What Is Identity and Access Management?
Identity and Access Management (IAM) is the discipline that ensures the right people have the right access to the right resources for the right reasons. It encompasses the policies, processes, and technologies that manage digital identities and control access to organisational systems and data throughout the entire identity lifecycle.
A mature IAM programme moves beyond simple user accounts and passwords to implement centralised identity governance, risk-based authentication, fine-grained authorisation, and continuous access monitoring.
IAM Core Components
| Component | What It Does | Compliance Value |
|---|---|---|
| Identity lifecycle management | Provisioning, modification, and deprovisioning of accounts | Joiners/movers/leavers evidence |
| Authentication | Verify user identity (passwords, MFA, biometrics, certificates) | Strong authentication evidence |
| Single sign-on (SSO) | One authentication grants access to multiple applications | Centralised access control |
| Authorisation | Define and enforce what authenticated users can access | Least privilege evidence |
| Access reviews | Periodic verification that access remains appropriate | Recertification evidence |
| Privileged access management | Control and monitor administrative and elevated access | Privileged access evidence |
| Directory services | Central identity store (Active Directory, Entra ID, Okta) | Identity source of truth |
| Audit logging | Record all authentication and access events | Audit trail evidence |
Authentication Methods
| Method | Security Level | User Experience | Best For |
|---|---|---|---|
| Password only | Low | Moderate friction | Legacy systems (not recommended) |
| Password + SMS OTP | Medium (phishable; exposed to SIM swap and SS7 interception) | Moderate friction | Basic MFA compliance where nothing stronger is available |
| Password + authenticator app (TOTP or push) | High (still phishable through real-time relay; push prompts can be fatigued) | Moderate friction | Standard MFA |
| Password + hardware token (FIDO2) | Very high (phishing-resistant: the assertion is bound to the origin) | Low friction after setup | High-security environments |
| Passwordless (FIDO2/passkeys) | Very high (phishing-resistant) | Low friction | Modern applications |
| Certificate-based | Very high | Transparent after setup | Machine identities, VPN |
| Biometric + device binding | Very high | Low friction | Mobile and privileged access |
Authorisation Models
| Model | How It Works | Pros | Cons |
|---|---|---|---|
| RBAC | Access based on assigned roles | Simple, auditable, well-understood | Role explosion in complex orgs |
| ABAC | Access based on attributes (user, resource, context) | Fine-grained, context-aware | Complex to implement and audit |
| PBAC | Access based on policies combining roles and attributes | Flexible, centrally managed | Policy management overhead |
| ReBAC | Access based on relationships between entities | Natural for hierarchical data | Newer, less tooling support |
| Just-in-time (JIT) | Temporary elevated access on request | Minimises standing privileges | Requires approval workflows |
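To make the differences in the table concrete, the following is an added example (not code from the original page or from any vendor product) that decides the same requests under RBAC, ABAC, ReBAC and a JIT grant. Every role, attribute, relationship tuple and policy rule in it is constructed sample data, and the combination rule in `evaluate` (roles and attributes together, or a relationship, or an unexpired JIT grant, otherwise deny) is an illustrative policy, not a standard.

```python
"""Deny-by-default authorisation evaluator comparing RBAC, ABAC, ReBAC and JIT.
All data below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RBAC: role -> static permission set (constructed)
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "finance_admin": {"report:read", "report:write"},
}

# ReBAC: (object, relation, subject) tuples; "parent" edges let access inherit (constructed)
RELATIONS = {
    ("folder:q3", "viewer", "user:alice"),
    ("doc:forecast", "parent", "folder:q3"),
}

@dataclass
class Subject:
    id: str
    roles: set
    department: str
    clearance: int
    jit_grants: dict = field(default_factory=dict)  # action -> expiry datetime

@dataclass
class Resource:
    id: str
    department: str
    sensitivity: int

@dataclass
class Context:
    now: datetime
    network: str  # "corporate" or "public"

def rbac_allows(subject, action):
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)

def abac_allows(subject, resource, action, ctx):
    # Attribute rule: same department, clearance covers sensitivity, writes only from corporate network.
    if subject.department != resource.department or subject.clearance < resource.sensitivity:
        return False
    return not (action.endswith(":write") and ctx.network != "corporate")

def rebac_allows(subject_id, obj, relation, seen=None):
    # Direct tuple, or inherited up the parent chain; 'seen' guards against cycles.
    seen = set() if seen is None else seen
    if obj in seen:
        return False
    seen.add(obj)
    if (obj, relation, subject_id) in RELATIONS:
        return True
    return any(rebac_allows(subject_id, parent, relation, seen)
               for (o, rel, parent) in RELATIONS if o == obj and rel == "parent")

def jit_allows(subject, action, ctx):
    # Temporary elevation counts only while unexpired; standing privilege is never implied.
    expiry = subject.jit_grants.get(action)
    return expiry is not None and ctx.now < expiry

def evaluate(subject, resource, action, ctx):
    """Per-model verdicts plus the combined decision and the model that granted it."""
    v = {
        "rbac": rbac_allows(subject, action),
        "abac": abac_allows(subject, resource, action, ctx),
        "rebac": rebac_allows(subject.id, resource.id,
                              "editor" if action.endswith(":write") else "viewer"),
        "jit": jit_allows(subject, action, ctx),
    }
    via = ("jit" if v["jit"] else "rbac+abac" if v["rbac"] and v["abac"]
           else "rebac" if v["rebac"] else None)
    return {**v, "allowed": via is not None, "via": via}

def scenarios():
    now = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
    forecast = Resource("doc:forecast", "finance", sensitivity=2)
    alice = Subject("user:alice", {"analyst"}, "finance", clearance=2,
                    jit_grants={"report:write": now + timedelta(hours=1)})
    bob = Subject("user:bob", {"finance_admin"}, "finance", clearance=1)
    corp, later = Context(now, "corporate"), Context(now + timedelta(hours=2), "corporate")
    return {
        "alice_read": evaluate(alice, forecast, "report:read", corp),
        "alice_write_jit": evaluate(alice, forecast, "report:write", corp),
        "alice_write_expired": evaluate(alice, forecast, "report:write", later),
        "bob_write_low_clearance": evaluate(bob, forecast, "report:write", corp),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} allowed={result['allowed']!s:5} via={result['via']} {result}")
```

The `bob_write_low_clearance` case is the one to note: RBAC alone would grant the write because of the `finance_admin` role, and only the attribute check (clearance below the document's sensitivity) stops it, which is the role-explosion versus fine-grained trade-off the table describes. The `alice_write_expired` case shows the JIT property that matters for audit: once the grant's expiry passes, the same request is denied with no deprovisioning step required.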
Identity Lifecycle Management
| Phase | Activities | Key Controls |
|---|---|---|
| Joiner | Create identity, assign role-based access, provision accounts | Automated provisioning from HR system |
| Mover | Update access when role or department changes | Access review triggers on role change |
| Leaver | Disable accounts, revoke all access, recover assets | Automated deprovisioning within 24 hours |
| Contractor | Time-bounded access with expiry dates | Auto-expire access, no permanent accounts |
| Service account | Non-human identities for system-to-system communication | Ownership assignment, rotation, monitoring |
Access Review Best Practices
| Review Type | Scope | Frequency | Reviewer |
|---|---|---|---|
| User access review | All user permissions across systems | Quarterly | Line managers |
| Privileged access review | Admin and elevated accounts | Monthly | Security team + system owners |
| Service account review | Non-human accounts and API keys | Quarterly | System owners |
| Application entitlement review | Fine-grained permissions within applications | Semi-annually | Application owners |
| Terminated user audit | Verify all access removed for departed users | Monthly | HR + IT |
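The joiner/mover/leaver controls above and the terminated-user and service-account reviews in this table come down to one reconciliation: join the HR feed to the directory export and flag every account whose state no longer matches its owner. The script below is an added example, not part of the original page or of any IAM platform; the HR and directory records are constructed, and the field names, the 24-hour leaver window and the 90-day credential-rotation limit are assumptions chosen to match the thresholds this page uses.

```python
"""Joiner/mover/leaver reconciliation producing access-review findings.
Constructed sample data; field names and thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)  # fixed clock for reproducible output
LEAVER_GRACE = timedelta(hours=24)                       # deprovision within 24 hours (page's target)
ROTATION_MAX = timedelta(days=90)                        # assumed service credential age limit

def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed HR feed: employee_id is the join key to the directory
HR = [
    {"employee_id": "E100", "status": "active",     "role": "analyst",       "end_date": None},
    {"employee_id": "E101", "status": "active",     "role": "finance_admin", "end_date": None},
    {"employee_id": "E102", "status": "terminated", "role": "analyst",       "end_date": "2024-06-07T17:00"},
    {"employee_id": "E103", "status": "terminated", "role": "analyst",       "end_date": "2024-06-10T08:30"},
    {"employee_id": "C200", "status": "active",     "role": "contractor",    "end_date": "2024-05-31T00:00"},
]

# Constructed directory export: user, contractor and service accounts
ACCOUNTS = [
    {"account": "alice",   "type": "user",       "employee_id": "E100", "enabled": True,  "role": "analyst"},
    {"account": "bob",     "type": "user",       "employee_id": "E101", "enabled": True,  "role": "analyst"},
    {"account": "carol",   "type": "user",       "employee_id": "E102", "enabled": True,  "role": "analyst"},
    {"account": "dave",    "type": "user",       "employee_id": "E103", "enabled": True,  "role": "analyst"},
    {"account": "ghost",   "type": "user",       "employee_id": "E999", "enabled": True,  "role": "analyst"},
    {"account": "ctr-eve", "type": "contractor", "employee_id": "C200", "enabled": True,  "expires": "2024-05-31T00:00"},
    {"account": "svc-etl", "type": "service",    "owner": "E100", "enabled": True, "credential_rotated": "2024-01-15T00:00"},
    {"account": "svc-old", "type": "service",    "owner": None,   "enabled": True, "credential_rotated": "2024-05-01T00:00"},
]

def reconcile(hr, accounts, now=NOW):
    """Return a list of {account, check, detail} findings for enabled accounts only."""
    people = {p["employee_id"]: p for p in hr}
    findings = []
    def flag(acct, check, detail):
        findings.append({"account": acct["account"], "check": check, "detail": detail})

    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: nothing to revoke
        if a["type"] == "service":
            owner = people.get(a.get("owner"))
            if owner is None or owner["status"] != "active":
                flag(a, "service_no_owner", "no active owner assigned")
            age = now - ts(a["credential_rotated"])
            if age > ROTATION_MAX:
                flag(a, "service_stale_credential", f"credential age {age.days}d")
            continue
        person = people.get(a["employee_id"])
        if person is None:
            flag(a, "orphaned", "enabled account with no HR record")
            continue
        if a["type"] == "contractor" and a.get("expires") and ts(a["expires"]) <= now:
            flag(a, "contractor_expired", f"expired {a['expires']}, still enabled")
        if person["status"] == "terminated":
            elapsed = now - ts(person["end_date"])
            check = "leaver_overdue" if elapsed > LEAVER_GRACE else "leaver_pending"
            flag(a, check, f"{elapsed.total_seconds() / 3600:.1f}h since termination")
        elif a["type"] == "user" and person["role"] != a.get("role"):
            flag(a, "mover_role_mismatch", f"HR role {person['role']}, directory role {a.get('role')}")
    return findings

def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in reconcile(HR, ACCOUNTS):
        print(f"{f['account']:8} {f['check']:26} {f['detail']}")
    print(summarize(reconcile(HR, ACCOUNTS)))
```

Two design points carry over to a real implementation: the HR system is treated as the source of truth and the directory is only ever checked against it, never the reverse, and a leaver inside the 24-hour window is still reported (`leaver_pending`) so that the review record shows the revocation was tracked rather than silently assumed. The output of such a run, kept with the date and the reviewer's sign-off, is the deprovisioning and terminated-user evidence the Audit Evidence section asks for.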
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Access control policy | A.5.15 | CC6.1 | Art. 21(2)(i) | Art. 9(4)(c) |
| User registration/deregistration | A.5.16 | CC6.2 | Art. 21(2)(i) | Art. 9(4)(c) |
| Provisioning of access rights | A.5.18 | CC6.2 | Art. 21(2)(i) | Art. 9(4)(c) |
| Review of access rights | A.5.18 | CC6.2 | Art. 21(2)(i) | Art. 9(4)(c) |
| Multi-factor authentication | A.8.5 | CC6.1 | Art. 21(2)(j) | Art. 9(4)(d) |
| Privileged access management | A.8.2 | CC6.1 | Art. 21(2)(i) | Art. 9(4)(c) |
| Least privilege | A.8.2 | CC6.1 | Art. 21(2)(i) | Art. 9(4)(c) |
| Authentication management | A.8.5 | CC6.1 | Art. 21(2)(j) | Art. 9(4)(d) |
ISO 27001 references use the 2022 Annex A numbering. NIS2 Art. 21(2)(i) covers human resources security, access control policies and asset management, and Art. 21(2)(j) the use of multi-factor or continuous authentication; DORA Art. 9(4)(c) covers limiting logical access to what approved functions require and administering access rights, and Art. 9(4)(d) strong authentication mechanisms.
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| Access control policy | Documented policy with roles, responsibilities, and procedures | All frameworks |
| User provisioning records | Tickets/workflow showing approval and provisioning | ISO 27001, SOC 2 |
| Access review reports | Completed reviews (quarterly for user access, monthly for privileged accounts) with decisions, remediation actions, and reviewer sign-off | All frameworks |
| MFA deployment report | Coverage across all users and systems | All frameworks |
| Deprovisioning evidence | Timely access revocation for terminated employees | All frameworks |
| Privileged account inventory | List of all admin accounts with justification | ISO 27001, SOC 2, DORA |
| SSO configuration | Centralised authentication for all applications | SOC 2 |
| Password policy | Documented policy meeting framework requirements | All frameworks |
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| No automated deprovisioning | Former employees retain access | Integrate IAM with HR system for automated offboarding |
| Shared accounts | No individual accountability | Eliminate shared accounts, use individual identities |
| No MFA on critical systems | Account compromise via credential theft | Enforce MFA everywhere, prioritise privileged access |
| Stale access accumulates | Users collect unnecessary permissions over time | Implement quarterly access reviews with remediation |
| No service account governance | Orphaned service accounts with broad access | Assign owners, implement rotation, monitor usage |
| Manual provisioning | Slow, error-prone, no audit trail | Automate provisioning via IAM platform |
| Password-only authentication | Easily compromised through phishing, credential stuffing, and password reuse | Deploy passwordless or phishing-resistant MFA (FIDO2/passkeys) |
How Orbiq Supports IAM Compliance
Orbiq helps you demonstrate identity and access management controls:
- Evidence collection — Centralise access review reports, MFA deployment evidence, and deprovisioning records
- Continuous monitoring — Track IAM control effectiveness and compliance rates
- Trust Center — Share your IAM posture via your Trust Center
- Compliance mapping — Map IAM controls to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review
Further Reading