AccountMade

Traceable-Answer Reference  /  Identity & Access Management

IAM-01Identity and Access Management Policy and Procedures

Maintain policies and procedures for identity and access management.

Every framework that asks this

Answer IAM-01 once and it typically satisfies the equivalent control elsewhere. Altitude and confidence vary — a domain-level anchor is a starting point to verify, not an audited equivalence.

FrameworkEquivalent control(s)Confidence
SOC 2CC6.1, CC6.6high
ISO 27001A.5.15high
NIST CSF 2.0PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 (domain-level)high
NIST 800-53AC-2, AC-3, AC-6, IA-2, IA-5 (domain-level)high
SIGAccess Control (domain-level)high

Full provenance and NIST 800-53 mappings: the framework crosswalk.

What the reviewer is really checking

The reviewer is establishing that the right people — and only the right people — can reach systems and data, and that this is enforced and periodically re-verified rather than set once and forgotten. They dissect MFA (is it on for all users or just admins, which factors, are there bypasses or exempted service accounts), least-privilege and RBAC (are roles scoped to need, is standing privileged access minimized), the provisioning and de-provisioning lifecycle (how access is granted, changed, and removed), and access reviews (how often entitlements are recertified and by whom). The underlying concern is precise: over-broad or orphaned access is the mechanism by which a single compromised credential becomes a company-wide breach, so a vendor that cannot describe its access model cannot bound the blast radius of an incident involving the buyer's data. Reviewers care especially about privileged and administrative access, and about how you separate your own staff's access from the buyer's data. They cross-check IAM against HRS off-boarding and against your logging answers. The real question is: 'If one of your accounts is compromised, how much can it reach — and would you even notice the access was excessive before we did?'

What a truthful, defensible answer contains

A defensible IAM answer specifies the controls per surface rather than in the abstract. For MFA, it states which user populations it covers (all users, privileged only, customers), the accepted factors, and how exceptions or service accounts are handled — not just 'MFA is enforced.' For authorization, it describes the least-privilege model: RBAC or equivalent, how roles map to need, and how standing privileged access is minimized (for example, just-in-time or approval-gated elevation) if that is what you actually do. It describes the access lifecycle end to end: how access is requested and approved, how changes on role change are handled, and how revocation is triggered and completed. It states the access-review cadence — how often entitlements, especially privileged ones, are recertified, who performs the review, and what happens to flagged access. It should distinguish workforce access from customer/tenant access, and describe how administrative access to buyer data is constrained and logged. A strong answer names the systems these controls apply to and is honest about exceptions, because reviewers trust a scoped, exception-aware answer over a universal claim. Every element should map to configuration or a review record a reviewer could sample.

Make it traceable

Tie each IAM claim to enforceable evidence. An MFA claim points to the identity-provider policy configuration showing enforcement scope and factors, plus a coverage report. A least-privilege claim points to the role definitions and, if used, the JIT/elevation approval records. A provisioning/revocation claim points to sample access-request and de-provisioning tickets with timestamps that reconcile with HRS off-boarding. An access-review claim points to a completed recertification with reviewer, date, and the disposition of flagged entitlements. This is Promise–Proof for access: 'we review access quarterly' resolves to a signed recertification a reviewer can read, and 'MFA is enforced for all users' resolves to a policy screenshot plus an exceptions list. When roles change or a review completes, the answer should update from those live records so enforcement and cadence claims never outrun the evidence.

Answer patterns that hold up

  • State MFA by population, factors, and exception handling (all users vs. privileged vs. customers; which methods; how service accounts/bypasses are governed) — not a bare 'MFA is enforced.'
  • Describe authorization as a least-privilege/RBAC model tied to need, and how standing privileged access is minimized (e.g., JIT or approval-gated) if you actually do so.
  • Describe the access lifecycle: request/approval, change-on-role-change, and triggered revocation — reconciled with off-boarding.
  • State access-review cadence with reviewer and disposition (how often entitlements, especially privileged, are recertified and what happens to flagged access).
  • Distinguish workforce access from customer/tenant access and describe how admin access to buyer data is constrained and logged.

Evidence that backs the answer

Identity-provider MFA policy configuration and coverage/exception reportRole/permission definitions (RBAC) and privileged-access approval or JIT recordsAccess-request and de-provisioning tickets with timestampsCompleted periodic access-review / recertification with reviewer and datePrivileged-access management logs or session recordsAccess-control policy defining provisioning, review cadence, and least privilege

Red flags reviewers catch

  • 'We enforce MFA' with no scope, factors, or exceptions stated.
  • 'Access follows least privilege' with no roles, review cadence, or handling of standing admin access.
  • Access reviews claimed but no cadence, reviewer, or example recertification.
  • No distinction between staff access and customer-data access in a multi-tenant product.
  • IAM revocation answer that does not match the HRS off-boarding timeframe elsewhere in the questionnaire.

FAQ

What is a buyer really asking with IAM-01?

The reviewer is establishing that the right people — and only the right people — can reach systems and data, and that this is enforced and periodically re-verified rather than set once and forgotten. They dissect MFA (is it on for all users or just admins, which factors, are there bypasses or exempted service accounts), least-privilege and RBAC (are roles scoped to need, is standing privileged access minimized), the provisioning and de-provisioning lifecycle (how access is granted, changed, and removed), and access reviews (how often entitlements are recertified and by whom). The underlying concern is precise: over-broad or orphaned access is the mechanism by which a single compromised credential becomes a company-wide breach, so a vendor that cannot describe its access model cannot bound the blast radius of an incident involving the buyer's data. Reviewers care especially about privileged and administrative access, and about how you separate your own staff's access from the buyer's data. They cross-check IAM against HRS off-boarding and against your logging answers. The real question is: 'If one of your accounts is compromised, how much can it reach — and would you even notice the access was excessive before we did?'

What does a defensible answer to IAM-01 need?

A defensible IAM answer specifies the controls per surface rather than in the abstract. For MFA, it states which user populations it covers (all users, privileged only, customers), the accepted factors, and how exceptions or service accounts are handled — not just 'MFA is enforced.' For authorization, it describes the least-privilege model: RBAC or equivalent, how roles map to need, and how standing privileged access is minimized (for example, just-in-time or approval-gated elevation) if that is what you actually do. It describes the access lifecycle end to end: how access is requested and approved, how changes on role change are handled, and how revocation is triggered and completed. It states the access-review cadence — how often entitlements, especially privileged ones, are recertified, who performs the review, and what happens to flagged access. It should distinguish workforce access from customer/tenant access, and describe how administrative access to buyer data is constrained and logged. A strong answer names the systems these controls apply to and is honest about exceptions, because reviewers trust a scoped, exception-aware answer over a universal claim. Every element should map to configuration or a review record a reviewer could sample.

Which other frameworks does IAM-01 cover?

Answering IAM-01 typically covers SOC 2 (CC6.1, CC6.6); ISO 27001 (A.5.15); NIST CSF 2.0 (PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05); NIST 800-53 (AC-2, AC-3, AC-6, IA-2, IA-5); SIG (Access Control). Confidence and altitude vary per mapping — see the equivalents table.

Answer every buyer from one governed source.