TL;DR: ISO 27001 audits depend on evidence that controls, documentation, and access decisions are operating as designed, and the article ties audit readiness directly to internal reviews, external certification stages, and access governance, according to Zluri. The real constraint is not audit paperwork but whether identity review processes can prove least privilege before exceptions become findings.
At a glance
What this is: This is a guide to ISO 27001 audits, with a strong emphasis on evidence, documentation, internal and external review stages, and access review readiness.
Why it matters: It matters because ISO 27001 audit outcomes often expose identity governance gaps that affect human access, machine access, and lifecycle controls across the programme.
By the numbers:
- Cyberattacks occur once every 39 seconds, and 95% are due to human error.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read Zluri's guide to ISO 27001 audit readiness and access review controls
Context
ISO 27001 audit readiness is fundamentally about proving that information security controls are documented, implemented, and continuously evidenced. In practice, that means organisations need a defensible chain from policy to review to corrective action, especially where identity and access decisions affect the audit trail.
For IAM teams, the audit problem is rarely the certificate itself. It is the gap between stated access policy and actual access state, which becomes visible when reviewers cannot show who had access, why they had it, and how quickly exceptions were removed.
Key questions
Q: How should teams prepare access evidence for an ISO 27001 audit?
A: Teams should prepare access evidence by tying every entitlement to an owner, a review date, and a remediation record. The audit trail must show not only who had access, but why it was granted and what changed after review. A clean review history is more persuasive than a stack of exported reports.
Q: Why do over-privileged accounts matter in ISO 27001 assessments?
A: Over-privileged accounts matter because they show that access is broader than business need and that the organisation may not be enforcing least privilege consistently. In an ISO 27001 assessment, that weakens confidence in control effectiveness and often leads auditors to question whether access reviews are meaningful or merely procedural.
Q: How can organisations tell whether audit controls are actually working?
A: Organisations can tell audit controls are working when reviews produce verified permission changes, exceptions are time-bound, and evidence is available without last-minute reconstruction. If the same access gaps reappear each cycle, the control is not working as intended, even if the paperwork looks complete.
Q: Who is accountable when an ISO 27001 audit finds access weaknesses?
A: Accountability should sit with the process owner for the affected control, supported by management review and a defined remediation owner. ISO 27001 audits expose governance failures when no one is responsible for closing the loop, so accountability must be explicit before the next audit cycle begins.
Technical breakdown
ISO 27001 audit evidence and control testing
An ISO 27001 audit is not a document collection exercise. It is a control test that checks whether the ISMS scope, risk treatment, and supporting controls align in practice. Auditors look for consistency between policy, procedure, records, and operational evidence such as access reviews, log reviews, and corrective actions. If any of those layers diverge, the ISMS may be compliant on paper but not demonstrably effective. This is why audit preparation usually fails first at evidence quality, not at policy wording.
Practical implication: treat audit evidence as an operational asset and maintain it continuously, not only during certification cycles.
Internal audits, external audits, and certification stages
ISO 27001 divides assurance into internal audits, certification audits, surveillance audits, and recertification. Internal audits are meant to surface nonconformities early, while external audits validate whether the organisation can sustain control effectiveness over time. Stage 1 focuses on documentation readiness, and Stage 2 tests whether documented controls actually work. Surveillance audits then check whether control drift has occurred since certification. This lifecycle means audit success depends on governance discipline across the year, not just a last-minute readiness sprint.
Practical implication: align owners, evidence, and remediation timelines to the full audit cycle, including surveillance and recertification.
Access reviews and over-privileged access in ISO 27001
Access review is one of the most visible identity governance signals in an ISO 27001 assessment because it shows whether access rights are still justified. Over-privileged accounts, stale entitlements, and incomplete review records create immediate questions about control effectiveness. In identity terms, the audit is checking whether access decisions are current, explainable, and revocable. When those records are weak, the organisation struggles to prove least privilege, even if the underlying systems are technically secure.
Practical implication: build a repeatable review workflow for permissions, exceptions, and revocations so the audit trail shows active governance.
Threat narrative
Attacker objective: The objective is to exploit governance blind spots that allow weak access control and poor evidence to persist inside a supposedly compliant ISMS.
- entry: The audit exposure begins when organisations cannot produce complete evidence for who had access, what changed, and when reviews occurred.
- escalation: Weak documentation, stale permissions, and incomplete review records expand the gap between policy and actual control operation.
- impact: The result is nonconformity, compliance delay, and a higher chance that identity weaknesses remain uncorrected after the audit.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ISO 27001 audit readiness is really an access governance problem. The article frames audits as documentation and process discipline, but the deeper issue is whether identity state matches declared policy at the moment of review. When access reviews are incomplete or stale, the organisation cannot prove that least privilege is operating as intended. Practitioners should treat audit readiness as a live governance condition, not a filing exercise.
Over-privileged access becomes an audit finding long before it becomes a breach. ISO 27001 testing exposes whether permissions are justified, reviewed, and revoked on time. That makes privilege creep a compliance issue as much as a security issue, especially where third-party and shared access are involved. The practitioner takeaway is that entitlement hygiene and audit evidence are the same control outcome, viewed from different angles.
Control drift is the named concept here: documentation can stay current while actual access governance falls behind. The article’s own emphasis on access review automation shows that organisations often rely on tools to compress the gap, but the field-level lesson is broader. If review outcomes do not change permissions, the control exists only as theatre. Audit programmes should measure whether review activity produces verified entitlement change, not just completed tasks.
ISO 27001 maturity depends on lifecycle governance, not one-off certification effort. Internal audits, surveillance audits, and recertification only work when access provisioning, change, and offboarding are governed continuously. That applies to human access, service accounts, and other non-human identities that may appear outside the audit spotlight. Practitioners should align ISMS governance with identity lifecycle controls across all actor types.
The strongest ISO 27001 programmes connect access evidence to operational accountability. Auditors are looking for a reliable line from policy to review to remediation, and that line fails when ownership is split or ambiguous. The article’s focus on management review underscores a practical truth: if no one owns the aftermath of a failed access review, the control never fully existed. Teams should map each audit obligation to a named operational owner.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to NHI Mgmt Group research.
- That same governance gap is explored in Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, which is useful when audit findings point to lifecycle and offboarding weaknesses.
What this signals
Control drift is what ISO 27001 teams should watch first. When access review completion does not reliably produce entitlement change, the audit becomes a reporting exercise rather than a governance control. Teams should track whether exceptions are closed, not just whether review tasks are finished, because that is where compliance and identity operations either align or diverge.
The audit problem extends beyond people to machine access. Service accounts, API keys, and other NHIs often sit outside the human-centric processes that audit teams are best at checking. If those identities are not covered by the same evidence discipline, the ISMS can pass review while still leaving a large part of the identity surface unmanaged.
With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, per the Ultimate Guide to NHIs, audit readiness now depends on proving where secrets live and how they are governed. That makes lifecycle evidence as important as policy evidence.
For practitioners
- Reconcile every access review to a permission change: track whether each completed review resulted in a revoke, approval, or documented exception. If a review produces no change, treat that as a signal that the workflow is not enforcing least privilege.
- Maintain audit evidence continuously: store policies, risk treatment records, management review outputs, and access review logs in a single evidence chain so certification prep does not depend on manual reconstruction.
- Test entitlement hygiene before surveillance audits: sample over-privileged accounts, dormant access, and unresolved exceptions before auditors do, then confirm the remediation is reflected in live systems rather than only in spreadsheets.
- Assign clear ownership for remediation follow-through: make sure every nonconformity, exception, and corrective action has a named owner, a due date, and a verification step so audit findings do not linger into the next cycle.
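The four practitioner steps above (and the "track whether exceptions are closed" point under "What this signals") amount to one reconciliation: compare the latest review decision for each entitlement against what the live system actually grants, and flag the divergences with a named owner. The script below is an added example written for this post; it is not code from Zluri or from the NHIMG article. All entitlements and review records in it are constructed sample data, and the record fields (decision, owner, exception_until) are assumed names rather than any product's export schema.

```python
"""Reconcile access-review decisions against live entitlement state.

Added example, not code from Zluri or the NHIMG article. The records below
are constructed sample data, and the field names (decision, exception_until,
owner) are assumptions, not any product's export format.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Entitlement:
    identity: str   # human user or non-human identity (service account, CI job)
    resource: str
    role: str


@dataclass(frozen=True)
class ReviewRecord:
    entitlement: Entitlement
    decision: str                           # "approve", "revoke" or "exception"
    owner: str                              # named owner for follow-through
    reviewed_on: date
    exception_until: Optional[date] = None  # exceptions are expected to be time-bound


@dataclass
class Finding:
    category: str               # one of the four categories listed in reconcile()
    entitlement: Entitlement
    owner: Optional[str]        # None means nobody is accountable for this one yet


def reconcile(reviews: List[ReviewRecord], live: Set[Entitlement],
              today: date, max_review_age_days: int = 90) -> List[Finding]:
    """Return findings where review evidence and live access state diverge.

    revoke_not_applied   - review said revoke, entitlement is still granted
    exception_not_closed - exception has no end date or is past it, access still granted
    stale_review         - live entitlement whose last review is older than the window
    unreviewed           - live entitlement with no review record at all
    """
    findings: List[Finding] = []
    latest: Dict[Entitlement, ReviewRecord] = {}
    for r in reviews:  # keep only the most recent decision per entitlement
        prev = latest.get(r.entitlement)
        if prev is None or r.reviewed_on > prev.reviewed_on:
            latest[r.entitlement] = r

    cutoff = today - timedelta(days=max_review_age_days)
    for ent, rec in latest.items():
        if ent not in live:
            continue  # revoke applied (or access otherwise gone): nothing to flag
        if rec.decision == "revoke":
            findings.append(Finding("revoke_not_applied", ent, rec.owner))
        elif rec.decision == "exception" and (
                rec.exception_until is None or rec.exception_until < today):
            findings.append(Finding("exception_not_closed", ent, rec.owner))
        if rec.reviewed_on < cutoff:
            findings.append(Finding("stale_review", ent, rec.owner))

    for ent in sorted(live - set(latest), key=lambda e: (e.identity, e.resource, e.role)):
        findings.append(Finding("unreviewed", ent, None))
    return findings


def review_change_rate(reviews: List[ReviewRecord]) -> float:
    """Share of review decisions that actually removed access (revokes).

    A cycle where this sits near 0.0 is the 'review produces no change'
    signal from the practitioner list: reviewers may be rubber-stamping.
    """
    if not reviews:
        return 0.0
    return sum(1 for r in reviews if r.decision == "revoke") / len(reviews)


# Constructed sample data: a small live entitlement snapshot and the review
# records that exist for it, evaluated against an assumed audit date.
TODAY = date(2025, 6, 26)
LIVE = {
    Entitlement("alice", "payroll-db", "admin"),
    Entitlement("bob", "crm", "reader"),
    Entitlement("dave", "vpn", "user"),
    Entitlement("svc-ci-deploy", "prod-k8s", "cluster-admin"),
    Entitlement("svc-backup", "s3-backups", "writer"),
}
REVIEWS = [
    ReviewRecord(Entitlement("alice", "payroll-db", "admin"), "revoke", "payroll-lead", date(2025, 5, 1)),
    ReviewRecord(Entitlement("bob", "crm", "reader"), "approve", "sales-ops", date(2025, 6, 1)),
    ReviewRecord(Entitlement("carol", "crm", "admin"), "revoke", "sales-ops", date(2025, 6, 1)),
    ReviewRecord(Entitlement("dave", "vpn", "user"), "approve", "it-ops", date(2025, 1, 15)),
    ReviewRecord(Entitlement("svc-ci-deploy", "prod-k8s", "cluster-admin"), "exception",
                 "platform-lead", date(2025, 4, 1), exception_until=date(2025, 5, 31)),
]

if __name__ == "__main__":
    for f in reconcile(REVIEWS, LIVE, TODAY):
        e = f.entitlement
        print(f"{f.category:22} {e.identity}@{e.resource}:{e.role}  owner={f.owner}")
    print(f"review change rate: {review_change_rate(REVIEWS):.2f}")
```

Run against the sample data, the script reports four findings: alice's revoke was never applied, dave's approval is older than the 90-day window, the exception for the CI deployment service account expired without the access being removed, and the backup service account has never been reviewed and has no owner. Note that two of the four concern non-human identities, which is exactly the part of the identity surface the human-centric review process tends to miss; feeding the live snapshot from an export of the real systems, rather than from the review tool's own records, is what makes the check evidence rather than paperwork.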
Key takeaways
- ISO 27001 audits expose whether access governance is real, current, and provable, not just documented.
- Over-privileged access and weak review records turn identity issues into compliance findings before they become incidents.
- Teams should make review outcomes, remediation ownership, and evidence retention part of everyday operations, not audit season work.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access review evidence maps to least-privilege governance and entitlement control. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret handling and rotation directly affect audit readiness and evidence quality. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification, which aligns with ISO 27001 control testing. |
Treat audit evidence as continuous verification of access decisions, not a one-time certification artifact.
Key terms
- Information Security Management System: An Information Security Management System is the governance structure used to manage security policies, controls, responsibilities, and evidence across an organisation. In ISO 27001, the ISMS is the object being audited, so its scope, risk treatment, and operational proof all need to stay aligned.
- Access review: Access review is the recurring check that confirms whether a user, service account, or other identity still needs the permissions it has. In audit contexts, the value of a review is measured by whether it leads to a verified change, not by whether the review task was completed.
- Nonconformity: A nonconformity is a gap between a requirement and what the organisation actually does or can prove it does. In ISO 27001, nonconformities often arise when policies exist but supporting evidence, implementation, or remediation discipline is incomplete or inconsistent.
- Corrective action: Corrective action is the follow-up work taken to remove the cause of a detected problem and stop it recurring. In an ISO 27001 programme, it matters as much as the finding itself because auditors want to see that control failures are resolved, owned, and verified.
Deepen your knowledge
NHI governance, IAM, identity lifecycle, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by Zluri: a complete guide to ISO 27001 audit readiness. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org