Identity & Authentication Policy Template
Introduction
Purpose and Use
Robust identity and authentication controls are critical to ensure that only authorised individuals and systems can access organisational resources. This policy template provides guidance on managing digital identities and enforcing secure authentication methods across the organisation. It is designed to align with Cyber Essentials, ISO/IEC 27001, and UK GDPR requirements by establishing consistent processes for identity provisioning, authentication mechanisms and lifecycle management.
Use this template to develop an Identity & Authentication Policy tailored to your organisation’s technology environment and risk appetite. It should be customised to reflect your specific authentication methods (e.g. passwords, multi-factor authentication, biometrics) and legal obligations.
Who This Template Is For
- IT and information security leaders responsible for identity and access management (IAM).
- System administrators managing authentication technologies and user directories.
- Organisations aiming for Cyber Essentials, ISO/IEC 27001, or compliance with UK GDPR and other regulatory frameworks.
Alternative Names You Might See
- Identity Management Policy
- Authentication and Access Policy
- Identity & Access Management (IAM) Policy
Identity & Authentication Policy Template
1. Document Management
- Organisation Name: [Insert organisation name]
- Document Owner: [Role/title responsible for the policy]
- Version: [e.g. 1.0]
- Classification: [e.g. Internal / Public / Confidential]
- Issue Date: [Date of current issue]
- Next Review Date: [Date for next review]
- Supersedes: [If applicable, previous versions]
- Approval: [Senior management approval]
- Change History: Include a table recording version, date, author and summary of changes.
2. Purpose
The purpose of this policy is to:
- Define how digital identities are created, managed and decommissioned.
- Establish standards for authentication mechanisms, including password requirements, multi-factor authentication and single sign-on.
- Support compliance with UK GDPR, Data Protection Act 2018, ISO/IEC 27001 and Cyber Essentials by reducing the risk of identity compromise.
3. Scope
This policy applies to:
- All users (employees, contractors, partners, third parties) requiring authenticated access to organisational systems and data.
- All authentication methods deployed by the organisation, including passwords, one-time codes, tokens, biometrics and federated identities.
- All systems, applications and cloud services where identity and authentication controls are needed.
4. Roles and Responsibilities
4.1 Senior Management / Board
- Approve the Identity & Authentication Policy and ensure resources for IAM are available.
- Support enforcement of identity and authentication controls.
4.2 Information Security / IT Function
- Design, implement and maintain identity and authentication systems.
- Define baseline authentication requirements (e.g. password complexity, MFA) and enforce them across systems.
- Maintain accurate and up-to-date user directories (e.g. Active Directory, IAM platforms).
- Conduct periodic reviews and audits of identity lifecycle processes.
4.3 HR and Line Managers
- Provide timely notification of personnel changes (new starters, role changes, departures) to the IT function.
- Ensure access rights are aligned with role requirements and revoked promptly upon departure.
4.4 All Users
- Follow identity and authentication requirements (e.g. using MFA, safeguarding credentials).
- Report any suspected compromise of credentials to IT/security immediately.
5. Identity Lifecycle Management
5.1 Identity Creation
- Digital identities must be uniquely identifiable and created only upon authorised request from HR or line management.
- Default permissions and group memberships should be based on role requirements (role-based provisioning).
- Initial authentication credentials (e.g. temporary password) must be delivered securely and require the user to change them upon first login.
5.2 Identity Maintenance
- User identities must be kept current; changes such as role transfers or department moves require review and adjustment of permissions.
- Periodic (at least annual) reviews of identities and associated privileges should be conducted to ensure accuracy.
5.3 Identity Deactivation
- When an individual leaves the organisation, their digital identity must be deactivated and access revoked by the effective date.
- Dormant accounts (e.g. no successful authentication for 90 days) must be disabled automatically and reactivated only after the account owner's continued need has been confirmed by their line manager.
6. Authentication Standards
6.1 Passwords
- Password requirements must follow the Password Policy (see separate policy) regarding length, complexity, reuse and storage.
6.2 Multi-Factor Authentication (MFA)
- MFA is required for remote access, privileged accounts, other high-risk systems, and all cloud services where the service supports it (a Cyber Essentials requirement).
- The factors used must come from different categories (something you know, something you have, something you are); two factors of the same category (e.g. two passwords) do not constitute MFA.
- Acceptable MFA methods include time-based one-time passwords (TOTP), hardware tokens, biometrics, smartcards and push notifications. Push-based approvals must use number matching or an equivalent control so that a user cannot approve a login they did not initiate.
6.3 Single Sign-On (SSO) and Federation
- SSO solutions should be used to streamline authentication across multiple systems, reducing password fatigue and improving security. Because the identity provider then becomes a single point of compromise, it must itself be protected with MFA, session timeouts and the monitoring described in section 8.
- Identity federation (e.g. SAML, OIDC) should be implemented for externally hosted services where possible, maintaining central control over authentication and ensuring that deactivating an identity centrally revokes access to the federated service.
- Federated identities must still comply with organisational identity management standards.
6.4 Service and Application Accounts
- Non-human identities (e.g. service accounts, application identities) must follow similar lifecycle management and authentication standards.
- Hard-coded credentials in code or scripts are prohibited; secrets should be stored securely (e.g. in a secrets manager).
7. Credential Handling and Protection
- Passwords must be stored only as salted hashes using a purpose-built password hashing function (e.g. bcrypt, scrypt or Argon2), never reversibly encrypted. Other credentials (tokens, keys) must be encrypted at rest, and all credentials must be transmitted only over encrypted channels such as TLS.
- Credentials must not be shared or transmitted via unsecured channels (e.g. email, chat).
- Secrets used in automation or systems must be rotated regularly and protected with appropriate controls.
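The two rules above that can be checked mechanically are the ban on hard-coded credentials (6.4) and the rotation requirement for automation secrets (7). The following is an added illustrative example, not part of the template: a scanner that flags credential-looking string literals in source, and a minimal stand-in for a secrets manager that refuses to hand out a secret older than the rotation window. The detection pattern, the in-memory store, the sample script and the 90-day window are all assumptions chosen for the example.

```python
"""Checks behind sections 6.4 and 7: flag hard-coded credentials in source,
and refuse to use a stored secret that is overdue for rotation.

Added illustrative example. The regex, the SecretStore class, the sample
script and ROTATION_WINDOW are assumptions, not requirements of the policy.
"""
import re
from datetime import datetime, timedelta, timezone

# A credential-looking identifier assigned a quoted string literal, e.g.
#   db_password = "hunter2"   or   API_KEY := 'abc'
# Reading the value from the environment or a store, e.g.
#   api_key = os.environ["API_KEY"]
# does not match, because the right-hand side is not a quoted literal.
HARDCODED_RE = re.compile(
    r"\b\w*(pass|secret|token|api[_-]?key|private[_-]?key)\w*\s*[:=]+\s*[\"'][^\"']{4,}[\"']",
    re.IGNORECASE,
)


def find_hardcoded_credentials(source):
    """Return the 1-based line numbers that look like a hard-coded credential."""
    return [
        n for n, line in enumerate(source.splitlines(), start=1)
        if HARDCODED_RE.search(line)
    ]


# Constructed sample script for the scanner (assumption, not real code).
SAMPLE_SCRIPT = """\
import os
db_password = "hunter2"           # hard-coded: must be rejected in review
api_key = os.environ["API_KEY"]   # accepted: injected at run time
token = 'eyJhbGciOi'              # hard-coded, single-quoted form
"""

ROTATION_WINDOW = timedelta(days=90)   # assumed maximum age of an automation secret


class SecretStore:
    """Minimal in-memory stand-in for a secrets manager: value plus creation time."""

    def __init__(self):
        self._items = {}

    def put(self, name, value, created_at):
        self._items[name] = (value, created_at)

    def due_for_rotation(self, name, now):
        """True when the secret is older than ROTATION_WINDOW."""
        _, created_at = self._items[name]
        return now - created_at > ROTATION_WINDOW

    def get(self, name, now):
        """Return the secret value, or raise if it is missing or overdue for rotation."""
        if name not in self._items:
            raise KeyError(f"secret {name!r} not found")
        if self.due_for_rotation(name, now):
            age = now - self._items[name][1]
            raise RuntimeError(f"secret {name!r} is {age.days} days old; rotate before use")
        return self._items[name][0]


def build_sample_store(now):
    """Constructed store: one fresh secret and one that has outlived the window."""
    store = SecretStore()
    store.put("db/password", "s3cr3t-value", now - timedelta(days=30))
    store.put("api/key", "old-key", now - timedelta(days=120))
    return store


if __name__ == "__main__":
    print("hard-coded credentials on lines:", find_hardcoded_credentials(SAMPLE_SCRIPT))
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = build_sample_store(now)
    for name in ("db/password", "api/key"):
        print(name, "due for rotation:", store.due_for_rotation(name, now))
```

Refusing to return an overdue secret is deliberate: a rotation policy that only raises a ticket is routinely ignored, whereas a failing job gets fixed. Run the scanner in CI against every commit so that a hard-coded credential is caught before it reaches a shared branch.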
8. Monitoring and Auditing
- Authentication logs must be collected and monitored for suspicious activity (e.g. multiple failed logins, unusual login times or locations).
- Identity and authentication systems must support auditing and produce logs that are tamper-evident.
- Periodic audits should verify that identities and permissions align with business requirements and that authentication controls remain effective.
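The monitoring bullet above names three signals worth alerting on: repeated failed logins, unusual login times and unusual locations. As an added illustrative example (not part of the template), the following detection logic runs those rules over a handful of constructed authentication log lines. The log format, the thresholds, the off-hours window and the per-user location baseline are assumptions; in practice they come from your own systems and risk appetite.

```python
"""Detection rules for authentication logs: failed-login bursts, a success
that follows a burst, off-hours logins, and logins from unseen locations.

Added illustrative example. The log format, thresholds, OFF_HOURS window,
SAMPLE_LOG and KNOWN_GEO are assumptions, not prescribed by the policy.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed format: one event per line, key=value fields after "auth:".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)

FAIL_THRESHOLD = 5                  # failures from one source against one account...
FAIL_WINDOW = timedelta(minutes=5)  # ...inside this window raise a brute-force alert
OFF_HOURS = range(0, 6)             # UTC hours treated as unusual for interactive logins


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, known_geo):
    """Return a list of (rule, user, detail) alerts in the order they fire.

    known_geo maps user -> set of country codes seen in that user's baseline.
    Each distinct (rule, user, detail) fires once so the output stays readable.
    """
    alerts, seen = [], set()
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures

    def alert(rule, user, detail):
        key = (rule, user, detail)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue   # unparseable lines are skipped rather than silently trusted
        user, ts, src, geo = ev["user"], ev["ts"], ev["src"], ev["geo"]
        q = failures[(user, src)]
        while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD:
                alert("brute_force", user, src)
            continue
        # Successful login from here on.
        if len(q) >= FAIL_THRESHOLD:
            alert("success_after_burst", user, src)   # likely guessed or sprayed password
        if ts.hour in OFF_HOURS:
            alert("off_hours", user, ts.strftime("%H:%M"))
        if geo not in known_geo.get(user, set()):
            alert("new_location", user, geo)
    return alerts


# Constructed sample log (assumption; addresses are documentation ranges).
SAMPLE_LOG = """\
2024-03-04T09:00:01Z auth: user=alice result=OK src=198.51.100.10 geo=GB
2024-03-04T09:05:00Z auth: user=bob result=FAIL src=203.0.113.7 geo=NL
2024-03-04T09:05:10Z auth: user=bob result=FAIL src=203.0.113.7 geo=NL
2024-03-04T09:05:20Z auth: user=bob result=FAIL src=203.0.113.7 geo=NL
2024-03-04T09:05:30Z auth: user=bob result=FAIL src=203.0.113.7 geo=NL
2024-03-04T09:05:40Z auth: user=bob result=FAIL src=203.0.113.7 geo=NL
2024-03-04T09:06:00Z auth: user=bob result=OK src=203.0.113.7 geo=NL
2024-03-05T03:12:44Z auth: user=alice result=OK src=198.51.100.10 geo=GB
this line is not an auth event
"""
KNOWN_GEO = {"alice": {"GB"}, "bob": {"GB"}}   # constructed per-user baseline


def run_sample():
    return detect(SAMPLE_LOG.splitlines(), KNOWN_GEO)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:20} user={user:6} {detail}")
```

On the sample, bob's five failures raise a brute-force alert, his subsequent success from the same source is flagged separately (that is the event worth an incident ticket rather than a lockout), and his login is also from a country outside his baseline; alice's 03:12 login trips only the off-hours rule. The success-after-burst rule is the one most often missing from naive failed-login dashboards, and it is the one that distinguishes a noisy scanner from an actual account compromise.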
9. Training and Awareness
- Users must receive training on secure authentication practices, including use of MFA, recognising phishing attempts, and the importance of protecting credentials.
- Regular awareness campaigns should remind staff of their responsibilities and the evolving threat landscape.
10. Exceptions
- Any exceptions or deviations from this policy must be justified, documented, and approved by senior management.
- Exceptions must include compensating controls and be reviewed periodically for continued necessity.
11. Policy Communication
- This policy must be communicated to all users and made available on the organisational intranet or Knowledge Base.
- Updates should be communicated when significant changes occur in authentication technologies or regulatory requirements.
12. Supporting Policies and Standards
- Access Control Policy – defines how access rights are provisioned and managed.
- Password Policy – sets requirements for password creation and management.
- Acceptable Use Policy – guidelines on appropriate use of IT resources.
- Information Security Policy – overarching framework for protecting information assets.
13. Policy Add‑ons
Depending on organisational needs, you may add:
- Biometric Authentication Standards specifying acceptable technologies, privacy considerations and fallback methods.
- Privileged Access Management requirements (see Privileged Access Policy) for controlling elevated accounts.
- Identity Federation Agreements detailing responsibilities when integrating with partner or customer identity providers.
Use this template as a foundation and adapt it to your organisation’s needs. Review and update the policy regularly to reflect changes in authentication technologies, threats and regulatory requirements.
