
ISO 27001:2022 | ISO 27002:2022

ANNEX A CLAUSE 5.16 IDENTITY MANAGEMENT


Control Type: #Preventive
Infosec Properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_Access_Management
Security Domains: #Protection

Control Statement
The full life cycle of identities should be managed.

Requirement
The primary requirement of ‘Access Control’ is managing the ‘identity’. An identity can be associated with a human individual or with a system. Identities uniquely identify the entities accessing the information assets, and a formal user registration and de-registration process needs to be followed to enable the appropriate assignment of access rights.

Implementation
Every user should be formally and uniquely registered by the organization, and a record maintained of each information system, network or service which a user has a business requirement to access. Failure to control registration can result in a breach of confidentiality, unauthorized modification, and/or loss.

The sharing of user IDs almost guarantees the loss of accountability, as actions cannot be unambiguously traced to individuals. This can then lead to a loss of confidentiality, integrity, and availability. Users should therefore each have a unique identifier for every system they are authorized to access.

In those few cases where it is not possible to have individual IDs, the organization should implement a manual process to track who is using the ID at any given time, ensure that it cannot be used by more than one person at any time, and change the authentication credentials whenever the ID is passed to a new custodian.

• A process should be in place to register a user, grant access, revoke access, and deregister a user.
• When a user joins an organization, an identity should be registered with the bare minimum and default access, such as email, device login, and intranet business applications.
• Providing or revoking any additional access should be documented via a service desk system and should have a valid business justification.
• It is recommended that any additional access should have an authorization approval mechanism in place.
• Guidelines should be in place for configuring and activating the identity.
• Additional access rights should be revoked when there is no longer a business need.
• Deregister the user when the user leaves the organization.
• Change the access rights when the user changes role.

https://www.linkedin.com/in/dipendas1979/

Some basic guidelines to be followed

➢ For human identities, only one identity should be linked to one person.
➢ A human can own more than one identity, but ownership should be defined.
➢ Default identities like “root”, “admin”, etc. should be assigned to a human entity.
➢ All identities, including built-in identities, should be labeled with an identifier such as an employee number (use the description/comments field).
➢ Ownership of all identities should be established to maintain accountability.
➢ Shared identities are permitted with business justification, but accountability for shared identities should be maintained.
➢ Oversight should be maintained for ‘service’ identities, and ownership should be defined for ‘service’ identities as well.
➢ It is recommended to have a dedicated, separate identity for performing privileged activities.
➢ Privileged identities (admin accounts) should be granted via a proper approval mechanism, recorded (with business justification) in a service desk application.
➢ Regular ‘business-as-usual’ identities should not be used to perform admin activities, i.e. admin rights should not be granted to regular identities.
➢ An identity’s access should be changed whenever the role of the owner changes (i.e. there is no longer a business need).
➢ Identities should be removed or disabled if the identity owner leaves the organization.
➢ Records of all access grants and access revokes, including approvals, should be maintained, e.g. in a helpdesk system.
➢ Logging should be enabled to record all activities performed by the identities.
➢ Use advanced mechanisms such as multi-factor authentication.
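As an added example (not part of the ISO text or of this summary), a small Python audit that applies several of the guidelines above to an identity register: it flags identities with no owner label, admin rights held by a regular or shared identity, privileged grants with no recorded service desk approval, identities still enabled after the owner has left, and a person linked to more than one business identity. The register, employee numbers and ticket references are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Identity:
    name: str
    owner: str            # employee number from the description/comments field, "" if blank
    kind: str             # "human" (business-as-usual), "admin", "service", "shared", "builtin"
    privileged: bool
    enabled: bool
    approval_ticket: str  # service desk reference for the privileged grant, "" if none


def audit_identity(ident, leavers):
    """Return the guideline violations found for one identity."""
    findings = []
    if not ident.owner:
        findings.append("no owner label: accountability not established")
    if ident.privileged and ident.kind in ("human", "shared"):
        findings.append("admin rights on a regular/shared identity; use a dedicated admin identity")
    if ident.privileged and not ident.approval_ticket:
        findings.append("privileged rights without a recorded service desk approval")
    if ident.enabled and ident.owner in leavers:
        findings.append("owner has left the organization but identity is still enabled")
    return findings


def audit_register(register, leavers):
    """Audit a whole register; also flags a person holding more than one business identity."""
    report = {i.name: audit_identity(i, leavers) for i in register}
    bau_per_owner = Counter(i.owner for i in register if i.kind == "human" and i.owner)
    for i in register:
        if i.kind == "human" and bau_per_owner[i.owner] > 1:
            report[i.name].append("more than one business identity linked to this person")
    return report


# Constructed sample register and leaver list (not real data)
LEAVERS = {"E1003"}
REGISTER = [
    Identity("jdoe", "E1001", "human", False, True, ""),
    Identity("jdoe-adm", "E1001", "admin", True, True, "SD-4411"),
    Identity("jdoe2", "E1001", "human", False, True, ""),
    Identity("root", "", "builtin", True, True, ""),
    Identity("svc-backup", "E1002", "service", False, True, ""),
    Identity("asmith", "E1003", "human", True, True, ""),
]

if __name__ == "__main__":
    for name, findings in audit_register(REGISTER, LEAVERS).items():
        print(name, "->", findings or ["OK"])
```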
