TL;DR: ISO 27001 requires organisations to define ISMS scope, assess risk, assign leadership accountability, monitor controls, and evidence continual improvement, according to Zluri’s compliance guide. The real governance test is whether access review, certification, and remediation processes can keep pace with changing entitlements across human, machine, and workload identities.
At a glance
What this is: A compliance guide that breaks down ISO 27001 clauses 4 to 10 and highlights access review automation as a practical control gap for identity programmes.
Why it matters: ISO 27001 turns access governance, documentation, and continuous review into audit-visible identity obligations that span human users, NHIs, and privileged processes.
By the numbers:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Zluri's ISO 27001 requirements guide for access review and compliance detail
Context
ISO 27001 is a governance framework for an information security management system, not just a checklist of controls. In identity terms, its core value is that it forces organisations to define scope, ownership, review cadence, and evidence for access decisions across human accounts, service accounts, and other non-human identities.
Zluri’s article focuses on the operational burden of access reviews and certification, which is where many programmes break down in practice. When entitlement changes outpace manual review cycles, compliance becomes a reporting exercise instead of a control outcome, especially for environments with distributed applications and mixed identity types.
Key questions
Q: How should teams make ISO 27001 access reviews defensible for audits?
A: Treat each review as evidence, not a task list. Capture the reviewer, the entitlement, the business justification, the decision, and the remediation outcome in a record that audit can follow end to end. If reviewers cannot explain why access remains necessary, the control is too weak to defend.
Q: Why do access review programmes fail even when they are completed on time?
A: They fail when completion is mistaken for control effectiveness. A timely review that does not identify stale access, inherited privilege, or missing ownership produces compliance theatre, not risk reduction. The question is whether the review changes permissions and proves accountability, not whether it was filed on schedule.
Q: What do organisations get wrong about ISO 27001 and identity governance?
A: They often treat ISO 27001 as a documentation exercise instead of an operational control system. The standard expects the organisation to define scope, assess risk, review access, and correct nonconformities in a repeatable loop. If the loop is weak, the certificate may exist while the control is failing.
Q: Who is accountable when access review gaps affect compliance?
A: Accountability sits with the control owner, the reviewer, and the management function that accepted the risk. ISO 27001 is explicit that leadership must resource and oversee the ISMS, so recurring review gaps are not just analyst errors. They are governance failures that management must correct.
Technical breakdown
ISO 27001 clauses 4 to 6: scope, risk, and treatment planning
Clauses 4 to 6 establish the ISMS boundary, identify what must be protected, and force the organisation to assess risk before selecting controls. In identity programmes, that means mapping who or what can access systems, documenting dependencies, and deciding what level of access risk is acceptable. The standard does not prescribe one tooling model, but it does require a repeatable risk treatment process and accountable ownership for the controls that follow.
Practical implication: define access governance scope explicitly before you automate reviews or certifications.
Access review and certification as an ISO 27001 control evidence problem
ISO 27001 expects organisations to demonstrate that access permissions are reviewed, corrected, and recorded as part of the ISMS. That makes access review more than an IAM task. It becomes evidence that entitlements are still aligned to role, purpose, and risk. Manual review often fails because reviewers lack context on entitlement sprawl, inherited permissions, and stale accounts. Centralising evidence does not solve governance by itself, but it does make review, sign-off, and audit trails consistently defensible.
Practical implication: use access review outputs as control evidence, not just operational housekeeping.
Continuous monitoring and improvement under clause 10
Clause 10 closes the loop by requiring nonconformities, corrective actions, and continual improvement. In identity governance, that means access exceptions, overdue reviews, and remediation failures should feed back into policy, not just into tickets. The control is only effective if the organisation can show that findings change future behaviour. This is where ISO 27001 becomes a management system rather than a one-time certification event.
Practical implication: connect review failures to corrective actions that update policy, not just permissions.
NHI Mgmt Group analysis
ISO 27001 exposes an access governance problem, not a documentation problem. The article frames access review, certification, and corrective action as evidence of a functioning ISMS. That is the right lens: compliance fails when access decisions are not tied to a repeatable control loop, not when paperwork is missing. For identity leaders, the practitioner conclusion is that auditability has to be built into the entitlement lifecycle.
Access review fatigue is a control-quality issue, not an operational inconvenience. The guide repeatedly stresses routine evaluation, but manual certification at scale is where governance degrades. When reviewers cannot distinguish active need from inherited privilege, the review becomes ceremonial. That is especially true where service accounts and shared application access are involved. For practitioners, the lesson is that review quality matters more than review volume.
Continuous improvement is the real test of ISO 27001 maturity. Clause 10 matters because it forces organisations to turn nonconformities into changes in process, ownership, and evidence retention. If recurring access exceptions are not changing governance behaviour, the ISMS is only proving that the same weak pattern can be re-documented. The practitioner takeaway is to treat repeated review failures as systemic control drift.
Lifecycle governance is where ISO 27001 and NHI management meet. The article’s emphasis on assigning roles, reviewing access, and correcting over-privilege maps directly to NHI lifecycle discipline for service accounts, API keys, and other machine identities. The control question is not whether access exists, but whether it is still justified, reviewed, and revoked on time. For identity programmes, that makes lifecycle evidence a first-class compliance asset.
Accessibility of evidence is becoming as important as the control itself. The article’s focus on reporting and audit documentation reflects a broader reality in identity security: if you cannot prove who had access, why they had it, and when it changed, the control is weak even if the permission model is sound. Practitioners should therefore design governance around verifiable records, not memory or spreadsheet reconciliation.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- As identity governance matures, the next step is to pair lifecycle controls with Lifecycle Processes for Managing NHIs so reviews lead to revocation, rotation, and evidence that stands up in audit.
What this signals
Access review evidence will matter more than access review volume. ISO 27001 programmes are moving toward proof of control operation, which means the quality of reviewer decisions, remediation records, and exception handling will define maturity. Organisations that cannot show this will struggle to defend compliance during audit or incident review.
Lifecycle discipline is the missing link between ISO 27001 and machine identity governance. When service accounts, API keys, and certificates are not folded into the same review and offboarding logic as human access, governance becomes inconsistent. That gap is what turns a well-written ISMS into a partial control model.
Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs. That number explains why access certification alone is not enough. Practitioners need entitlement review, revocation, and lifecycle closure to operate as one control chain.
For practitioners
- Define ISMS scope around identity ownership: Map which human accounts, service accounts, API keys, and shared platform identities sit inside the ISMS boundary, then document where ownership changes across teams and vendors. Use that scope to decide which entitlements must be reviewed and who signs off on exceptions.
- Turn access review into audit evidence: Require every certification cycle to produce a defensible record of reviewer, entitlement, business justification, decision, and remediation status. Store those records so internal audit can trace the control outcome without reconstructing the decision from email or spreadsheets.
- Link review failures to corrective action: Escalate repeated over-privilege, stale access, and incomplete reviews into a formal corrective-action workflow that updates policy, ownership, or review cadence. The goal is to stop recurring exceptions from being treated as isolated admin issues.
- Extend lifecycle discipline to non-human identities: Apply the same joiner, mover, leaver logic used for human access to service accounts, API keys, and certificates, including revocation, rotation, and re-certification. That keeps machine access aligned to current purpose instead of historical convenience.
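The four practitioner steps above describe one control chain: scoped entitlements with an owner, a complete certification record per review, recurring findings escalated to corrective action, and the same leaver, revocation and rotation logic applied to machine identities. The following is an added example, written for this post and not code from Zluri or NHIMG, that runs those checks over a handful of constructed entitlement records. The field names, the 90-day review and rotation intervals, the "systemic" threshold and every identity in the sample data are assumptions chosen for the illustration.

```python
# Added example: nonconformity detection over access-review evidence.
# Not Zluri's or NHIMG's code; field names, intervals and sample records are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Evidence every certification record must carry to be defensible in audit.
REQUIRED_EVIDENCE = ("reviewer", "justification", "decision", "remediation_status")
REVIEW_INTERVAL_DAYS = 90     # assumed review cadence from the access policy
ROTATION_INTERVAL_DAYS = 90   # assumed rotation cadence for API keys
SYSTEMIC_THRESHOLD = 2        # a finding type seen this often is treated as control drift


@dataclass
class Entitlement:
    """One identity's permission on one resource plus its latest review record."""
    identity: str
    kind: str                        # "human", "service_account" or "api_key"
    resource: str
    privilege: str
    owner: Optional[str]             # accountable control owner, None if unassigned
    identity_active: bool            # False once joiner/mover/leaver marks a leaver
    last_review: Optional[date]
    reviewer: Optional[str] = None
    justification: Optional[str] = None
    decision: Optional[str] = None            # "retain" or "revoke"
    remediation_status: Optional[str] = None  # "open" or "closed"
    last_rotation: Optional[date] = None      # credential rotation, api_key only


def find_nonconformities(e: Entitlement, as_of: date) -> list[str]:
    """Return the clause 10 style findings for a single entitlement."""
    findings = []
    if not e.owner:
        findings.append("missing owner")
    if e.last_review is None or (as_of - e.last_review).days > REVIEW_INTERVAL_DAYS:
        findings.append("review overdue")
    else:
        # A timely review only counts as evidence if the record is complete.
        missing = [f for f in REQUIRED_EVIDENCE if not getattr(e, f)]
        if missing:
            findings.append("incomplete evidence: " + ", ".join(missing))
        # A revoke decision that never closed is a remediation failure, not a result.
        if e.decision == "revoke" and e.remediation_status != "closed":
            findings.append("revocation not remediated")
    if not e.identity_active:
        findings.append("leaver still holds access")
    if e.kind == "api_key" and (
        e.last_rotation is None or (as_of - e.last_rotation).days > ROTATION_INTERVAL_DAYS
    ):
        findings.append("rotation overdue")
    return findings


def run_certification(entitlements, as_of: date) -> dict[str, list[str]]:
    """Map 'identity->resource' to its findings; clean entitlements are omitted."""
    report = {}
    for e in entitlements:
        findings = find_nonconformities(e, as_of)
        if findings:
            report[f"{e.identity}->{e.resource}"] = findings
    return report


def systemic_findings(report: dict[str, list[str]]) -> list[str]:
    """Finding types that recur across entitlements and therefore need a corrective
    action on policy, ownership or cadence rather than a per-ticket fix."""
    counts = Counter(f.split(":")[0] for fs in report.values() for f in fs)
    return sorted(kind for kind, n in counts.items() if n >= SYSTEMIC_THRESHOLD)


AS_OF = date(2025, 6, 26)
# Constructed sample records for the example; none of these are real identities.
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "human", "payroll-app", "admin", "finance", True, date(2025, 5, 1),
                "bob", "runs month-end payroll", "retain", "closed"),
    Entitlement("carol", "human", "crm", "read", None, False, date(2025, 6, 1),
                "dan", None, "retain", None),
    Entitlement("svc-billing", "service_account", "db-prod", "write", "platform", True,
                date(2025, 1, 15), "eve", "invoice batch job", "retain", "closed"),
    Entitlement("ci-deploy-key", "api_key", "k8s-prod", "deploy", "devops", True,
                date(2025, 6, 10), "eve", "pipeline retired", "revoke", "open",
                last_rotation=date(2024, 12, 1)),
    Entitlement("svc-reporting-key", "api_key", "warehouse", "read", "data", True,
                date(2025, 6, 5), "eve", "nightly ETL", "retain", "closed",
                last_rotation=date(2024, 11, 20)),
]

if __name__ == "__main__":
    report = run_certification(SAMPLE_ENTITLEMENTS, AS_OF)
    for key, findings in report.items():
        print(key, "->", "; ".join(findings))
    print("systemic:", systemic_findings(report))
```

Run against the sample, the human admin account with a complete, current record produces nothing, while the leaver with no owner and a half-filled record, the service account whose review lapsed, the deploy key whose revoke decision was never closed, and the two keys past their rotation window each surface as findings; because two API keys share the same rotation finding, `systemic_findings` reports "rotation overdue" as a pattern to escalate to corrective action rather than as individual tickets.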
Key takeaways
- ISO 27001 is only effective when access review, risk treatment, and corrective action operate as one governance loop.
- Identity programmes fail when certification is treated as evidence collection instead of a control that changes entitlements.
- Machine identities must be included in lifecycle governance, or ISO 27001 compliance will remain incomplete in practice.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be reviewed and corrected to support ISMS control effectiveness. |
| NIST Zero Trust (SP 800-207) | | Zero trust depends on continuous verification, which mirrors recurring access review needs. |
| NIST SP 800-63 | | Federated access and assurance decisions inform identity evidence in ISO 27001 contexts. |
Apply identity assurance principles where human authentication evidence feeds compliance controls.
Key terms
- Information Security Management System: An Information Security Management System is the organised set of policies, controls, roles, and records used to manage information security risk. In ISO 27001, it is the operating model that ties scope, review, corrective action, and continual improvement into one auditable system.
- Access Certification: Access certification is the formal process of reviewing whether an identity still needs the permissions it has. In an ISO 27001 programme, it is not just a checkbox activity. It is evidence that access is being validated against purpose, risk, and ownership on a repeatable basis.
- Nonconformity: A nonconformity is a failure to meet a stated requirement, control expectation, or internal policy. In identity governance, repeated stale access, missing approvals, or incomplete remediation records become nonconformities that must be tracked, corrected, and fed back into the management system.
- Lifecycle Governance: Lifecycle governance is the discipline of managing identity from creation through change, review, and removal. For human and non-human identities alike, it ensures access is granted for a reason, periodically validated, and revoked when the need ends or the relationship changes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Security & Compliance ISO 27001 Requirements. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org