📋 ISO 27001 A.5.16 | Rule ID: ISO27001-A516 | Severity: high

Identity Management

Description

The full life cycle of identities shall be managed.

⚠️ Risk Impact

Orphaned identities are the most common cloud breach vector. Departed employees, archived service accounts, and forgotten contractor credentials remain valid indefinitely if lifecycle management is weak.

🔍 How EchelonGraph Detects This

ISO27001-A516 | Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Integrate the IdP (Okta, Entra, Workspace) with the HRIS. Automate joiner/mover/leaver events: new hire → IdP grant; role change → grants recalculated; termination → all cloud and SaaS access revoked within 24 hours. Run a quarterly orphan-account hunt.
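The quarterly orphan-account hunt described above, as an added example (not EchelonGraph's scanner code): it reconciles a constructed HRIS roster against a constructed IdP export and flags terminated users who are still active or were disabled after the 24-hour revocation window, IdP users with no HRIS record, and service accounts with no owner or a departed owner. The record layouts, field names and the 2024-06-10 evaluation time are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real data): an HRIS roster and an IdP export.
HRIS = {
    "alice": {"status": "active", "terminated_at": None},
    "bob":   {"status": "terminated", "terminated_at": "2024-06-01T09:00:00+00:00"},
    "carol": {"status": "terminated", "terminated_at": "2024-06-03T17:00:00+00:00"},
}
IDP = [
    {"user": "alice", "type": "human", "active": True},
    {"user": "bob", "type": "human", "active": True},            # never disabled
    {"user": "carol", "type": "human", "active": False,
     "disabled_at": "2024-06-05T10:00:00+00:00"},               # disabled, but late
    {"user": "dave", "type": "human", "active": True},           # no HRIS record
    {"user": "svc-ci", "type": "service", "active": True, "owner": "bob"},
    {"user": "svc-backup", "type": "service", "active": True},  # no owner recorded
]
REVOKE_SLA = timedelta(hours=24)  # termination-to-revocation target from the remediation text

def find_orphans(hris, idp, now):
    """Return (account, finding) pairs for every IdP account that fails a lifecycle check."""
    findings = []
    for acct in idp:
        user = acct["user"]
        if acct["type"] == "service":
            # Service accounts are judged by their recorded owner, not by their own HRIS record.
            owner = hris.get(acct.get("owner", ""))
            if owner is None:
                findings.append((user, "service-account-without-owner"))
            elif owner["status"] == "terminated":
                findings.append((user, "service-account-owner-terminated"))
            continue
        rec = hris.get(user)
        if rec is None:
            findings.append((user, "no-hris-record"))
        elif rec["status"] == "terminated":
            if acct["active"]:
                findings.append((user, "active-after-termination"))
            else:
                revoked = datetime.fromisoformat(acct["disabled_at"])
                terminated = datetime.fromisoformat(rec["terminated_at"])
                if revoked - terminated > REVOKE_SLA:
                    findings.append((user, "revocation-sla-missed"))
    return findings

def run_hunt():
    """Run the hunt over the constructed data at an assumed evaluation time."""
    return find_orphans(HRIS, IDP, datetime(2024, 6, 10, tzinfo=timezone.utc))

if __name__ == "__main__":
    for user, kind in run_hunt():
        print(f"{user}: {kind}")
```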

💀 Real-World Attack Scenario

A SaaS company terminated an engineer who retained valid IdP credentials for 45 days post-termination because HRIS-to-IdP sync was manual. The ex-engineer used the credentials to download the customer database from CRM and sold it. The company faced $2.4M in customer-notification cost + competitor lawsuit.

💰 Cost of Non-Compliance

Orphaned-identity breaches: 23% of insider-threat cases (Ponemon Insider Threats 2024). Average cost: $11.45M per insider-threat incident.

📋 Audit Questions

  1. What is the SLA from termination to access revocation?
  2. How are service accounts ownership-tracked?
  3. Show last quarter's orphan-account audit.
  4. Are joiner / mover / leaver workflows automated?

🎯 MITRE ATT&CK Mapping

  • T1078 — Valid Accounts
  • T1530 — Data from Cloud Storage

⚡ Common Pitfalls

  • Manual HRIS-to-IdP sync (always lags reality)
  • Service account ownership not tracked (when owner leaves, account orphans silently)
  • Cloud + SaaS access not federated through IdP (terminations miss those)

📈 Business Value

Automated identity lifecycle eliminates the orphaned-account attack vector entirely. Material benefit for both compliance and insider-threat reduction.

⏱️ Effort Estimate

Manual

40-80 hours for IdP-HRIS integration + automation

With EchelonGraph

EchelonGraph integrates with IdP/HRIS; detects stale + orphaned accounts

🔗 Cross-Framework References

  • SOC2-CC6.2
  • NIST-IA-4

Automate ISO 27001 A.5.16 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
