Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Authentication of identities and binding to user data

Critical
High
Normal
Low

The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.

Identity verification must be performed according to pre-written and approved rules.

Connected other frameworks and requirements:
PR.AC-6: Proof of identity
NIST CSF
4.1 (MIL1): Establish Identities and Manage Authentication
C2M2

Features and instructions for user registration and de-registration in offered cloud services

Critical
High
Normal
Low

When offering cloud services, the organisation should provide the technical implementation to enable the customer to manage the user registration and deregistration to the service. 

The organisation should also provide instructions and specifications for the creation / deletion of users (e.g. help articles, FAQs), e.g. related to different user levels, user invitation process and different admin actions.

Connected other frameworks and requirements:
PR.AC-1: Identity and credential management
NIST CSF
PR.AC-6: Proof of identity
NIST CSF
9.2.1: User registration and de-registration
ISO 27017
9.2: User access management
ISO 27018
9.2.1: User registration and de-registration
ISO 27018

Using unique user names

Critical
High
Normal
Low

The organization must use unique usernames in order to associate users and assign responsibility for them.

Shared usernames are not allowed and users are not allowed to access information systems until a unique username is provided.

Connected other frameworks and requirements:
PR.AC-6: Proof of identity
NIST CSF
A.11.8: Unique use of user IDs
ISO 27018

Screenings and background checks before recruitment

Critical
High
Normal
Low

Applicants applying for cyber security should have their background checked, taking into account relevant laws and regulations.

The check may include:

  • review of recommendations
  • verification of CV accuracy
  • verification of educational qualifications
  • verification of identity from an independent source
  • other more detailed checks (e.g. credit information, review of previous claims or criminal record)

The background check may also be extended to, for example, teleworkers, contractors or other third parties. The depth of the background check can be related to the category of the accessed data.

Connected other frameworks and requirements:
T09: Henkilöstön luotettavuuden arviointi
7.1.1: Screening
ISO 27001
PR.AC-6: Proof of identity
NIST CSF
PR.IP-11: Cybersecurity in human resources
NIST CSF
6.1: Screening
ISO 27001
No items found.