General Guidance

Compliance with control 5.16 is achieved through a combination of ensuring that identity-based procedures are clearly articulated in policy documents, and monitoring day-to-day adherence among staff.

5.16 lists six main procedures that an organisation needs to follow in order to meet the requisite standards of infosec and cybersecurity governance:

1. Where identities are assigned to a person, only that specific person is allowed to authenticate with and/or use that identity when accessing network resources.

Compliance – IT policies need to clearly stipulate that users are not to share login information, or allow other users to roam the network using any identity other than the one they have been assigned.

2. Sometimes it may be necessary to assign an identity to multiple people – also known as a ‘shared identity’. This approach should be used sparingly, and only to satisfy an explicit set of operational requirements.

Compliance – Organisations should treat the registration of shared identities as a separate procedure from single-user identities, with a dedicated approval workflow.

3. So-called ‘non-human’ entities (as the name suggests, any identity that is not attached to an actual user) should be considered differently from user-based identities at the point of registration.

Compliance – As with shared identities, non-human identities should in turn have their own approval and registration process that acknowledges the underlying difference between assigning an identity to a person and granting one to an asset, application or device.

4. Identities that are no longer required (leavers, redundant assets etc.) should be disabled by a network administrator, or removed entirely, as required.

Compliance – IT staff should carry out regular audits that list identities in order of use, and identify which entities (human or non-human) can be suspended or deleted. HR staff should include identity management in their offboarding procedures, and inform IT staff of leavers in a timely manner.

5. Duplicate identities should be avoided at all costs. Firms should adhere to a ‘one entity, one identity’ rule across the board.

Compliance – IT staff should remain vigilant when assigning roles across a network, and ensure that entities are not granted access rights based on multiple identities.

6. Adequate records should be kept of all ‘significant events’ regarding identity management and authentication information.

Compliance – The term ‘significant event’ can be interpreted in various ways, but at a basic level organisations need to ensure that their governance procedures include identity registration documentation, robust change request protocols with an appropriate approvals procedure, and the ability to produce a comprehensive list of assigned identities at any given time.
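As an added illustration of the audits called for in points 4 and 5 and the approval records in points 2 and 3 (example code written for this page, not from ISMS.online, ISO 27001 or any product), the following Python runs those checks over a constructed identity register; the record fields, the 90-day dormancy threshold and the HR leavers feed are assumptions:

```python
from datetime import date, timedelta

# Constructed sample identity register (not from ISMS.online or ISO 27001): one record
# per identity with the entity it belongs to, its kind (user / shared / non-human), the
# last authentication date, whether it is enabled, and the approval reference recorded
# at registration (None means no approval record exists).
REGISTER = [
    {"id": "alice.w",    "entity": "Alice W",      "kind": "user",      "last_used": "2024-06-01", "enabled": True,  "approval": "REG-101"},
    {"id": "bob.k",      "entity": "Bob K",        "kind": "user",      "last_used": "2024-01-15", "enabled": True,  "approval": "REG-102"},
    {"id": "bkaye",      "entity": "Bob K",        "kind": "user",      "last_used": "2024-05-20", "enabled": True,  "approval": "REG-117"},
    {"id": "carol.m",    "entity": "Carol M",      "kind": "user",      "last_used": "2024-03-30", "enabled": True,  "approval": "REG-103"},
    {"id": "ops-shared", "entity": "Ops team",     "kind": "shared",    "last_used": "2024-05-28", "enabled": True,  "approval": None},
    {"id": "svc-backup", "entity": "backup-srv01", "kind": "non-human", "last_used": "2023-11-02", "enabled": True,  "approval": "REG-090"},
    {"id": "dave.p",     "entity": "Dave P",       "kind": "user",      "last_used": "2023-09-09", "enabled": False, "approval": "REG-104"},
]
# Constructed HR offboarding feed: entities that have left, whose identities must be disabled.
LEAVERS = {"Carol M", "Dave P"}


def audit(register, leavers, today, dormant_days=90):
    """Run the checkable parts of control 5.16 over an identity register and return findings."""
    cutoff = date.fromisoformat(today) - timedelta(days=dormant_days)
    enabled = [r for r in register if r["enabled"]]
    # Point 4: enabled identities listed in order of use (least recently used first)
    # that have passed the dormancy threshold and are candidates for suspension.
    dormant = sorted((r for r in enabled if date.fromisoformat(r["last_used"]) < cutoff),
                     key=lambda r: r["last_used"])
    # Point 4: leavers reported by HR whose identity is still enabled (offboarding incomplete).
    leaver_active = [r["id"] for r in enabled if r["entity"] in leavers]
    # Point 5: 'one entity, one identity' - entities holding more than one identity.
    by_entity = {}
    for r in register:
        by_entity.setdefault(r["entity"], []).append(r["id"])
    duplicates = {e: ids for e, ids in by_entity.items() if len(ids) > 1}
    # Points 2 and 3: shared and non-human identities must carry a dedicated approval record.
    unapproved = [r["id"] for r in register if r["kind"] != "user" and not r["approval"]]
    return {
        "dormant": [r["id"] for r in dormant],
        "leaver_active": leaver_active,
        "duplicates": duplicates,
        "unapproved": unapproved,
    }


if __name__ == "__main__":
    for name, finding in audit(REGISTER, LEAVERS, "2024-06-03").items():
        print(f"{name}: {finding}")
```

Each finding maps back to one of the six procedures, so the output doubles as evidence for the ‘comprehensive list of assigned identities’ expected under point 6.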