General Guidance
Compliance with control 5.16 is achieved through a combination of ensuring that identity-based
procedures are clearly articulated in policy documents, and monitoring day-to-day adherence
among staff.
5.16 lists six main procedures that an organisation needs to follow, in order to meet the requisite
standards of infosec and cybersecurity governance:

1. Where identities are assigned to a person, only that specific person is allowed to authenticate with and/or use that identity when accessing network resources.
   Compliance – IT policies need to clearly stipulate that users are not to share login information, or allow other users to roam the network using any identity other than the one they’ve been assigned.

2. Sometimes it may be necessary to assign an identity to multiple people – also known as a ‘shared identity’. This approach should be used sparingly, and only to satisfy an explicit set of operational requirements.
   Compliance – Organisations should treat the registration of shared identities as a separate procedure from single-user identities, with a dedicated approval workflow.

3. So-called ‘non-human’ entities (as the name suggests, any identity that isn’t attached to an actual user) should be considered differently from user-based identities at the point of registration.
   Compliance – As with shared identities, non-human identities should in turn have their own approval and registration process that acknowledges the underlying difference between assigning an identity to a person and granting one to an asset, application or device.

4. Identities that are no longer required (leavers, redundant assets etc.) should be disabled by a network administrator, or removed entirely, as required.
   Compliance – IT staff should carry out regular audits that list identities in order of use, and identify which entities (human or non-human) can be suspended or deleted. HR staff should include identity management in their offboarding procedures, and inform IT staff of leavers in a timely manner.

5. Duplicate identities should be avoided at all costs. Firms should adhere to a ‘one entity, one identity’ rule across the board.
   Compliance – IT staff should remain vigilant when assigning roles across a network, and ensure that entities aren’t granted access rights based on multiple identities.

6. Adequate records should be kept of all ‘significant events’ regarding identity management and authentication information.
   Compliance – The term ‘significant event’ can be interpreted in various ways, but on a basic level organisations need to ensure that their governance procedures include identity registration documentation, robust change request protocols with an appropriate approvals procedure, and the ability to produce a comprehensive list of assigned identities at any given time.
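The audit steps in the six procedures above (listing identities by last use, flagging leavers, checking that shared and non-human identities went through their own approval, spotting one person holding several identities, and recording disable actions as significant events) can be run against an identity register as a script. The following is an added example written for this page, not code from ISO 27001 or from any product; the register, the 90-day idle threshold, the fixed reference date and the field names are all constructed assumptions, and a real run would read the records from the organisation's directory or IAM system instead.

```python
"""Identity-register audit checks in the spirit of ISO 27001 control 5.16.

Constructed example: the records, dates and thresholds below are invented
for illustration and are not taken from any real environment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Identity:
    name: str                  # the identity as it appears in the directory
    kind: str                  # "user", "shared" or "non-human"
    owner: str                 # person (or team) accountable for the identity
    last_used: Optional[date]  # None means the identity has never authenticated
    approved: bool             # dedicated approval recorded (needed for shared / non-human)
    active: bool = True

# Fixed reference date so the example is deterministic (assumption).
TODAY = date(2024, 6, 1)

# Constructed sample register covering each failure mode the control lists.
REGISTER = [
    Identity("alice", "user", "alice", date(2024, 5, 30), True),
    Identity("alice2", "user", "alice", date(2024, 1, 10), True),            # second identity for the same person
    Identity("bob", "user", "bob", date(2023, 11, 2), True),                 # leaver, still active and idle
    Identity("svc-backup", "non-human", "ops-team", date(2024, 5, 31), True),
    Identity("svc-legacy", "non-human", "ops-team", None, False),            # never used, no approval on record
    Identity("helpdesk-shared", "shared", "it-team", date(2024, 5, 29), False),  # shared, no dedicated approval
]

def usage_report(register, today=TODAY):
    """Comprehensive list of identities ordered by last use, least recent first."""
    def key(i):
        # never-used identities sort before every dated one
        return (i.last_used is not None, i.last_used or date.min)
    return [(i.name, i.kind, i.last_used.isoformat() if i.last_used else "never")
            for i in sorted(register, key=key)]

def stale(register, max_idle_days=90, today=TODAY):
    """Active identities idle for longer than max_idle_days: candidates for suspension."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(i.name for i in register
                  if i.active and (i.last_used is None or i.last_used < cutoff))

def leavers(register, hr_leavers):
    """Active identities whose owner HR has reported as a leaver."""
    return sorted(i.name for i in register if i.active and i.owner in hr_leavers)

def duplicates(register):
    """People holding more than one active user identity ('one entity, one identity')."""
    by_person = {}
    for i in register:
        if i.kind == "user" and i.active:
            by_person.setdefault(i.owner, []).append(i.name)
    return {p: sorted(names) for p, names in by_person.items() if len(names) > 1}

def unapproved_special(register):
    """Shared or non-human identities registered without the dedicated approval workflow."""
    return sorted(i.name for i in register
                  if i.kind in ("shared", "non-human") and not i.approved)

def disable(register, names, actor, events, today=TODAY):
    """Disable the named identities and log each change as a significant event.

    events is the caller's record of significant events (a list of dicts here;
    a real deployment would write to a change-management or audit system).
    Returns the identities actually disabled, in register order.
    """
    done = []
    for i in register:
        if i.name in names and i.active:
            i.active = False
            events.append({"date": today.isoformat(), "actor": actor,
                           "action": "disable", "identity": i.name})
            done.append(i.name)
    return done

if __name__ == "__main__":
    for row in usage_report(REGISTER):
        print("%-16s %-10s %s" % row)
    print("stale:", stale(REGISTER))
    print("leavers:", leavers(REGISTER, {"bob"}))
    print("duplicates:", duplicates(REGISTER))
    print("unapproved shared/non-human:", unapproved_special(REGISTER))
    log = []
    print("disabled:", disable(REGISTER, ["bob", "svc-legacy"], "admin", log))
    print("events:", log)
```

Each check maps to one of the procedures above: `usage_report` and `stale` support the regular audit "in order of use", `leavers` consumes the list HR should hand to IT during offboarding, `duplicates` enforces the one-entity-one-identity rule for people, `unapproved_special` verifies that shared and non-human identities carry their own approval record, and `disable` keeps the event record the last procedure asks for. The idle threshold and what counts as a significant event are policy decisions, so both are parameters rather than fixed in the code.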