The system must allow superusers or system administrators to disable user accounts.
CIS Controls. 16.7 Establish Process for Revoking Access: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor.
HIPAA Security Rules 164.308(a)(3)(ii)(A): Authorization and/or supervision (Addressable): Implement procedures for the authorization or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
ISO 27001:2013. Annex A - 9.2.1: Implement a formal process for user registration and deletion to enable the assignment of access rights.
ISO 27001:2013. Annex A - 9.2.2: Implement a formal access granting process to assign or revoke access rights to all types of users to systems and services.
NERC CIP-004-6. B. Requirements and measures. R5: Each Responsible Entity shall implement one or more documented access revocation program(s).
PCI DSS v3.2.1 - Requirement 8.1.2: Control addition, deletion and modification of user IDs, credentials and other identifier objects.