IAM-003 User Account Lifecycle Management
Description
Formal processes exist for provisioning, modifying, and deprovisioning user accounts. Access is granted only on documented approval. Accounts are disabled or removed promptly when a user changes role or leaves the organisation. Access changes are logged.
Rationale
Orphaned and over-provisioned accounts are a leading source of unauthorised access. A controlled lifecycle ensures access tracks employment and role changes in near-real time.
Framework Mappings (5)
| Framework control | Title | Coverage |
|---|---|---|
| IAM-06 | Access Provisioning | full |
| IAM-07 | Access Changes and Revocation | full |
| 5.18 | Access rights | full |
| AC-2 | Account Management | full |
| CC6.2 | Prior to Issuing System Credentials and Granting System Access | full |
Evidence (2)
Access provisioning and deprovisioning request records showing approval workflows for account creation, modification, and removal.
Example: ServiceNow, Jira, or IT ticketing system export of access request tickets for the past 90 days, each showing the requester, approver, approval timestamp, and action taken.
Test: Request a sample of 10–15 recent access provisioning and deprovisioning tickets (include at least 3 offboarding cases). Verify for each: (1) an approval was recorded before access was granted or removed, (2) the approver is a named individual distinct from the requester, (3) for offboarding cases, the account was disabled or removed within the SLA defined in the policy.
Identity provider or directory audit logs showing account creation, modification, and deletion events tied to approved request records.
Example: Okta System Log, Azure AD Audit Log, or AWS CloudTrail export filtered for user lifecycle events (CreateUser, DeleteUser, UpdateUser) for the past 90 days, including actor, timestamp, and target account.
Test: Query the IdP audit log API for lifecycle events over the past 90 days. Cross-reference a sample of 10 events against the corresponding access request tickets. Verify: (1) no account was created or deleted without a matching approved ticket, (2) log entries include actor, target, and timestamp, (3) deprovisioning events occur within the policy-defined SLA after the trigger event (e.g. HR termination record).
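The two tests above amount to one reconciliation: every IdP lifecycle event must trace back to a ticket approved before the event by someone other than the requester, and every HR termination must be followed by a deprovisioning event within the policy SLA. The script below is an added illustration of that reconciliation, not part of the control catalogue or of any vendor tooling. It works over constructed sample records rather than a live Okta, Azure AD or CloudTrail export; the event names CreateUser, UpdateUser and DeleteUser are taken from the evidence description, while the ticket and HR field names, the mapping of event types to ticket actions, and the 24-hour SLA are assumptions standing in for whatever the organisation's policy and exports actually define.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SLA_HOURS = 24  # hypothetical policy SLA: disable within 24h of the HR trigger

# IdP event names from the evidence description; mapping to ticket actions is an assumption.
EVENT_TO_ACTION = {"CreateUser": "create", "UpdateUser": "modify", "DeleteUser": "remove"}


@dataclass(frozen=True)
class Ticket:
    """One access request from the ticketing export (field names assumed)."""
    ticket_id: str
    action: str                      # "create", "modify" or "remove"
    target: str                      # account the request concerns
    requester: str
    approver: Optional[str]          # None if never approved
    approved_at: Optional[datetime]


@dataclass(frozen=True)
class LifecycleEvent:
    """One user lifecycle event from the IdP audit log."""
    event_type: str                  # "CreateUser", "UpdateUser" or "DeleteUser"
    actor: str
    target: str
    timestamp: datetime


@dataclass(frozen=True)
class TerminationRecord:
    """HR record that should trigger deprovisioning."""
    target: str
    terminated_at: datetime


def authorising_ticket(event, tickets):
    """Latest ticket whose approval authorises `event`: same target and action,
    approval recorded at or before the event. Approval after the fact does not count."""
    action = EVENT_TO_ACTION.get(event.event_type)
    candidates = [
        t for t in tickets
        if t.target == event.target and t.action == action
        and t.approved_at is not None and t.approved_at <= event.timestamp
    ]
    return max(candidates, key=lambda t: t.approved_at, default=None)


def check_lifecycle(events, tickets, terminations, sla_hours=SLA_HOURS):
    """Cross-reference IdP events with tickets and HR records; return a list of findings."""
    findings = []

    def flag(target, event_type, issue):
        findings.append({"target": target, "event": event_type, "issue": issue})

    terminated = {r.target: r.terminated_at for r in terminations}
    for ev in events:
        ticket = authorising_ticket(ev, tickets)
        if ticket is None:
            flag(ev.target, ev.event_type, "no approval recorded before the event")
            continue
        if ticket.approver == ticket.requester:
            flag(ev.target, ev.event_type, f"{ticket.ticket_id}: approver is the requester")
        if ev.event_type == "DeleteUser" and ev.target in terminated:
            delay = ev.timestamp - terminated[ev.target]
            if delay > timedelta(hours=sla_hours):
                flag(ev.target, ev.event_type, f"deprovisioned {delay} after termination, SLA is {sla_hours}h")

    # A termination with no DeleteUser event at all is the classic orphaned account.
    deprovisioned = {ev.target for ev in events if ev.event_type == "DeleteUser"}
    for target in terminated:
        if target not in deprovisioned:
            flag(target, "Termination", "no deprovisioning event found (orphaned account)")
    return findings


def sample_data():
    """Constructed sample records, not a real export."""
    t = datetime.fromisoformat
    tickets = [
        Ticket("REQ-1001", "create", "alice", "hr.carol", "mgr.bob", t("2024-03-01T09:30")),
        Ticket("REQ-1002", "remove", "erin", "mgr.dan", "mgr.dan", t("2024-03-04T15:00")),
        Ticket("REQ-1003", "remove", "frank", "hr.carol", "mgr.bob", t("2024-03-06T10:00")),
        Ticket("REQ-1004", "create", "henry", "hr.carol", "mgr.bob", t("2024-03-03T12:00")),
    ]
    events = [
        LifecycleEvent("CreateUser", "svc.provisioner", "alice", t("2024-03-01T10:00")),
        LifecycleEvent("CreateUser", "admin.zed", "dave", t("2024-03-02T11:00")),          # no ticket
        LifecycleEvent("CreateUser", "svc.provisioner", "henry", t("2024-03-03T10:00")),  # approved 2h later
        LifecycleEvent("DeleteUser", "svc.provisioner", "erin", t("2024-03-05T09:00")),
        LifecycleEvent("DeleteUser", "svc.provisioner", "frank", t("2024-03-10T12:00")),
    ]
    terminations = [
        TerminationRecord("erin", t("2024-03-04T14:00")),
        TerminationRecord("frank", t("2024-03-06T09:00")),
        TerminationRecord("grace", t("2024-03-07T17:00")),  # never deprovisioned
    ]
    return events, tickets, terminations


if __name__ == "__main__":
    for f in check_lifecycle(*sample_data()):
        print(f"{f['target']:<8}{f['event']:<14}{f['issue']}")
```

Run against the constructed data, the check surfaces each failure mode the evidence tests look for: an account created with no ticket, an account created before its ticket was approved, a removal approved by the requester, a removal completed days after the HR termination, and a terminated user with no deprovisioning event. Feeding a real export in means only replacing `sample_data()` with parsers for the ticketing and IdP CSV or API output.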
Questions (2)
Are formal, documented processes in place for provisioning and deprovisioning user accounts, including required approvals before access is granted?
Provisioning should require at minimum one named approver distinct from the requester. Approvals must be recorded in a ticketing or workflow system.
When an employee leaves or changes role, within what timeframe are their accounts disabled or access updated?
Same-day or next-business-day deprovisioning is best practice. Delays beyond 3 days create significant orphaned-access risk. The timeframe should be defined in policy and verifiable from logs.