TL;DR: ISO 27001 Control A.9.2.5 requires access reviews at intervals appropriate to risk, and Zluri argues that annual, spreadsheet-driven cycles often fail because they lack documented rationale, continuous improvement evidence, and complete coverage. Convenience-based cadences do not satisfy auditors when high-risk access is involved.
At a glance
What this is: This article argues that ISO 27001 access review frequency must be justified by risk, not by an annual calendar habit.
Why it matters: For IAM, IGA, and PAM teams, the lesson is that review cadence, scope, and evidence quality must vary by privilege and asset risk across human accounts, service accounts, and delegated access.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read Zluri's guidance on ISO 27001 access review frequency and risk
Context
ISO 27001 access review frequency is a governance problem, not a scheduling problem. Control A.9.2.5 expects regular reviews at intervals appropriate to risk, which means the organisation must justify why a given cadence fits the criticality of the system, the privilege level of the account, and the exposure created by access.
That creates a direct link between identity governance and certification readiness. When review cycles are driven by convenience, the result is usually the same pattern: broad access inventories, weak rationale for timing, incomplete coverage, and little evidence that the programme improves from one cycle to the next.
Key questions
Q: What breaks when ISO 27001 access reviews are scheduled on a fixed annual cycle?
A: Fixed annual cycles break the risk-based logic ISO 27001 expects for access review controls. High-risk systems, privileged access, and third-party entitlements need a cadence that matches exposure, not convenience. If the organisation cannot show why annual review is appropriate, auditors can treat the control as poorly designed even if reviews were completed on time.
Q: When should organisations review access more frequently under ISO 27001?
A: Organisations should increase review frequency when the asset is sensitive, the privilege level is high, the user is external or short term, or the system could create regulatory, financial, or customer harm. The right cadence follows risk assessment, so a change in exposure should trigger a change in interval, not a fixed yearly habit.
Q: How do you know if access reviews are actually working?
A: They are working when the programme shows complete scope, clear reviewer accountability, timely remediation, and measurable improvement from one cycle to the next. Falling exception rates, faster correction, and better discovery of hidden access are stronger signals than simply saying reviews were performed.
Q: Who is accountable when access review findings are not remediated?
A: Accountability should sit with the control owner, the business owner for the system, and the governance function that validates closure evidence. ISO 27001 expects the management system to prove action, not just detection, so unresolved findings become a governance issue as soon as they remain open across the next review cycle.
Technical breakdown
Risk-based access review frequency in ISO 27001
ISO 27001 does not prescribe one access review interval for every system. Instead, the organisation must translate risk assessment into a defensible cadence. High-impact assets, elevated privileges, third-party access, and regulated data justify more frequent review than low-risk collaboration tools. Auditors are not just checking that reviews happened. They are checking whether the timing, scope, and evidence trail follow the documented risk model.
Practical implication: Use risk tiering to assign review frequency, then keep the rationale with the control evidence.
Why spreadsheet-based access reviews break down
Spreadsheets can record a review, but they do not prove completeness, timeliness, or control maturity. Manual exports miss hidden applications, service accounts, and access changes made between review cycles. They also make it hard to show remediation, track reviewer accountability, or demonstrate continuous improvement through the PDCA cycle. In practice, the tool becomes a container for evidence rather than a governance system.
Practical implication: Treat spreadsheet reviews as a temporary bridge, not a certification-grade operating model.
Continuous improvement is part of the control
ISO 27001 expects the access review programme to improve, not merely repeat. If year one, year two, and year three all look identical, auditors can reasonably question the management system’s maturity. The strongest programmes show better coverage, faster remediation, fewer recurring exceptions, and clearer linkage between risk changes and updated cadence. That is what turns access review from a compliance ritual into a governed control.
Practical implication: Track review cycle time, exceptions found, and remediation speed so each cycle produces evidence of maturity.
NHI Mgmt Group analysis
Convenience-based review frequency is a control design failure, not an administrative shortcut. ISO 27001 Control A.9.2.5 requires intervals that match risk, so annual reviews for high-risk access are not merely slow, they are unjustified. The governance problem is the assumption that one calendar can safely govern all access classes. Practitioners should treat cadence as a control decision tied to asset criticality and privilege level.
Visibility is the precondition for risk-based access governance. If the organisation cannot see all applications, accounts, and service identities, it cannot defend any review frequency with confidence. That is especially true for hidden or shadow systems, where access may exist outside the formal review boundary. The implication is simple: incomplete discovery makes certification evidence fragile.
Access reviews are only meaningful when remediation and re-assessment are part of the same loop. The control is not the spreadsheet, the meeting, or the attestation form. The control is the full cycle from identification through correction, then back into a revised risk posture. Where that loop is absent, auditors see activity, not governance.
Service account review is the overlooked test of identity maturity. Human users are usually visible in review workflows, but machine identities often sit outside manager-owned processes and therefore outside recertification discipline. That gap matters because long-lived non-human access can carry higher blast radius than a normal user account. The practitioner conclusion is that NHI governance must be built into ISO 27001 review scope, not appended later.
Risk-based frequency is strongest when it becomes a named control concept, not a vague policy statement. We call this the review cadence rationale gap: the distance between a documented risk assessment and the actual timing of access reviews. When that gap exists, certification findings are predictable. Closing it requires more than better wording; it requires a defensible governance model that ties risk to interval and evidence.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For lifecycle control detail, see NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding steps that keep review evidence current.
What this signals
The practical signal for identity teams is that ISO 27001 access review programmes will be judged less on calendar consistency and more on whether the organisation can prove that cadence, scope, and remediation reflect actual risk. Where service accounts and other non-human identities sit outside the review boundary, the certification story weakens quickly. This is the review cadence rationale gap: when the risk assessment says one thing and the review schedule says another, auditors will follow the evidence rather than the policy language.
The hidden planning issue is discovery. If teams cannot reliably inventory all entitlements, review frequency becomes a debate about incomplete data rather than control design. That is why linkage to the NIST Cybersecurity Framework 2.0 matters: identify and protect functions depend on accurate asset and access visibility before any meaningful review cycle can be defended.
For programmes that already run recertification, the next step is to separate administrative completion from governance quality. The organisation should expect pressure to shorten cycles for high-risk systems and to demonstrate that actions taken after each review actually reduce future exposure, not just close tickets. That is where the control stops being a document and starts becoming an operating discipline.
For practitioners
- Map review cadence to risk tiering: Classify systems by data sensitivity, privilege level, and third-party exposure, then assign a review frequency that is explicitly justified in the ISMS.
- Add service accounts to the review population: Include integration accounts, batch accounts, and automation identities in the same review process as human users, because auditors will treat excluded access as incomplete scope.
- Document the rationale for every interval choice: Record why a system is monthly, quarterly, semi-annual, or annual, and keep that rationale aligned to the latest risk assessment and management review minutes.
- Measure whether the programme improves each cycle: Track person-hours, exception counts, remediation time, and access coverage so each review round produces evidence of PDCA rather than a repeated administrative task.
- Replace manual compilation with discoverable evidence: Use a control process that can prove all applications, identities, and entitlements were in scope, rather than relying on exports from system owners alone.
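As an added example (not from Zluri's article or the NHIMG post), the steps above as one small check: a constructed entitlement inventory is tiered by the risk factors named here, the interval the tier justifies is compared with the scheduled one to surface the review cadence rationale gap, and review scope coverage is computed per identity type. The weights, thresholds, field names and sample data are assumptions for illustration.

```python
from dataclasses import dataclass
# Illustrative tiering rules, assumed for this example (not ISO 27001 text); document your own mapping in the ISMS.
INTERVAL_DAYS = {"monthly": 30, "quarterly": 90, "semi-annual": 180, "annual": 365}

@dataclass
class Entitlement:
    system: str
    identity: str
    identity_type: str  # "human" or "service"
    sensitivity: str    # "low", "medium" or "high" data sensitivity
    privileged: bool    # elevated privilege on the system
    third_party: bool   # external or vendor access
    scheduled: str      # cadence actually written into the review calendar
    in_scope: bool      # included in the current review population

def risk_score(e: Entitlement) -> int:
    """Additive score over the risk factors the article names; weights are assumed."""
    score = {"low": 0, "medium": 1, "high": 2}[e.sensitivity]
    score += 2 if e.privileged else 0
    score += 1 if e.third_party else 0
    score += 1 if e.identity_type == "service" else 0  # long-lived NHI access
    return score

def required_cadence(e: Entitlement) -> str:
    """Translate the risk score into the interval the risk assessment justifies."""
    s = risk_score(e)
    return "monthly" if s >= 4 else "quarterly" if s >= 2 else "semi-annual" if s >= 1 else "annual"

def cadence_gaps(entitlements):
    """Review cadence rationale gaps: the scheduled interval is longer than risk justifies."""
    return [(e.system, e.identity, e.scheduled, required_cadence(e))
            for e in entitlements
            if INTERVAL_DAYS[e.scheduled] > INTERVAL_DAYS[required_cadence(e)]]

def scope_coverage(entitlements):
    """Share of entitlements inside review scope, per identity type (1.0 = complete)."""
    cov = {}
    for t in ("human", "service"):
        group = [e for e in entitlements if e.identity_type == t]
        cov[t] = sum(e.in_scope for e in group) / len(group) if group else 1.0
    return cov

# Constructed sample inventory, not real data.
SAMPLE = [
    Entitlement("payroll", "alice", "human", "high", True, False, "annual", True),
    Entitlement("wiki", "bob", "human", "low", False, False, "annual", True),
    Entitlement("payroll", "svc-batch", "service", "high", True, False, "annual", False),
    Entitlement("crm", "vendor-x", "human", "medium", False, True, "quarterly", True),
]
```

Running `cadence_gaps(SAMPLE)` flags the two privileged payroll entitlements left on an annual cycle, and `scope_coverage(SAMPLE)` shows the service account population at zero coverage, which is exactly the excluded-scope finding the list above warns about.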
Key takeaways
- ISO 27001 access review frequency must be justified by risk, not by the convenience of a yearly calendar.
- Manual spreadsheet processes can record review activity, but they rarely prove completeness, remediation, or continuous improvement.
- Service accounts and other non-human identities must sit inside the review scope if the certification evidence is to hold up.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Access governance depends on accurate identity and entitlement inventory. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege review aligns directly with access review frequency decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Service accounts and long-lived credentials must be discovered and governed in review scope. |
Inventory identities and entitlements before setting review cadence, then validate scope continuously.
Key terms
- Risk-based access review: An access review model where the timing and scope of recertification are determined by assessed risk rather than a fixed calendar. In practice, sensitive systems, elevated privileges, and external access demand tighter review intervals and stronger evidence than low-risk applications.
- Control A.9.2.5: ISO 27001 control that requires regular reviews of user access rights at intervals appropriate to risk. The control is judged by whether the organisation can justify its cadence, show complete coverage, and prove that findings are remediated within the governance process.
- PDCA cycle: Plan, Do, Check, Act is the continuous improvement loop used by ISO 27001. For access reviews, it means designing the control, operating it, measuring outcomes, and then changing the process when risks, findings, or operating conditions shift.
- Review cadence rationale gap: A mismatch between the documented risk assessment and the actual timing of access reviews. This gap appears when organisations can say when reviews happen, but cannot prove why that frequency is appropriate for the risk profile of the system or identity type.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A risk-to-frequency matrix that maps asset criticality and privilege level to review cadence.
- Examples of audit-ready documentation that justify annual, quarterly, or monthly reviews.
- The access review workflow details needed to move from Excel tracking to a governed operating model.
- Guidance on continuous-improvement evidence for ISO 27001 certification audits.
Deepen your knowledge
NHI governance, identity lifecycle, and workload identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org