ISO/IEC 27001 Control 5.16: Identity management


The full life cycle of identities should be managed.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint platform with all of its features is designed to support identity management and all its aspects.

Implementation Details

MidPoint can manage complete identity lifecycle, including both human and non-human identities. MidPoint can make sure that "unique identification of individuals and systems", as required by the control, is applied consistently and comprehensively. Features related to identity lifecycle management and synchronization are primary features to implement this control. Inbound synchronization from HR system (or similar data source) is the usual method to make sure access is de-provisioned in a timely manner, as required by the control. MidPoint is a natural choice for aggregation and management of user attributes, organizational and group membership, supporting processes for change of information relating to identities. User clearances can be managed and re-certified in midPoint. Projection links, synchronization and correlation can be used to make sure the identities are not duplicated. Proper identity management mechanisms are applied to avoid use of shared identities. MidPoint is designed to fully address de-provisioning of access, as required by the control. Audit trail is used to record all identity-related events and configuration changes.

Implementation Notes

  • This is the primary control supporting deployment of midPoint in organizations. Almost all midPoint features are more or less related to this control.

  • Requirements of this control reach beyond the scope of IGA, mostly to systems that act as a source of information for midPoint. E.g. the control asks for confirming of business requirements for an identity, verifying it and establishing an identity. When dealing with employee identities, this requirements is satisfied by the usual HR practices and processes. MidPoint is taking processed information from the HR systems, assuming that the requirements are already satisfied.

  • Application inventory provides "unique identification of systems", it can also be used for partial management of non-human identities (service accounts).


The main functionality of midPoint is focusing on the identity management and supporting the whole life cycle of identities with proper documentation of each step and logs. Customers can create procedures for providing and revoking access to information with proper verification and approval.


Version Title Description
Development Information Classification and Clearances Management of user clearances
4.8 Information Classification and Clearances Management of user clearances
Was this page helpful?
Thanks for your feedback