Annex A 5.16 (ISO/IEC 27001:2022)

Identity life cycle management

Ensure all user and system identities are managed from creation to deactivation.


Plain language

This control is about managing who can access your organisation's information by properly handling identities from the moment they are created until they are no longer needed. If you don't keep track of identities like usernames and passwords, former employees or unauthorised users could access sensitive information, leading to data breaches or other security problems.

Framework

ISO/IEC 27001:2022

Control effect

Preventative

ISO 27001 domain

Organisational controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

18 May 2026

Maturity levels

N/A

Official control statement

The full life cycle of identities shall be managed.
ISO/IEC 27001:2022 Annex A 5.16

Why it matters

Poor identity life cycle management leaves stale and orphaned accounts active, increasing the chance of unauthorised access and data breaches.


Operational notes

Regularly review joiner/mover/leaver events, reconcile identity records, and disable or remove accounts promptly to prevent orphaned access paths.


Implementation tips

  • The IT manager should ensure unique identities are assigned to each employee. This can be done by keeping a central database where each staff member is given a unique login ID, and ensuring no duplicate accounts exist for the same individual.
  • HR should coordinate with IT to make sure that all identity creation or removal is logged and reviewed regularly. When someone joins or leaves the company, HR must notify IT promptly to create or disable the necessary accounts.
  • The operations manager should approve any shared identities, ensuring they are strictly necessary and logged. They must also assign responsibility for monitoring these shared accounts to prevent misuse.
  • IT managers must disable or remove identities promptly when they are no longer in use. Regular checks should verify that only current employees have active identities, aligning with processes outlined in the ISO 27002:2022 guidance.
  • Ensure all changes to user identities are documented and reviewed regularly. This includes auditing third-party identity use, like social media logins, ensuring they meet your organisation's security standards and any risks are managed as suggested by ISO 27002:2022 and Australian regulations.
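As an added example (not part of this page or of any product it describes), the following Python reconciliation runs the joiner/mover/leaver checks described in the operational notes and implementation tips above over a constructed HR roster and a constructed directory export: duplicate identities for one person, orphaned accounts with no known person behind them, leavers whose accounts are still enabled after a grace period, and shared accounts without an active accountable owner. All names, employee ids and dates are hypothetical.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical): HR roster keyed by employee id, and a
# directory export in which shared accounts carry the employee id of their owner.
HR_ROSTER = {
    "E1001": {"status": "active", "end_date": None},
    "E1002": {"status": "left", "end_date": date(2026, 4, 30)},
    "E1003": {"status": "active", "end_date": None},
}
DIRECTORY = [
    {"login": "alice.ng", "employee_id": "E1001", "enabled": True, "shared": False, "owner": None},
    {"login": "bob.lee", "employee_id": "E1002", "enabled": True, "shared": False, "owner": None},
    {"login": "cara.ito", "employee_id": "E1003", "enabled": True, "shared": False, "owner": None},
    {"login": "cito", "employee_id": "E1003", "enabled": True, "shared": False, "owner": None},
    {"login": "dan.x", "employee_id": "E9999", "enabled": True, "shared": False, "owner": None},
    {"login": "svc-backup", "employee_id": None, "enabled": True, "shared": False, "owner": None},
    {"login": "helpdesk", "employee_id": None, "enabled": True, "shared": True, "owner": "E1001"},
    {"login": "reception", "employee_id": None, "enabled": True, "shared": True, "owner": "E1002"},
]

def is_active(roster, employee_id):
    """True only if the employee id exists in HR and the person is still active."""
    person = roster.get(employee_id)
    return person is not None and person["status"] == "active"

def reconcile(roster, directory, today, grace_days=1):
    """Return sorted (finding, login) pairs for the identity life cycle checks."""
    findings, logins_by_person = [], {}
    for acct in directory:
        login, eid = acct["login"], acct["employee_id"]
        if acct["shared"]:
            # A shared identity must have an active, named person responsible for it.
            if not is_active(roster, acct["owner"]):
                findings.append(("shared_without_active_owner", login))
            continue
        if eid is None or eid not in roster:
            # No person, or an unknown person, behind the account: an orphaned access path.
            findings.append(("orphaned_account", login))
            continue
        person = roster[eid]
        if (person["status"] == "left" and acct["enabled"]
                and person["end_date"] + timedelta(days=grace_days) < today):
            findings.append(("leaver_still_enabled", login))
        logins_by_person.setdefault(eid, []).append(login)
    for eid, logins in logins_by_person.items():
        if len(logins) > 1:  # one person holding several personal logins
            findings.append(("duplicate_identity", ",".join(sorted(logins))))
    return sorted(findings)

def findings_for(today_iso):
    """Run the reconciliation as of a review date given as an ISO date string."""
    return reconcile(HR_ROSTER, DIRECTORY, date.fromisoformat(today_iso))
```

Each finding maps to one of the evidence items an auditor would ask for: duplicates, orphaned identities, leaver deactivation and shared-account ownership.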

Audit / evidence tips

  • Ask: A list of all registered user identities. Good: Each person having only one assigned identity, with no duplicates across the system.
  • Ask: Documentation of user identity approvals. Good: A clear record showing shared identities are necessary and authorised by management.
  • Ask: Records showing the lifecycle management of identities. Good: Identities being deactivated promptly when no longer needed.
  • Ask: Logs of access control changes. Good: A systematic process where access rights are reviewed and adjusted as soon as a role change occurs.
  • Ask: Evidence of periodic reviews of identity management processes. Good: Documented reviews aligning with ISO 27002:2022 recommendations and findings reported to upper management.

Cross-framework mappings

How Annex A 5.16 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Partially meets (11)
ISM-0414: ISM-0414 requires personnel granted system access to be uniquely identifiable for accountability
ISM-0415: ISM-0415 requires shared user accounts to be strictly controlled and used in a way that makes each individual user uniquely identifiable
ISM-0420: ISM-0420 requires that where systems process, store or communicate AUSTEO, AGAO or REL data, personnel who are foreign nationals are expl...
ISM-1583: ISM-1583 requires organisations to ensure personnel who are contractors are clearly identified as contractors within systems
ISM-1591: ISM-1591 requires organisations to remove or suspend access as soon as practicable when a user is detected performing malicious activity
ISM-1593: ISM-1593 mandates that users provide sufficient evidence to verify their identity upon requesting new credentials, such as during issuanc...
ISM-1619: ISM-1619 requires service accounts to be created specifically as group Managed Service Accounts (gMSAs) to improve security of service id...
ISM-1834: ISM-1834 requires organisations to ensure duplicate Service Principal Names (SPNs) do not exist within an Active Directory domain to pres...
ISM-1943: ISM-1943 requires strong mapping controls to ensure certificates are accurately and securely linked to user identities in Active Directory
ISM-1945: ISM-1945 requires the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag to be removed from certificate templates so users cannot supply their own ce...
ISM-1951: ISM-1951 requires that hard match takeover is disabled on Microsoft Entra Connect servers to prevent unauthorised account takeover via id...

Partially overlaps (3)
ISM-0380: Annex A 5.16 requires managing identities across creation, change, review and deactivation, including ensuring accounts are retired when ...
ISM-0446: Annex A 5.16 requires identity lifecycle management so that identity attributes, roles and entitlements are controlled as personnel join,...
ISM-2053: ISM-2053 requires organisations to define end-of-life procedures for software, including how to archive or destroy user accounts and asso...

Supports (5)
ISM-0407: Annex A 5.16 requires the identity lifecycle to be managed, which relies on maintaining evidence of identity creation, authorisation, cha...
ISM-1263: ISM-1263 requires unique privileged user accounts to be used for administering individual server applications
ISM-1932: ISM-1932 requires organisations to minimise the number of AD service accounts configured with SPNs, reducing proliferation of long-lived ...
ISM-1950: Annex A 5.16 requires organisations to manage identities across their lifecycle, including maintaining integrity of identity records and ...
ISM-2013: ISM-2013 focuses on enforcement of client authentication and authorisation at the time of internal API calls

Related (2)
ISM-0430: Annex A 5.16 requires organisations to manage identities through their full life cycle, including timely deprovisioning when access is no...
ISM-1845: Annex A 5.16 requires organisations to manage identities through to deactivation, ensuring access paths are removed when an account is di...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.


Want to implement this control?

Mindset Cyber runs PECB-accredited ISO/IEC 27001 training that maps directly to the controls in this library.
