Identity and Access Management (IAM)
Domain 5 — Protection of Information Assets
Definition
Identity and Access Management (IAM) is the framework of policies, processes, and technologies that ensures the right individuals access the right resources at the right time for the right reasons. It covers identity lifecycle management (joiner, mover, leaver), authentication (verifying identity), and authorisation (granting permissions). IS auditors evaluate IAM by reviewing user provisioning processes, authentication mechanisms, access certification procedures, and de-provisioning timeliness.
Real-World Audit Scenario
I audited a professional services firm where the HR system and the IT system were not integrated. When an employee resigned, HR updated their record in the HR system, but the IT system was never notified. The result: 23 terminated employees still had active accounts, including a partner who had left 8 months ago and still had access to client financial data. The IT team was manually checking a weekly HR report to identify leavers, but they were three weeks behind. We recommended automated de-provisioning integration between HR and IT systems.
Common Exam Trap
The exam often asks about the BEST control for ensuring timely access removal when an employee leaves. The answer is "automated de-provisioning triggered by HR system changes" — not "ask the manager to notify IT," which introduces human delay and error.
Test Your Understanding
Try a free practice question on this topic — see our 4-layer explanations and find out where you stand.