CIS Control 5.6: Centralize Account Management
Centralized account management eliminates shadow IT and reduces identity-related breaches by 60%. This control requires organizations to manage all user accounts through a unified directory or identity service, making compliance audits faster and user provisioning dramatically simpler.
What this means
Control 5.6 mandates that all user accounts and access credentials be managed through a single, centralized directory system—typically Active Directory, Okta, Azure AD, or similar identity providers. Rather than maintaining separate user databases across applications and systems, this control ensures every account creation, modification, and deletion flows through one source of truth. This eliminates orphaned accounts, reduces provisioning delays, and provides auditors with a single place to verify access controls.
How to comply
- 1.Select and deploy a centralized directory service (Active Directory, Okta, Azure AD, or equivalent) as your identity platform
- 2.Integrate all critical business applications with the directory service for single sign-on (SSO) and automated account lifecycle management
- 3.Establish account naming conventions and standardized attributes across the directory to ensure consistency
- 4.Configure automated user provisioning and deprovisioning workflows tied to HR systems or employee lifecycle events
- 5.Document all accounts and their permissions in the directory with regular reconciliation (quarterly minimum)
- 6.Implement multi-factor authentication (MFA) at the directory level to protect account management itself
- 7.Conduct monthly account access reviews to identify and remove orphaned or unnecessary accounts
- 8.Log and monitor all account creation, modification, and deletion events within the directory service
Evidence auditors look for
- Directory service inventory showing all integrated applications and their sync status
- Account provisioning/deprovisioning request tickets with approval trails and completion timestamps
- Quarterly user access reviews with sign-off from department managers
- MFA enrollment reports showing percentage of accounts with multi-factor authentication enabled
- Directory audit logs covering account lifecycle events for the past 90 days
- Integration documentation between HR systems and the directory service
- Account naming convention policy document with implementation date
- Automated account cleanup reports showing disabled or deleted orphaned accounts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the monthly user access reviews required by CIS 5.6, comparing your directory against active application access to flag orphaned accounts and permission drift in minutes instead of days.
See how GRCWatch handles this control automatically
Start free trial