Identity and Access Management (IAM) is an essential part of day-to-day life in all organisations, even more so in larger organisations with greater amounts of sensitive commercial or client information to protect. 

There is a team of specialists with shared responsibility that manage identities and access as part of a broader role in system administration. This ensures there is an effective operation and development of the IAM system within the organisation. 

On a daily basis, the team is conscientious, positive, comfortable working in an IT-focused environment and able to prioritise to meet changing demands. These tasks range from basic user account administration and creating/auditing user access information, to conducting risk assessments on the organisation’s IAM and providing solutions to improve the system. 

If there is a security incident, the response needs to be quick, and an investigation effort untaken to find out what happened and who was involved. There will be continuous improvement on how to manage the IAM, especially looking at ways to reduce the risk of breaches, usually working with other teams in the organisation such as IT and HR. 

Identity and Access Management (IAM) is an essential element of the cyber security protection of an organisation, ensuring that people only access systems and data if they allowed to do so. 

In detail, you might: 

• perform routine administration tasks associated with accessing the Trusted ICT Network and Systems, including: 

• managing users’ access credentials; and 
• withdrawing and maintaining access in line with authorised service requests 

• fulfil service requests for starters, movers and leavers in relation to user account management, by: 

• updating user information 
• creating and modifying email distribution lists; and 
• creating or modifying security groups 

• design, develop, deploy and maintain identity and access management services and applications, including: 

• local and federated authentication and authorisation systems 
• their backend directories; and 
• databases 

• identify opportunities for improving the IAM strategy, policies and processes 
• investigate records of user actions and system processes when a security incident is suspected to have occurred 

• assess and manage risks to the effectiveness and security of the IAM system 

Job Titles 

For Identity and Access Management roles, titles include: 

• Identity & Access Management - Support Assistant 
• Identity & Access Management Analyst 

• Identity & Access Management Engineer 

For more experienced Identity and Access Management roles, titles include: 

• Identity & Access Management Specialist / Consultant / Director 
• Digital Identity Security Consultant 
• Cyber Manager - Identity & Access Management 

Salaries 

An apprentice working in Identity & Access Management might earn between £19,000 and £20,000 a year. 

An Identity and Access Management role could earn between £30,000 and £63,000. The median salary in March 2021 was £33,492. 

A senior Identity & Access Management role could earn between £70,000 and £120,000. The median salary for an Identity & Access Management Consultant in March 2021 was £82,500. 

The salary ranges are based on job vacancy advertisements published online in March 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. 

Each of the 16 specialisms are based on knowledge areas within CyBOK.  

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Cyber Security Governance & Risk Management 

Core knowledge – you will need a very good understanding of these areas 

Authentication, Authorisation & Accountability 

All aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems. 

Web & Mobile Security 

Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models. 

Related knowledge – you will need a solid understanding of these areas 

Risk Management and Governance 

Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation. 

Privacy and Online Rights 

Data confidentiality, control and protection of personal and valuable information to ensure privacy is maintained and recognised as a fundamental human right. 

Operating Systems & Virtualisation Security 

Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multi-user systems, secure virtualisation, and security in database systems. 

Cryptography 

Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them. 

Wider knowledge – these areas will help to provide context for your work 

Security Operations and Incident Management 

The configuration, operation and maintenance of secure systems including the erection of and response to security incidents and the collection and use of threat intelligence.  

Law and Regulations 

The legal and regulatory topics that merit consideration when conducting various activities in the field of cybersecurity. 

Adversarial Behaviours 

Understanding an attacker’s motivations and capabilities, and the technological and human elements that adversaries require to run a successful operation.

Skills 

Personal attributes 

• ability to work on your own as well as within a small team 
• interpersonal skills, including customer service 
• communicating technical and non-technical information to a wide range of audiences 

• attention to detail, with a logical and methodical working practice 
• a positive, organised, and motivated approach to work, with the ability to meet deadlines 
• strong IT skills, able to analyse data for reporting purposes and follow work instruction 
• experience of developing new processes and ways of working 
• evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

For a more experienced professional: 

• working and influencing cross-functionally and managing external agencies 
• providing expert advice and accurate analysis, complying with all relevant regulations, to senior stakeholders 

Specialist skills  

• application of Authentication & Authorization principles and processes 

• application of industry standard IAM protocols, such as Kerberos, OAuth, FIDO, SCIM, LDAP, SAML 
• application of Identity and Authentication solutions, such as Okta, Auth0, Active Directory & Azure AD 
• application of LDAP\Active Directory services, MFA, risk-based authentication and privileged access management 
• application of cyber security principles such as Least Privilege and Separation of Duties 
• auditing user and process access, including interpreting system logs 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs). 

A6 – Legal and Regulatory Environment and Compliance 

Principles: 

• understands the legal and regulatory environment within which the business operates 
• ensures that Information Security Governance arrangements are appropriate 

• ensures that the organisation complies with legal and regulatory requirements 

E2 – Secure Operations & Service Delivery 

Principles: 

• securely configures and maintains information, control and communications equipment in accordance with relevant security policies, standards and guidelines. This includes the configuration of Information Security devices (e.g., firewalls) and protective monitoring tools (e.g., SIEM) 
• implements security policy (e.g., patching policies) and Security Operating Procedures in respect of system and/or network management 

• undertakes routine technical vulnerability assessments 
• maintains security records and documentation in accordance with Security Operating Procedures 
• administers logical and physical user access rights 
• monitors processes for violations of relevant security policies (e.g., acceptable use, security, etc.) 

G3 – Identity and Access Management (IAM/IdM) 

Principles: 

• directs, oversees, designs, implements, contributes to, or operates within identity and access management policies, procedures, processes and controls to ensure that access by individuals to IT and information resources is controlled effectively, operating within legal and regulatory constraints and meeting business requirements 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

Any roles to that many have acquired skills that can be applied to an Identity & Access Management role that involves detailed, methodical work and the application of security rules. 

With the addition of specialist training, roles that may provide a good foundation for a position in this specialism include: 

• police services: communication security, data management or information security 
• Armed Forces: communication security, data management or information security 

• business information management 
• finance, especially in compliance or KYC roles 
• legal services 
• security, especially personnel and technical 

Linked Specialisms 

• Secure Operations 
• Cryptography and Communications Security 
• Data Protection and Privacy 

Moving On 

From a role in Identity & Access Management, you might move to a position in one of these other cyber security specialisms: 

• Data Protection & Privacy  
• Secure Operations 

• Cyber Security Governance & Risk Management 

With experience, you might progress within the Identity and Access Management specialism to become a Chief Data Protection Officer. 

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training