Implementing ISO 27001 Annex A 5.16 is a technical necessity for securing digital ecosystems through a rigorous, automated identity lifecycle. By aligning HR records with technical provisioning, organizations achieve the primary implementation requirement of non-repudiation while gaining the business benefit of reduced operational overhead and eliminated unauthorized access gaps.
ISO 27001 Annex A Identity Management Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.16 by establishing a rigorous, automated lifecycle for digital identities. Compliance depends on technically binding the creation, modification, and deletion of user accounts directly to the HR record, removing human error and “ticket-based” delays from the process.
1. Integrate HRIS as the Single Source of Truth
Control Requirement: The full lifecycle of identities must be managed.
Required Implementation Step: Configure an API connector or SCIM bridge between your HR system (e.g., Workday, BambooHR) and your Identity Provider (Active Directory/Entra ID). Ensure that the creation of a “New Hire” record in HR automatically triggers the creation of a disabled user account in AD, eliminating manual transcription errors by IT helpdesk staff.
Minimum Requirement: IT does not manually type names into Active Directory; data flows exclusively from HR.
2. Enforce Strict Identity Verification (ID Proofing)
Control Requirement: Identities must be verified before being issued.
Required Implementation Step: Update your onboarding procedure to require a government-issued photo ID (Passport/Driving Licence) validation before credentials are released. For remote staff, use a digital ID verification service (e.g., Onfido) or a video call where the ID is held up to the camera. Store the reference number (not the scan) in the user’s attribute field.
Minimum Requirement: Credentials are never emailed to a personal address without visual verification of the recipient.
3. Ban Shared and Generic Accounts
Control Requirement: Users must be uniquely identifiable.
Required Implementation Step: Audit your directory for generic names like “Reception”, “Intern”, or “SalesUser”. Disable these accounts immediately. Convert necessary shared mailboxes to “Shared Mailbox” objects (which cannot perform interactive logins) and delegate access permissions to specific named users.
Minimum Requirement: Every interactive login event can be traced back to a specific human’s legal name.
4. Standardise Naming Conventions via Script
Control Requirement: User IDs must follow a consistent standard.
Required Implementation Step: Implement a PowerShell script or IdP rule that enforces a strict naming convention (e.g., First.Last or FLast). Configure the system to automatically handle duplicates (e.g., JSmith2) deterministically, preventing helpdesk staff from inventing random variations like JohnS_Admin.
Minimum Requirement: All user IDs follow a predictable, documented format without exception.
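An added example of the naming script this step calls for (not code from the checklist). It assumes the convention is first.last, lower-case, accents stripped, capped at 20 characters (the sAMAccountName limit), and that a collision takes the next free numeric suffix; the list of IDs already in use is constructed for the demo.

```powershell
# Added example, not part of the checklist: deterministic user ID generation.
# Convention assumed: first.last, lower-case, accents stripped, max 20 characters;
# a collision gets the next free numeric suffix (john.smith, john.smith2, john.smith3 ...)
# so two helpdesk staff given the same inputs always produce the same ID.
function New-StandardUserId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        # IDs already in the directory; in production supply
        # (Get-ADUser -Filter * -Properties sAMAccountName).sAMAccountName
        [string[]]$ExistingIds = @()
    )
    # Normalise a name part: decompose accents (ü -> u + combining mark), keep letters only, lower-case
    $clean = {
        param([string]$s)
        $chars = $s.Normalize([Text.NormalizationForm]::FormD).ToCharArray() | Where-Object { [char]::IsLetter($_) }
        (-join $chars).ToLowerInvariant()
    }
    $first = & $clean $GivenName
    $last  = & $clean $Surname
    if (-not $first -or -not $last) { throw "GivenName and Surname must each contain at least one letter" }

    $base = "$first.$last"
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }

    # Case-insensitive set, because AD treats sAMAccountName as case-insensitive
    $taken = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($id in $ExistingIds) { [void]$taken.Add($id) }

    if (-not $taken.Contains($base)) { return $base }
    $n = 2
    while ($true) {
        $suffix = [string]$n
        # Trim the base so base + suffix still fits in 20 characters
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
        if (-not $taken.Contains($candidate)) { return $candidate }
        $n++
    }
}

# Constructed sample of IDs already in use
$inUse = 'john.smith', 'john.smith2', 'anna.muller'
New-StandardUserId -GivenName 'John' -Surname 'Smith'   -ExistingIds $inUse
New-StandardUserId -GivenName 'Anna' -Surname 'Müller'  -ExistingIds $inUse
New-StandardUserId -GivenName 'Seán' -Surname "O'Brien" -ExistingIds $inUse
```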
5. Segregate Privileged Identities
Control Requirement: Identities with elevated rights must be separate from standard use.
Required Implementation Step: For every IT administrator, create a secondary identity specifically for elevated tasks (e.g., adm-jdoe). Apply technical controls (GPO or Conditional Access) that block the standard account (jdoe) from accessing server management interfaces and block the admin account (adm-jdoe) from accessing email and internet browsing.
Minimum Requirement: Administrators have two distinct user accounts: one for email, one for server configuration.
6. Automate Immediate De-Provisioning
Control Requirement: Access must be revoked immediately upon termination.
Required Implementation Step: Configure the HR-to-IT sync to run every 15-30 minutes. Ensure that setting a user to “Terminated” in the HR portal triggers a critical script that disables the AD account, revokes active OAuth tokens, and clears sessions instantly. Do not wait for an end-of-day batch job.
Minimum Requirement: A fired employee’s access is cut off before they return to their desk.
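An added example of the termination-triggered script this step describes (not code from the checklist). It assumes the RSAT ActiveDirectory module and the Microsoft Graph PowerShell SDK, that the AD employeeID attribute carries the HR identifier, and that the HR system exposes terminated staff as records with EmployeeID and TerminationDate; the HR records below are constructed stand-ins for the real API response, and the function is what the 15-30 minute scheduled task would call.

```powershell
# Added example, not part of the checklist: HR "Terminated" -> immediate disable + session revocation.
# Assumptions: RSAT ActiveDirectory and Microsoft.Graph.Users.Actions modules are installed;
# AD employeeID matches the HR EmployeeID; the HR API polling itself is out of scope here.
function Invoke-TerminationSync {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$TerminatedRecords)

    Import-Module ActiveDirectory -ErrorAction Stop
    Connect-MgGraph -Scopes 'User.RevokeSessions.All'

    foreach ($rec in $TerminatedRecords) {
        # Validate the HR identifier before it goes into an AD filter string
        if ($rec.EmployeeID -notmatch '^[A-Za-z0-9-]+$') { Write-Warning "Rejected malformed EmployeeID '$($rec.EmployeeID)'"; continue }

        # Match on the HR identifier, never on display name (item 9: names are not unique)
        $user = Get-ADUser -Filter "employeeID -eq '$($rec.EmployeeID)'" -Properties UserPrincipalName, Enabled
        if (-not $user) { Write-Warning "No AD account for HR EmployeeID $($rec.EmployeeID)"; continue }
        if (-not $user.Enabled) { continue }   # already handled on an earlier run of the sync

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable account and revoke sessions')) {
            # 1. Block new on-prem logons
            Disable-ADAccount -Identity $user
            # 2. Invalidate Entra refresh tokens and browser session cookies, so SSO-federated SaaS
            #    apps (item 8) can no longer obtain new access tokens for this user
            Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null
            # 3. Leave the reason on the object itself for the audit trail (item 10)
            Set-ADUser -Identity $user -Description ("Terminated per HR {0}; disabled {1:u}" -f $rec.TerminationDate, (Get-Date))
            [pscustomobject]@{ User = $user.SamAccountName; Action = 'Disabled+Revoked' }
        }
    }
}

# Constructed sample standing in for the HR API response
$hrTerminated = @(
    [pscustomobject]@{ EmployeeID = 'E10042'; TerminationDate = '2024-05-01' }
)
Invoke-TerminationSync -TerminatedRecords $hrTerminated -WhatIf
```

Existing access tokens already issued to a client stay valid until they expire (typically about an hour), so the revocation closes the door on new tokens rather than ending every session at once.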
7. Implement Automated Stale Account Cleanup
Control Requirement: Dormant identities must be identified and removed.
Required Implementation Step: Configure a scheduled task or Azure Automation runbook to query LastLogonDate. If an account has not authenticated for 45 days, disable it automatically and move it to a “Disabled Users” OU. If it remains inactive for 90 days, delete the account.
Minimum Requirement: No enabled accounts exist that haven’t been used in the last 90 days.
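An added example of the scheduled cleanup this step describes (not code from the checklist). It assumes the RSAT ActiveDirectory module; the OU paths are placeholders, and the 90-day deletion is read as 90 days since last logon, so an account parked at day 45 is removed 45 days later.

```powershell
# Added example, not part of the checklist: 45-day disable / 90-day delete of dormant accounts.
# Assumes the RSAT ActiveDirectory module; OU paths are placeholders. Every change goes through
# ShouldProcess, so run with -WhatIf first to see what would be touched.
function Invoke-StaleAccountCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase    = 'OU=Staff,DC=example,DC=local',          # placeholder
        [string]$DisabledOU    = 'OU=Disabled Users,DC=example,DC=local', # placeholder
        [int]$DisableAfterDays = 45,
        [int]$DeleteAfterDays  = 90   # measured from last logon, not from the disable date
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $now   = Get-Date
    $props = 'LastLogonDate', 'whenCreated', 'Description'

    # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to ~14 days of lag,
    # so it can understate recent activity. A never-used account has no value at all; fall back to
    # whenCreated rather than treating "no data" as "active".
    $lastActivity = { param($u) if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated } }

    # Stage 1: enabled accounts silent for more than $DisableAfterDays -> disable and park
    $disableCutoff = $now.AddDays(-$DisableAfterDays)
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties $props |
        Where-Object { (& $lastActivity $_) -lt $disableCutoff } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, "Disable and move to $DisabledOU")) {
                Disable-ADAccount -Identity $_
                # Stamp the reason so a reviewer can tell auto-parked accounts from HR terminations
                Set-ADUser -Identity $_ -Description ("Auto-disabled {0:yyyy-MM-dd}: no logon for {1}+ days" -f $now, $DisableAfterDays)
                Move-ADObject -Identity $_.DistinguishedName -TargetPath $DisabledOU
            }
        }

    # Stage 2: accounts this script parked whose last logon is older than $DeleteAfterDays -> delete.
    # Accounts disabled for other reasons (termination, leave, legal hold) need their own retention rule.
    $deleteCutoff = $now.AddDays(-$DeleteAfterDays)
    Get-ADUser -SearchBase $DisabledOU -Filter 'Enabled -eq $false' -Properties $props |
        Where-Object { $_.Description -like 'Auto-disabled*' -and (& $lastActivity $_) -lt $deleteCutoff } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Delete')) {
                Remove-ADUser -Identity $_ -Confirm:$false
            }
        }
}

Invoke-StaleAccountCleanup -WhatIf
```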
8. Centralise Identity via SSO Federation
Control Requirement: One identity should be used across multiple services.
Required Implementation Step: Audit all SaaS applications (Salesforce, Slack, Zoom). Reconfigure them to use SAML or OIDC Single Sign-On (SSO) pointing to your central IdP (Azure AD/Okta). Disable local username/password authentication on these platforms to prevent “Shadow Identities” that persist after the central account is disabled.
Minimum Requirement: Users do not have separate passwords for SaaS apps; they use their core corporate identity.
9. Enforce Uniqueness of Attribute Data
Control Requirement: Attributes used for identification must be unique.
Required Implementation Step: Configure your directory schema to enforce uniqueness constraints on critical fields such as “EmployeeID” and “EmailAddress”. This prevents the “John Smith” problem where a new hire inadvertently inherits permissions or email aliases from a previous employee with the same name.
Minimum Requirement: The system technically rejects the creation of a duplicate email address or employee ID.
10. Log Identity Lifecycle Events
Control Requirement: Changes to identities must be recorded.
Required Implementation Step: Enable verbose logging for your Identity Provider (e.g., Azure AD Audit Logs). Specifically monitor “User Created”, “User Deleted”, and “Group Membership Changed” events. Stream these logs to your SIEM solution to detect unauthorised account creation by compromised admin credentials.
Minimum Requirement: You can produce a report showing exactly who created a specific user account and when.
ISO 27001 Annex A 5.16 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| HR Integration | GRC tool asks: “Is there a new starter process?” (Yes/No). | Fails if the process is an email sent to IT. Emails get missed. Compliance requires API integration between HR and IT. |
| Identity Proofing | Policy says “Check ID”. | Fails if the manager forgets. You need a recorded field in the user profile: “ID Verified By: [Name] on [Date]”. |
| Unique IDs | Tool checks active user count. | Fails if “Marketing@company.com” is a shared login used by 5 interns. Non-repudiation is impossible here. |
| De-provisioning | Checklist: “Did you remove Bob?” | Fails if Bob was removed 3 days late because the ticket sat in a queue. Automation is the only way to meet the requirement. |
| Shadow Identities | Tool scans for “SaaS usage”. | Fails if users are creating local accounts on Trello/Canva. Only forcing SSO stops the sprawl of unmanaged identities. |
| Stale Accounts | Annual review of user list. | Fails if an attacker hijacks a dormant account 2 months before the annual review. You need automated 90-day pruning. |
| Privileged ID | “Admins use MFA”. | Fails if Admins use their daily account for email (phishing risk) and server admin. Segregated accounts are mandatory. |