IAM Control Mapping
Status: Complete
Maturity: 12 controls mapped to risks and governance themes
Evidence: Full mapping documented below
Next: Add control testing evidence
Introduction
This mapping connects 12 core IAM controls to the risks they address, the governance frameworks that require or recommend them, and the implementation patterns that make them operational. IAM engineering decisions are not made in isolation — they exist within a risk management and compliance context.
Frameworks referenced: NIST SP 800-53, CIS Controls v8, ISO/IEC 27001:2022, SOC 2 (AICPA Trust Services Criteria) and SOX IT General Controls, with GDPR Art. 17 and COBIT cited in the individual rows where they apply.
Control Mapping
| # | Control | Risk Addressed | Frameworks | Implementation |
|---|---|---|---|---|
| 1 | Privileged Access Management | Privileged account compromise | NIST AC-6, CIS Control 5, SOX | PAM tooling, credential vaulting, session recording, JIT elevation |
| 2 | Multi-Factor Authentication | Credential stuffing, phishing | NIST IA-2, ISO 27001 A.9.4.2, SOC 2 CC6.1 | TOTP, FIDO2/WebAuthn, push notifications; risk-based step-up |
| 3 | Least Privilege Access | Excessive blast radius on compromise | NIST AC-6, CIS Control 6 | Role mining, access reviews, entitlement management tooling |
| 4 | Role-Based Access Control | Inconsistent access model across systems | NIST AC-2, SOC 2 CC6.1, SOX | Role hierarchy design, SCIM group sync, SoD constraints enforced |
| 5 | Identity Lifecycle Management | Orphaned accounts, stale access | NIST AC-2, GDPR Art.17, SOC 2 CC6.2 | Joiner/Mover/Leaver process, SCIM provisioning and deprovisioning |
| 6 | Automated Provisioning (SCIM) | Manual provisioning errors, orphaned accounts | NIST AC-2, SOC 2 CC6.1 | SCIM v2 connector platform, automated sync with IdP on user events |
| 7 | Just-in-Time Access Elevation | Standing privileged access | NIST AC-2(5), CIS Control 5 | Time-boxed elevation requests, approval workflows, auto-expiry |
| 8 | Periodic Access Certification | Access creep, SoD violations | SOX 404, SOC 2 CC6.2, ISO 27001 A.9.2.5 | Quarterly review campaigns, certifier routing, automated revocation on non-response |
| 9 | Separation of Duties | Fraud, unauthorised transactions | SOX, COBIT, SOC 2 CC6.3 | SoD matrix definition, conflict detection at provisioning, compensating controls |
| 10 | Non-Human Identity Governance | Over-privileged service accounts, credential exposure | NIST IA-2, CIS Control 4, SOC 2 CC6.1 | OAuth2 client credentials, scope governance, rotation automation, NHI inventory |
| 11 | SSO and Federated Authentication | Authentication inconsistency, shadow IT | NIST IA-8, SOC 2 CC6.1, ISO 27001 A.9.4.4 | SAML/OIDC federation, IdP-initiated and SP-initiated flows, MFA enforcement at IdP |
| 12 | Audit Logging and Monitoring | Undetected access events, compliance gaps | NIST AU-2, SOC 2 CC7.2, ISO 27001 A.12.4 | Structured JSON audit events, SIEM integration, alert thresholds, retention policy |
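As an added example (not tooling from this mapping), the Python below shows where controls #9 and #12 meet at provisioning time: a constructed SoD matrix is checked before an entitlement is granted, a conflict is denied unless a compensating control is recorded with it, and the decision is written as a structured JSON audit event ready for SIEM ingestion. The entitlement names, the event schema and the compensating-control field are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed SoD matrix: each entry is a pair of entitlements that one
# identity must not hold at the same time (a "toxic combination").
SOD_MATRIX = {
    frozenset({"ap:create_vendor", "ap:approve_payment"}),
    frozenset({"gl:post_journal", "gl:approve_journal"}),
    frozenset({"hr:create_employee", "payroll:run_payroll"}),
}


def sod_conflicts(current_entitlements, requested):
    """Return the currently held entitlements that conflict with `requested`."""
    return sorted(e for e in current_entitlements
                  if frozenset({e, requested}) in SOD_MATRIX)


def provision(subject, current_entitlements, requested, actor,
              compensating_control=None, now=None):
    """Decide a provisioning request and return (decision, JSON audit event).

    A conflicting request is denied unless a compensating control (e.g. an
    independent transaction review) is recorded; such grants are flagged so
    the next access certification campaign can pick them up.
    """
    conflicts = sod_conflicts(current_entitlements, requested)
    if not conflicts:
        decision = "granted"
    elif compensating_control:
        decision = "granted_with_compensating_control"
    else:
        decision = "denied"
    event = {  # assumed audit schema; keys sorted for stable SIEM parsing
        "event_type": "entitlement.provision",
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "subject": subject,
        "entitlement": requested,
        "sod_conflicts": conflicts,
        "compensating_control": compensating_control,
        "decision": decision,
    }
    return decision, json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a user who can create vendors asks to approve payments.
    held = {"ap:create_vendor", "erp:read_reports"}
    print(provision("jdoe", held, "ap:approve_payment", actor="iam-bot")[1])
```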
Risk Themes
Credential and Authentication Risk
Controls: #1, #2, #10, #11
Controls that reduce the likelihood of credential compromise and authentication bypass
Access Creep and Excessive Privilege
Controls: #3, #4, #7, #8, #9
Controls that prevent and detect accumulation of unneeded access over time
Identity Lifecycle and Orphan Risk
Controls: #5, #6
Controls that ensure access is provisioned and deprovisioned in line with employment and role changes
Audit and Governance
Controls: #12
Controls that ensure access decisions and events are logged, attributable, and reviewable
Governance Framework Coverage
NIST SP 800-53
AC-2, AC-6, AU-2, IA-2, IA-8
Federal information system baseline; widely adopted in commercial enterprise
CIS Controls v8
Controls 4, 5, 6
Prescriptive implementation guidance for access management and account hygiene
ISO/IEC 27001:2022
A.9.2.5, A.9.4.2, A.9.4.4, A.12.4
International ISMS standard; required for ISO certification audits
SOC 2 (TSC)
CC6.1, CC6.2, CC6.3, CC7.2
Trust Services Criteria; required for service organisation reporting
SOX ITGC
Access controls, change management
IT General Controls for financial system integrity; mandatory for US public companies
GDPR
Art. 17 (right to erasure)
Identity lifecycle: deprovisioning must include deletion or anonymisation of the leaver's personal data so that erasure obligations can be met
Employer Value
Risk reduced: Uncontrolled access, credential exposure, audit blind spots
Operational value: Connects technical controls to governance requirements
IAM domain: Access governance, risk management, control frameworks
Seniority signal: Security thinking applied systematically — not ad hoc
Evidence
Control mapping table: [ Documented above — 12 controls ]
Risk theme analysis: [ Documented above ]
Control testing evidence: [ Pending — next milestone ]
Framework crosswalk: [ Documented above ]