Identity and Access Management

Also known as: IAM

The discipline of authenticating who someone is, deciding what they are allowed to do, and recording the decisions so they can be reviewed, revoked, or attested to over time.

Written by Askara Solutions editorial team · Updated

Identity and Access Management is the part of the security programme where most real-world breaches are won or lost. A standing administrator account on a forgotten laptop, a contractor who kept their access after the project ended, a shared service account whose password is in a spreadsheet: each of these is an IAM failure long before it becomes an incident.

The discipline covers three things in sequence. Identification establishes who someone is, usually via a directory and a credential. Authentication proves they are who they claim to be, increasingly through multi-factor methods. Authorisation decides what that authenticated identity is allowed to do, by reference to a role or a policy. The last step is where ISO 27001 spends most of its Annex A access-control objectives, because that is where the principle of least privilege either holds or breaks.

Mature IAM has two operational properties that the documentation alone cannot evidence. Access reviews happen on a published cadence, with named approvers, and the result is recorded. Joiner, mover, and leaver events trigger changes in days rather than quarters. The Askara Solutions agent surfaces the access landscape as data, so audits can ask "show me every account that has not signed in for 90 days" and get a defensible answer rather than a spreadsheet rebuilt from memory.
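As an added illustration (not Askara Solutions code, and not the agent's own logic), the access-review pass described above run over a constructed directory export: it answers the 90-day dormancy question and also flags the three failure patterns from the opening paragraph. Account names, field names, role names, and the review date are all constructed for the example.

```python
from datetime import date

DORMANT_DAYS = 90                                    # threshold used by the audit question
PRIVILEGED_ROLES = {"domain-admin", "global-admin"}  # assumed names for standing-admin roles

# Constructed directory export (sample data, not from any real tenant).
REVIEW_DATE = date(2024, 6, 30)
ACCOUNTS = [
    {"id": "alice", "type": "user", "last_signin": date(2024, 6, 28),
     "roles": ["developer"], "employment_end": None, "owner": "alice"},
    {"id": "laptop-admin", "type": "user", "last_signin": date(2024, 1, 5),
     "roles": ["domain-admin"], "employment_end": None, "owner": "it-ops"},
    {"id": "contractor-bob", "type": "user", "last_signin": date(2024, 6, 20),
     "roles": ["developer"], "employment_end": date(2024, 3, 31), "owner": "bob"},
    {"id": "svc-backup", "type": "service", "last_signin": date(2024, 6, 29),
     "roles": ["backup-operator"], "employment_end": None, "owner": None},
]

def days_since_signin(acct, as_of):
    return (as_of - acct["last_signin"]).days

def dormant_accounts(accounts, as_of, days=DORMANT_DAYS):
    """The audit question from the text: every account with no sign-in for `days` days."""
    return [a["id"] for a in accounts if days_since_signin(a, as_of) > days]

def review(accounts, as_of, days=DORMANT_DAYS):
    """One access-review pass; returns (account, finding, detail) tuples for a named approver."""
    findings = []
    for a in accounts:
        idle = days_since_signin(a, as_of)
        if idle > days:
            findings.append((a["id"], "dormant", f"no sign-in for {idle} days"))
        end = a.get("employment_end")
        if end is not None and end < as_of:          # leaver event never reached IAM
            findings.append((a["id"], "leaver-still-active", f"employment ended {end}"))
        held = PRIVILEGED_ROLES.intersection(a["roles"])
        if held:                                     # standing rather than time-bound privilege
            findings.append((a["id"], "standing-privilege", ", ".join(sorted(held))))
        if a["type"] == "service" and not a.get("owner"):  # nobody accountable for the credential
            findings.append((a["id"], "unowned-service-account", "no named owner"))
    return findings

if __name__ == "__main__":
    for account, finding, detail in review(ACCOUNTS, REVIEW_DATE):
        print(f"{account:16} {finding:24} {detail}")
```

The shared-password-in-a-spreadsheet case cannot be seen in directory data; the unowned service account is the nearest observable proxy, which is why the check asks for a named owner.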

Related terms

  • Access Control

    Policies and mechanisms that restrict who can do what within information systems, by reference to identity, role, or attribute, recorded in a form that can be reviewed.

  • Least Privilege

    Principle that every identity should hold only the permissions required for its legitimate function, with privileges granted, time-bound, and revoked rather than accumulated.

  • Annex A

    The catalogue of 93 information security controls in ISO/IEC 27001:2022, organised into four themes (organisational, people, physical, technological), referenced from the Statement of Applicability.

  • Information Security Management System

    The documented set of policies, procedures, and accountability that an organisation uses to manage information-security risk over time.