Identity management is the process of managing and controlling who has access to what within a system. Think of it like a digital key master who makes sure the right people get the right keys to the right doors. It ensures that only authorised users can access specific resources, like files or applications, and it keeps track of what they do. This is a key part of information security.
Examples
- Logging in to a computer: When you type in your username and password, you are using a form of identity management. The system checks if your identity (username) and secret (password) are correct before letting you in.
- Online banking: Your bank uses identity management to make sure that only you can see your account balance and make transactions. They might even use extra steps, like sending a code to your phone, to be extra sure it’s you.
- Social media: When you sign up for a social media site, you create a profile, which is your digital identity. The site then uses this identity to control what you can see and do.
Context
In simple terms, identity management is about knowing who’s who in a digital world. It’s not just about a username and password. It’s about a complete system that manages all the identities of people and devices. This includes things like:
- Authentication: Proving you are who you say you are. This can be done with a password, a fingerprint, or a face scan.
- Authorization: Deciding what you’re allowed to do once you’re in. For example, a student can view their grades but not change them.
- User provisioning: Creating and deleting user accounts as needed. When a new employee starts, an account is created. When they leave, it’s deleted.
The goal is to keep systems safe and make sure the right people can do their jobs without a hassle.
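To make the three pieces above concrete, here is an added illustration (not from the original page): a small Python model of an identity store that provisions and deprovisions accounts, authenticates with a salted password hash, and authorizes actions by role. The role names, permission strings and usernames are constructed for the example; the student-can-view-but-not-edit-grades rule is the one from the text.

```python
import hashlib
import hmac
import os


class IdentityStore:
    """Minimal identity-management model (constructed example): provisioning,
    authentication and authorization kept as three separate decisions."""

    # Authorization policy: what each role may do once authenticated.
    PERMISSIONS = {
        "student": {"grades:view"},
        "teacher": {"grades:view", "grades:edit"},
    }

    def __init__(self):
        self._users = {}  # username -> {"salt": bytes, "hash": bytes, "role": str}

    @staticmethod
    def _derive(password, salt):
        # Slow, salted password hash so a stolen store does not reveal passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def provision(self, username, password, role):
        """User provisioning: create an account with a role (e.g. new employee)."""
        if role not in self.PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt), "role": role}

    def deprovision(self, username):
        """User provisioning: remove the account when the person leaves."""
        self._users.pop(username, None)

    def authenticate(self, username, password):
        """Authentication: is this really the claimed user?"""
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown names so timing does not reveal which accounts exist.
            self._derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(record["hash"], self._derive(password, record["salt"]))

    def authorize(self, username, action):
        """Authorization: may this (already authenticated) user perform the action?"""
        record = self._users.get(username)
        return record is not None and action in self.PERMISSIONS[record["role"]]
```

Note that a deprovisioned account fails both checks: authentication and authorization are evaluated against the live account record, so removing the record revokes everything at once.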
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to Identity Management:
- ISO 27001:2022 Annex A 5.15: Access control: This is the main control for managing access rights.
- ISO 27001:2022 Annex A 5.16: Identity Management: This covers the process of giving, changing, and removing user access.
- ISO 27001:2022 Annex A 5.17: Authentication Information: This control deals with how users prove who they are (e.g., with passwords or keycards).
- ISO 27001:2022 Annex A 5.18: Access rights: This control focuses on setting up and reviewing user access to systems.
- ISO 27001:2022 Annex A 8.2: Privileged Access Rights: This is about controlling access for powerful accounts, like system administrators.