Identity and access management
Identity and access management (IAM) encompasses the processes and technologies used to manage digital identities, roles and access rights throughout their entire lifecycle.
Identity and access management (IAM) refers to the interplay of organisational processes and technical systems with which an organisation manages the digital identities of people, services and technical accounts and governs their access to information and systems. At its core, IAM answers the question of who (identity) may access which resources, with which rights and under which conditions. It systematically links the two pillars of identity management (creating, maintaining and deactivating identities) and access management (authentication and authorisation) in order to safeguard the confidentiality, integrity and availability of the information being processed.
Effective IAM is built around the lifecycle of an identity: when someone joins, their identity and initial permissions are granted on a role basis; when something changes, such as a transfer to another department or function, rights are adjusted and permissions that are no longer required are revoked; and when someone leaves, access is deactivated promptly, ideally triggered automatically by the HR event. Guiding principles include granting minimal rights (least privilege), the need-to-know principle and segregation of duties. This is reinforced by strong authentication, in particular multi-factor authentication, and by the special protection of privileged accounts (privileged access management).
From a compliance perspective, IAM is a central control area of an information security management system (ISMS). Regular recertifications (access reviews) demonstrate that the rights granted remain necessary and appropriate, while complete logging of access ensures accountability towards auditors and supervisory authorities. The NIS2 Directive and its national implementation explicitly require affected entities to put in place measures for access control, authentication and identity management; ISO/IEC 27001 and the BSI IT-Grundschutz framework likewise anchor IAM as a fundamental security control. A well-documented IAM therefore not only reduces the risk of unauthorised access but is also an essential building block of the risk management measures required by law.
Legal Basis
Art. 21(2) NIS2 Directive (EU) 2022/2555; ISO/IEC 27001:2022 Annex A 5.15-5.18, A 8.2-8.5; BSI IT-Grundschutz module ORP.4 (Identity and Authorisation Management)
Practical Example
During an internal audit, a mid-sized mechanical engineering company classified as an important entity under NIS2 discovers that several former employees still hold active accounts with access to the ERP system. The information security officer responds by introducing role-based IAM: permissions are granted via defined roles rather than individually, the offboarding process is integrated with the HR department so that accounts are deactivated automatically, and privileged administrator accounts are subject to mandatory multi-factor authentication. A semi-annual recertification by line managers and tamper-evident, audit-ready logging then provide the evidence that access control meets the requirements of the NIS2 implementation.
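The lifecycle described above (joiner, mover, leaver, least privilege through roles, segregation of duties, MFA on privileged accounts) and the orphaned-account finding from the practical example can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not code from any product, standard or the company in the example; the role names, permission strings, user IDs and HR roster are constructed sample data.

```python
"""Toy role-based IAM lifecycle: joiner / mover / leaver, least privilege
via roles, segregation of duties, MFA on privileged roles and an
orphan-account check against an HR roster.

All role names, permission strings and sample identities below are
constructed for this example (assumption, not taken from a real system).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Permissions are granted only through roles, never directly per user.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "engineer":            frozenset({"cad:read", "cad:write", "erp:read"}),
    "purchasing":          frozenset({"erp:read", "erp:create_po"}),
    "purchasing_approver": frozenset({"erp:read", "erp:approve_po"}),
    "erp_admin":           frozenset({"erp:read", "erp:admin"}),
}
# Segregation of duties: these role combinations must never meet on one identity.
SOD_CONFLICTS = [frozenset({"purchasing", "purchasing_approver"})]
# Privileged roles require MFA (privileged access management).
PRIVILEGED_ROLES = frozenset({"erp_admin"})


@dataclass
class Identity:
    uid: str
    roles: set[str] = field(default_factory=set)
    active: bool = True
    mfa_enrolled: bool = False


class IdentityStore:
    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}

    def _check_roles(self, roles: set[str]) -> None:
        unknown = roles - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        for conflict in SOD_CONFLICTS:
            if conflict <= roles:
                raise ValueError(f"segregation-of-duties conflict: {sorted(conflict)}")

    def joiner(self, uid: str, roles, mfa_enrolled: bool = False) -> Identity:
        """Create the identity with its initial, role-based rights."""
        roles = set(roles)
        self._check_roles(roles)
        ident = Identity(uid, roles, True, mfa_enrolled)
        self.identities[uid] = ident
        return ident

    def mover(self, uid: str, new_roles) -> set[str]:
        """Replace the role set on transfer; return the permissions revoked."""
        ident = self.identities[uid]
        before = self.effective_permissions(uid)
        new_roles = set(new_roles)
        self._check_roles(new_roles)
        ident.roles = new_roles
        return before - self.effective_permissions(uid)

    def leaver(self, uid: str) -> None:
        """Offboarding: deactivate the account and drop every role."""
        ident = self.identities[uid]
        ident.active = False
        ident.roles.clear()

    def effective_permissions(self, uid: str) -> set[str]:
        ident = self.identities[uid]
        if not ident.active:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in ident.roles))

    def privileged_without_mfa(self) -> list[str]:
        """Active identities holding a privileged role without MFA enrolment."""
        return sorted(i.uid for i in self.identities.values()
                      if i.active and i.roles & PRIVILEGED_ROLES and not i.mfa_enrolled)

    def orphaned_accounts(self, hr_active_uids) -> list[str]:
        """Active accounts whose owner the HR roster no longer lists as employed."""
        roster = set(hr_active_uids)
        return sorted(i.uid for i in self.identities.values()
                      if i.active and i.uid not in roster)


def run_audit() -> dict:
    """Walk the constructed scenario and return the review findings."""
    store = IdentityStore()
    store.joiner("alice", {"engineer"})
    store.joiner("bob", {"purchasing"})
    store.joiner("carol", {"erp_admin"}, mfa_enrolled=True)
    store.joiner("dave", {"erp_admin"})              # privileged, MFA not enrolled
    store.joiner("erin", {"purchasing"})
    revoked = store.mover("bob", {"engineer"})       # transfer: PO rights must go
    store.leaver("erin")                             # HR-driven offboarding
    hr_roster = {"alice", "bob", "carol"}            # constructed: dave has left
    return {
        "revoked_on_move": revoked,
        "orphaned": store.orphaned_accounts(hr_roster),
        "priv_no_mfa": store.privileged_without_mfa(),
        "bob_perms": store.effective_permissions("bob"),
        "erin_perms": store.effective_permissions("erin"),
    }


if __name__ == "__main__":
    for finding, value in run_audit().items():
        print(f"{finding}: {value}")
```

The two review functions are the ones a recertification would run: `orphaned_accounts` reconciles the identity store against the HR roster and flags exactly the former-employee accounts the audit in the example found, and `privileged_without_mfa` flags administrator accounts that violate the MFA requirement. Because rights exist only through roles, a transfer (`mover`) drops the old permissions as a side effect rather than relying on someone remembering to revoke them.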