9.1 Identification, Authentication, Authorization, and Accountability

Key Takeaways

  • Identification is the claim of identity, such as entering a username or presenting an employee badge number.
  • Authentication verifies the identity claim using evidence such as a password, token, biometric, certificate, or MFA challenge.
  • Authorization determines what an authenticated subject is allowed to do.
  • Accountability depends on unique identities, logging, monitoring, and reviewable audit trails.
  • Shared accounts weaken accountability because actions cannot be reliably tied to one person.

Last updated: April 2026

Key Concepts

The identity and authorization lifecycle is easier to understand when you separate four ideas: identification, authentication, authorization, and accountability. They often happen close together, but they are not the same control. The ISC2 CC exam commonly tests whether you can tell them apart in a scenario.

Identification is the act of claiming an identity. A user types a username, scans an employee badge number, enters an email address, or selects a smart card certificate. At this point, the system has heard a claim, but it has not proven the claim is true. Anyone can type a username, so identification alone is not enough for access.

Authentication verifies the claim. The system asks for evidence that the subject is who they claim to be. That evidence may be something the subject knows, such as a password or PIN; something the subject has, such as a hardware token, mobile authenticator, smart card, or certificate; or something the subject is, such as a fingerprint or face biometric. Authentication can also include contextual signals such as device posture, location, or risk scoring, but those are usually supporting signals rather than standalone proof.

Authorization comes after authentication. It decides what the authenticated subject may do. A payroll clerk and a payroll supervisor may both authenticate successfully, but they should not receive identical access. The clerk may enter timecard corrections, while the supervisor may approve a payroll batch. If authentication answers "Who are you?", authorization answers "What are you allowed to do?"

Accountability means actions can be traced to the responsible subject. It depends on unique user IDs, accurate time stamps, logs, monitoring, and controls that prevent users from hiding their activity. Shared accounts damage accountability. If five administrators all sign in as "root" or "admin" with the same password, a log entry may show that the account changed a firewall rule, but it may not show which person performed the change. A better design gives each administrator a unique account and uses privileged access tooling to elevate, record, and review sensitive activity.

Exam Application

Here is a simple flow:

| Step | Example |
|---|---|
| Identification | User enters riley.chen@company.example |
| Authentication | User enters password and approves MFA push |
| Authorization | System grants help desk role permissions |
| Accountability | Logs record Riley resetting a specific user's password at a specific time |

This distinction matters during incident response. Suppose a terminated employee's account was used to download files after their last day. Identification tells you which account was used. Authentication logs may show whether a valid password, token, or session was accepted. Authorization shows what access that account still had. Accountability logs help determine what was accessed, from where, and when. The real control failure may be delayed deprovisioning, excessive permissions, missing MFA, or weak monitoring.
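The flow in the table above and the incident-review questions in the previous paragraph, as an added Python example that is not part of the original page: the directory, account names, passwords, roles and log entries are constructed sample values. Each of the four steps is its own function, the audit log is what accountability rests on, the `enabled` flag models deprovisioning, and the `accounts_that_touched` review shows why a shared "admin" login leaves the log unable to say which person acted.

```python
import hashlib, hmac, os
# Role-to-permission table, constructed to match the page's help desk and payroll examples.
ROLE_PERMISSIONS = {"help_desk": {"reset_password"}, "payroll_clerk": {"enter_timecard"},
                    "payroll_supervisor": {"enter_timecard", "approve_batch"}}
AUDIT_LOG = []  # accountability trail: one entry per authorization decision

def _hash(password, salt):
    # Salted PBKDF2 so the directory never stores clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(username, password, role, mfa_required=True):
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "pw_hash": _hash(password, salt),
            "role": role, "mfa_required": mfa_required, "enabled": True}

# Constructed directory: one unique identity and one shared "admin" login without MFA.
DIRECTORY = {a["username"]: a for a in (
    make_account("riley.chen@company.example", "correct-horse-battery", "help_desk"),
    make_account("admin", "shared-secret", "help_desk", mfa_required=False),
)}

def identify(username):
    """Step 1, identification: look up the claimed identity; nothing is proven yet."""
    return DIRECTORY.get(username)

def authenticate(account, password, mfa_approved):
    """Step 2, authentication: password (something you know) plus an approved MFA push."""
    if account is None or not account["enabled"]:  # unknown or deprovisioned account
        return False
    if not hmac.compare_digest(_hash(password, account["salt"]), account["pw_hash"]):
        return False
    return mfa_approved or not account["mfa_required"]

def authorize(account, action):
    """Step 3, authorization: what this authenticated subject may do, decided by role."""
    return action in ROLE_PERMISSIONS.get(account["role"], set())

def perform(username, password, mfa_approved, action, target, ts):
    """Run all four steps; step 4, accountability, is the audit log entry written here."""
    account = identify(username)
    if not authenticate(account, password, mfa_approved):
        return "authentication failed"
    allowed = authorize(account, action)
    AUDIT_LOG.append({"ts": ts, "account": account["username"], "action": action,
                      "target": target, "result": "allowed" if allowed else "denied"})
    return "allowed" if allowed else "denied"

def accounts_that_touched(target):
    """Incident review: the account names the log can tie to a given target."""
    return sorted({e["account"] for e in AUDIT_LOG if e["target"] == target})
```

Because two people who both sign in as "admin" produce identical log entries, the review can only name the account, not the person; a unique account per administrator is what makes the last step meaningful.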

Identity controls also apply to nonhuman subjects. A service account used by an application must be identifiable, authenticated, authorized, and accountable. It should have a clear owner, a documented purpose, limited permissions, protected credentials, and logs that show its activity. An AI bot that queries an internal knowledge base should not run as an unnamed superuser. It should use a controlled identity so its access and actions can be reviewed.

The current CC exam outline is effective October 1, 2025, with a new outline effective September 1, 2026. The current exam uses computerized adaptive testing (CAT), allows 2 hours, includes 100-125 items, and requires a passing score of 700 out of 1000. Across the five current domains, the weights are 26, 10, 22, 24, and 18 percent. Do not rely on public pass-rate claims; focus on the official objectives and on recognizing scenarios clearly.

Test Your Knowledge

A user enters a username into a login page. Which step has occurred?

Two employees authenticate successfully, but one can approve payroll and the other cannot. What control decision is different?

Why are shared administrator accounts a problem?
