Episode 30 — A.5.15–5.16 — Access control; Identity management

Access control and identity management together form the operational backbone of modern cybersecurity governance. Where previous controls ensured that information was properly labeled and transferred, these controls determine who may interact with it and under what conditions. The intent of A.5.15 and A.5.16 is to align every access decision with a legitimate business purpose, ensuring that identity—not location or device—becomes the definitive source of truth for authorization. Policy-driven and evidence-backed authorization replaces ad hoc permissions, creating an auditable lifecycle that traces from credential issuance to revocation. This lifecycle approach ensures that access is both justifiable and reversible, establishing governance discipline that protects against privilege creep, insider misuse, and compliance failures while maintaining operational efficiency.

Choosing the right authorization model is central to maintaining effective control without unnecessary complexity. Role-Based Access Control (RBAC) fits stable environments where job roles rarely change and can be pre-defined with clear permission sets. Attribute-Based Access Control (ABAC) adds flexibility by considering contextual attributes such as user department, device posture, or time of access. In cloud and distributed environments, policy-based and claims-driven models extend these principles, leveraging federated identity tokens and conditional logic for fine-grained control. Selecting the appropriate model requires balancing risk tolerance with operational practicality. Overly rigid models can slow productivity, while overly flexible ones invite inconsistency. The key is to map authorization approaches directly to how the organization functions in reality, not how it looks on paper.
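The two models above can be shown side by side in a single deny-by-default decision function: RBAC supplies the base grant from a role catalog, and ABAC rules layer contextual restrictions (device posture, time of access, department) on top. This is an added example, not code from the episode or from any identity product; the roles, attributes and rules are constructed for illustration.

```python
"""Deny-by-default authorization that layers ABAC conditions over RBAC grants.

Added example; the roles, attributes and rules below are constructed, not taken
from any standard or product.
"""
from dataclasses import dataclass
from datetime import time

# RBAC: a stable role catalog mapping each role to its (resource, action) grants.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "finance_admin": {("ledger", "read"), ("ledger", "write")},
}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    department: str
    device_managed: bool   # device posture, assumed to come from an endpoint agent


@dataclass(frozen=True)
class Request:
    resource: str
    action: str
    local_time: time       # time of access, evaluated by the business-hours rule


# ABAC: contextual conditions, each as (name, applies-to-request, satisfied-by).
# A rule only restricts; it never grants something the role catalog did not.
ABAC_RULES = [
    ("ledger writes require a managed device",
     lambda r: (r.resource, r.action) == ("ledger", "write"),
     lambda s, r: s.device_managed),
    ("ledger writes allowed only 09:00-18:00 local time",
     lambda r: (r.resource, r.action) == ("ledger", "write"),
     lambda s, r: time(9, 0) <= r.local_time < time(18, 0)),
    ("ledger access restricted to the finance department",
     lambda r: r.resource == "ledger",
     lambda s, r: s.department == "finance"),
]


def rbac_allows(subject, request):
    """True when at least one of the subject's roles carries the permission."""
    needed = (request.resource, request.action)
    return any(needed in ROLE_PERMISSIONS.get(role, ()) for role in subject.roles)


def authorize(subject, request):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if not rbac_allows(subject, request):
        return False, "no role grants this permission"
    for name, applies, satisfied in ABAC_RULES:
        if applies(request) and not satisfied(subject, request):
            return False, name
    return True, "allowed"


def evaluate_samples():
    """Run a few constructed access decisions and return their outcomes."""
    alice = Subject("alice", frozenset({"finance_admin"}), "finance", True)
    carol = Subject("carol", frozenset({"finance_admin"}), "finance", False)
    bob = Subject("bob", frozenset({"analyst"}), "marketing", True)
    write_10am = Request("ledger", "write", time(10, 0))
    write_8pm = Request("ledger", "write", time(20, 0))
    read_ledger = Request("ledger", "read", time(10, 0))
    return {
        "alice_write_business_hours": authorize(alice, write_10am),
        "alice_write_after_hours": authorize(alice, write_8pm),
        "carol_write_unmanaged_device": authorize(carol, write_10am),
        "bob_read_ledger_no_role": authorize(bob, read_ledger),
    }
```

The reason string returned with every denial is what makes the decision auditable: a log of `(subject, request, reason)` tuples shows not only that access was refused but which policy element refused it, which is the evidence an auditor asks for when sampling deny-by-default behaviour.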

Access request and approval flows represent the procedural face of access governance. A standardized entitlement catalog allows employees to request predefined permissions, reducing ambiguity and administrative overhead. High-risk resources, such as financial systems or customer databases, require multi-stage approvals involving both business and technical stakeholders. Every request must include a documented justification that ties access to a business need. Temporary or project-based access should be configured with automatic expiration, ensuring closure once work concludes. These workflows create transparency, providing auditable records that show not just who approved access, but why it was granted. Automation helps enforce consistency, while human oversight ensures context remains part of every decision.

Periodic re-certification and attestation cycles are essential to maintain alignment between entitlements and actual job functions. Managers and asset owners review who has access to what, confirming that privileges remain valid and revoking those that no longer serve a purpose. These reviews also check for toxic combinations—conflicting permissions that violate separation of duties—and ensure timely remediation under defined service-level agreements. Dashboards visualize progress, highlighting overdue reviews or recurring discrepancies that signal control weakness. This structured cadence prevents access sprawl, where privileges accumulate unnoticed over time. Re-certification turns static compliance into dynamic assurance, reinforcing a culture of continual accountability rather than one of set-and-forget governance.
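The re-certification checks described here, together with the automatic expiry of temporary grants from the preceding paragraph, can be run mechanically over an access matrix. The following is an added example, not the episode's or any governance tool's code; the grants, approvers, separation-of-duties pairs and the 90-day cycle are constructed values.

```python
"""Re-certification pass over an access matrix (added example).

Grants, approvers and separation-of-duties rules are constructed; the 90-day
cycle is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    approved_by: str                 # named approver, kept for the audit trail
    last_certified: date
    expires: Optional[date] = None   # set only for temporary or project access


# Toxic combinations: holding both entitlements violates separation of duties.
TOXIC_PAIRS = [
    frozenset({"ap.create_vendor", "ap.approve_payment"}),
    frozenset({"dev.deploy_prod", "dev.approve_change"}),
]
RECERT_PERIOD = timedelta(days=90)

SAMPLE_GRANTS = [
    Grant("alice", "ap.create_vendor", "mgr-finance", date(2024, 5, 1)),
    Grant("alice", "ap.approve_payment", "mgr-finance", date(2024, 5, 1)),
    Grant("bob", "dev.deploy_prod", "mgr-platform", date(2024, 1, 15)),
    Grant("carol", "reports.read", "mgr-analytics", date(2024, 6, 1),
          expires=date(2024, 6, 1)),
    Grant("dave", "dev.approve_change", "mgr-platform", date(2024, 6, 1)),
]
REVIEW_DATE = date(2024, 6, 30)


def find_toxic_combinations(grants):
    """Users holding both halves of any separation-of-duties pair."""
    held = {}
    for g in grants:
        held.setdefault(g.user, set()).add(g.entitlement)
    return sorted((user, tuple(sorted(pair)))
                  for user, ents in held.items()
                  for pair in TOXIC_PAIRS if pair <= ents)


def find_overdue(grants, today):
    """Entitlements whose last attestation is older than the review cycle."""
    return sorted(f"{g.user}:{g.entitlement}" for g in grants
                  if today - g.last_certified > RECERT_PERIOD)


def find_expired(grants, today):
    """Temporary grants past their end date that are still present in the matrix."""
    return sorted(f"{g.user}:{g.entitlement}" for g in grants
                  if g.expires is not None and g.expires < today)


def review(grants, today):
    """Findings a manager or asset owner would remediate under the agreed SLA."""
    return {"toxic": find_toxic_combinations(grants),
            "overdue": find_overdue(grants, today),
            "expired": find_expired(grants, today)}
```

Each finding names the user and entitlement so it can be routed to the right owner; the `approved_by` field travels with the grant so the remediation log can show who originally authorized the access that is now being revoked.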

Enforcement mechanisms operationalize access decisions across systems and networks. Directory groups, access control lists (ACLs), and centralized policy engines define who can reach which applications and data stores. Gateway and proxy layers provide additional enforcement points, filtering requests before they hit sensitive systems. Network micro-segmentation complements identity-based controls, restricting lateral movement by tying network permissions to verified credentials. At the data layer, permissions align with information classification, ensuring that only authorized individuals can interact with sensitive datasets. This multi-layered enforcement model ensures that even if one boundary fails, others remain intact. It exemplifies defense in depth—each layer independently verifying that access requests are appropriate and secure.

Monitoring and detection extend these controls into the realm of continuous assurance. Systems must analyze activity to identify anomalous usage patterns, such as logins from impossible geographic locations or unusual access volumes. Privilege escalation attempts, unauthorized lateral movements, and abnormal session behaviors are key indicators of compromise. Session recording for high-risk administrative functions provides audit evidence and deterrence. Alerts generated from these detections feed directly into incident response playbooks, ensuring swift investigation and containment. Continuous monitoring closes the loop between policy and reality, transforming access control from a static compliance function into an adaptive security capability responsive to emerging threats.
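The "impossible geographic location" check mentioned above is one of the simplest detections to implement: compare each user's consecutive successful logins and flag any pair whose implied travel speed exceeds what a flight could achieve. The code below is an added example, not from the episode; the log lines use RFC 5737 documentation addresses, and the IP-to-coordinate table stands in for a geolocation feed (an assumption).

```python
"""Impossible-travel detection over authentication log lines (added example).

The log lines and the IP-to-location table are constructed for this example;
a real deployment would take coordinates from a geolocation feed (assumed).
"""
import math
import re
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) login user=(\S+) ip=(\S+) result=(\S+)$")
MAX_PLAUSIBLE_KMH = 900.0   # faster than a commercial flight -> impossible travel

# Constructed lookup; documentation ranges (RFC 5737) stand in for real addresses.
IP_LOCATIONS = {
    "203.0.113.10": (51.5074, -0.1278),    # London
    "198.51.100.7": (35.6762, 139.6503),   # Tokyo
    "192.0.2.5": (48.8566, 2.3522),        # Paris
}

SAMPLE_LOG = """\
2024-06-30T08:00:00Z login user=alice ip=203.0.113.10 result=success
2024-06-30T08:45:00Z login user=alice ip=198.51.100.7 result=success
2024-06-30T09:00:00Z login user=bob ip=203.0.113.10 result=success
2024-06-30T09:30:00Z login user=bob ip=203.0.113.10 result=failure
2024-06-30T11:00:00Z login user=bob ip=192.0.2.5 result=success
"""


def parse_log(text):
    """Return (timestamp, user, ip) for successful logins; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group(4) != "success":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive logins; flag pairs needing an impossible speed."""
    alerts = []
    last_seen = {}   # user -> (timestamp, ip)
    for ts, user, ip in sorted(events):
        prev = last_seen.get(user)
        if prev and prev[1] in IP_LOCATIONS and ip in IP_LOCATIONS:
            hours = (ts - prev[0]).total_seconds() / 3600
            km = haversine_km(IP_LOCATIONS[prev[1]], IP_LOCATIONS[ip])
            # A zero interval with a location change is treated as infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev[1], "to_ip": ip,
                               "minutes": round(hours * 60), "speed_kmh": round(speed)})
        last_seen[user] = (ts, ip)
    return alerts


def analyze_sample():
    """Run the detection over the constructed log."""
    return detect_impossible_travel(parse_log(SAMPLE_LOG))
```

In the sample, alice's London-to-Tokyo pair 45 minutes apart produces an alert, while bob's London-to-Paris pair two hours apart does not. In production the alert record would be the object handed to the incident response playbook, and VPN egress points and shared corporate addresses need an allow-list to keep the false-positive rate manageable.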

Evidence collection substantiates compliance with A.5.15 and demonstrates to auditors that controls are functioning as intended. Access matrices define what entitlements exist and who holds them, while catalog definitions explain their purpose. Approval records with timestamps and named approvers show accountability in granting decisions. Re-certification reports document periodic validations, while remediation logs prove that outdated permissions were revoked promptly. Sampling exercises can even demonstrate “deny-by-default” in action, showing that unauthorized attempts are appropriately blocked. Together, these artifacts form a defensible audit trail, proving that access control is systematic, verifiable, and aligned with the organization’s risk posture.

For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.

Identity management, as defined in A.5.16, provides the structural foundation upon which access control depends. Without verified, traceable identities, permissions lose meaning and accountability disappears. This control requires that every user—human or machine—has a unique identity that can be managed throughout its lifecycle. The process begins with the joiner-mover-leaver model: onboarding establishes identity and initial access, role changes adjust entitlements, and offboarding ensures complete deprovisioning. Identity proofing, or verifying that the individual is who they claim to be, must be proportionate to risk: a system administrator or vendor with access to sensitive networks should undergo stronger validation than a temporary intern. Federation and single sign-on solutions extend this control by enabling secure interoperability between systems while maintaining centralized oversight. In essence, identity management transforms abstract authorization policies into real, accountable human and service relationships.

Credential management serves as the daily defense line protecting those identities from misuse. Multi-factor authentication (MFA) has become a baseline expectation, combining something the user knows, has, or is to prevent unauthorized access even if passwords are compromised. Organizations are now prioritizing phishing-resistant authenticators such as FIDO2 tokens or smartcards to reduce social-engineering risk. Credential rotation schedules and secure recovery procedures ensure that lost or stolen credentials cannot persist undetected. For non-human identities—like applications or automated scripts—secrets must be stored in encrypted vaults and managed through auditable processes. These safeguards close common attack vectors while maintaining usability, ensuring that strong authentication supports, rather than obstructs, daily operations.

The directory and federation architecture acts as the connective tissue between identities, systems, and cloud services. At its core, a single authoritative source of record—often HR or an identity governance system—feeds synchronized identity data into downstream applications. This prevents duplication, orphaned accounts, and inconsistencies that attackers could exploit. Federated identity protocols such as SAML, OIDC, and OAuth underpin modern access models, enabling seamless authentication to SaaS platforms and cloud environments while enforcing centralized policy control. Just-in-time provisioning allows new users or partners to gain access dynamically upon verified authentication, with automatic deprovisioning when conditions no longer apply. Documenting trust boundaries between tenants and domains ensures that federation does not become an unmonitored highway for privilege escalation or data exposure.

Privileged access requires its own layer of specialized control because administrative accounts carry disproportionate power and risk. Best practice dictates that administrators use separate, dedicated credentials distinct from their normal user identities. Privileged Access Management (PAM) systems broker sessions, providing secure check-out and time-limited use of elevated accounts while recording every action. Standing access should be eliminated through just-in-time elevation, where privileges are granted only for the duration of a specific task. Emergency, or “break-glass,” accounts must be sealed, monitored, and automatically expired after use, with detailed logs reviewed by independent oversight. This disciplined segregation ensures that even those with high-level access remain accountable, traceable, and limited by principle rather than trust alone.
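The brokering, time-limited elevation and break-glass handling described above can be modelled as a small session broker. This is an added example written for this page; it is a toy stand-in for a PAM system, not any vendor's API, and the account names, TTL ceilings and review step are assumptions.

```python
"""Just-in-time privileged session broker with break-glass handling (added example).

A toy stand-in for a PAM system: it is not any vendor's API. Account names,
TTLs and the review step are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_TTL = timedelta(hours=2)             # hard ceiling on any elevation
BREAK_GLASS_TTL = timedelta(minutes=30)  # emergency access auto-expires quickly


@dataclass
class Session:
    user: str
    account: str
    justification: str
    start: datetime
    end: datetime
    break_glass: bool = False


class PrivilegeBroker:
    def __init__(self, standard_accounts, break_glass_accounts):
        self._standard = set(standard_accounts)
        self._sealed = set(break_glass_accounts)  # usable once, re-sealed only by review
        self._sessions = {}                       # account -> most recent Session
        self.audit_log = []
        self.pending_review = []

    def _log(self, event, session, now, detail=""):
        self.audit_log.append({"time": now.isoformat(), "event": event,
                               "user": session.user, "account": session.account,
                               "detail": detail or session.justification,
                               "expires": session.end.isoformat()})

    def is_active(self, account, now):
        s = self._sessions.get(account)
        return s is not None and s.start <= now < s.end

    def check_out(self, user, account, justification, ttl, now):
        """Grant time-limited use of an admin account; nobody holds standing access."""
        if account in self._sealed:
            raise ValueError(f"{account} is an emergency account; use break_glass()")
        if account not in self._standard:
            raise KeyError(f"unknown privileged account {account}")
        if not justification.strip():
            raise ValueError("a documented justification is required")
        if self.is_active(account, now):
            raise RuntimeError(f"{account} is already checked out")
        session = Session(user, account, justification, now, now + min(ttl, MAX_TTL))
        self._sessions[account] = session
        self._log("checkout", session, now)
        return session

    def record_action(self, account, action, now):
        """Every privileged action is attributed to the session that performed it."""
        if not self.is_active(account, now):
            raise PermissionError(f"no active session on {account}")
        self._log("action", self._sessions[account], now, detail=action)

    def break_glass(self, user, account, reason, now):
        """Open a sealed emergency account once; it stays unavailable until reviewed."""
        if account not in self._sealed:
            raise KeyError(f"{account} is not a sealed emergency account")
        self._sealed.discard(account)
        session = Session(user, account, reason, now, now + BREAK_GLASS_TTL, True)
        self._sessions[account] = session
        self.pending_review.append(account)
        self._log("break_glass", session, now)
        return session

    def complete_review(self, account):
        """Independent oversight has examined the logs; the account may be re-sealed."""
        self.pending_review.remove(account)
        self._sealed.add(account)


def run_scenario():
    """Constructed walk-through returning observations a test can check."""
    broker = PrivilegeBroker(["db-admin"], ["emergency-root"])
    t0 = datetime(2024, 6, 30, 9, 0)
    s = broker.check_out("alice", "db-admin", "CHG-1234: rebuild index",
                         timedelta(hours=5), t0)          # asks 5h, capped to 2h
    broker.record_action("db-admin", "REINDEX orders", t0 + timedelta(minutes=10))
    try:
        broker.record_action("db-admin", "VACUUM orders", t0 + timedelta(hours=3))
        late_action_blocked = False
    except PermissionError:
        late_action_blocked = True
    bg = broker.break_glass("bob", "emergency-root", "INC-42: cluster outage", t0)
    try:
        broker.break_glass("eve", "emergency-root", "second use", t0 + timedelta(minutes=5))
        reuse_blocked = False
    except KeyError:
        reuse_blocked = True
    return {"ttl_capped_hours": (s.end - s.start).total_seconds() / 3600,
            "late_action_blocked": late_action_blocked,
            "break_glass_minutes": (bg.end - bg.start).total_seconds() / 60,
            "reuse_blocked": reuse_blocked,
            "pending_review": list(broker.pending_review),
            "events": [e["event"] for e in broker.audit_log]}
```

The design point is that the broker, not the administrator, owns the clock: a session ends when its TTL does, an action outside a live session is refused rather than merely logged, and an emergency account cannot be reopened until someone other than its user has signed off the review.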

Beyond human users, modern organizations depend heavily on service and machine identities—accounts used by applications, bots, and APIs. These non-human identities must follow the same rigor as user accounts: registration, least-privilege configuration, and continuous monitoring. Tokens, certificates, and keys should be rotated regularly and stored in secure, automated vault systems. Permissions granted to workloads should be scoped narrowly, allowing only the minimal operations required. Maintaining an up-to-date inventory of all service accounts prevents unmanaged credentials from becoming invisible entry points. As automation grows, these practices ensure that machine interactions are as controlled and auditable as those of human operators, keeping the organization’s identity perimeter intact.

Maintaining data quality and hygiene within identity systems ensures that the entire access framework remains reliable. Duplicate records can cause conflicting permissions, while outdated or orphaned accounts create security blind spots. Identity data must be updated promptly when individuals change roles, departments, or geographic locations, reflecting new access requirements in real time. Regular reconciliation between HR systems, vendor directories, and access repositories confirms accuracy. Logs of identity changes—who modified what and when—are vital for auditability and forensic analysis. Clean, synchronized identity data prevents systemic drift, making the difference between a controlled environment and one vulnerable to silent privilege accumulation.

Despite strong frameworks, common pitfalls persist across A.5.15 and A.5.16 implementations. Overprivileged defaults—such as granting broad access upon onboarding—create unnecessary exposure and complicate later cleanup. Nested group hierarchies can spiral out of control, obscuring who actually has access to what. Slow deprovisioning after departures leaves dormant accounts open for exploitation. Third-party vendors often operate with unmanaged or forgotten credentials, bypassing the organization’s central controls. Finally, multi-factor authentication gaps, especially in legacy systems or “temporary exceptions,” leave exploitable weaknesses. Recognizing these recurring issues allows organizations to focus on root causes: automation gaps, inconsistent ownership, and cultural complacency that views identity hygiene as optional rather than essential.

Continuous measurement turns identity and access management into a quantifiable discipline rather than a static policy statement. Metrics such as the percentage of accounts protected by MFA, average time to deprovision leavers, and recertification completion rates reveal maturity over time. Tracking violation rates—instances of privilege misuse or policy exceptions—helps identify systemic weak spots. Measuring privileged session counts and approval latency uncovers bottlenecks that might lead to workarounds. Incident correlation analyses tie security events back to misconfigured access, creating a feedback loop that drives practical improvements. When leadership sees these numbers trend in the right direction, confidence grows that identity controls are not just compliant, but actively contributing to operational resilience.
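The reconciliation between the HR source of record and the directory (from the data-hygiene discussion above) and two of the metrics just listed, MFA coverage and average time to deprovision leavers, can come out of the same pass over the data. The block below is an added example, not the episode's or any IGA product's code; the HR records, accounts, and the 90-day dormancy threshold are constructed.

```python
"""Reconciling the HR source of record against the directory, with IAM metrics
(added example). Records, thresholds and account names are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                     # "active" or "terminated"
    left_on: Optional[date] = None  # termination date for leavers


@dataclass(frozen=True)
class Account:
    name: str
    employee_id: Optional[str]      # None when no owner is recorded
    mfa_enabled: bool
    disabled_on: Optional[date]     # None while the account is enabled
    last_login: Optional[date]


HR = [
    HrRecord("e1", "active"),
    HrRecord("e2", "active"),
    HrRecord("e3", "terminated", left_on=date(2024, 6, 1)),
    HrRecord("e4", "terminated", left_on=date(2024, 5, 15)),
]
DIRECTORY = [
    Account("alice", "e1", True, None, date(2024, 6, 29)),
    Account("bob", "e2", False, None, date(2024, 2, 1)),          # no login for months
    Account("carol", "e3", True, None, date(2024, 6, 20)),        # leaver, still enabled
    Account("dave", "e4", True, date(2024, 5, 17), date(2024, 5, 14)),
    Account("svc-legacy", None, False, None, None),               # no owner, never used
    Account("erin", "e9", True, None, date(2024, 6, 28)),         # no HR record for e9
]
TODAY = date(2024, 6, 30)
DORMANT_AFTER = timedelta(days=90)


def reconcile(hr, accounts, today):
    """Return hygiene findings and the metrics from a single pass over the directory."""
    by_id = {r.employee_id: r for r in hr}
    orphans, open_leavers, dormant, deprovision_days = [], [], [], []
    for a in accounts:
        record = by_id.get(a.employee_id) if a.employee_id else None
        if record is None:
            orphans.append(a.name)                  # account with no authoritative owner
        elif record.status == "terminated":
            if a.disabled_on is None:
                open_leavers.append(a.name)         # deprovisioning never completed
            else:
                deprovision_days.append((a.disabled_on - record.left_on).days)
        enabled = a.disabled_on is None
        if enabled and (a.last_login is None or today - a.last_login > DORMANT_AFTER):
            dormant.append(a.name)
    enabled_accounts = [a for a in accounts if a.disabled_on is None]
    mfa_pct = (100.0 * sum(a.mfa_enabled for a in enabled_accounts) / len(enabled_accounts)
               if enabled_accounts else 100.0)
    avg_deprov = (sum(deprovision_days) / len(deprovision_days)) if deprovision_days else None
    return {"orphans": orphans, "open_leavers": open_leavers, "dormant": dormant,
            "mfa_coverage_pct": round(mfa_pct, 1),
            "avg_days_to_deprovision": avg_deprov}
```

Run over the sample, the report lists two orphans (one of them a service account with no recorded owner), one leaver whose account is still enabled, two dormant accounts, 60% MFA coverage across enabled accounts, and a two-day average from termination to disablement. Trending those five numbers week over week is what turns the hygiene checks into the maturity signal the paragraph describes.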

Integration is what transforms identity and access management from a standalone process into an enterprise-wide governance capability. A.5.15 and A.5.16 interact with numerous other clauses—linking to A.5.17 for authentication information handling, aligning with A.5.3 for segregation of duties, feeding telemetry into monitoring controls in A.8.15 through A.8.16, and contributing to performance metrics under Clause 9 and continual improvement under Clause 10. These interconnections ensure that identity and access management do not operate in isolation but underpin nearly every aspect of the Information Security Management System. By embedding access and identity principles into risk, operations, and compliance functions, organizations achieve a coherent, self-reinforcing model that scales with complexity rather than collapsing under it.

A.5.15 and A.5.16 together define the “who” and “how” of digital trust. A.5.15 determines what resources can be accessed and under what conditions, while A.5.16 guarantees that those identities are authentic, well-managed, and revocable. The combination of lifecycle discipline, strong authentication, and continuous recertification sustains confidence in both security and accountability. When implemented cohesively, these controls create a security model that is measurable, enforceable, and aligned with business reality. They lay the groundwork for the next evolution of governance—deepening authentication practices and credential protections under A.5.17 and A.5.18, where the mechanics of trust are refined into the technical details of digital assurance.
