Account Management (CIS Control 5)
CIS Control 5 addresses the secure management of user and administrator accounts, ensuring that only authorised individuals have access and that unnecessary privileges are removed. Compromised credentials, and administrator accounts in particular, feature in a large share of serious security incidents, because a valid account lets an attacker operate without exploiting a single vulnerability.
What is account management?
Account management covers the entire lifecycle of user accounts: creation, maintenance, periodic review and deactivation. Poor account management is one of the most common causes of security breaches -- from forgotten service accounts with excessive privileges to accounts of former employees that were never closed.
CIS Control 5 provides a structured set of safeguards to ensure that organisations maintain a clear, up-to-date inventory of all accounts and that each account has only the access it genuinely needs.
Privileged access
CIS Control 5 places particular emphasis on privileged accounts (administrator accounts). The recommendations include:
- Separate accounts: Use dedicated accounts for administrative tasks, one for daily work (email, browsing, documents) and one for administration. The admin account should never be used for general computing, so that a phishing email or malicious download does not land in a privileged session.
- Minimise administrative users: Restrict the number of users with administrative rights to an absolute minimum.
- Log and monitor: Log and monitor all privileged activity to detect misuse or compromise.
- Just-In-Time access: Avoid permanent administrative rights -- use Just-In-Time (JIT) access to grant elevated privileges only when needed and for a limited duration.
Inactive and abandoned accounts
Inactive accounts, accounts that have not been used for a defined period, are a classic attack vector. An attacker who takes over a dormant account is rarely detected quickly: there is no legitimate owner to notice unexpected logons or password changes, and such accounts are often excluded from monitoring. CIS Controls v8 safeguard 5.3 specifies disabling dormant accounts after 45 days of inactivity; some organisations apply a longer window of up to 90 days, but 45 days is the benchmark figure.
Offboarding process: Removing access for departing employees is critical and must happen on the day the employee leaves the organisation -- not afterwards. A formal offboarding checklist that includes account deactivation is an IG1 practice.
IG1 safeguards
Implementation Group 1 (IG1) requires the following for Control 5: establishing and maintaining an account inventory, validated at least quarterly (5.1); using unique passwords (5.2); disabling dormant accounts after 45 days (5.3); and restricting administrative privileges to dedicated administrator accounts (5.4). These are the minimum safeguards that every organisation should implement regardless of size or maturity.
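The checks described above (dormant accounts, same-day offboarding and dedicated admin accounts) are easiest to keep honest when they run as a script over the account inventory rather than as a manual checklist. The following is an added example, not code from CIS or from this page's publisher. It assumes the inventory has already been exported into a simple record per account (name, owner, kind, enabled flag, last logon time and whether HR still lists the owner as active); the record layout, the function names and the sample accounts are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Review window from CIS Controls v8 safeguard 5.3 (disable dormant accounts after 45 days).
DORMANT_AFTER = timedelta(days=45)


@dataclass(frozen=True)
class Account:
    """One row of the account inventory (safeguard 5.1): who owns it, what it is for,
    whether it is enabled and when it last authenticated. Field layout is assumed."""
    name: str
    owner: str                      # the person (or team) responsible for the account
    kind: str                       # "user", "admin" or "service"
    enabled: bool
    last_logon: Optional[datetime]  # None = never logged on
    owner_active: bool              # False once HR reports the owner has left


def review_accounts(accounts, now, dormant_after=DORMANT_AFTER):
    """Return a list of findings, one dict per account and issue.

    Issues raised:
      offboarding     - enabled account whose owner has left (remove on leaving day)
      dormant         - enabled account not used within dormant_after, or never used
      dedicated-admin - admin account whose owner has no separate enabled daily-use account
    """
    findings = []
    # Owners who hold a normal, enabled account; every admin account should map to one.
    daily_use_owners = {a.owner for a in accounts if a.kind == "user" and a.enabled}

    for acct in accounts:
        if not acct.enabled:
            continue  # already deactivated; nothing to do
        if not acct.owner_active:
            findings.append({"account": acct.name, "issue": "offboarding",
                             "action": "disable now: owner has left the organisation"})
        if acct.last_logon is None or now - acct.last_logon > dormant_after:
            findings.append({"account": acct.name, "issue": "dormant",
                             "action": f"disable: no logon in {dormant_after.days} days"})
        if acct.kind == "admin" and acct.owner not in daily_use_owners:
            findings.append({"account": acct.name, "issue": "dedicated-admin",
                             "action": "owner has no separate daily-use account; "
                                       "the admin account is probably used for routine work"})
    return findings


def accounts_with_issue(findings, issue):
    """Names of the accounts flagged with a given issue, sorted for stable output."""
    return sorted(f["account"] for f in findings if f["issue"] == issue)


def admin_count(accounts):
    """Number of enabled administrator accounts (the figure to keep to a minimum)."""
    return sum(1 for a in accounts if a.kind == "admin" and a.enabled)


# Constructed sample inventory for the demonstration; these are not real accounts.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", "user", True, NOW - timedelta(days=3), True),
    Account("alice-adm", "alice", "admin", True, NOW - timedelta(days=10), True),  # paired with 'alice'
    Account("bob", "bob", "user", True, NOW - timedelta(days=60), True),          # dormant
    Account("carol", "carol", "user", True, NOW - timedelta(days=2), False),      # owner has left
    Account("dave-adm", "dave", "admin", True, NOW - timedelta(days=1), True),    # no daily-use account
    Account("svc-backup", "it-ops", "service", True, None, True),                # never logged on
    Account("erin", "erin", "user", False, NOW - timedelta(days=400), False),    # already disabled
]

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{f['account']:<12} {f['issue']:<16} {f['action']}")
    print("enabled admin accounts:", admin_count(SAMPLE_ACCOUNTS))
```

Run against a real export, the "offboarding" findings are the ones to act on the same day; "dormant" findings feed the 45-day disable cycle, and "dedicated-admin" findings point at administrators who are doing daily work from a privileged account. Note that a service account with no logon on record is reported as dormant too: either it is genuinely unused and should go, or its activity is not being captured, which is itself something the inventory review should surface.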
Frequently Asked Questions about Account Management (CIS Control 5)
What is CIS Control 5?
CIS Control 5 covers account management -- the processes for creating, administering, reviewing and deactivating user and administrator accounts to minimise the risk of unauthorised access.
Why is privileged access management important?
Privileged accounts such as administrator accounts have elevated access to critical systems. If compromised, an attacker gains broad access. CIS Control 5 recommends separate admin accounts, limiting the number of privileged users, and using Just-In-Time access.
How often should inactive accounts be reviewed?
CIS Controls v8 safeguard 5.3 specifies disabling accounts after 45 days of inactivity (some organisations extend this to 90 days). Independently of that, safeguard 5.1 calls for the account inventory to be validated at least quarterly, which is when accounts that should be disabled or removed are identified.
What is an IG1 safeguard in CIS?
IG1 (Implementation Group 1) represents the minimum set of safeguards that every organisation should implement. For Control 5, IG1 includes maintaining an account inventory, using unique passwords, deactivating inactive accounts, and restricting admin privileges.
How does CIS Control 5 relate to ISO 27001 access control?
CIS Control 5 and ISO 27001 Annex A access control requirements are complementary. CIS provides specific, actionable safeguards, whilst ISO 27001 sets broader policy-level requirements. Implementing CIS Control 5 helps satisfy several ISO 27001 access control objectives.
.legal A/S