
Authentication of identities and binding to user data


The organization verifies the identity of users and associates them with user information. Both the identity and this association should also be confirmed before any interaction.

Identity verification must be performed according to pre-written and approved rules.

Other connected frameworks and requirements:
PR.AC-6: Proof of identity
NIST CSF
4.1 (MIL1): Establish Identities and Manage Authentication
C2M2

Managing user privileges


The organisation must manage all of its users and their privileges. This includes all third-party users who have access to the organisation's data or systems.

The organisation must remove users entirely, or remove privileges from them, when they are no longer needed, e.g. when an employee's role changes.

Other connected frameworks and requirements:
4.1 (MIL1): Establish Identities and Manage Authentication
C2M2

Avoiding and documenting shared user accounts


Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.

If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.

Other connected frameworks and requirements:
32. Security of processing
GDPR
9.2.4: Management of secret authentication information of users
ISO 27001
I07: Identification of actors in the data processing environment
5.16: Identity management
ISO 27001
4.1 (MIL1): Establish Identities and Manage Authentication
C2M2