Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-2-3 – The cybersecurity requirements for identity and access management must include at least the following:
Understanding the Requirement
This control requires a clear, enforceable identity and access management (IAM) approach that covers the lifecycle of user identities, authentication strength, authorization controls, provisioning and deprovisioning, and regular verification of access. The listed objectives (2-2-3-1 through 2-2-3-4) together with the explicit objective to perform a "Periodic review of users’ identities and access rights" mean you must assign unique identities, apply least-privilege and role-based access, protect accounts with strong or multi-factor authentication, automate and document onboarding/offboarding, and run scheduled reviews to detect and correct inappropriate access.
Technical Implementation
- Inventory and unique IDs: Maintain a canonical user inventory (HR feed or IdP directory) where every human and service account has a unique identifier. Tie all access decisions and audit logs to that identifier so you can trace activity back to an individual or system.
- Centralize authentication with an IdP and enforce MFA: Use a single identity provider (e.g., cloud directory service or SSO) for primary authentication and require multi-factor authentication for all administrative and remote access. Enforce MFA via hardware tokens or authenticator apps for privileged roles.
- Role-based access and least privilege: Define a small set of roles or groups (job functions) mapped to the minimum permissions required. Implement group-based access controls so managers assign roles instead of granting individual permissions ad hoc.
- Automate provisioning and timely deprovisioning: Integrate HR systems with your IdP using SCIM or API scripts so onboarding creates required accounts and offboarding disables access within a defined SLA (e.g., same day for terminated employees). Log all provisioning/deprovisioning events.
- Periodic access reviews and attestation: Schedule quarterly (or more frequent) reviews where managers confirm that direct reports and contractors still need assigned roles. Implement a tracked attestation workflow and automatically flag accounts with no recent activity for investigation.
- Monitoring, logging, and emergency controls: Enable logs for authentication, privilege elevation, and provisioning actions. Configure alerts for suspicious events (multiple failed MFA attempts, new admin role grants). Keep logs for a retention period that meets your regulatory needs and use them in access reviews and incident response.
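The reconciliation behind the periodic access review described above, as an added example that is not part of the ECC text or any vendor tool: it joins a constructed HR feed with a constructed IdP export and flags terminated-but-enabled accounts, accounts with no HR owner, group memberships outside the assigned role, privileged members without hardware-token MFA, and dormant accounts. The role-to-group mapping, the privileged-group list and the 90-day dormancy threshold are assumptions for the demonstration.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical). In practice the HR feed and the IdP
# export would be pulled programmatically, for example via SCIM or the IdP's API.
HR_FEED = {
    "u1001": {"status": "active", "role": "Designer"},
    "u1002": {"status": "terminated", "role": "Contractor"},
    "u1003": {"status": "active", "role": "Engineer"},
}
IDP_USERS = [
    {"id": "u1001", "enabled": True, "groups": ["Designers"], "mfa": "app", "last_login": date(2024, 5, 20)},
    {"id": "u1002", "enabled": True, "groups": ["Contractors", "Billing"], "mfa": "app", "last_login": date(2024, 3, 1)},
    {"id": "u1003", "enabled": True, "groups": ["Engineers", "Admins"], "mfa": "none", "last_login": date(2024, 5, 30)},
    {"id": "svc-ci", "enabled": True, "groups": ["Admins"], "mfa": "hardware", "last_login": date(2023, 12, 1)},
]
# Assumed role-to-group mapping: the groups each job function is allowed to hold.
ROLE_GROUPS = {"Designer": {"Designers"}, "Engineer": {"Engineers", "Admins"}, "Contractor": {"Contractors"}}
# Assumed privileged groups, which require hardware-token MFA under the policy above.
PRIVILEGED_GROUPS = {"Admins", "Billing"}
REVIEW_DATE = date(2024, 6, 30)


def review_access(hr, idp, today, dormant_days=90):
    """Return (user_id, finding) pairs for a reviewer to attest or remediate."""
    findings = []
    for user in idp:
        uid, groups = user["id"], set(user["groups"])
        record = hr.get(uid)
        if record is None:
            # No HR owner: an orphaned account or an untracked service account.
            findings.append((uid, "no HR record; assign an owner or disable"))
        elif record["status"] != "active":
            # Deprovisioning missed its SLA; this is the most urgent finding class.
            if user["enabled"]:
                findings.append((uid, "terminated in HR but still enabled in IdP"))
            continue
        else:
            extra = groups - ROLE_GROUPS.get(record["role"], set())
            if extra:
                findings.append((uid, f"groups outside role {record['role']}: {sorted(extra)}"))
        if groups & PRIVILEGED_GROUPS and user["mfa"] != "hardware":
            findings.append((uid, "privileged group without hardware-token MFA"))
        if user["enabled"] and today - user["last_login"] > timedelta(days=dormant_days):
            findings.append((uid, f"no login for more than {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for uid, finding in review_access(HR_FEED, IDP_USERS, REVIEW_DATE):
        print(f"{uid}: {finding}")
```

Each finding maps to an action the attestation workflow should track: disable, reassign an owner, remove the extra group, or enrol a hardware token.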
Example in a Small or Medium Business
A 40-person design agency adopts a cloud identity provider to centralize accounts and enable single sign-on to SaaS tools. HR provides a daily feed that automatically creates or updates user profiles; when a new designer joins, the HR record triggers account creation in the IdP, assignment to the "Designer" role, and access to the shared design repo. The agency enforces MFA for all accounts and requires hardware-based tokens for the three senior engineers who can deploy code. When a contractor’s contract ends, the HR change triggers automated deprovisioning and the contractor’s access is revoked within hours. Every quarter the agency runs an access review: each team lead receives a report of people and groups with access to their systems and must attest or request changes; this review recently uncovered a contractor who still had access to client billing, which was removed immediately. Authentication and provisioning logs are retained for audit and are used when troubleshooting suspicious logins. Over time the agency tightened role definitions and reduced the number of users in admin groups, lowering risk without blocking day-to-day work.
Summary
Implementing Control 2-2-3 means combining policy (defined roles, documented onboarding/offboarding SLAs, scheduled access reviews) with technical controls (central IdP, MFA, group-based permissions, automation, logging). For SMBs, focus on unique identities, least-privilege roles, automated provisioning/deprovisioning, and a routine attestation process for "Periodic review of users’ identities and access rights" — together these measures deliver accountable, traceable, and enforceable access management that meets the requirement while staying practical and affordable.