
Practitioner Reference · Identity & Access

The IAM Framework Citation Gap

What standards say versus what practitioners think they say. The four ways an ISO or NIST citation parts ways with its source, and how to defend each one to an auditor.

Author: Vidyaa Ganesh
Publisher: Identara
Published:
Format: PDF · 11 pages
Version: 1.0
Style: Identara house
Suggested Citation: Ganesh, V. (2026). “The IAM Framework Citation Gap: What Standards Say vs. What Practitioners Think They Say.” Identara. Retrieved from https://identara.ca/papers/iam-framework-citation-gap/


Abstract

What the standard says, and what the field believes it says.

IAM practitioners rely on a small set of frameworks to defend their work, and the citations do not always match what the documents say. The mismatches are not confined to obscure corners. They appear on the controls teams are most confident about, where a reference to ISO or NIST diverges from the source. This paper maps how those citations fail, through four patterns observed in practice: the wrong concept, the wrong document, the stale edition, and the invented requirement. Each is worked against the primary source at a named edition, so the distance between what a standard says and what the field believes it says is visible.

The paper then turns to application. It sets out how to defend each citation to an auditor, and it addresses the question every practitioner reaches, whether the frameworks can be relied on alone. They cannot, and the closing sections describe what carries the remaining weight once the citation is correct: the risk and architecture decisions the standards leave to the organization, and the evidence that a control is working. A reference table pairs the most-cited IAM concepts with the controls that ground them.

Keywords: IAM Frameworks, Citation Accuracy, ISO 27002, NIST 800-53, NIST 800-63, Identity Proofing, Access Recertification, Audit

The Framework

Four ways a citation fails.

Each pattern is worked against the primary ISO or NIST source at a named edition, then shown how to defend.

01 Wrong concept
A requirement for one thing is used to justify another. An authoritative source of identity argued from identity proofing, which only verifies a person at enrolment.

02 Wrong document
The right concept cited to the wrong document in a family. Access-rights guidance attributed to ISO 27001 when it actually lives in 27002.

03 Stale edition
A rule from a superseded edition outlives the text that retired it. Scheduled password rotation, read as an ISO-versus-NIST conflict both standards already ended.

04 Invented requirement
A specific rule attributed to a standard that never stated it. Quarterly access recertification, a convergent convention no IAM framework mandates.

Contents

What’s inside the paper.

  01. Introduction: citations travel faster than anyone reopens the source
  02. Why the frameworks matter
  03. Scope and method: each claim checked against the primary text
  04. The wrong concept: identity proofing answers a different question
  05. The wrong document: 27001 gets the credit, 27002 does the work
  06. The stale edition: the password fight both standards already ended
  07. The invented requirement: the quarterly rule no standard wrote
  08. Why these gaps persist
  09. Validating a citation before you rely on it
  10. Using a citation in practice, and defending it to an auditor
  11. Can you rely on the frameworks alone?
  12. Reference: IAM concepts and their citations
  REF. References (5 sources)

If you cite this paper or reference it in your work, please use the citation block above.