GRCWatch
Sign inStart free trial

ISO 27001 5.16: Identity Management & Access Lifecycle

Identity management is the foundation of access control. Control 5.16 requires you to manage the complete identity lifecycle—from creation through deprovisioning—to ensure only authorized users access your information assets. Without disciplined identity governance, you risk unauthorized access, credential sprawl, and compliance violations.

What this means

Control 5.16 mandates managing identities across their entire lifecycle. This means establishing processes for creating user accounts, provisioning access rights, maintaining accurate records as roles change, and promptly removing access when users leave or change roles. The control ensures that access rights stay aligned with job responsibilities and that no orphaned accounts remain in your systems.

How to comply

  1. 1.Define and document identity lifecycle policies covering creation, provisioning, maintenance, and deprovisioning phases
  2. 2.Establish a centralized identity repository or directory service to manage all user accounts and access rights
  3. 3.Create approval workflows for account creation and access provisioning tied to job roles and business justification
  4. 4.Implement regular access reviews to ensure active accounts and permissions align with current job responsibilities
  5. 5.Develop automated deprovisioning procedures triggered by terminations, role changes, or project completions
  6. 6.Enforce unique user identifiers and prohibit shared or generic accounts across all systems
  7. 7.Maintain detailed audit logs of all identity lifecycle changes including who made changes, when, and why
  8. 8.Test and validate deprovisioning processes to confirm access is fully removed within defined timeframes

Evidence auditors look for

  • Identity management policy document with lifecycle phases and responsibilities
  • Active Directory or identity provider configuration showing user creation and provisioning rules
  • Access request forms showing approval chains and business justification requirements
  • Quarterly access review reports with sign-offs from business owners
  • Automated deprovisioning scripts or workflow configurations
  • Offboarding checklists documenting system access removal for terminated employees
  • Audit logs showing account creation, modification, and deletion timestamps
  • System reports identifying and remediating orphaned or inactive accounts

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates identity lifecycle tracking and generates audit-ready evidence for access reviews, deprovisioning verification, and lifecycle audit logs—eliminating manual spreadsheets and speeding up your 5.16 compliance validation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.15 Access ControlISO 27001 5.17 Access RightsISO 27001 5.18 Information Security in Supplier RelationshipsISO 27001 8.3 Information and Other Asset Lifecycle