What Is the Purpose of Control 5.16?
5.16 deals with an organisation’s ability to identify who (users, groups of users) or what (applications, systems and devices) is accessing data or IT assets at any given time, and how those identities are granted access rights across the network.
5.16 is a preventative control that maintains risk by acting as the main perimeter for all associated information security and cybersecurity operations, as well as the primary mode governance that dictates an organisation’s Identity and Access Management framework.
Attributes of Control 5.16
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventative | #Confidentiality | #Protect | #Identity and access management | #Protection |
| #Integrity | ||||
| #Availability |
Ownership
Given that 5.16 serves what is primarily a maintenance function, ownership should be directed towards IT staff who have been assigned Global Administrator rights (or equivalent for non-Windows based infrastructure).
Whilst there are other built-in roles that allow users to administer identities (e.g. Domain Administrator), ownership of 5.16 should rest with the individual who has ultimate responsibility for an organisation’s entire network, including all subdomains and Active Directory tenants.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
General Guidance
Compliance with control 5.16 is achieved through a combination of ensuring that identity-based procedures are clearly articulated in policy documents, and monitoring day-to-day adherence among staff.
5.16 lists six main procedures that an organisation needs to follow, in order to meet the requisite standards of infosec and cybersecurity governance:
- Where identities are assigned to a person, only that specific person is allowed to authenticate with and/or use that identity, when accessing network resources.
Compliance – IT policies need to clearly stipulate that users are not to share login information, or allow other users to roam the network using any identity other than the one they’ve been assigned.
- Sometimes it may be necessary to assign an identity to multiple people – also known as a ‘shared identity’. This approach should be used sparingly, and only to satisfy an explicit set of operational requirements.
Compliance – Organisations should treat the registration of shared identities as a separate procedure to single user identities, with a dedicated approval workflow.
- So-called ‘non-human’ entities (as the name suggests, any identity that isn’t attached to an actual user) should be considered differently to user-based identities at the point of registration.
Compliance – As with shared identities, non-human identities should in turn have their own approval and registration process that acknowledges the underlying difference between assigning an identity to a person, and granting one to an asset, application or device.
- Identities that are no longer required (leavers, redundant assets etc.) should be disabled by a network administrator, or removed entirely, as is required.
Compliance – IT staff should carry out regular audits that list identities in order of use, and identify which entities (human or non-human) are able to be suspended or deleted. HR staff should include identity management in their offboarding procedures, and inform IT staff of leavers in a timely manner.
- Duplicate identities should be avoided at all costs. Firms should adhere to a ‘one entity, one identity’ rule across the board.
Compliance – IT staff should remain vigilant when assigning roles across a network, and ensure that entities aren’t granted access rights based on multiple identities.
- Adequate records should be kept of all ‘significant events’ regarding identity management and authentication information.
Compliance – The term ‘significant event’ can be interpreted in various ways, but on a basic level organisations need to ensure that their governance procedures include identity registration documentation, robust change request protocols with an appropriate approvals procedure, and the ability to produce a comprehensive list of assigned identities at any given time.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Supplementary Guidance
As well as the six main operational considerations, 5.16 also lists four steps that organisations need to follow when creating an identity, and granting it access to network resources (amending or removing access rights is dealt with in control 5.18):
- Establish a business case prior to an identity being created
Compliance – It’s important to acknowledge that identity management becomes exponentially more difficult with every new identity that’s created. Organisations should create new identities only when there is a clear need to do so.
- Ensure that the entity that’s being assigned the identity (human or non-human) has been independently verified.
Compliance – Once a business case has been approved, Identity and Access Management procedures should contain steps to ensure that the person or asset who is receiving a new identity has the requisite authority to do so, prior to an identity being created.
- Establishing an identity
Once the entity has been verified, IT staff should create an identity that’s in-line with the business case requirements, and is limited to what is stipulated in any change request documentations.
- Final configuration and activation
The final step in the process involves assigning an identity to its various access-based permissions and roles (RBAC), and any associated authentication services that are required.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes from ISO 27002:2013
General
27002:2022 / 5.16 replaces 27002:2013/9.2.1 (User Registration and De-registration) – which itself formed part of 27002:2013’s User Access Management control set. Whilst there are some similarities between the two controls – mostly in maintenance protocols, and deactivating redundant IDs – 5.16 contains a far more comprehensive set of guidelines that seek to address Identity and Access Management as an end-to-end concept.
Human vs. Non-human Identities
The main difference between the 2022 control and its 2013 predecessor is the acknowledgement that whilst there are differences in the registration process, human and non-human identities are no longer treated as distinct from one another, for general network administration purposes.
With the onset of modern Identity and Access Management and Windows-based RBAC protocols, IT governance and best practice guidelines speak of human and non-human identities more or less interchangeably. 27002:2013/9.2.1 contains no guidance on how to administer non-human identities, and concerns itself solely with the management of what it refers to as ‘User IDs’ (i.e. login information that’s used to access a network, along with a password).
Documentation
As we’ve seen, 27002:2013/5.16 contains explicit guidance on not only the general security implications of identity governance, but also how organisations should record and process information prior to an identity being assigned, and throughout its lifecycle. In comparison, 27002:2013/9.2.1 only briefly mentions the accompanying role that IT governance plays, and limits itself to the physical practice of identity administration, as carried out by IT staff.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
