Domain 5: Identity and Access Management

Controlling Who Gets In

Domain 5 represents 13% of the CISSP exam. Identity and access management controls who can access what resources under which conditions. A large share of security incidents trace back to access: either someone held access they should not have had, or access controls failed to stop an unauthorized action.

The IAM process follows a sequence: identification claims an identity, authentication proves it, authorization determines allowed actions, and accountability tracks what happened.

[Figure: IAM process flow. IDENTIFY (claim identity) > AUTHENTICATE (prove identity) > AUTHORIZE (grant access) > ACCOUNT (track actions). Authentication factors: something you KNOW (passwords, PINs), something you HAVE (tokens, smart cards), something you ARE (biometrics). MFA = two or more factors from different categories.]

Authentication Methods

Authentication factors fall into categories: something you know (passwords, PINs), something you have (tokens, smart cards), something you are (biometrics). Multi-factor authentication requires factors from different categories—a password plus a fingerprint, not two passwords.

Biometrics measure physical or behavioral characteristics, and every biometric system trades two error types against each other. False Accept Rate (FAR) is how often an impostor is wrongly accepted; False Reject Rate (FRR) is how often a legitimate user is wrongly denied. Tightening the match threshold lowers FAR and raises FRR, and loosening it does the reverse. The Crossover Error Rate (CER), the point where FAR equals FRR, is the standard single-number comparison of accuracy: a lower CER means a more accurate system. High-security deployments usually tune for a lower FAR than the crossover point gives, accepting more false rejects in exchange.

  • Passwords remain common despite weaknesses. Strong passwords resist guessing and cracking. Password managers enable unique passwords per service. Passwordless authentication eliminates passwords entirely using biometrics or hardware tokens.
  • Tokens generate one-time passwords or answer cryptographic challenges. Only the challenge-response kind is phishing-resistant: FIDO2/WebAuthn authenticators such as YubiKeys sign a challenge bound to the site origin as reported by the browser, so a response produced on a look-alike site does not verify at the real one. One-time passwords, whether from a hardware display token or a phone app, can be captured by a phishing page and relayed within their validity window. Software tokens on phones are more convenient but inherit any compromise of the phone.
  • Biometrics can’t be forgotten or shared but also can’t be changed if compromised. Fingerprints work for consumer applications. Retina scans provide higher accuracy for high-security environments. Behavioral biometrics analyze typing patterns or gait.
  • Certificates enable mutual authentication where both parties verify identity. Client certificates authenticate users to servers. mTLS ensures both endpoints are legitimate before exchanging data.
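To make the phishing-resistance point concrete, the following is an added example (not code from the original page): an RFC 6238 TOTP generator and verifier of the kind behind authenticator apps and OTP hardware tokens, beside a simplified origin-bound challenge-response in the style of FIDO2/WebAuthn. The relay attack succeeds against TOTP and fails against the origin-bound scheme. The HMAC "authenticator signature", the seed, the key and the origins are constructed for illustration; real WebAuthn uses an asymmetric signature over data that includes the origin.

```python
"""Added example (not from the page): RFC 6238 TOTP as used by authenticator
apps and OTP hardware tokens, next to a simplified origin-bound
challenge-response in the style of FIDO2/WebAuthn, showing why the second
resists phishing and the first does not.  The HMAC 'authenticator signature'
stands in for the real asymmetric signature; secrets and origins are constructed."""
import base64
import hashlib
import hmac
import struct

# Constructed base32 seed, as an enrolment QR code would carry.
SHARED_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the step."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` adjacent steps to absorb clock drift.
    Note what is NOT checked: where the user typed the code."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * step, step), code)
        for k in range(-skew, skew + 1)
    )


def totp_phish_relay(secret_b32: str, now: int) -> bool:
    """A look-alike site captures the victim's current code and relays it to the
    real service a few seconds later.  The service accepts it."""
    captured = totp(secret_b32, now)                   # victim types code into the fake page
    return verify_totp(secret_b32, captured, now + 5)  # attacker replays within the window


# --- Origin-bound challenge-response (simplified WebAuthn model) ---
def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """The browser, not the web page, supplies the origin it is actually on, and
    the signature covers it (in real WebAuthn via the hash of clientDataJSON)."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def relying_party_verify(key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """The relying party recomputes over its own origin; a response produced on any
    other origin cannot verify, so a relayed assertion is useless to the attacker."""
    expected = hmac.new(key, challenge + b"|" + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def webauthn_phish_relay(key: bytes) -> bool:
    """Same relay attack against the origin-bound scheme: the victim's browser is on
    the look-alike origin, so the assertion is bound to it and the real site rejects it."""
    challenge = b"\x00" * 16                          # constructed; real challenges are random
    assertion = authenticator_sign(key, challenge, "https://bank-login.example")
    return relying_party_verify(key, challenge, "https://bank.example", assertion)
```

The `verify_totp` window is the attacker's opportunity: any code typed into a phishing page stays valid for the rest of its 30-second step plus the skew allowance. The origin-bound scheme has no such window because the response is only meaningful for the origin the browser actually loaded.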

Access Control Models

DAC (Discretionary Access Control) lets resource owners control access. Simple but doesn’t scale—each owner makes independent decisions. MAC (Mandatory Access Control) enforces system-wide policies based on classifications. Users can’t override. Used in military and high-security environments.

RBAC (Role-Based Access Control) assigns permissions to roles, then users to roles. A “Finance Analyst” role includes all permissions that role needs. When someone joins or leaves, change their roles rather than individual permissions. Most enterprise systems use RBAC.

[Figure: Role-Based Access Control. USERS are assigned to ROLES (Admin, Analyst, Viewer); ROLES contain PERMISSIONS (Create, Read, Update, Delete). Simplifies management.]
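The three models above differ in who is allowed to change the decision, not just in how the decision is made. The following added example (not code from the original page) puts each model into a small decision function over constructed data: a DAC object whose owner alone edits its ACL, a MAC check that compares fixed (level, compartments) labels and that no subject can override, and an RBAC mapping where a transfer is handled by swapping roles rather than permissions. The object names, labels and roles are illustrative.

```python
"""Added example (not from the page): the three access-control models from this
section, each as a small decision function over constructed data.  The object
names, labels and roles are illustrative, not from any real system."""
from dataclasses import dataclass, field


# ----- DAC: the object's owner controls its ACL; nothing is enforced system-wide -----
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions

    def grant(self, by: str, subject: str, perm: str) -> None:
        """Only the owner may change the ACL; that is the 'discretionary' part."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own this object")
        self.acl.setdefault(subject, set()).add(perm)


def dac_allowed(obj: DacObject, subject: str, perm: str) -> bool:
    return subject == obj.owner or perm in obj.acl.get(subject, set())


# ----- MAC: labels compared on a fixed lattice; no user can relabel or override -----
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def dominates(subject_label: tuple, object_label: tuple) -> bool:
    """(level, compartments) dominates when level is >= and compartments are a superset."""
    s_level, s_cats = subject_label
    o_level, o_cats = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and set(s_cats) >= set(o_cats)


def mac_read_allowed(clearance: tuple, classification: tuple) -> bool:
    """Read is allowed only if the clearance dominates the object's label ('no read up').
    A higher level alone is not enough; the compartments must match too."""
    return dominates(clearance, classification)


# ----- RBAC: users -> roles -> permissions -----
ROLE_PERMS = {
    "Admin": {"create", "read", "update", "delete"},
    "Finance Analyst": {"read", "update"},
    "Viewer": {"read"},
}


def rbac_allowed(user_roles: dict, user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[role] for role in user_roles.get(user, ()))


def change_role(user_roles: dict, user: str, new_roles: set) -> None:
    """Joiners, movers and leavers are handled by editing the role assignment,
    never individual permissions; an empty set deprovisions the user."""
    if new_roles:
        user_roles[user] = set(new_roles)
    else:
        user_roles.pop(user, None)


def demo() -> dict:
    """Run each model on constructed data and return the decisions."""
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    try:
        report.grant("bob", "carol", "read")   # bob is not the owner
        bob_could_grant = True
    except PermissionError:
        bob_could_grant = False

    secret_nuclear = ("SECRET", {"NUCLEAR"})
    analyst = ("TOP SECRET", {"CRYPTO"})       # higher level, wrong compartment
    officer = ("SECRET", {"NUCLEAR", "CRYPTO"})

    roles = {"dana": {"Finance Analyst"}}
    change_role(roles, "dana", {"Viewer"})     # transfer: old permissions leave with the role

    return {
        "dac_bob_read": dac_allowed(report, "bob", "read"),
        "dac_bob_delete": dac_allowed(report, "bob", "delete"),
        "dac_bob_could_grant": bob_could_grant,
        "mac_analyst_reads_nuclear": mac_read_allowed(analyst, secret_nuclear),
        "mac_officer_reads_nuclear": mac_read_allowed(officer, secret_nuclear),
        "rbac_dana_update_after_transfer": rbac_allowed(roles, "dana", "update"),
        "rbac_dana_read_after_transfer": rbac_allowed(roles, "dana", "read"),
    }
```

The MAC case is the one exam questions probe most: the TOP SECRET analyst is denied a SECRET document because the compartment does not match, and nothing the analyst or the document's author does can change that, whereas in DAC the owner could simply add them to the ACL.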

Identity Lifecycle

Provisioning creates accounts when users join. Maintenance handles changes—role changes, transfers, leaves of absence. Deprovisioning removes access when users leave. Each stage needs defined processes and timely execution. Orphaned accounts from incomplete deprovisioning create security gaps.

Access reviews verify that granted access remains appropriate. Quarterly reviews catch accumulated privileges from job changes. Certification requires managers to confirm their team’s access is correct and necessary.
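An access review is only as good as the join between the HR system of record and the directory. The following added example (not code from the original page) runs that join over a constructed roster and a constructed directory export and flags the gaps described above: an orphaned account with no HR owner, a terminated user still enabled (and active after the termination date), a transferred user who kept the old department's role, an employee on leave still enabled, and stale accounts. Names, IDs, dates, departments and role names are made up for illustration.

```python
"""Added example (not from the page): an access-review pass that joins a
constructed HR roster against a constructed directory export to surface the
lifecycle gaps this section describes.  All names, IDs, dates and roles are
made up for illustration."""
from datetime import date

# Constructed HR system of record: employee_id -> (status, termination_date, department)
HR_ROSTER = {
    "E100": ("active", None, "Finance"),
    "E101": ("terminated", date(2024, 3, 1), "Finance"),
    "E102": ("active", None, "Engineering"),   # transferred from Finance in April
    "E103": ("leave", None, "Sales"),
}

# Constructed directory export: (account, employee_id, enabled, last_logon, roles)
DIRECTORY = [
    ("alice", "E100", True, date(2024, 5, 29), {"Finance Analyst"}),
    ("bob", "E101", True, date(2024, 4, 10), {"Finance Analyst"}),
    ("carol", "E102", True, date(2024, 5, 30), {"Engineer", "Finance Analyst"}),
    ("dave", "E103", True, date(2024, 2, 1), {"Sales Rep"}),
    ("svc_backup", None, True, date(2023, 1, 1), {"Admin"}),
]

# Roles each department is expected to hold (constructed).
DEPT_ROLES = {
    "Finance": {"Finance Analyst"},
    "Engineering": {"Engineer"},
    "Sales": {"Sales Rep"},
}


def review_accounts(roster, directory, today, stale_days=90):
    """Return {account: [finding, ...]} for every account a reviewer must act on.
    Accounts with no findings are omitted so the output is the work list."""
    findings = {}
    for account, emp_id, enabled, last_logon, roles in directory:
        reasons = []
        record = roster.get(emp_id) if emp_id else None
        if record is None:
            # No HR owner means nobody's departure will ever trigger deprovisioning.
            reasons.append("orphaned: no matching HR record, assign an owner or disable")
        else:
            status, term_date, dept = record
            if status == "terminated" and enabled:
                reasons.append(f"deprovisioning missed: terminated {term_date.isoformat()}, still enabled")
            if status == "terminated" and last_logon > term_date:
                reasons.append("activity after termination date: investigate")
            if status == "leave" and enabled:
                reasons.append("on leave but still enabled: suspend until return")
            extra = roles - DEPT_ROLES.get(dept, set())
            if extra:
                # Movers keep old roles unless the transfer process removes them.
                reasons.append(f"accumulated roles outside {dept}: {sorted(extra)}")
        idle = (today - last_logon).days
        if enabled and idle > stale_days:
            reasons.append(f"stale: no logon in {idle} days")
        if reasons:
            findings[account] = reasons
    return findings
```

Feeding a real directory export into this shape (account, owner, enabled flag, last logon, roles) is the core of a quarterly certification: the manager confirms or revokes each line of the work list, and anything orphaned is either assigned an owner or disabled.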

Privileged Access Management

Administrative accounts require additional controls. PAM solutions vault credentials, record sessions, and enforce approval workflows. Just-in-time access grants privileges for specific tasks rather than standing access. Separation of duties prevents administrators from both making and approving changes.

Connecting to Other Domains

Domain 3 security models define access control requirements that Domain 5 implements. Domain 7 monitors for access control violations and responds to incidents. Domain 2 classification determines what access controls assets require.

The practice questions test understanding of when to apply DAC versus MAC versus RBAC, and how authentication factors combine for appropriate assurance levels.

Identity and access management controls who can do what to which resources. Get IAM right, and you’ve addressed one of the most common attack vectors. Get it wrong, and technical controls elsewhere won’t matter.

Elias Ward
Elias is a deep coding specialist who has spent most of his career working in places most people never hear about. Starting with a background in secure systems and backend development, he eventually moved into roles that required quiet precision and the ability to build or fix technology in environments where reliability mattered more than recognition.
