
WHITE PAPER

The Fundamentals
Demonstrating a robust ISO 27001 information
security management system with identity
governance and access management
Written by Joseph Grettenberger

Introduction

For many organizations, compliance with data security standards doesn’t seem to be getting easier. IT security compliance efforts are forever competing with projects that may or may not address information-security threats, operational vulnerabilities and daily business risks, and the compliance projects often lose the battle for resources and funding.

However, in any industry where compliance is an issue, organizations cannot afford to ignore it. Sooner or later, such organizations will be required to demonstrate that they have the appropriate internal IT controls in place that minimize the risk of fraud and/or data breach.

You can get ahead of the game by understanding your control objectives and selecting solutions that ensure consistency of foundational, high-performance processes, such as managing user identities, roles, group memberships and related attestation reviews. Effectively managing user identities and entitlements can satisfy multiple control objectives, thereby enabling your organization to achieve and demonstrate compliance while also automating compliance-related tasks.

In this paper, you’ll learn about IT security compliance for ISO/IEC 27001 from an auditor’s perspective. Although the control objectives prescribed in ISO/IEC 27001 represent only a portion of the data security compliance obligations faced by many organizations, the standard is one of the most widely used information security management frameworks worldwide. For information about other mandates intended to protect sensitive data, please see my related papers on the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX).

The ISO/IEC 27001 Standard

ISO/IEC 27001 is an information security management standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC). The most recent version is officially titled “ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements,” which is commonly abbreviated to “ISO 27001.”

Worldwide, ISO 27001 is used more than any other standard to establish, implement, maintain, assess and continually improve a robust information security management system (ISMS). Specifically, the standard identifies the requirements for establishing a framework for meeting an organization’s information security objectives. Among the requirements it specifies are leadership commitment, an information security policy and the official assignment of information security roles.

While ISO 27001 does not specify which controls an organization must adopt, it requires them to implement treatment options for identified risks that could realistically lead to a loss of security. Thus, ISO 27001 requires organizations to derive their own set of control requirements, based in part on a risk assessment, to ensure implementation of all of its ISMS requirements. To help, ISO 27001 provides a comprehensive catalog of control objectives and controls (Annex A) that organizations can use, and points to a companion standard (ISO/IEC 27002:2013) that provides implementation details on each control listed.

One Identity’s IAM solutions

Identity and access management (IAM) is critical to a robust ISO 27001 information security management system.

It is noteworthy that 28 of the 35 control objectives listed in ISO 27001 Annex A — a full 80 percent — either imply or explicitly address identity governance or access management in some measure. One Identity IAM solutions can help your organization comply with these control objectives and related industry best practices. You can monitor and report on privileged activities in all phases of the system development lifecycle — and easily demonstrate your organization’s compliance and respond to audit inquiries with customizable reports. Plus, the One Identity IAM solutions provide a separate database of activity records that you can use to substantiate security policy violations, such as when providing support of personnel sanctions.

One Identity’s IAM solutions enable you to consolidate multiple user identities to establish unique user accounts across disparate platforms, establish access policies, manage user entitlements, monitor for data access policy violations and maintain related history across all system components that lack access management, thereby filling a fundamental security gap in traditionally weak infrastructure controls. While these solutions will not replace your network monitoring tools, when regularly used as part of an information system security program, they can greatly reduce a host of unauthorized access and system changes, thus preventing numerous policy violations before they happen.

Simplifying identity governance and streamlining compliance

For a proper controls reliance strategy, organizations need to unify user identities across all applications that grant access to confidential or personally identifiable information (PII), and they must also supplement application-based security features with access controls that protect environments subject to compliance regulations. And given the complexity of those regulations and the ever-changing threat landscape, organizations need to simplify identity governance and reduce risks related to user privileges.

One Identity IAM solutions automate many of the network, system, and business-application user governance mandates while also providing foundational IT security measures. One Identity IAM solutions enable organizations to achieve such governance by:
• Consolidating and unifying user identities across the enterprise
• Automating the enforcement of access management, including requests, reviews, approvals, denials, attestations and revocations
• Identifying risk factors to track users with access to account data and assign risk levels based on risk criteria: e.g. days in current role (without role change) and policy violation history
• Responding to management and audit inquiries with reports that demonstrate historical compliance with many information security policies and procedures
• Monitoring and reporting on active and historical privileges granted, including those with reporting period, system clock or time stamp edit privileges during sensitive time periods or outside the course of normal business operations
• Substantiating evidence of policy violations, such as those involving conflicts of interest.

A more complete and effective solution

In short, One Identity IAM solutions are designed to unify user identities, simplify the user provisioning and de-provisioning process, and provide privilege governance (through authorization, attestations and privilege history) across enterprise applications to the platforms and environments that support critical applications and house sensitive data. In doing so, they fill a critical security gap for traditionally weak IT controls. In addition, the solutions equip organizations to identify sensitive data and enforce security policies that control access to that data; and they apply user-risk rankings based on data sensitivity, granted privileges and policy violation history.

While not a replacement for governance, risk and compliance tools, when regularly used as part of an information governance program, One Identity IAM solutions can help organizations achieve IT governance. They can do this by detecting where account data resides and identifying high-risk users, and by enforcing access authorization, which will eliminate unauthorized access to sensitive data and unauthorized system-configuration changes — and thereby prevent policy violations.

By ensuring controlled access based on need-to-know and providing detailed history of when authorizations to access account data were granted and by whom, One Identity IAM solutions help organizations control user access to enterprise applications and unstructured data in their production operating environments and ensure that critical access controls are applied to security architectures in all phases of the system development lifecycle.

One Identity IAM solutions included in this paper are:
1. Identity Manager
2. Identity Manager – Data Governance Edition

Identity Manager

Organizations need to mitigate risk by identifying sources of controlled data, securing that data (from entitlement creep, outdated user access, etc.), meeting uptime requirements, satisfying compliance obligations and increasing productivity by giving users faster access to the data and applications they need to do their jobs—and nothing more. Identity Manager streamlines user provisioning, de-provisioning and access-approval processes. This One Identity solution enables you to mitigate risk for your organization; control user and privileged access; govern identities; secure data; and get more done with less. With it, you can be the security “Risk Mitigator” that your organization needs.

Using One Identity solutions, IAM can finally be driven by business needs, not IT capabilities. With Identity Manager you can unify security policies, meet compliance needs and achieve governance while improving business agility with a modular and scalable identity and access management solution.

Identity Manager – Data Governance Edition

Identity Manager – Data Governance Edition protects your organization by giving access control to the business owners who actually know who should have access to which resources. So, the people who are familiar with roles and business needs are now empowered to grant access to sensitive data, and to analyze, approve and fulfill unstructured data-access requests to files, folders and shares across NTFS, NAS devices and SharePoint. Identity Manager – Data Governance Edition helps data owners (not IT) determine who should have access and automates the request-and-approval workflow, keeping your company from being the next security headline while reducing the burden on IT.

How One Identity IAM solutions map to ISO 27001 requirements

This section provides a detailed mapping of the controls listed in ISO/IEC 27001:2013 Annex A to the capabilities of One Identity IAM solutions. You can use this mapping to proactively identify and address gaps in your ISO ISMS with One Identity IAM solutions.

ISO/IEC 27001:2013 controls from Annex A

Each entry below lists the Annex A control number(s) and name(s), followed by how One Identity IAM solutions help.

A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
Identity Manager and Identity Manager – Data Governance Edition support the enterprise-wide access control and access management requirements that are part of every information security policy. In particular, these tools help ensure that policies addressing role assignments, including information security management entitlements and segregation of duty (SoD) requirements, are defined and enforced across your network. In addition, Identity Manager – Data Governance Edition can support the information security policy review process.

A.6.1.3 Contact with authorities
Identity Manager and Identity Manager – Data Governance Edition store entitlement attestations and user provisioning process logs in a secure, encrypted vault. These features provide organizations with a legally defensible repository of user identity traceability and privilege assignment audit trails from which they can retrieve court-admissible evidence using proper chain of custody controls.

A.6.1.5 Information security in project management
With One Identity IAM solutions, organizations can address questions that come from an information security risk assessment conducted at an early stage of a project by providing controls around IT resource access requests and approvals. For example, Identity Manager can be used when a project begins to clean up all non-unique and orphaned accounts, while Identity Manager – Data Governance Edition can be used to define security roles that prevent unauthorized changes to files, folders and NTFS or NAS shares and enforce access policies on all project users, including remote users and contractors.

A.6.2.1 Mobile device policy
A.6.2.2 Teleworking (remote access)
Identity Manager and Identity Manager – Data Governance Edition can be used to provision custom objects such as accounts on smart phones, tablets and remote access VPNs. In addition, these solutions can manage the assignment of identities and privileges on servers and applications that IT uses to manage mobile devices and remote access users, to ensure mobile device and VPN administrator activities are properly authorized, traceable to specific users and conform to the organization’s mobile device and remote access policies.

A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
Identity Manager and Identity Manager – Data Governance Edition enable you to establish and enforce access authorization to systems that store, process or transmit legally protected and confidential information, thereby limiting access not only to those individuals whose job requires such access, but to only those who have successfully passed a background check and have a need to know. Specifically, these solutions are designed to:
• Define access needs across enterprise applications, NTFS, NAS devices and SharePoint servers for each role, including file servers and data resources that each role needs to access for its job function
• Restrict user access to the least privileges necessary to perform job responsibilities
• Put user access administration into the hands of appropriate authority personnel to delegate access-granting privileges and manage entitlement creep for ongoing maintenance of access restrictions
• Support policies requiring authority personnel to assign, periodically review and attest to the legitimacy of access privileges based on individual personnel’s job classification and function
• Support policies requiring documented approval by authorized parties specifying required privileges and/or approving access requests
• Establish access control for systems with multiple users that restricts access based on a user’s need to know
• Ensure that access controls (e.g. rules and policies) equivalent to default “deny all” configurations are in place for all system components with multiple users
• Provide a full-featured model for the complete management and review of user identities and access rights

A.7.2.1 Management responsibilities
Deploying Identity Manager and Identity Manager – Data Governance Edition provides an excellent way for management to demonstrate its support of the organization’s information access policies and procedures by enforcing them.

A.7.3.1 Termination or change of employment responsibilities
Identity Manager is designed to manage the information security aspects of employee and contractor terminations and job reassignments (such as orphaned accounts) by quickly terminating access privileges to sensitive information and reducing or removing access to system accounts — even if a user has multiple identities from holding different roles over many years with the organization. Identity Manager enables you to adjust or revoke system access privileges across your ERP system, NTFS, NAS devices and SharePoint servers in a timely manner for workforce members who have changed roles or have left the organization. Moreover, with Identity Manager you can easily review and remove or disable inactive user accounts across all these systems and monitor for orphaned accounts in accordance with your organization’s account aging policy.

A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets
Identity Manager can identify critical technology assets and personnel (with contact information) associated with your organization’s ERP system, NTFS systems, NAS devices and SharePoint servers. In fact, One Identity’s IAM solution provides a number of features that can help you inventory critical technology assets and determine device owner information. For example, to augment the usage restrictions that are configured during user account setup, usage policies can be established with rules for when and how user accounts can access system components. Once established, reports such as the Resource Activity Report can provide a list of all access activity on those critical technologies, the personnel authorized to use the devices and whether usage policies have been violated.
Identity Manager – Data Governance Edition can ensure that only asset owners or those authorized by asset owners can grant access privileges to specific assets (i.e. to only those areas, applications and functions required for assigned tasks) and provides centralized reporting for all access violations on Windows file servers, SharePoint and NAS devices.

A.8.2.2 Labeling of information
Once an information classification scheme has been adopted and information assets have been labeled per the scheme, you can configure the corresponding access request and approval requirements based on the scheme into various procedural workflows in Identity Manager.

A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services
Using the fine-grained access control configuration settings for users, groups, domains and services, Identity Manager lets you implement the rules identified in the “implementation guidance” and “other information” for logical access control cited in ISO 27002:2013, sections 9.1.1 and 9.1.2. For example, Identity Manager lets you implement segregation of access control roles, formal authorization of access requests, and mandatory periodic reviews of access rights (attestations) within an Identity Manager network. Likewise, Identity Manager – Data Governance Edition can enforce every logical access rule identified in the “implementation guidance” and “other information” sections of ISO 27002:2013, sections 9.1.1 and 9.1.2, within an Identity Manager network.

A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Management of privileged access rights
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
Identity Manager and Identity Manager – Data Governance Edition provide organizations with a ready-made framework designed to inherit and/or set up, manage and support:
• User authentication information
• A formal user registration and de-registration process to enable assignment of access rights
• A formal user access provisioning process to assign or revoke access rights for all user types to all systems and services
• A full-featured model for the complete management and review of access rights
Identity Manager and Identity Manager – Data Governance Edition enable organizations to implement access authorization, access rights review and access revocation policies for granting and maintaining least-privilege access to sensitive data across a variety of platforms. Features include the assignment of unique user IDs; the means to review and adjust or revoke system access privileges across ERP, NTFS, NAS devices and SharePoint servers in a timely manner for users who have changed roles or have left the organization; and the assured elimination of redundant user IDs across multiple platforms through a secure, centralized repository for user credentials.

A.9.3.1 Use of secret authentication information
Identity Manager uses various native authentication modules but can also be configured to specify whether the authentication module used with the product (AD, LDAP, local system user or other) uses dynamic or role-based secret authentication information (including a single sign-on option that eliminates the need to remember passwords or record them in an unsecure manner). In addition, Identity Manager supports policies for secure initial password distribution, password renewal, password complexity and password change frequency.

A.9.4.1 Information access restriction
Identity Manager restricts access to sensitive information by associating users with permission groups and through group permission inheritance in AD, SharePoint and SAP groups. Identity Manager – Data Governance Edition restricts access to sensitive information per your organization’s access control policy. Specifically, these solutions enable you to avoid unchecked privileged access and entitlement creep by ensuring authorized personnel carefully review and attest to the validity of user access permissions and grant access to privileged information via an access request/approval workflow.

A.9.4.2 Secure log-on procedures
Identity Manager and Identity Manager – Data Governance Edition support the secure log-on procedures included with the authentication module selected when setting up or reconfiguring the product (AD, LDAP, local system user or other). Virtually all of these options address most or all of the secure logon procedure requirements of ISO 27002 section 9.4.2, i.e. logon screens and associated logic:
1) do not display application or platform software identifiers,
2) have a warning message that only authorized users should access the system,
3) do not provide help that would aid an unauthorized user,
4) do not tell a user which part of a failed logon attempt is incorrect,
5) protect against brute force attempts,
6) log unsuccessful login attempts,
7) raise a security event for failed or successful logon breaches,
8) display details of the last successful log-on and of unsuccessful logon attempts,
9) obfuscate passwords being entered,
10) render passwords sent over a network unreadable,
11) terminate logon sessions after a defined period of inactivity, and
12) restrict connection times for higher risk applications to predefined limits.

A.9.4.3 Password management system
Identity Manager allows logged-in users to change their passwords as defined by ISO 27002 section 9.4.3.

A.9.4.4 Use of privileged utility programs
Identity Manager and Identity Manager – Data Governance Edition do not permit privileged utility programs to circumvent their own access controls or those of any of the systems and applications compatible with them.

A.9.4.5 Access control to program source code
Beyond the logical divisions in Active Directory that normally prevent unauthorized users from accessing program source code and associated items, Identity Manager and Identity Manager – Data Governance Edition can be used to ensure that unauthorized groups (helpdesk or support personnel, for example) do not have access to program source libraries and that developers do not have access that would allow them to make changes in the live operating environment.

A.11.2.6 Security of equipment and assets off-premises
A risk assessment should be performed when evaluating controls needed because of additional risks introduced by remote users. Part of the assessment should include remote user access authorization. Identity Manager and Identity Manager – Data Governance Edition provide calculated risk values for higher risk users and help assessors of remote user risk review key areas of information security, such as whether or not:
• Network and server access is based on more stringent authorization policies for remote users
• AD roles for remote users have been established on the principle of “least privilege”
• Additional approvals are required for AD role and group access requests originating from remote users
• Entitlements granted to remote users are valid / have been recently validated
• Network access privileges of terminated workforce members with remote access are revoked in a timely manner

A.12.1.1 Documented operating procedures
By setting up groups and access policies that permit only authorized persons to access the sensitive output of automated procedures, Identity Manager and Identity Manager – Data Governance Edition can help you support a variety of documented routine operating procedures. For example, by providing both access authorization and access restriction models that limit who can see the daily results of routine backup procedures, batch jobs, audit trails and system log files, policy violations and high-risk exposure changes (e.g. changes to the list of high-risk users), these solutions can play a foundational role in the larger task of controlling the modification and maintenance of operational activities associated with information processing and communication facilities.

A.12.1.2 Change management
Change management is a foundational control for keeping unauthorized changes out of production operating environments. Identity Manager and Identity Manager – Data Governance Edition provide a full-featured access governance solution that can enforce change approval processes in both development and production environments, including the access controls needed during data migrations.

A.12.1.3 Capacity management
Regarding the capacity management of human resources, Identity Manager and Identity Manager – Data Governance Edition are well-suited to address the extraordinary user provisioning and de-provisioning needs of organizations going through a merger or acquisition or those that have user populations that are seasonal or which fluctuate throughout the year.

A.12.1.4 Separation of development, testing and operational environments
With Identity Manager and Identity Manager – Data Governance Edition, you can implement and enforce the access governance controls necessary for maintaining the integrity of separate operational, testing and development environments. For example, these solutions can ensure implementation of a policy that requires users to not have access to more than one of these environments, or a policy where users with access to the operational environment and the test environment are required to have different user profiles for security purposes.

A.12.2.1 Controls against malware
Identity Manager and Identity Manager – Data Governance Edition are designed to protect against session hijacking code and other malware that may be used in your network.

A.12.3.1 Information backup
Identity Manager and Identity Manager – Data Governance Edition can be used to ensure (through access policies, mandatory access requests, approval workflows and periodic attestations) that only authorized persons are able to access backup files and manage backup procedures (scheduled and unscheduled).

A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
Identity Manager and Identity Manager – Data Governance Edition both provide a number of logging and monitoring capabilities. For example, Identity Manager can be configured to alert appropriate personnel via email or text message for any specified number of repeated failed logins. The solution can also be used in a review capacity that supports monitoring of login attempts. Both Identity Manager and Identity Manager – Data Governance Edition enable you to limit viewing access of system logs to only those individuals whose job requires such access and who have a job-related need.
Identity Manager includes process monitoring functionality that permits authorized persons to configure change tracking methods that monitor changes made in Identity Manager. These methods can be used to monitor all user actions if needed. Change history in Identity Manager can be tracked in at least three ways:
• Logging changes to data (operations on objects)
• Logging process information (ID, action, user, time, etc.)
• Logging messages in the process history
Change history is saved in the Identity Manager database and transferred at regular intervals, or exported as XML files, into a history database. Log files can be stored in specified secured directories and copied, if needed, to a secure system outside the control of a system administrator or operator. Historical data is evaluated using Identity Manager’s TimeTrace function.

A.12.5.1 Installation of software on operational systems
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
Identity Manager and Identity Manager – Data Governance Edition enable you to establish and enforce access authorization policies to control installation of third party software. To manage the risk of third party software vendors, Identity Manager and Identity Manager – Data Governance Edition can enable authorized administrators to ensure that only approved 3rd party suppliers and vendors have access to the resources they need for support purposes when necessary and with appropriate approval.

A.12.7.1 Information systems audit controls
Identity Manager and Identity Manager – Data Governance Edition offer many kinds of evidence (granted permissions, logs, reports, configuration settings, security rule violations) that indicate the extent to which the organization has met identity and access management audit controls. Identity Manager – Data Governance Edition can also be used to assign a risk value to every company resource identified in Identity Manager. A risk index is then calculated for every user assigned to a risk-rated resource. Security rules too can be assigned a risk value for audit purposes, so that a user’s rule violations affect his or her risk index. A user’s risk index can be further refined through various attributes, including a user’s assigned roles and responsibilities. This provides audit teams with the ability to focus on higher risk areas that can be audited by user and by system.

11
ISO/IEC 27001:2013 controls from Annex A

No. Control name How One Identity IAM solutions help

A.13.1.1 Network controls Identity Manager and Identity Manager – Data Governance Edition
enable organizations to implement access authorization and
access revocation policies for granting and maintaining access
rights across ERP, NTFS, NAS devices and SharePoint servers.

A.13.1.2 Security of network services To manage the risk of unnecessary network access by service
providers, Identity Manager and Identity Manager – Data
Governance Edition can enable authorized administrators to restrict
access to only the applications they need for support purposes
when necessary and with appropriate approval.

A.13.1.3 Segregation in networks Identity Manager and Identity Manager – Data Governance Edition
can help organizations demonstrate compliance with access
control policies that keep services, users, and systems segregated
in networks, whether domains are based on trust levels, along
organizational units or some combination of the two.

A.14.1.1 Information security requirements analysis and specification Sensitive information can be found in many places within an
organization's network, not just in its core business applications,
so all systems and networks that contain or access sensitive
information must be designed and configured with security in mind
and reviewed periodically for risk. Whether you are designing a
new environment or enhancing an existing one, One Identity IAM
solutions can meet most regulatory and policy-driven requirements
for user rights management and address virtually all security-
related implementation issues in the user life cycle (e.g.,
ensuring unique user IDs; requiring and defining access request
procedures, department or organizational roles, the granting of
permissions including elevated privileges, and manager delegation
of responsibilities; establishing user rules; assigning user risk
rankings; and verifying sufficiently secure password management
settings).

Once implemented, Identity Manager and Identity Manager –
Data Governance Edition can also be used (for example, during an IT
security risk analysis) to:
• Identify orphaned accounts
• Identify duplicate accounts
• Demonstrate whether access authorization is current
• Demonstrate how access rights are assigned
• Review user identity history and authorization history
• Show what was done to prevent inappropriate access
• Review rule violations
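The first three checks in the list above are the ones an auditor most often asks an IAM team to evidence. The following added example, which is not One Identity product code, runs those checks over a constructed extract of HR identities and system accounts: it finds orphaned accounts (no owner, an owner unknown to HR, or a terminated owner), duplicate accounts (one person with several accounts on the same system), and accounts whose access authorization has not been attested within an allowed window. The record layout, the 180-day window and the data are assumptions.

```python
# Added example (not One Identity product code): orphaned-account,
# duplicate-account and stale-authorization checks over a constructed
# extract of HR identities and system accounts. The record layout, the
# attestation window and the sample data are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    person_id: str
    name: str
    status: str  # "active" or "terminated", as reported by HR


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    owner: Optional[str]   # person_id the account is mapped to, None if unmapped
    last_attested: date    # last time a manager certified this access


def orphaned_accounts(accounts: List[Account],
                      identities: Dict[str, Identity]) -> List[Tuple[str, str, str]]:
    """Accounts with no valid, active owner, each with the reason."""
    found = []
    for acct in accounts:
        if acct.owner is None:
            found.append((acct.system, acct.name, "no owner mapped"))
        elif acct.owner not in identities:
            found.append((acct.system, acct.name, "owner not in HR"))
        elif identities[acct.owner].status != "active":
            found.append((acct.system, acct.name, f"owner {identities[acct.owner].status}"))
    return found


def duplicate_accounts(accounts: List[Account]) -> Dict[Tuple[str, str], List[str]]:
    """(system, owner) pairs that map to more than one account."""
    by_owner: Dict[Tuple[str, str], List[str]] = {}
    for acct in accounts:
        if acct.owner is not None:
            by_owner.setdefault((acct.system, acct.owner), []).append(acct.name)
    return {key: names for key, names in by_owner.items() if len(names) > 1}


def stale_authorizations(accounts: List[Account], as_of: date,
                         max_age_days: int) -> List[Account]:
    """Accounts whose last attestation is older than the allowed window,
    i.e. whose access authorization can no longer be shown to be current."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [acct for acct in accounts if acct.last_attested < cutoff]


# Constructed sample data (not taken from any real environment).
IDENTITIES = {i.person_id: i for i in (
    Identity("u100", "Alice", "active"),
    Identity("u101", "Bob", "terminated"),
    Identity("u102", "Carol", "active"),
)}
ACCOUNTS = [
    Account("erp", "alice", "u100", date(2017, 1, 15)),
    Account("erp", "bob", "u101", date(2016, 11, 1)),          # owner has left the company
    Account("erp", "svc_batch", None, date(2016, 6, 1)),       # service account nobody owns
    Account("sharepoint", "carol", "u102", date(2016, 3, 1)),  # not re-attested for a year
    Account("sharepoint", "carol2", "u102", date(2017, 2, 1)), # second account, same person
    Account("nas", "ghost", "u999", date(2017, 1, 1)),         # owner id unknown to HR
]
AS_OF = date(2017, 3, 1)

if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(ACCOUNTS, IDENTITIES))
    print("duplicate:", duplicate_accounts(ACCOUNTS))
    print("stale:", [a.name for a in stale_authorizations(ACCOUNTS, AS_OF, 180)])
```

The service account with no owner and the account whose owner is unknown to HR are reported separately from the terminated owner, because each needs a different remediation: the first two need an owner assigned, the last needs the access revoked and the leaver process reviewed.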

A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions
Organizations that allow purchases, payments and other transactions
over public networks should issue a policy that defines the
conditions and restrictions for using the applications that provide
such services. Identity Manager and Identity Manager – Data
Governance Edition provide web access management features that
permit access policy creation and enforcement to help secure
application services on public networks (e.g., ensuring an
authorization process is implemented for access to an application
that provides electronic signatures). Because sending sensitive
data over public networks increases risk, strong access and
electronic communications controls are needed to prevent
unauthorized access to application services that could compromise
the integrity of cloud-based, extranet and internet transactions,
including e-commerce, business-to-business (B2B) and other
web-based transactions.
Identity Manager and Identity Manager – Data Governance Edition
support multi-factor authentication and encrypted communication
solutions (using SSH and digital certificates) to help organizations
ensure secure communications for authorized transactions and
prevent unauthorized access to restricted application services
transactions.
A risk assessment should be performed when evaluating the controls
needed to secure application services on public networks and
protect the transactions performed over them. Part of the
assessment should cover user access authorization. Identity Manager
and Identity Manager – Data Governance Edition provide calculated
risk values for higher-risk users, such as those accessing secure
applications over public networks to perform sensitive
transactions. Using One Identity solutions, assessors of such user
risks can review key areas of information security, such as whether
or not:
• Network and server access for public networks is based on more
stringent authorization policies
• Additional approvals are required for public network access
requests
• Entitlements granted to such users are valid or have been
recently validated
• Network access privileges of terminated workforce members who
have performed sensitive transactions over public networks are
revoked in a timely manner

A.14.2.1 Secure development policy
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.14.2.9 System acceptance testing
By facilitating the implementation of identity and access governance
principles, Identity Manager and Identity Manager – Data Governance
Edition can help organizations ensure information security controls
are applied in the development lifecycle processes of information
systems. For example, these solutions can be used 1) to prevent the
common problem of developers accumulating excess privileges (or
"entitlement creep") by defining how access policy rules are assigned
to the various roles in a systems development effort; 2) to establish
the risk levels that will be used for ranking risk during the
development process (e.g., based on a developer's privileges,
trustworthiness, and the sensitivity of the data being accessed); and
3) to establish baseline risk thresholds for all objects (e.g., users,
roles, groups, rules, and policies). In addition, they offer a
configurable workflow that ensures all appropriate reviews, analysis,
testing and production update scheduling are performed before such
software is installed.

A.14.3.1 Protection of test data For test environments containing sensitive operational data,
Identity Manager and Identity Manager – Data Governance Edition
can help ensure that:
• The access request procedures that apply to operational
application systems also apply to test application systems.
• Special authorization is obtained before accessing test
environments containing sensitive data copied from an
operational environment.
• Conflicting entitlements are prevented through enforced policy
(e.g., users with access authorization to test environments
holding copied operational data do not also hold access
authorization to the operational environment itself).
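The three bullets above describe one policy from two sides: a preventive check applied when access is requested, and a rule that existing entitlements must not break. The following added example, not One Identity product code, expresses that policy in code: every request, for test or production, goes through the same evaluation; a request for a test system holding copied production data is flagged for special authorization; and a request that would leave one person holding both copied-production test access and production access is refused. A second function scans existing holdings for users who already violate the rule. The entitlement model, the reason texts and the sample users are assumptions.

```python
# Added example (not One Identity product code): the test-data policy
# above as a preventive check on access requests plus a detective scan of
# existing entitlements. The entitlement model, the reason texts and the
# sample users are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Entitlement:
    name: str
    environment: str              # "prod" or "test"
    sensitive_copy: bool = False  # test system holding data copied from production


@dataclass(frozen=True)
class Decision:
    allowed: bool
    special_approval: bool  # request must go to the data owner, not just the line manager
    reason: str


def _holds_sensitive_test(held: FrozenSet[Entitlement]) -> bool:
    return any(e.environment == "test" and e.sensitive_copy for e in held)


def _holds_prod(held: FrozenSet[Entitlement]) -> bool:
    return any(e.environment == "prod" for e in held)


def evaluate_request(held: FrozenSet[Entitlement], requested: Entitlement) -> Decision:
    """Preventive control. The same procedure applies to test and production
    requests because every grant passes through this one function."""
    if requested in held:
        return Decision(False, False, "already held")
    if requested.environment == "prod" and _holds_sensitive_test(held):
        return Decision(False, False,
                        "conflict: user holds a test system with copied production data")
    if requested.environment == "test" and requested.sensitive_copy:
        if _holds_prod(held):
            return Decision(False, False, "conflict: user holds production access")
        # Allowed, but only after the data owner signs off.
        return Decision(True, True, "test system contains copied production data")
    return Decision(True, False, "ok")


def find_conflicts(holdings: Dict[str, FrozenSet[Entitlement]]) -> List[str]:
    """Detective control: users whose current entitlements already break the
    rule (for example, granted before the policy existed)."""
    return sorted(uid for uid, held in holdings.items()
                  if _holds_prod(held) and _holds_sensitive_test(held))


# Constructed sample entitlements and holdings (not from any real system).
PROD_ERP = Entitlement("erp-finance", "prod")
UAT_ERP_COPY = Entitlement("erp-finance-uat", "test", sensitive_copy=True)
DEV_ERP_SYNTH = Entitlement("erp-finance-dev", "test", sensitive_copy=False)

HOLDINGS = {
    "alice": frozenset({PROD_ERP, UAT_ERP_COPY}),   # violates the rule today
    "bob": frozenset({PROD_ERP, DEV_ERP_SYNTH}),    # fine: dev uses synthetic data
    "carol": frozenset({UAT_ERP_COPY}),
}

if __name__ == "__main__":
    print(evaluate_request(HOLDINGS["carol"], PROD_ERP))
    print(evaluate_request(HOLDINGS["bob"], UAT_ERP_COPY))
    print("existing conflicts:", find_conflicts(HOLDINGS))
```

Running the detective scan alongside the preventive check matters because the preventive check only sees new requests; entitlements granted before the policy was written, or copied in from another system, are only caught by the scan.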

A.16.1.1 Information security incident management - Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence
Identity Manager and Identity Manager – Data Governance Edition can
help organizations respond appropriately to attempted or actual
access violation incidents. Specifically, these solutions assist with
important aspects of:
• Monitoring, analyzing and reporting system user access-related
information security events and incidents
• The collection and preservation of access authorization information
and the handling of forensic evidence
• The assessment of attempted or actual access authorization
violations and other user-related information security events
• Preparing detailed information security event reports related to
access authorization non-compliance and supporting evidence
• Ensuring that all necessary authorization actions are followed in
case of an information security event

A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
Business continuity often requires granting privileged access to key
personnel during a disruptive event. To ensure security in these
situations, organizations can use Identity Manager and Identity
Manager – Data Governance Edition to:
• Ensure compliance with procedures designed to preserve the integrity
of privileged access controls during a disruptive event
• Test information security continuity procedures and authorization
controls to ensure that they are consistent with the information
security continuity objectives

A.18.1.3 Protection of records Access authorization history records stored within Identity
Manager and Identity Manager – Data Governance Edition can be
encrypted with strong AES 256 full disk encryption. Note that full
disk encryption protects these records only against offline access
to the storage media; on a running system, access controls and
tamper-evident logging are still needed to protect their integrity.
You can use appropriate records management controls to securely
archive these records of access authorization for a variety of
purposes, including forensic analysis and, provided proper chain of
custody controls are used, court evidence.

A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review
Identity Manager and Identity Manager – Data Governance Edition can
facilitate the implementation and enforcement of temporary access
authorization policies that enable authorized personnel to:
• Grant temporary, limited, read-only access to independent reviewers
of security information
• Ensure compliance with access authorization requirements from
policies, standards and applicable regulations
• Provide temporary authorization to support compliance reviews of
privileged access, including break/fix changes to production

Conclusion

The identity governance and access controls included in most
enterprise applications provide just a portion of the security you
need to achieve, maintain and demonstrate a robust information
security management system (ISMS) based on the ISO/IEC 27001
Identity and Access Management (IAM) controls listed in its "Annex A"
and further explained in ISO/IEC 27002. To affirmatively answer the
identity and access management questions that will come up in an
ISO 27001 security risk assessment, you need to manage all of the
identities, roles, entitlements and risks associated with users that
have access to sensitive operational data throughout your
organization (or ISMS scope), including all backup systems, support
systems and underlying platforms that access, store, protect or
transmit such data.

Identity Manager and Identity Manager – Data Governance Edition
enable IT personnel to unify user identities across the enterprise,
while enabling business data owners to manage their own team's roles
and the risks associated with access to sensitive systems and account
data within the wider business data environment. Thus, responsibility
for identity and access governance is optimally distributed, reducing
complexity effectively and efficiently. While not a replacement for
governance, risk and compliance tools, when regularly used as part of
an information governance program, these solutions can help
organizations identify high-risk resources, identify high-risk users,
manage those risks and greatly reduce a host of unauthorized access
and transaction processing scenarios, thereby preventing policy
violations.

For more information, please visit
http://oneidentity.com/solutions/identity-governance/

About the Author

Joe Grettenberger, CISA, CCEP, has over 25 years' experience as an IT
Assurance professional with 9 years of technology auditing experience
in both the public and private sectors. Having started his own
consulting practice in 2008, Grettenberger is certified as an
information systems auditor (CISA) and compliance and ethics
professional (CCEP). He has served clients for over 8 years as an IT
governance and risk management consultant covering a wide range of IT
assurance issues within the regulatory, legal, and industry compliance
space. Grettenberger has held IT audit, assurance and advisory
positions at a number of organizations including Modern Compliance
Solutions, Quest Software, Vintela, Center 7, Franklin Covey and SAIC.
He was a recent participant in the Internet Security Alliance
initiative to promote cross-industry IT security standards and has
also participated in several other standard-setting best practice
initiatives such as serving on the SunTone Architecture Council and
chairing the MSP Association's Best Practice Committee.

For More Information

© 2017 Quest Software Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright.
The software described in this guide is furnished under a software
license or nondisclosure agreement. This software may be used or
copied only in accordance with the terms of the applicable agreement.
No part of this guide may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser's personal use
without the written permission of Quest Software Inc.

The information in this document is provided in connection with Quest
Software products. No license, express or implied, by estoppel or
otherwise, to any intellectual property right is granted by this
document or in connection with the sale of Quest Software products.
EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE
LICENSE AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO
LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY
WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST SOFTWARE BE LIABLE FOR
ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL
DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS,
BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE
OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST SOFTWARE HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no
representations or warranties with respect to the accuracy or
completeness of the contents of this document and reserves the right
to make changes to specifications and product descriptions at any
time without notice. Quest Software does not make any commitment to
update the information contained in this document.

About One Identity

The One Identity family of identity and access management (IAM)
solutions offers IAM for the real world, including business-centric,
modular and integrated, and future-ready solutions for identity
governance, access management, and privileged management.

If you have any questions regarding your potential use of this
material, contact:

Quest Software Inc.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656

Refer to our Web site (www.quest.com) for regional and international
office information.
