
ISO 27001 A.5.16: Identity management

What This Control Requires

The full lifecycle of identities shall be managed.

In Plain Language

If someone left your company six months ago and their account is still active, you have an identity management problem. Auditors will check, and this is one of the most common findings. Identity management covers the full lifecycle: creating identities when people join or new services are deployed, keeping them accurate as roles change, and disabling or deleting them when they are no longer needed. Every stage needs a defined process. The point is accountability. Every action on your systems should trace back to a unique individual - no shared logins, no anonymous access. And the lifecycle must be tightly integrated with HR processes so that when someone's employment status changes, their access changes with it.

How to Implement

Set up a centralised identity provider (Active Directory, Azure AD, Okta, or similar) as the single authoritative source for all identities. Integrate it with your applications through SAML or OIDC.

Define your lifecycle processes clearly. Registration needs identity verification before any account is created. Use a consistent naming convention. Link every identity to a real individual and track attributes like department, role, manager, and employment status. For service accounts, document purpose, owner, and review schedule.

Tie provisioning to HR onboarding. When HR creates a new employee record, that should trigger account creation, role assignment, and notifications. Automate this with identity governance tooling if you can - manual processes create delays and errors.

Handle changes proactively. Role changes, transfers, and promotions should trigger identity updates. Run regular reviews to catch dormant accounts and excessive privileges that have crept in.

Make deprovisioning fast and thorough. Disable accounts on or before the last working day. Set a retention period before permanent deletion (check your legal requirements). For contractors and temps, set expiry dates at provisioning time so they do not slip through the cracks.

Prevent identity duplication by keeping a single authoritative source. Never allow shared accounts where individual accountability is required. Make sure service and system accounts are inventoried, owned, and reviewed regularly.
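The review step described above (HR-driven deprovisioning, dormant accounts, contractor expiry dates, and ownerless service accounts) can be checked mechanically by reconciling the HR roster against a directory export. The following is an added example, not AuditFront's code or any IdP vendor's tooling; the record layouts, the sample roster and account data, and the 90-day dormancy threshold are all constructed assumptions to be adapted to your own HR system and identity provider.

```python
"""Reconcile an HR roster against a directory export to surface identity-lifecycle gaps.

Added example for ISO 27001 A.5.16. Record formats, sample data and the
90-day dormancy threshold are assumptions, not any product's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DORMANT_AFTER = timedelta(days=90)  # assumed review threshold for "no recent logon"


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    status: str                      # "active" or "terminated"
    employment_type: str             # "employee" or "contractor"
    end_date: Optional[date] = None  # termination date or contract end


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    kind: str                        # "user" or "service"
    person_id: Optional[str]         # link to the HR record; None for service accounts
    last_logon: Optional[date]       # None if the account has never logged on
    expires: Optional[date] = None   # account expiry set at provisioning time
    owner: Optional[str] = None      # accountable human owner (required for service accounts)


def find_lifecycle_gaps(hr: List[HrRecord], accounts: List[Account],
                        today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account that breaks a lifecycle rule."""
    hr_by_id = {r.person_id: r for r in hr}
    findings: List[Tuple[str, str]] = []

    for a in accounts:
        if a.kind == "service":
            # Service accounts must be inventoried with an owner and reviewed like any other.
            if not a.owner:
                findings.append((a.username, "service account has no documented owner"))
            if a.enabled and a.last_logon and today - a.last_logon > DORMANT_AFTER:
                findings.append((a.username, "dormant service account"))
            continue

        rec = hr_by_id.get(a.person_id)
        if rec is None:
            # No authoritative source backs this identity: orphan or duplicate.
            findings.append((a.username, "no matching HR record (orphan or duplicate identity)"))
            continue

        if rec.status == "terminated" and a.enabled:
            # The most common audit finding: the leaver process did not reach the directory.
            findings.append((a.username, f"enabled after termination on {rec.end_date}"))
            continue

        if rec.employment_type == "contractor":
            if a.expires is None:
                findings.append((a.username, "contractor account without expiry date"))
            elif a.expires < today and a.enabled:
                findings.append((a.username, f"contractor account past expiry {a.expires}"))

        if a.enabled and (a.last_logon is None or today - a.last_logon > DORMANT_AFTER):
            findings.append((a.username, "dormant account (no logon in 90 days)"))

    return findings


def run_sample_audit() -> List[Tuple[str, str]]:
    """Run the reconciliation over a small constructed roster and directory export."""
    today = date(2024, 6, 1)  # fixed so the result is reproducible
    hr = [
        HrRecord("E001", "active", "employee"),
        HrRecord("E002", "terminated", "employee", date(2023, 12, 15)),
        HrRecord("C001", "active", "contractor", date(2024, 3, 31)),
        HrRecord("E003", "active", "employee"),
    ]
    accounts = [
        Account("alice", True, "user", "E001", date(2024, 5, 30)),            # healthy
        Account("bob", True, "user", "E002", date(2023, 12, 14)),             # left, still enabled
        Account("carol", True, "user", "C001", date(2024, 5, 20)),            # contractor, no expiry
        Account("dave", True, "user", "E003", date(2024, 1, 10)),             # dormant
        Account("svc_backup", True, "service", None, date(2024, 5, 31)),      # no owner
        Account("svc_legacy", True, "service", None, date(2023, 9, 1), owner="platform-team"),
        Account("ghost", True, "user", "E999", date(2024, 5, 1)),             # no HR record
    ]
    return find_lifecycle_gaps(hr, accounts, today)


if __name__ == "__main__":
    for user, reason in run_sample_audit():
        print(f"{user:12} {reason}")
```

Run against a real export, the output doubles as the "identity review and cleanup record" an auditor asks for; keep each run's findings and the resulting disable or delete actions together as evidence.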

Evidence Your Auditor Will Request

  • Documented identity lifecycle management procedures covering creation, modification, and deactivation
  • Evidence of integration between HR systems and identity provisioning processes
  • Records of timely identity deactivation for recent departures
  • Inventory of service and system accounts with documented owners
  • Regular identity review and cleanup records showing removal of dormant accounts

Common Mistakes

  • Identity provisioning is not linked to HR processes, causing delays in creation and deprovisioning
  • Dormant accounts remain active long after users have departed the organization
  • Shared accounts are used without individual accountability
  • Service accounts have no documented owner or regular review schedule
  • No standardized process for identity lifecycle management across all systems

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC6.1           Related
SOC 2       CC6.2           Equivalent
GDPR        Art.32          Partial overlap
NIS2        Art.21(2)(i)    Related

Frequently Asked Questions

How quickly should accounts be disabled when someone leaves?
Same day, ideally by end of their last shift. For involuntary departures or terminations for cause, disable immediately - sometimes before the person is even notified. The key is having pre-arranged procedures with HR so IT gets the heads-up in time. This is one of those things auditors will specifically sample, so make sure you have evidence of timely deactivation.
How should we manage service accounts?
Treat them like real accounts that happen not to belong to a person. Inventory all of them, document what each one does and why it exists, and assign a human owner who is responsible for its security. Use strong unique passwords or certificate-based auth. Review them quarterly. Put privileged service accounts under PAM controls. And never repurpose a personal account for automated services - it creates an accountability mess.
