IAM-01: Identity and Access Management Policy and Procedures

CSF v1.1 References:

Info icon.

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews, IAM-02: Credential Lifecycle / Provision Management.

Control Statement

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.

Implementation Guidance

Organizations should document access control policies for the registration, management, and removal of digital identities. Additionally, the guidelines should be communicated within the organization. The policy should:

  1. Include, but not be limited to, roles and responsibilities concerning creation, changes, and deletion of access controls (including a regular review of access).
  2. Conduct reviews regularly (at least annually).

The organization should leverage the identity and access management policy to establish a security baseline.

Auditing Guidance

  1. Examine policy and/or procedures related to identity and access management to determine if policy and/or procedure content:
  2. addresses the provisioning, modification and deprovisioning of logical access.
  3. establishes password complexity and management requirements.
  4. addresses authorization concept following separation of duties and least privilege.
  5. addresses privileged access management and access reviews.
  6. includes roles and responsibilities for provisioning, modifying and deprovisioning of logical access.
  7. understands the delineation of identity and access management control responsibility in relation to the shared responsibility model.
  8. Determine if the policy is clearly communicated and available to stakeholders.
  9. Examine if policy and procedures are reviewed and updated at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.