less effective. By implementing robust identity management practices, you create a secure environment where every action is accountable and every access is intentional.
Remember: Good identity management is like having a detailed guest list with a vigilant doorkeeper – everyone who enters is known, their permissions are clear, and their activities can be tracked.