How are identities and access managed?
Description
What this control does
Identity and Access Management (IAM) encompasses the policies, processes, and technologies used to provision, authenticate, authorize, and deprovision user accounts across enterprise systems. This control ensures that only verified identities receive access appropriate to their role, that authentication mechanisms meet security standards (e.g., multi-factor authentication), and that access rights are regularly reviewed and adjusted as personnel responsibilities change. Effective IAM reduces insider threat risk, prevents unauthorized lateral movement, and provides audit trails linking actions to accountable individuals.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, current inventory of identities with documented access rights aligned to business roles, enforces strong authentication controls, and performs periodic access reviews with remediation of excessive privileges.
Associated risks
Risks this control addresses
- Unauthorized users gaining initial access through weak or stolen credentials due to inadequate authentication requirements
- Former employees or contractors retaining active accounts after termination, enabling persistent unauthorized access
- Excessive or dormant privileged accounts being exploited for lateral movement and privilege escalation
- Shared or generic accounts obscuring accountability and preventing accurate forensic attribution
- Lack of centralized identity governance allowing shadow IT accounts to proliferate outside organizational visibility
- Failure to revoke access promptly upon role change, resulting in privilege creep and violation of least-privilege principles
- Inadequate logging of authentication and authorization events preventing detection of credential compromise or abuse
Testing procedure
How an auditor verifies this control
- Obtain and review the current IAM policy document, including identity lifecycle procedures, authentication standards, and access review schedules.
- Request an export of all active user accounts from each identity provider and directory service (Active Directory, Azure AD, cloud IAM systems) with associated roles, groups, and permissions.
- Select a stratified sample of 25-30 user accounts spanning regular employees, privileged administrators, contractors, and service accounts.
- For each sampled account, trace the provisioning request through HR onboarding records or access request tickets to verify authorization and role appropriateness.
- Review authentication controls for sampled accounts, confirming multi-factor authentication enrollment status, password policy compliance, and conditional access rules where applicable.
- Examine access review logs for the most recent review cycle, verifying that reviewers certified or modified permissions and that remediation actions were completed for flagged anomalies.
- Test deprovisioning controls by selecting five recently terminated employees and validating that all accounts were disabled or deleted within the documented timeframe.
- Analyze authentication logs for the past 90 days to identify anomalies such as accounts with no recent activity, failed login patterns, or sign-ins from unusual geographies, and verify investigation or remediation occurred.
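The deprovisioning, dormancy and MFA checks from the last few testing steps, as an added worked example over a constructed directory export (this is illustrative code, not part of this control text or of any audit toolkit; the record fields, the 90-day dormancy window and the one-day deprovisioning SLA are assumptions):

```python
"""Access-review checks over a directory export (added illustration; the
account records below are constructed, not taken from any real directory)."""
from datetime import date

# Constructed export in the shape an auditor might receive after flattening
# an identity-provider CSV: one dict per account.
ACCOUNTS = [
    {"user": "alice", "kind": "employee", "enabled": True, "privileged": True,
     "mfa": True, "last_login": date(2024, 5, 30), "terminated": None},
    {"user": "bob", "kind": "employee", "enabled": True, "privileged": False,
     "mfa": True, "last_login": date(2024, 1, 12), "terminated": None},
    {"user": "carol", "kind": "contractor", "enabled": True, "privileged": False,
     "mfa": True, "last_login": date(2024, 5, 1), "terminated": date(2024, 5, 20)},
    {"user": "dave-admin", "kind": "employee", "enabled": True, "privileged": True,
     "mfa": False, "last_login": date(2024, 5, 29), "terminated": None},
    {"user": "svc-backup", "kind": "service", "enabled": True, "privileged": True,
     "mfa": False, "last_login": date(2024, 5, 31), "terminated": None},
    {"user": "erin", "kind": "employee", "enabled": False, "privileged": False,
     "mfa": True, "last_login": date(2024, 3, 3), "terminated": date(2024, 3, 4)},
]
AS_OF = date(2024, 6, 1)  # constructed review date


def review_accounts(accounts, as_of, dormant_days=90, deprovision_sla_days=1):
    """Return the accounts an access review should flag, grouped by finding.

    terminated_active: enabled accounts past the deprovisioning SLA (assumed
    one day here); dormant: no sign-in within dormant_days; privileged_no_mfa:
    privileged human accounts lacking MFA. Privileged service accounts are
    listed separately because they usually cannot enrol in interactive MFA
    and need compensating controls instead.
    """
    findings = {"terminated_active": [], "dormant": [],
                "privileged_no_mfa": [], "service_privileged": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned; out of scope for these checks
        term = acct["terminated"]
        if term is not None and (as_of - term).days > deprovision_sla_days:
            findings["terminated_active"].append(acct["user"])
        if (as_of - acct["last_login"]).days > dormant_days:
            findings["dormant"].append(acct["user"])
        if acct["privileged"] and not acct["mfa"]:
            key = "service_privileged" if acct["kind"] == "service" else "privileged_no_mfa"
            findings[key].append(acct["user"])
    return findings


if __name__ == "__main__":
    for finding, users in review_accounts(ACCOUNTS, AS_OF).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Each flagged account is a starting point for the evidence trail the procedure asks for: the termination ticket, the last review certification, or the compensating control for the service account.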