๐Ÿ  Back to Exam Syllabus ๐Ÿ“บ RooCloud on YouTube ๐ŸŒ RooCloud Practice Exams

CISSP 13.4 - Managing the Identity & Access Provisioning Life Cycle

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series follows an account from birth to retirement within identity and access management in Domain 5. It shows why the provisioning life cycle is unglamorous yet exactly where real-world access control quietly lives or dies over time.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What is the identity and access provisioning life cycle?

It is the full arc of an account: its creation, its management, its review, and its deletion. These steps feel routine, but they are the backbone of access control, because without accurate accounts a system cannot establish identity, authenticate, authorize, or hold anyone accountable. It also covers more than people, since computers and services carry accounts too.

How do you provision and onboard a new hire?

Provisioning creates the account and grants exactly the privileges the new role needs, following a defined procedure. It is critical to prove the personโ€™s identity first, through documents, background checks, or reference checks, and many organizations automate the build by consistent rules, placing the user into the right groups. It also means issuing hardware with careful records, followed by onboarding that covers the acceptable use policy and security basics.

How do you deprovision and offboard someone who leaves?

You reverse the process, and the same steps apply to transfers. The simplest deprovisioning is deleting the account, but that can destroy access to the personโ€™s own data, so many organizations disable the account instead, letting a supervisor recover anything needed before deleting it, often within thirty days. Speed matters because a terminated worker who keeps access is a real sabotage risk, and offboarding also means collecting hardware and stopping benefits.

Why do account access reviews catch problems nothing else does?

Because they periodically check every account against what it should have. Administrators review user, privileged, system, and service accounts to confirm none carry excessive privileges and all comply with policy, watching the local system account especially since it often has broad power. Automation helps, with scripts finding accounts idle past thirty days and disabling them, or scanning privileged groups for accounts that do not belong.

What two access problems do these reviews hunt for?

They target excessive privilege and privilege creep. Excessive privilege is when an account simply holds more than the job requires, and the fix is to revoke what is not needed. Privilege creep is subtler, where permissions pile up over time as someone changes roles, like a worker moving from accounting to sales who gains new rights but keeps the old ones. Both break the principle of least privilege, and regular reviews reliably surface them.

๐Ÿ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 13.4 - Managing the Identity & Access Provisioning Life Cycle.