Control 5.16: Identity Management
Summary
The full life cycle of identities should be managed: identities for people, devices and software are created only against a verified need, assigned uniquely so that every action can be traced back to one entity, kept current as roles change, and removed promptly when no longer required. This is what makes every entity interacting with the organization's data verifiable and accountable. Authentication information (Control 5.17) and access rights (Control 5.18) are separate controls that build on the identity inventory this control establishes.
Applicability
In-Scope: Identity is the control boundary that remains once the network perimeter no longer does, so this control applies to every organization. It matters most where identities are numerous and externally reachable: remote workforces, external contractors, and automated service or application accounts that nobody logs in as directly.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Lifecycle Management: Use Microsoft Entra ID Governance (Lifecycle Workflows fed by HR-driven provisioning) to automate the Joiner-Mover-Leaver process, so that identities are created, re-scoped and disabled from authoritative HR data rather than by ad hoc tickets. Bring non-human identities (service accounts, service principals, managed identities) under the same lifecycle, each with a named owner.
- Authentication: Enforce Multifactor Authentication (MFA) through Conditional Access and move toward phishing-resistant, passwordless methods (FIDO2 security keys, Windows Hello for Business) to strengthen identity verification.
- Identity Protection: Enable Microsoft Entra ID Protection to detect identity-based risks such as leaked credentials or atypical (impossible) travel sign-ins, and bind those risk signals to risk-based Conditional Access policies so that remediation (an MFA challenge, a forced password change, or a block) happens automatically rather than waiting on an analyst.
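The MFA and Identity Protection items above are enforced in practice by risk-based Conditional Access policies (an Entra ID P2 feature). The following script is an added worked example, not code from the original page or from Microsoft's documentation: it uses the Microsoft Graph PowerShell SDK to create two such policies in report-only mode. The emergency-access group object ID is a placeholder you must replace, and the policy names are assumptions.

```powershell
# Added example: create two report-only Conditional Access policies that act on
# Entra ID Protection risk signals, using the Microsoft.Graph PowerShell SDK.
# Prerequisites: Install-Module Microsoft.Graph; an account holding the
# Conditional Access Administrator role; an Entra ID P2 license for risk conditions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# ASSUMPTION: object ID of the group holding your emergency-access (break-glass) accounts.
# Always exclude it so a misconfigured policy cannot lock every administrator out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

function New-RiskPolicy {
    param(
        [string]    $Name,
        [hashtable] $RiskConditions,   # signInRiskLevels and/or userRiskLevels
        [hashtable] $Grant,
        [hashtable] $Session = $null
    )
    $body = @{
        displayName = $Name
        # Report-only: the decision is recorded in the sign-in logs but not enforced,
        # so the impact can be reviewed before the state is changed to "enabled".
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        } + $RiskConditions
        grantControls = $Grant
    }
    if ($Session) { $body.sessionControls = $Session }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1: medium or high SIGN-IN risk (e.g. atypical travel) -> require MFA for that sign-in.
$p1 = New-RiskPolicy -Name "CA - Sign-in risk medium/high: require MFA" `
    -RiskConditions @{ signInRiskLevels = @("high", "medium") } `
    -Grant @{ operator = "OR"; builtInControls = @("mfa") }

# Policy 2: high USER risk (e.g. leaked credentials) -> require MFA AND a password change,
# re-evaluated on every sign-in until the user risk is remediated.
$p2 = New-RiskPolicy -Name "CA - User risk high: require MFA and password change" `
    -RiskConditions @{ userRiskLevels = @("high") } `
    -Grant @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") } `
    -Session @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }

$p1, $p2 | Select-Object Id, DisplayName, State
```

Run it, review the "Report-only" results in the sign-in logs for a week or two, then switch each policy's state to "enabled". The password-change grant only works for users who are registered for both MFA and self-service password reset, which is one more reason to measure registration coverage before enforcing.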
Evidence Checklist
- Identity Policy: Documented procedures covering the creation, approval, modification, periodic review and deletion of user and service identities, including who owns each non-human identity.
- Unique IDs: Evidence that every user has a unique identity and that shared accounts are prohibited or, where unavoidable, strictly controlled (named owner, documented justification, compensating controls).
- Authentication Logs: Entra ID sign-in logs showing successful and failed authentication attempts, including whether MFA was required and satisfied. Portal retention is short (30 days with an Entra ID P1/P2 license, 7 days without), so export the logs to a SIEM or Log Analytics workspace to cover the whole audit period.
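The script below is an added example, not part of the original page, of how the last two checklist items (and the identity-review question under Practical Audit Advice) can be produced as evidence from Entra ID with the Microsoft Graph PowerShell SDK. It exports single-factor sign-ins, per-user MFA registration status, and enabled accounts with no recent sign-in to CSV. The 30-day and 90-day windows and the output folder are assumptions; set them to match your own policy.

```powershell
# Added example: collect Control 5.16 evidence from Entra ID with the Microsoft.Graph SDK.
# Prerequisites: Install-Module Microsoft.Graph; a reader role such as Reports Reader / Global Reader.
Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All"

$outDir = "C:\Evidence\5.16"                      # ASSUMPTION: where the audit file lives
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# 1. Authentication logs: successful sign-ins in the last 30 days that did NOT require MFA.
#    Each line is a candidate gap in MFA enforcement and should be explained or closed.
$filter = "createdDateTime ge $since and status/errorCode eq 0"
$noMfa = Get-MgAuditLogSignIn -Filter $filter -All |
    Where-Object { $_.AuthenticationRequirement -eq "singleFactorAuthentication" } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{ n = "ConditionalAccess"; e = { $_.ConditionalAccessStatus } }
$noMfa | Export-Csv (Join-Path $outDir "signins-without-mfa.csv") -NoTypeInformation

# 2. MFA registration coverage: who can actually satisfy an MFA requirement, and which
#    administrators cannot. Feeds the "Unique IDs" and "Authentication" evidence.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
                  @{ n = "Methods"; e = { $_.MethodsRegistered -join ";" } }
$reg | Export-Csv (Join-Path $outDir "mfa-registration.csv") -NoTypeInformation

# 3. Stale identities: enabled accounts with no sign-in in 90 days (or never), which is the
#    input to the periodic identity review. Note: this covers user objects only; service
#    principals and managed identities need a separate review.
$cutoff = (Get-Date).AddDays(-90)
$stale = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, CreatedDateTime, SignInActivity |
    Where-Object {
        $_.AccountEnabled -and
        ( -not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff )
    } |
    Select-Object UserPrincipalName, UserType, CreatedDateTime,
                  @{ n = "LastSignIn"; e = { $_.SignInActivity.LastSignInDateTime } }
$stale | Export-Csv (Join-Path $outDir "stale-identities.csv") -NoTypeInformation

"{0} single-factor sign-ins, {1} users not MFA-registered, {2} stale identities" -f
    @($noMfa).Count, @($reg | Where-Object { -not $_.IsMfaRegistered }).Count, @($stale).Count
```

Schedule the export so each run lands inside the portal's retention window; a CSV generated on the day of the audit only proves the last 30 days. For the stale-identity list, the evidence an auditor wants is the list plus the record of what was done about each entry (disabled, justified, or deleted), so keep the reviewed copy alongside the raw export.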
Practical Audit Advice
Here are some questions the auditor might ask:
- How do you ensure that every digital identity can be traced back to a specific, identifiable human or business process?
- What is the process for managing service accounts or application identities that do not belong to a person, and who owns each one?
- How does the organization respond when an identity is suspected of being compromised (e.g., a reported lost phone or a leaked password)?
- Can you provide evidence of a recent identity audit or review in which unauthorized or unnecessary identities were removed?