TL;DR: Compliance is reframed as a structured access-governance exercise in ISO 27001, with recurring risk assessment, documentation, policy approval, and access reviews at the centre of audit readiness and security posture, according to Zluri. The real takeaway is that ISO 27001 fails when access evidence, lifecycle controls, and review cadence drift apart.
At a glance
What this is: A step-by-step ISO 27001 checklist focused on ISMS, risk assessment, documentation, and access reviews.
Why it matters: It matters because ISO 27001 compliance depends on identity governance working across human access, service accounts, and privileged reviews, not just on policy documentation.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
👉 Read Zluri's 10-step ISO 27001 access management checklist
Context
ISO 27001 is an information security management standard, but in practice it succeeds or fails on whether identity controls are documented, reviewable, and actually enforced. For IAM teams, the checklist is less about paperwork and more about proving that access, risk treatment, and evidence collection are tied together across the organisation.
The article centres on access reviews, policy approval, risk assessment, and recordkeeping, which makes it especially relevant to human IAM and non-human identity governance. Where access is broad, stale, or poorly evidenced, ISO 27001 becomes difficult to sustain because the audit trail and the live control state no longer match.
That gap is familiar in environments where service accounts and privileged entitlements outgrow the governance process around them. The practical question is not whether a checklist exists, but whether it can surface who or what still has access, why that access exists, and whether the organisation can prove it.
Key questions
Q: How should security teams run ISO 27001 access reviews in mixed identity environments?
A: They should review human users, privileged accounts, and non-human identities in one governed workflow so the evidence set is complete. The key is to confirm business need, approved access, and remediation outcome together, then retain the records for audit and follow-up. Separate processes create blind spots that auditors will notice quickly.
Q: Why do ISO 27001 programmes fail when access evidence is incomplete?
A: They fail because the standard depends on proof that controls are operating, not just that policies exist. If approval records, entitlement lists, and revocation actions do not match, the organisation cannot show that access is controlled. That weakens both compliance confidence and real security posture.
Q: What do teams get wrong about the statement of applicability?
A: They treat it as a static compliance document instead of the control map that links risk decisions to ongoing operations. The SoA should explain why a control exists, who owns it, and how its performance is evidenced over time. Without that, the ISO 27001 programme becomes documentation without governance.
Q: Who is accountable when ISO 27001 access reviews miss stale access?
A: The accountable owner is the control owner for the review process, usually supported by IAM, security, and business managers who approve or remediate access. ISO 27001 expects responsibility to be explicit, because a review that finds no issues is only useful if the organisation can prove it covered the right identities and acted on findings.
Technical breakdown
How ISO 27001 turns access control into audit evidence
ISO 27001 is not just a control catalogue. It asks an organisation to define scope, assess risk, document controls in a statement of applicability, and keep evidence that those controls are operating. In identity terms, this means access reviews, role definitions, approval paths, and exception handling must be observable and repeatable. A policy without proof of execution does not hold up well in an audit because ISO 27001 cares about consistency between stated control and actual practice.
Practical implication: tie access governance records to a control owner, a review cadence, and a stored evidence trail that auditors can verify.
Why access reviews are the hinge point for ISO 27001
Access reviews are where policy meets reality. They test whether users, administrators, and service accounts still need the entitlements they have, whether access was approved for the right reason, and whether changes were acted on. In ISO 27001 programmes, weak access review discipline often exposes deeper issues such as stale approvals, undocumented exceptions, and overbroad privileges. The standard does not only care that reviews happen, but that they are timely, complete, and tied to remediation.
Practical implication: review not only human access but also privileged and non-human entitlements, then prove removals happened.
Statement of applicability, lifecycle control, and privileged access governance
The statement of applicability is the bridge between risk assessment and control selection. It explains which controls are in scope and why, so it becomes the anchor for lifecycle governance across joiners, movers, leavers, privileged access, and non-human credentials. In practice, ISO 27001 programmes break down when lifecycle events are handled inconsistently, because offboarding, rotation, and recertification stop matching the documented control set. That creates evidence gaps as well as security gaps.
Practical implication: map identity lifecycle steps to the statement of applicability so offboarding, rotation, and recertification remain auditable.
NHI Mgmt Group analysis
ISO 27001 compliance fails fastest when identity evidence is fragmented. The checklist in this article treats risk assessment, documentation, and access reviews as separate tasks, but auditors experience them as one control story. If access records, policy approvals, and remediation evidence do not line up, the programme looks compliant on paper and weak in operation. Practitioners should read ISO 27001 as an evidence-coherence problem, not a document-generation exercise.
Access review governance is the most exposed control in most ISO 27001 programmes. The article repeatedly returns to access control and reporting, which reflects a deeper reality: review processes are often the only place where stale entitlements are forced back into visibility. When reviews are manual or incomplete, the organisation loses its best chance to prove least privilege across human and non-human identities. The practitioner conclusion is that review quality matters more than review volume.
Statement of applicability discipline is the named concept most teams underuse. The SoA is not a static annex; it is the control logic that should explain why each identity-related safeguard exists and how it is governed over time. That matters because ISO 27001 often fails in the gap between risk identification and ongoing control operation. Practitioners should treat the SoA as the living map that links governance intent to access reality.
Lifecycle governance is the missing link between certification and actual security posture. The article discusses policy publication, documentation, training, and continual improvement, but those controls only hold if joiner, mover, leaver, and privileged access processes are consistently executed. Where service accounts, API keys, and user entitlements move faster than the governance process, certification becomes an annual snapshot rather than an operating model. Practitioners should align lifecycle control with the ISMS rather than leaving it adjacent to compliance work.
ISO 27001 should be used to expose identity sprawl, not just satisfy auditors. The strongest programmes use the standard to uncover who has access, why that access exists, and whether the organisation can prove current need. That is especially important where access is shared across human users and non-human identities, because sprawl tends to hide in plain sight until review time. Practitioners should use certification work to shrink the gap between entitlement, approval, and evidence.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- For a broader lifecycle lens, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding controls shape auditability.
What this signals
Statement of applicability discipline is becoming an identity governance requirement, not just an audit artefact. When certification work exposes gaps between policy and actual access, the next maturity step is to connect review evidence to lifecycle workflows and exception handling. The organisations that do this well will be able to prove control operation across human accounts, privileged access, and non-human identities without relying on manual reconciliation.
ISO 27001 programmes should now be evaluated on whether they can surface service-account visibility, entitlement ownership, and remediation completion in the same control plane. In environments where access is distributed across teams and systems, the governance burden shifts from periodic documentation to continuous evidence generation.
The most practical signal is simple: if you cannot explain why an identity still has access, you probably cannot defend it in an audit. That is why identity lifecycle and access review alignment should be treated as core ISO 27001 work, not a side project.
For practitioners
- Map identity controls to the statement of applicability: Document which access controls, review steps, and offboarding tasks are in scope for ISO 27001 and assign a named owner for each one.
- Expand access reviews beyond human accounts: Include service accounts, API keys, privileged entitlements, and third-party access in the same review cycle so the evidence set reflects real access paths.
- Link every approval to stored remediation evidence: Keep the review record, the approver, the decision, and the revocation or exception follow-up together so auditors can trace the full control path.
- Reconcile lifecycle events with ISO control ownership: Check that joiner, mover, leaver, rotation, and recertification workflows still match the controls described in policy after every major system or organisational change.
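One way to operationalise the evidence-linking and reconciliation points above, written as an added example that is not from the page or from Zluri: a checker that reads the three exports an auditor asks for (live entitlements, review decisions, remediation log) and flags every break between them, covering human and non-human identities in one pass. Identity names, resources, dates and the 90-day cadence are constructed assumptions.

```python
from collections import namedtuple
from datetime import date

# Constructed sample records (not from the original page), shaped like the three
# exports an auditor asks for: live entitlements, review decisions, remediation log.
ENTITLEMENTS = [  # (identity, identity_type, resource) currently live
    ("alice", "human", "prod-db:admin"),
    ("bob", "human", "prod-db:read"),
    ("svc-billing", "service", "prod-db:admin"),
    ("svc-legacy", "service", "vault:read"),
    ("apikey-ci-7", "api_key", "artifact-repo:write"),
]
APPROVALS = [  # (identity, resource, approver, decision, decided_on)
    ("alice", "prod-db:admin", "dba-lead", "keep", date(2025, 5, 1)),
    ("svc-billing", "prod-db:admin", "dba-lead", "revoke", date(2025, 5, 1)),
    ("svc-legacy", "vault:read", "platform-lead", "revoke", date(2025, 5, 1)),
    ("apikey-ci-7", "artifact-repo:write", "ci-owner", "keep", date(2024, 9, 1)),
]
REMEDIATIONS = [  # (identity, resource, action, completed_on)
    ("svc-billing", "prod-db:admin", "revoked", date(2025, 5, 3)),
]
TODAY = date(2025, 6, 26)  # review date assumed for the sample

Finding = namedtuple("Finding", "identity kind resource issue")

def reconcile(entitlements, approvals, remediations, today, cadence_days=90):
    """Cross-check live entitlements against the latest review decision and the
    remediation log; return one Finding per break in the evidence chain."""
    latest = {}  # (identity, resource) -> (approver, decision, decided_on)
    for ident, res, approver, decision, when in approvals:
        if (ident, res) not in latest or when > latest[(ident, res)][2]:
            latest[(ident, res)] = (approver, decision, when)
    remediated = {(i, r) for i, r, _, _ in remediations}
    findings = []
    for ident, kind, res in entitlements:
        rec = latest.get((ident, res))
        if rec is None:  # live access that no review round ever decided on
            findings.append(Finding(ident, kind, res, "no approval record"))
            continue
        if (today - rec[2]).days > cadence_days:  # review cadence was missed
            findings.append(Finding(ident, kind, res, "approval older than cadence"))
        if rec[1] == "revoke":  # decision says gone, live state says still here
            issue = ("remediation logged but access still live" if (ident, res) in remediated
                     else "revoke decided but never remediated")
            findings.append(Finding(ident, kind, res, issue))
    return findings

def run_review():
    return reconcile(ENTITLEMENTS, APPROVALS, REMEDIATIONS, TODAY)
```

Each finding names the identity type, so a review that closes cleanly for human users but leaves service accounts or API keys unresolved is visible in the same output rather than in a separate process.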
Key takeaways
- ISO 27001 compliance is only as strong as the organisation’s access evidence, review discipline, and lifecycle governance.
- The biggest control weakness is usually not policy design, but the gap between documented controls and the identities that still hold access.
- Teams that align the statement of applicability with real access reviews and offboarding workflows will produce cleaner audits and a stronger security posture.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access control reviews and least privilege are central to the checklist. |
| NIST CSF 2.0 | GV.RM-01 | Risk assessment and control selection drive the ISMS process. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Continuous verification supports the article's access-control and audit focus. |
Use zero-trust principles to validate identity, privilege, and access decisions continuously.
Key terms
- Information Security Management System: An Information Security Management System is the set of policies, processes, controls, and evidence an organisation uses to govern information security. In ISO 27001 terms, it must be scoped, documented, reviewed, and operated consistently so the organisation can prove control effectiveness, not just describe it.
- Statement Of Applicability: The statement of applicability is the control map that explains which ISO 27001 controls are in scope and why. It connects risk assessment outcomes to selected safeguards, and it should be maintained as a living record that reflects real operational change, ownership, and evidence.
- Access Review: An access review is a formal check that confirms whether an identity still needs its assigned permissions. In a mature programme, it covers users, administrators, and non-human identities, and it should lead to documented approval, removal, or exception handling that can be audited later.
- Non-Human Identity: A non-human identity is any machine or workload credential used to authenticate and access systems, including service accounts, API keys, tokens, and certificates. In governance terms, these identities need lifecycle control, visibility, and periodic review because they often persist longer and at broader privilege than human access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Access Management 10-Step ISO 27001 Checklist. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org