ISO 27001 Annex A 5.16: Access Rights Management (Identity Management) Explained

ISO 27001 Annex A 5.16 focuses on how organisations manage access rights by governing the full lifecycle of identities. This control ensures that only authorised users, systems, and services can access information assets, and that access is removed when no longer required.

At its core, Annex A 5.16 exists to prevent unauthorised access, reduce insider threats, and ensure accountability by tying actions to unique identities. It establishes identity governance as a foundational element of information security rather than a purely technical task.

In modern environments—where cloud platforms, remote work, SaaS tools, and automation dominate—identity has become the new security perimeter. ISO 27001 recognises this by requiring structured, auditable identity and access management practices.

What Annex A 5.16 Requires

Annex A 5.16 requires organisations to establish, document, and operate formal processes for managing identities and access rights throughout their lifecycle.

This includes defining how identities are created, approved, used, reviewed, modified, and revoked. The requirement applies to both human users and non-human identities such as service accounts, APIs, applications, and devices.

The control is preventative by design. It aims to stop unauthorised access before it occurs by enforcing governance, approvals, and monitoring across identity management activities.

The Purpose of Access Rights Management in an ISMS

Access rights management ensures that information is only accessible to those with a legitimate business need. Without structured identity governance, organisations are exposed to excessive access, orphaned accounts, privilege creep, and accountability gaps.

Within an Information Security Management System (ISMS), access rights management supports:

  • Confidentiality by preventing unauthorised access
  • Integrity by limiting who can modify data
  • Availability by ensuring appropriate operational access

This control directly supports risk treatment decisions made during the ISO 27001 risk assessment process and must align with defined risk acceptance criteria.

Identity Management vs Access Control

While often confused, identity management and access control are not the same.

Identity management focuses on who or what is accessing systems. It governs identity creation, uniqueness, lifecycle management, and accountability.

Access control focuses on what those identities can do once access is granted. This is addressed more directly in Annex A 5.15.

Annex A 5.16 ensures identities are trustworthy, controlled, and auditable before access control rules are even applied.

Types of Identities Covered by Annex A 5.16

ISO 27001 requires organisations to manage all identity types, not just employees.

Human Identities

These include employees, contractors, consultants, and temporary workers. Each person must have a unique identity that is never shared.

Shared logins undermine accountability and are strongly discouraged unless strictly justified and controlled.

Non-Human Identities

Non-human identities include:

  • Service accounts
  • API keys
  • Application accounts
  • Robotic process automation (RPA) users
  • Devices and system accounts

These identities often have elevated privileges and long lifespans, making them high-risk if unmanaged.

Annex A 5.16 requires the same governance discipline for non-human identities as for human users.

The Identity Lifecycle Under ISO 27001

A compliant access rights management process must address the entire identity lifecycle.

Identity Creation

Identity creation must follow a defined approval process. Access should not be granted informally or automatically without validation.

Creation processes typically require:

  • Business justification
  • Manager or system owner approval
  • Role assignment
  • Least-privilege access by default

Identity Modification

Access rights must be reviewed and adjusted when roles change. Promotions, department transfers, and project assignments often require access updates.

Failure to manage changes leads to privilege creep, one of the most common audit findings.

Identity Review

ISO 27001 expects periodic access reviews to confirm that access remains appropriate.

Reviews should validate:

  • Continued business need
  • Alignment with job role
  • Removal of unused or excessive permissions

Identity Revocation

When access is no longer required—due to termination, contract end, or system decommissioning—identities must be revoked promptly.

Delayed revocation is a critical risk and a frequently cited nonconformity in certification audits.

Unique Identification and Accountability

Each identity must be uniquely identifiable. This ensures that actions can be traced back to a specific individual or system.

Unique identification supports:

  • Audit trails
  • Incident investigations
  • Legal and regulatory accountability
  • Non-repudiation

Shared accounts remove accountability and must be avoided unless absolutely necessary, documented, and compensated with additional controls.

Shared and Privileged Accounts

ISO 27001 does not prohibit shared accounts outright, but it treats them as exceptions requiring strong justification.

Where shared or privileged accounts are necessary, organisations should implement:

  • Restricted usage scenarios
  • Strong authentication
  • Activity logging
  • Regular access reviews
  • Named accountability through compensating controls

Privileged access should always be limited, monitored, and time-bound where possible.

Non-Human Identity Governance

Non-human identities often represent the greatest unmanaged risk.

ISO 27001 expects organisations to:

  • Define ownership for each non-human identity
  • Approve creation formally
  • Limit privileges strictly
  • Rotate credentials where applicable
  • Revoke identities when systems are retired

Unmonitored service accounts are a common cause of breaches and audit failures.
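As an added example (not code from the article or from Hicomply), the following Python reconciles a constructed HR roster with a constructed identity-store export and flags the lifecycle gaps described in the Identity Lifecycle section and in the non-human governance list above: leavers not revoked within the policy window, human identities with no HR record, service identities without a named owner or with overdue credential rotation, and enabled access that has gone unused long enough to need re-justification at review. The field names, the review date and the three thresholds are assumptions chosen for illustration.

```python
from datetime import date

# Review date and policy thresholds (all constructed assumptions for this example)
AS_OF = date(2025, 12, 14)
REVOKE_SLA_DAYS = 1      # leaver identities must be disabled within one day of exit
DORMANT_DAYS = 90        # access unused this long must be re-justified at review
ROTATION_DAYS = 180      # service credentials must be rotated at least this often

# Constructed HR roster: identity -> leaving date (None means still employed)
HR_ROSTER = {
    "alice": None,
    "bob": date(2025, 11, 30),    # left two weeks before the review
    "carol": date(2025, 12, 13),  # left yesterday, still inside the revocation SLA
}

# Constructed identity-store export, one record per identity (human or service)
IDENTITIES = [
    {"id": "alice", "type": "human", "enabled": True, "owner": "alice",
     "last_used": date(2025, 12, 12), "rotated": None},
    {"id": "bob", "type": "human", "enabled": True, "owner": "bob",
     "last_used": date(2025, 11, 28), "rotated": None},
    {"id": "carol", "type": "human", "enabled": True, "owner": "carol",
     "last_used": date(2025, 12, 13), "rotated": None},
    {"id": "svc-backup", "type": "service", "enabled": True, "owner": None,
     "last_used": date(2025, 12, 1), "rotated": date(2025, 3, 1)},
    {"id": "svc-legacy-etl", "type": "service", "enabled": True, "owner": "dave",
     "last_used": date(2025, 6, 1), "rotated": date(2025, 10, 1)},
]


def review(identities, roster, as_of=AS_OF):
    """Apply the lifecycle rules; return (identity, finding) pairs, empty if all pass."""
    findings = []
    for ident in identities:
        iid = ident["id"]
        if ident["type"] == "human":
            # Revocation: every human identity must map to HR, and leavers must be disabled in time
            if iid not in roster:
                findings.append((iid, "no HR record: orphaned identity"))
            elif roster[iid] and ident["enabled"]:
                overdue = (as_of - roster[iid]).days
                if overdue > REVOKE_SLA_DAYS:
                    findings.append((iid, f"leaver still enabled {overdue} days after exit"))
        else:
            # Non-human governance: a named owner and periodic credential rotation
            if not ident["owner"]:
                findings.append((iid, "non-human identity has no named owner"))
            rotated = ident["rotated"]
            if rotated is None or (as_of - rotated).days > ROTATION_DAYS:
                findings.append((iid, "credential overdue for rotation"))
        # Review: enabled access that nobody uses should be re-justified or removed
        if ident["enabled"] and ident["last_used"]:
            idle = (as_of - ident["last_used"]).days
            if idle > DORMANT_DAYS:
                findings.append((iid, f"unused for {idle} days: confirm business need"))
    return findings
```

Each returned pair is one line of access-review evidence; running the same check on a schedule, rather than once, is what gives an auditor the consistency the Evidence section asks for.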

Access Rights Management and Risk Assessment

Access rights decisions must align with the organisation’s risk assessment outcomes.

High-risk systems require stronger identity controls, while low-risk environments may allow simplified access.

Risk-based identity management ensures security controls remain proportionate and defensible during audits.

Evidence Required for Annex A 5.16 Compliance

Auditors expect clear, objective evidence that access rights management is operating effectively.

Typical evidence includes:

  • Identity management policies
  • Access provisioning workflows
  • Joiner-mover-leaver records
  • Access review logs
  • De-provisioning evidence
  • System access reports
  • Authentication and activity logs

Evidence must show consistency, not one-off activity.

Common Audit Findings Related to Annex A 5.16

Organisations frequently fail this control due to operational gaps rather than missing documentation.

Common findings include:

  • Delayed access removal for leavers
  • Incomplete access reviews
  • Unowned service accounts
  • Excessive privileges
  • Shared credentials without justification
  • Lack of audit trails

These issues undermine trust in the ISMS and often lead to major nonconformities.

How Annex A 5.16 Connects to Other ISO 27001 Controls

Access rights management does not operate in isolation.

It directly supports:

  • Clause 6.1 – Risk assessment and treatment
  • Clause 7.2 – Competence
  • Clause 7.3 – Awareness
  • Annex A 5.15 – Access control
  • Annex A 8 series – Operational security

Together, these controls form a coherent identity and access governance model.

Best Practices for High-Maturity Access Rights Management

High-maturity organisations treat identity governance as a continuous process, not an onboarding checklist.

Effective practices include:

  • Centralised IAM tooling
  • Automated joiner-mover-leaver workflows
  • Role-based access models
  • Regular access recertification
  • Strong logging and monitoring
  • Clear ownership for every identity

Automation significantly reduces risk and audit effort while improving consistency.

Why Annex A 5.16 Is Critical in Modern Environments

As organisations adopt cloud services, remote work, and automation, identity becomes the primary security boundary.

Perimeter-based security alone is no longer sufficient. ISO 27001 Annex A 5.16 ensures organisations govern who has access, why they have it, and when it should be removed.

Without strong access rights management, even the best technical controls fail.

Last updated
December 14, 2025
Category
Annex A Controls — Organizational
Lucy Murphy
Head of Customer Success

Lucy works closely with customers to help them get the most out of the Hicomply platform, from onboarding to audit success. She brings a user-focused mindset to everything she does, making her well-placed to write about day-to-day challenges, shortcuts, and success strategies. Her content is grounded in what real InfoSec and compliance teams need to know — and how to get there faster. Expect helpful walkthroughs, product tips, and practical insights.

Popular Access Rights Management | Annex A 5.16 queries, answered!

What is ISO 27001 Annex A 5.16?

Annex A 5.16 requires organisations to manage the full lifecycle of identities and access rights to ensure only authorised users and systems can access information assets. It focuses on identity creation, modification, review, and revocation.

Does Annex A 5.16 apply to service accounts and APIs?

Yes. ISO 27001 explicitly expects organisations to manage both human and non-human identities, including service accounts, applications, devices, and automated processes.

Are shared accounts allowed under ISO 27001?

Shared accounts are discouraged but permitted in limited cases where justified, documented, and controlled with strong compensating measures such as logging and accountability mechanisms.

What evidence do auditors look for under Annex A 5.16?

Auditors look for documented identity policies, access provisioning records, access reviews, leaver de-provisioning evidence, and logs demonstrating identity usage and accountability.

How does Annex A 5.16 differ from access control policies?

Annex A 5.16 focuses on identity governance (who), while access control policies focus on permissions (what). Identity management must be established before access control can be effective.
