Struggling to make sense of ISO 27001 Annex A 5.16?
You're not alone.
This critical part of ISO 27001 can seem daunting, but it doesn't have to be.
In this blog post, we'll break down Annex A 5.16 into simple, actionable steps. We'll also provide real-world examples to help you see how these steps work in practice.
By the end, you'll have a clear understanding and a practical plan to enhance your cyber resilience.
Ready to make ISO 27001 Annex A 5.16 work for you?
Keep reading to learn more.
Enhancing Identity Management with ISO 27001
ISO 27001 Annex A 5.16 is a valuable tool for strengthening your identity management practices.
By aligning with this internationally recognized standard, you can ensure you have robust processes in place to manage identities effectively.
Before diving into the implementation details, let's first understand the purpose of ISO 27001 Annex A 5.16.
Understanding the Purpose of ISO 27001 Annex A 5.16
When we talk about identities, we are referring to entities that access information and other associated assets within your organisation.
These include:
- Individuals (e.g. corporate users, guest users, 3rd party suppliers)
- Systems (e.g. system accounts required for a system to function)
- Non-human entities (e.g. service accounts that perform tasks on behalf of humans such as automation and CI/CD pipelines)
Managing these identities is a critical feature of any security framework.
ISO 27001 Annex A 5.16 aims to provide guidelines for establishing, implementing, maintaining, and continually improving your identity management processes.
Defining ISO 27001 Annex A 5.16 Identity Management
ISO 27001 Annex A 5.16 defines identity management as a systematic approach to managing individual, system, and non-human entity identities throughout their lifecycle.
Effective identity management enables you to control access to resources, prevent unauthorized activities, and maintain a secure operating environment.
Identity management involves various processes, including:
What's New in ISO 27001 Annex A 5.16 for 2022?
Let's explore what's new in ISO 27001 Annex A 5.16 for 2022.
#1 Introduction of advanced authentication methods
One of the big changes in the 2022 version of ISO 27001 Annex A 5.16 is the addition of advanced ways to verify identity.
Traditional usernames and passwords are no longer enough. Experts encourage more advanced authentication methods to help secure your systems.
Examples include:
- Multi-factor authentication
- Biometrics
- Security Tokens (e.g. FIDO2)
#2 Emphasis on continuous monitoring and audit
Another noteworthy addition to ISO 27001 Annex A 5.16 is the emphasis on continuous monitoring and auditing of identity management systems.
It is no longer sufficient to implement identity management controls and consider the job done.
You must regularly assess the effectiveness of your identity management practices to identify any vulnerabilities or weaknesses that may arise over time.
#3 Reinforcement of Role-based Access Control
ISO 27001 Annex A 5.16 reinforces the concept of role-based access control (RBAC).
RBAC allows you to assign permissions to individuals based on their roles and responsibilities.
This approach ensures that employees have access only to the information and resources necessary for their job functions, reducing the risk of unauthorized access or data breaches.
#4 Criticality of user awareness and training
ISO 27001 Annex A 5.16 highlights the importance of user awareness and training.
You are encouraged to provide training programs to employees about the significance of identity management and the potential risks associated with poor practices.
By promoting a culture of security awareness, you can empower your employees to be active participants in safeguarding sensitive information.
#5 Cloud-based identity management
ISO 27001 2022 recognizes the growing importance of cloud-based solutions.
As more organisations migrate to the cloud, identity management is crucial.
The updated standard provides guidance on implementing effective identity management practices in cloud environments, addressing the unique challenges and considerations associated with cloud-based systems.
In conclusion, the 2022 version of ISO 27001 Annex A 5.16 brings several significant updates to enhance identity management practices in the face of evolving threats and technologies.
By adopting:
- advanced authentication methods,
- emphasizing continuous monitoring and auditing,
- implementing role-based access control,
- promoting user awareness and training, and
- addressing cloud-based identity management,
You can strengthen your security posture and protect your valuable data assets.
8 Steps to Implementing ISO 27001 Annex A 5.16 Identity Management
Implementing identity management requires careful planning and execution.
To help you achieve success, here's my 8-step guide to implementing identity management using ISO 27001 Annex A 5.16.
TL;DR
- Step #1 - Understand your business needs
- Step #2 - Identify your assets
- Step #3 - Perform an access review
- Step #4 - Perform a risk assessment
- Step #5 - Develop policies and procedures
- Step #6 - Implement identity management controls
- Step #7 - Training and awareness
- Step #8 - Continual improvement
Let's explore each of these steps in more depth.
Step #1 - Understand your business needs
Understanding the business requirements for identity creation is vital to prevent over-provisioning or under-provisioning access rights.
Collaborating with key stakeholders and defining clear guidelines for identity creation based on job roles, responsibilities, and access requirements significantly reduces the risk of inappropriate access and improves overall identity management.
Step #2 - Identify your assets
Next we need to identify the assets in scope of your identity management program.
These often include, but are not limited to:
- Operating systems (e.g. End user devices, servers, virtual machines)
- Network devices (e.g. Routers, switches, wireless networks, firewalls)
- Applications and databases
- Cloud services (e.g. Azure, Microsoft 365, Salesforce, Dropbox)
- Tools, scripts and utilities used to manage and operate your environment
- Document management (e.g. shared drives, SharePoint, OneDrive)
These assets should be captured in an asset register and include key information such as:
- Asset owner
- Asset categorisation
- Asset classification (e.g. is it business critical or not)
Understanding your asset landscape helps you understand what you have and what you need to protect.
Step #3 - Perform an access review
This is a tough but necessary step.
You should perform an access review for each of the assets / asset types that you've identified in Step #2.
Performing an access review is about evaluating:
- Who has access to what
- How they access it, and
- When they access it
- Whether that access is necessary
The purpose of this step is to determine whether the right people have access to the right things, at the right time.
In doing so, you will baseline the state of your landscape and establish a clearer picture of how identity management needs to function within your organisation.
Step #4 - Perform a risk assessment
The next step is to perform a risk assessment.
The purpose of the risk assessment is to identify and assess Identity Management risk.
This creates clarity around the actual problems you're trying to address and helps determine the controls you need.
This article is not intended to be a deep dive into risk management, but at a high level, this involves:
- Identifying the nature of the risk and the assets in scope
- Assessing the likelihood of the risk occurring
- Assessing the impact of the risk occurring
- Identifying strategies to reduce either the likelihood or impact of the risk occurring (ideally both, but that's not always possible.)
- Update your risk register with the information that you've gathered (so far)
- Communicate the risk assessment to top management, typically with some sort of risk treatment plan
- Seek approval from top management to implement the risk treatment plan
- Implement risk treatment plan
- Update risk register, with supporting evidence that the risk treatment plan has delivered the intended result
Step #5 - Develop policies and procedures
Create clear and concise policies and procedures that align with the standard's requirements and your organisation's specific needs.
Key policies you will need include:
- Access Control Policy, and
- Password Policy
- Any other topical policies that are relevant to your environment
You will also need to think about procedures for the following:
- Joiners, Movers and Leavers (JML)
- Identity creation
- Identity synchronisation (e.g. on-premise to cloud, cloud-to-cloud)
- Identity activation
- Change management (e.g. role changes that result in different permissions)
- Revocation and offboarding of identities
- Monitoring processes and procedures
Important things to keep in mind:
- Don't forget about your control of documented information.
- How will you manage 3rd party access to systems?
- Automation is your friend. Look at how you can use automation to streamline and digitise your processes.
Step #6 - Implement identity management controls
Now it's time to implement identity management controls.
The controls you implement should be determined by:
- The needs of your business
- The risks that you have identified through your risk assessment
- The policies and procedures that you have developed
Examples of identity management controls for you to consider include:
- Password policies
- Password managers
- Role Based Access Control (RBAC)
- Removal of default admin accounts
- Revoking local administration privileges
- Directory synchronisation
- Single Sign On (SSO)
- Multi-factor authentication
- Biometrics
- Physical access controls (e.g. locks, ID cards)
- Location based access controls (e.g. Microsoft Entra Conditional Access)
- Risk-based access controls (e.g. Microsoft Entra Conditional Access)
- Just In Time (JIT) Access
- Automated Access Reviews
- Identity Threat Detection & Response (ITDR)
You should also take into account your users. You need to find the right balance between security and user experience.
Step #7 - Training and awareness
Train your staff on the importance of identity management and their role in maintaining it.
Key things to consider include:
- Communicating and socialising policies and procedures
- Guidance around suitable passwords
- Education on how to operate any tools/technologies
- How to report a security incident or data breach
Step #8 - Continual improvement
Establish a cadence for reviewing identity management as part of your continual improvement plan.
This should include:
- Periodic risk assessments to identify any new or emerging threats and risks
- Periodic access reviews to ensure that the right people continue to have access to the right things, at the right time
- Regular review of logging and monitoring tools to identify any suspicious activity.
- Regular review of documentation to reflect changes within your organisation.
- Periodic internal audit activities
- Periodic management review
Key Considerations for Successful Identity Management
While implementing ISO 27001 Annex A 5.16 is an essential step towards enhanced identity management, you must also consider other key factors to ensure success.
Let's explore some critical considerations when managing identities.
One Identity per User: Best Practice
Assigning one identity per user is a fundamental best practice in identity management.
This approach ensures accountability, simplifies access controls, and mitigates the risk of unauthorized access.
By defining and enforcing a "one person, one identity" policy, you can strengthen your overall security posture.
Managing Multiple Persons with a Single ID
In some cases, multiple individuals may share a single identity due to shared responsibilities or job functions.
Managing such cases requires careful planning and oversight to ensure appropriate access rights and adequate segregation of duties.
You should establish clear procedures and controls to manage shared identities effectively.
Non-Human IDs: Managing System Accounts
Identity management is not limited to human users; it also encompasses non-human entities such as:
- system accounts,
- service accounts, and
- application identities.
Managing these non-human identities is crucial to prevent unauthorized access and protect critical systems.
You should apply the same level of identity management rigor to non-human IDs, including regular reviews and access reviews.
Removing Outdated and Unused IDs
Over time, organisations accumulate unused and outdated identities, often referred to as "orphan accounts."
These identities pose significant security risks, as they may still have access rights to resources long after their purpose has been fulfilled.
Implementing regular identity reviews and timely removal of outdated IDs is essential to maintain a healthy identity management system.
Effective Naming Conventions for Identity Management
Establishing and adhering to effective naming conventions is crucial for identity management.
Consistent and meaningful naming conventions facilitate access management, help identify the purpose of the identity, and simplify audits and compliance reviews.
You should establish naming conventions aligned with your business needs and incorporate them into your identity management practices.
Importance of Logging in Identity Management
Logging is a vital component of identity management.
It provides visibility into identity-related activities, helps detect and investigate security incidents, and supports compliance requirements.
You should define logging requirements, implement robust logging mechanisms, and establish processes for monitoring and analysing identity-related logs.
ISO 27001 Annex A 5.16 - What will the Auditor look for?
Whether it's an ISO 27001 Certification Audit or an ISO 27001 Surveillance Audit, the Auditor is going to check some common things.
1. Documented information
The Auditor is going to review all the relevant documentation related to identity management.
This includes, but is not limited to:
- Policies
- Processes
- Procedures
- Records (e.g. requests, incidents, log data, management reviews, audit reports, communications, training records)
During this document review, they will be looking for some key features:
- Evidence that you are doing the things that you say you do. (For example, if you say that you will perform a specific thing, can you provide evidence to demonstrate that you have done it?)
- Appropriate control of documented information (version control etc.)
- Appropriate information classification
- Evidence that the documentation has undergone a formal review in the last 12 months
2. You are applying a risk based approach
As part of an audit, the Auditor will want to get assurance that you are identifying and managing risk related to identity management.
The Auditor will look at:
- Your risk register to understand what risks you have identified
- Your risk treatment plan to understand what actions you said you will take to treat the risks you have identified.
- Evidence that risk treatment actions are being performed when you say they will
- Evidence of any testing or validation activities to ensure risk treatment actions have delivered the desired result.
- Evidence of any management reviews (e.g. board packs, meeting minutes)
3. That you have established appropriate policies and procedures
This is obvious, but they are going to check that you have documented what you say you do and that you follow it.
The Auditor is going to check the policies, procedures and access control methodology and make sure you followed them. For example:
- Asset registers
- Access control procedures
- Access reviews
Some of the biggest gotchas when it comes to identity management include:
- Absence of suitable policies and procedures
- Having active accounts for users that have left the organisation. This indicates that you don't have or didn't follow a suitable leavers process.
- Users with excessive permissions following a role change. This indicates that you don't have or didn't follow a suitable movers process.
- Lack of evidence to demonstrate that you have performed periodic access reviews.
- Inconsistent naming conventions of service accounts. This indicates that you don't have or didn't follow a suitable identity creation process.
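The access review from Step #3, the orphan-account clean-up and the audit gotchas above can be checked mechanically. The script below is an added example (not from the article or any particular product): it compares a constructed HR roster against a constructed directory export and a role-to-group (RBAC) mapping, and flags enabled leaver or orphan accounts, movers whose groups exceed their current role, service accounts that break an assumed `svc-<app>-<purpose>` naming convention, and enabled accounts dormant for longer than an assumed 90 days.

```python
import re
from datetime import date, timedelta

# Constructed sample data, not taken from the article: an HR roster, the RBAC
# mapping of job roles to the groups they are entitled to, and a directory export.
HR_ROSTER = {
    "alice": {"role": "finance", "status": "active"},
    "bob":   {"role": "engineer", "status": "active"},   # moved from finance recently
    "carol": {"role": "finance", "status": "left"},      # has left the organisation
}
ROLE_GROUPS = {
    "finance":  {"Finance-Users", "ERP-Readers"},
    "engineer": {"Engineering", "CI-Runners"},
}
DIRECTORY = [
    {"user": "alice", "type": "user", "enabled": True, "last_logon": date(2024, 5, 1),
     "groups": {"Finance-Users", "ERP-Readers"}},
    {"user": "bob", "type": "user", "enabled": True, "last_logon": date(2024, 5, 2),
     "groups": {"Engineering", "ERP-Readers"}},          # kept a finance group after moving
    {"user": "carol", "type": "user", "enabled": True, "last_logon": date(2024, 1, 9),
     "groups": {"Finance-Users"}},                       # leaver still enabled
    {"user": "svc-backup-nightly", "type": "service", "enabled": True,
     "last_logon": date(2024, 5, 3), "groups": {"Backup-Operators"}},
    {"user": "BackupSvc2", "type": "service", "enabled": True,
     "last_logon": date(2023, 11, 1), "groups": {"Backup-Operators"}},  # breaks convention
]
SERVICE_NAME_RE = re.compile(r"^svc-[a-z0-9]+-[a-z0-9]+$")  # assumed naming convention
DORMANT_AFTER = timedelta(days=90)                          # assumed dormancy threshold
REVIEW_DATE = date(2024, 5, 6)                              # fixed date so results are stable

def review_access(roster, role_groups, directory, today):
    """Return (category, account, detail) findings for one access review."""
    findings = []
    for acct in directory:
        name = acct["user"]
        if acct["type"] == "service":
            # Service accounts: check the naming convention (identity creation process)
            if not SERVICE_NAME_RE.match(name):
                findings.append(("naming", name, "does not follow service account naming convention"))
        else:
            person = roster.get(name)
            if person is None or person["status"] == "left":
                # Leaver or orphan: an HR record is missing or closed (leavers process)
                if acct["enabled"]:
                    findings.append(("leaver", name, "enabled account with no active HR record"))
            else:
                # Mover: groups beyond what the current role entitles (movers process)
                excess = acct["groups"] - role_groups.get(person["role"], set())
                if excess:
                    findings.append(("mover", name,
                                     f"groups beyond role '{person['role']}': {sorted(excess)}"))
        # Dormant: any enabled identity that has not signed in within the threshold
        idle = today - acct["last_logon"]
        if acct["enabled"] and idle > DORMANT_AFTER:
            findings.append(("dormant", name, f"no logon for {idle.days} days"))
    return findings

def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(HR_ROSTER, ROLE_GROUPS, DIRECTORY, REVIEW_DATE)

if __name__ == "__main__":
    for category, account, detail in run_review():
        print(f"[{category}] {account}: {detail}")
```

Each finding maps to one of the gotchas above, so the output doubles as the evidence record an auditor asks for when you say you perform periodic access reviews.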
4. That you have delivered appropriate awareness and training
The Auditor is going to look for evidence that you have delivered appropriate awareness and training relating to identity management.
This can include, but is not limited to:
- Evidence of a communications plan
- Evidence that appropriate policies and procedures have been communicated
- Evidence of a training plan
- An appropriate log of who has completed what training and when.
5. You are driving continuous improvement
Lastly, the Auditor is going to be looking for evidence of continuous improvement.
But what does this look like in reality?
- Evidence that risk treatment actions have been taken and they've achieved the desired results.
- Evidence of internal audits and that non-conformities have been proactively addressed.
- Evidence of lessons learned from incidents and that measures have been taken to prevent reoccurrence.
Continuous improvement is simply about something being better than it was the last time you looked at it. What the Auditor is looking for is evidence of that improvement.
FAQ about ISO 27001 Annex A 5.16
What policies do I need for ISO 27001 Annex A 5.16 Access Control?
You will need, at least, a policy that sets out your business rules and your methodology for managing identities.
This often comes in the form of an Access Control Policy.
This policy may be supported by other documents, such as:
- Password Policy
- Procedure for Joiners, Movers and Leavers (JML)
- Procedure for the creation of identities
- Procedure for the synchronisation of identities (e.g. on-premise to cloud, cloud-to-cloud)
- Procedure for the activation of identities
- Change management procedure
- Procedure for revoking and offboarding identities
- Processes and procedures for logging and monitoring
- Procedure for user access reviews
- Any other topical policies and procedures that may be relevant
Why is ISO 27001 Identity Management Important?
Identities, usernames and passwords are the gateway to your business, your systems and your data.
To protect your systems and data you need to control who has access to it.
You need to be certain that only authorised users are performing authorised actions.
If you don't - you run the risk of compromise and data loss. In extreme cases, this could result in more fraudulent, criminal activity occurring.
This is why ISO 27001 Annex A 5.16 Identity Management is so important. It helps you develop a systematic approach to managing identities so that you can control:
- Who has access to your data
- When they can access it, and
- How they can access it.
Do I have to satisfy ISO 27001 Annex A 5.16 for ISO 27001 Certification?
The short answer is - Yes.
Not because it is mandatory, but because it is:
- A fundamental part of information security, and
- Key to treating risk.
Let me explain.
Remember that one of the core principles of ISO 27001 is to apply a risk-based approach.
To treat risk, we use the ISO 27001 Annex A controls and include them in our Statement of Applicability.
For ISO 27001 Annex A 5.16 not to apply, you will have to demonstrate that:
- You do NOT have information that requires protecting,
- You do NOT have identities that need to be managed, and/or
- You are NOT exposed to identity-related threats (e.g. phishing or brute force attacks)
Therefore, indicating that you do not have a risk to treat.
But what is the likelihood of that? Moreover, if any one of these 3 items did not apply to your business...would you even need ISO 27001 in the first place?
In conclusion, ISO 27001 Annex A 5.16 may not be mandatory, but it is required, almost by default.
You will have identity-related risks that you need to treat. ISO 27001 Annex A 5.16 helps treat that risk.
What are the identity management principles?
To drive effective identity management, you should apply the following principles:
Conclusion
In today's digital landscape, effective identity management is critical for protecting sensitive information and maintaining a secure operating environment.
Implementing ISO 27001 Annex A 5.16 provides a comprehensive framework to enhance identity management practices.
By understanding the purpose, defining key concepts, and following practical implementation guidance, you can successfully implement ISO 27001 Annex A 5.16 and strengthen your overall security posture.