TL;DR: ISO 27001 audits depend on documented controls, repeatable evidence, and independent review, and StrongDM’s guide shows why stage 1 design review, stage 2 field testing, surveillance audits, and recertification all hinge on proving controls work in practice, not just on paper. For IAM teams, the lesson is that auditability becomes an operational requirement across human, NHI, and privileged access programmes.
At a glance
What this is: This is a guide to ISO 27001 audit stages, timelines, and auditor expectations, with the key finding that certification depends on proving controls through documented evidence and ongoing review.
Why it matters: It matters because IAM, PAM, and NHI programmes increasingly need audit-ready logs, ownership, and lifecycle evidence to satisfy certification, contract, and continuous compliance demands.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read StrongDM's guide to ISO 27001 audit stages and evidence requirements
Context
ISO 27001 audits are not just paperwork exercises. They are a test of whether security controls, access governance, and evidence collection hold up under independent review, especially where privileged access, session logs, and documented procedures must match what actually happens in production.
For IAM practitioners, the core issue is evidence quality. If access decisions, approvals, and privilege changes cannot be traced cleanly, the organisation may have a control on paper but fail the audit in practice. That same gap appears in NHI governance, where service accounts and secrets often lack the lifecycle records auditors expect.
The operational reality is that audit readiness and identity governance are now closely linked. Organisations that centralise access evidence, define ownership, and keep review cycles current are better positioned to satisfy ISO 27001 and to avoid treating audit time as a fire drill.
Key questions
Q: How should security teams prepare privileged access evidence for ISO 27001 audits?
A: Security teams should ensure privileged access decisions, session logs, approvals, and remediation records are centralized and tied to named control owners. Auditors want a clean chain from policy to execution, so fragmented evidence creates avoidable friction. The best preparation is to test the audit trail before external review and fix ownership gaps early.
Q: Why do access logs matter so much in ISO 27001 certification?
A: Access logs matter because ISO 27001 audits verify that controls work in practice, not just on paper. Logs show who accessed what, when, and under which approval path. Without consistent logs, an organisation may have a documented control framework but still fail to prove operational compliance during stage 2 or surveillance sampling.
Q: What breaks when audit evidence is fragmented across IAM and PAM tools?
A: Fragmented evidence breaks the auditor’s ability to verify that access controls were followed consistently. If approvals, sessions, and remediation records sit in different systems without shared ownership, the organisation cannot easily demonstrate control effectiveness. That gap often turns a manageable control issue into a certification problem.
Q: Who is accountable when ISO 27001 controls do not match actual access behaviour?
A: Accountability sits with the control owner and the organisation’s governance function, because ISO 27001 expects documented controls to reflect real operations. If access behaviour differs from policy, the issue is not only technical. It is a governance failure that auditors will surface through sampling, interviews, and recertification evidence.
Technical breakdown
ISO 27001 stage 1 audit and the design review evidence model
Stage 1 is the design review, where an auditor checks whether the ISMS is defined clearly enough to be assessed. The focus is documentation, scope, risk treatment, statement of applicability, and whether policies map to the control set the organisation claims to operate. This is not a production walkthrough yet. It is a test of whether the management system has enough structure to support later evidence. In identity programmes, that means access policy, ownership, and control intent must be written in a way that can be tested rather than merely described.
Practical implication: align access policies, scope statements, and control ownership before audit entry so the design review can be passed on evidence, not explanation.
Stage 2 field review, privileged access logs, and operational proof
Stage 2 is where auditors verify that documented controls match real behaviour. They sample records, interview stakeholders, and compare evidence from live operations against the approved ISMS design. In privileged access environments, this is where centralized session logs, command records, and change evidence matter most, because they show whether access was controlled as claimed. If logs are fragmented across tools or tied to individuals without clear ownership, the audit trail becomes weak even when the control technically exists.
Practical implication: centralize privileged access evidence so sampling, interviews, and remediation tracking all point to the same operational record.
Surveillance and recertification as continuous control validation
ISO 27001 does not end at certification. Surveillance audits, typically annual, sample controls over time, while recertification rechecks the full system at the end of each three-year certificate cycle. That creates a continuous validation model, not a one-time event. For identity governance, this is where lifecycle discipline matters: access reviews, offboarding, and control maintenance must remain current, or the organisation accumulates drift between the documented state and the live state. The audit problem is often not a missing policy but a stale operating model.
Practical implication: treat ongoing access review, offboarding, and evidence retention as part of the control system, not as audit-season cleanup.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- BeyondTrust API key breach — compromised BeyondTrust API key led to unauthorized SaaS access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ISO 27001 audits expose the evidence gap, not just the control gap. The article is really about proving that security controls operate consistently enough to satisfy an external reviewer. That matters across human IAM, PAM, and NHI governance because the same failure mode appears when ownership, logs, or lifecycle records are too weak to verify. Practitioners should read this as an evidence-design problem, not an audit-calendar problem.
Privileged access is where auditability most often breaks down. The guide’s emphasis on session review, centralized logs, and stakeholder interviews reflects a broader truth: auditors need a clear chain from access decision to recorded action. When PAM evidence is scattered, the organisation cannot easily show that control intent matched actual use. That makes privileged activity the fastest way to expose weak governance.
Audit readiness is a lifecycle discipline, not a one-time certification project. Stage 1, stage 2, surveillance, and recertification all depend on the organisation keeping its control story intact over time. That is especially relevant for NHIs, where offboarding and rotation gaps create stale access that survives long after policy says it should not. The practitioner conclusion is simple: continuous evidence hygiene is part of the control.
Identity programmes that cannot produce repeatable evidence will struggle as compliance expectations tighten. ISO 27001 is a useful forcing function because it turns access governance into something testable. The same pattern applies to third-party access, service accounts, and audit trails across cloud estates. Teams that centralize records and ownership reduce the gap between claimed control and demonstrated control.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why audit-grade identity evidence remains hard to assemble.
- For the lifecycle side of this problem, review NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding controls that make evidence sustainable.
What this signals
Control evidence is becoming the new compliance boundary. As ISO 27001 expectations intersect with cloud operations, teams need records that survive sampling, not just controls that look good in policy. The practical shift is toward evidence-aware identity governance, where access events, approvals, and remediation all remain reconstructable.
With only 5.7% of organisations reporting full visibility into service accounts, the identity blind spot is already large enough to undermine audit confidence. That visibility gap will matter more as auditors continue to test whether the live environment matches the documented ISMS. Teams that cannot produce reliable ownership and access lineage will keep paying a compliance tax.
Evidence hygiene will increasingly separate mature IAM programmes from reactive ones. Organisations that treat logs, reviews, and lifecycle records as operational assets will find ISO 27001 easier to sustain across recertification cycles. Those that leave evidence fragmented will keep rediscovering the same control weaknesses under audit pressure.
For practitioners
- Map audit evidence to control owners: Assign a named owner for each ISMS control, then link access approvals, session logs, and remediation records to that owner so auditors can trace evidence without manual reconstruction.
- Centralize privileged access records: Keep sessions, queries, and commands in one reviewable record set so stage 2 sampling does not depend on piecing together data from separate tools and teams.
- Align lifecycle controls with surveillance audits: Schedule access reviews, offboarding checks, and evidence retention so they happen on a cadence that supports surveillance sampling instead of ad hoc cleanup.
- Test the audit trail before certification review: Run a mock evidence collection exercise against the exact documents and logs that will be sampled, then fix missing timestamps, gaps in ownership, and inconsistent naming before external review.
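One way to run the mock evidence-collection exercise from the last step, and to rehearse the stage 2 reconciliation described under the technical breakdown, as an added example that is not StrongDM's or NHIMG's code: it folds session records from two PAM tools with different schemas into one record set, then checks every session against the approval path (who, what, when, under which ticket) and the control-owner register, reporting each break in the chain. All records are constructed sample data; the field names, the tool labels PAM-A/PAM-B, the ticket IDs and the Annex A style control labels are assumptions for illustration.

```python
"""Pre-audit evidence check: reconcile privileged sessions with approvals and owners.

Added example, not code from StrongDM or the NHIMG post. Every record below is
constructed sample data; field names, tool labels, ticket IDs and control labels
are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed: ISMS control register mapping each control to a named owner.
# An empty owner is the "gap in ownership" an auditor will ask about.
CONTROL_OWNERS = {
    "A.8.2-privileged-access": "alice@example.com",
    "A.8.15-logging": "",
}

# Constructed: approval records from a change/ticketing system.
APPROVALS = [
    {"id": "CHG-101", "control": "A.8.2-privileged-access", "principal": "bob@example.com",
     "target": "db-prod-1", "approved_at": "2025-09-01T08:55:00Z", "expires_at": "2025-09-01T12:00:00Z"},
    {"id": "CHG-102", "control": "A.8.15-logging", "principal": "svc-backup",
     "target": "db-prod-1", "approved_at": "2025-09-02T01:00:00Z", "expires_at": "2025-09-02T03:00:00Z"},
]

# Constructed: session logs from two PAM tools that record the same facts differently.
SESSIONS_TOOL_A = [
    {"user": "bob@example.com", "host": "db-prod-1", "start": "2025-09-01T09:10:00Z", "ticket": "CHG-101"},
    {"user": "Carol@Example.com", "host": "db-prod-1", "start": "2025-09-01T14:20:00Z", "ticket": ""},
    {"user": "bob@example.com", "host": "db-prod-1", "start": "2025-09-01T13:30:00Z", "ticket": "CHG-101"},
]
SESSIONS_TOOL_B = [
    {"principal": "svc-backup", "resource": "db-prod-1", "started_at": "2025-09-02T02:15:00Z", "change_ref": "CHG-102"},
    {"principal": "svc-backup", "resource": "db-prod-1", "started_at": "", "change_ref": "CHG-102"},
]


@dataclass
class Session:
    principal: str             # normalised identity used for matching
    raw_principal: str         # identity exactly as the tool recorded it
    resource: str
    start: Optional[datetime]  # None when the tool failed to record a timestamp
    ticket: str
    source: str


def parse_ts(value: str) -> Optional[datetime]:
    """Parse an ISO 8601 UTC timestamp; an empty value means the record lacks one."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalise(tool_a, tool_b):
    """Fold both tools' records into one schema so sampling reads a single record set."""
    sessions = []
    for r in tool_a:
        sessions.append(Session(r["user"].lower(), r["user"], r["host"],
                                parse_ts(r["start"]), r["ticket"], "PAM-A"))
    for r in tool_b:
        sessions.append(Session(r["principal"].lower(), r["principal"], r["resource"],
                                parse_ts(r["started_at"]), r["change_ref"], "PAM-B"))
    return sessions


def reconcile(sessions, approvals, owners):
    """Return (code, detail) findings for every break in the policy-to-execution chain."""
    by_id = {a["id"]: a for a in approvals}
    findings = []
    for s in sessions:
        where = f"{s.source} {s.raw_principal}@{s.resource} ticket={s.ticket or '-'}"
        if s.raw_principal != s.principal:
            findings.append(("INCONSISTENT_NAMING", where))  # mixed-case identity recorded
        if s.start is None:
            findings.append(("MISSING_TIMESTAMP", where))
        if not s.ticket:
            findings.append(("NO_APPROVAL", where))
            continue
        approval = by_id.get(s.ticket)
        if approval is None:
            findings.append(("UNKNOWN_TICKET", where))
            continue
        if approval["principal"].lower() != s.principal or approval["target"] != s.resource:
            findings.append(("PRINCIPAL_MISMATCH", where))
        if s.start is not None and not (
            parse_ts(approval["approved_at"]) <= s.start <= parse_ts(approval["expires_at"])
        ):
            findings.append(("OUTSIDE_WINDOW", where))  # session ran outside the approved window
        if not owners.get(approval["control"]):
            findings.append(("NO_OWNER", f"{where} control={approval['control']}"))
    return findings


def run_check():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(normalise(SESSIONS_TOOL_A, SESSIONS_TOOL_B), APPROVALS, CONTROL_OWNERS)


if __name__ == "__main__":
    for code, detail in run_check():
        print(f"{code:20} {detail}")
```

Run as a script it lists six breaks in the sample trail: a session with no ticket, a mixed-case identity, a session outside its approval window, a record with no timestamp, and two sessions whose approving control has no named owner. An empty result is the state to reach before external review; each finding code maps to one of the fixes named above (ownership, timestamps, naming, approval linkage), and the same normalise-then-reconcile shape extends to third-party and service-account access by adding those tools' schemas to normalise.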
Key takeaways
- ISO 27001 audits test whether identity controls can be proven, not just described.
- Evidence gaps in privileged access and lifecycle records are the fastest way for compliant-looking programmes to fail under review.
- Teams that centralize logs, ownership, and review cadence will find certification and recertification far more sustainable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet, and ISO/IEC 27001:2022 Annex A supplies the specific controls an auditor will sample.
| Framework | Control / Reference | Relevance |
|---|---|---|
| ISO/IEC 27001:2022 Annex A | 5.15 Access control; 5.18 Access rights; 8.2 Privileged access rights; 8.15 Logging | The controls most directly evidenced by approval records, access reviews and privileged session logs during stage 2 and surveillance sampling. |
| NIST CSF 2.0 | PR.AA-01 (identities and credentials managed); PR.AA-05 (access permissions and authorisations defined, enforced and reviewed) | Access control evidence is central to proving ISO 27001 alignment. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets: per-session access decisions and continuous monitoring of assets and activity | Centralised access visibility supports continuous verification in audit environments. |
| OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding; NHI7 Long-Lived Secrets | NHI lifecycle gaps (stale service accounts, unrotated keys) often surface during audit evidence collection. |
Document access approval paths and verify they match live control execution before audit review.
Key terms
- ISMS: An information security management system is the set of policies, processes, owners, and controls used to manage security in a structured way. In ISO 27001, the ISMS is what auditors evaluate, so it must be documented clearly and reflected in real operations.
- Stage 2 Audit: Stage 2 is the evidential audit where the organisation must prove its documented controls are actually operating. Auditors sample records, interview stakeholders, and compare live evidence with the approved design, making this the decisive test of operational compliance.
- Surveillance Audit: A surveillance audit is a periodic review performed after certification to confirm controls still operate as intended. It is narrower than recertification, but it is still a live test of whether the organisation has maintained its control environment and evidence over time.
- Privileged Access Evidence: Privileged access evidence is the record of approvals, sessions, commands, and reviews that shows elevated access was granted and used appropriately. In audit contexts, this evidence must be centralized, traceable, and consistent enough to prove control effectiveness under sampling.
Deepen your knowledge
ISO 27001 audit evidence, privileged access logging, and control ownership are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme needs stronger lifecycle evidence for certification and surveillance audits, it is worth exploring.
This post draws on content published by StrongDM: ISO 27001 Audit: Everything You Need to Know. Read the original.
Published by the NHIMG editorial team on 2025-10-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org