By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: ISO 27001 certification depends on scoping controls, documenting them in a statement of application, and proving they work through audit and recertification, according to Zluri’s breakdown of the process. The real governance test is whether identity and access reviews can produce reliable evidence fast enough to withstand scrutiny.


At a glance

What this is: This is a phase-by-phase breakdown of the ISO 27001 certification process, with a strong emphasis on scoping, control selection, audit evidence, and access reviews.

Why it matters: It matters because ISO 27001 readiness depends on identity governance discipline as much as policy documentation, especially where access review, control evidence, and recertification intersect.



Context

ISO 27001 certification is a governance exercise as much as a security one. The article frames the process around planning, audit, and maintenance, with particular attention to how organisations document controls, prove effectiveness, and keep the system current as the environment changes.

For IAM, IGA, PAM, and NHI programmes, the key issue is evidence quality. If access reviews, control mappings, and remediation records are fragmented or manual, the certification process becomes slower and harder to defend during audit.


Key questions

Q: How should organisations prepare for ISO 27001 certification without creating audit chaos?

A: Start by fixing scope, ownership, and evidence collection before the external audit begins. The process becomes manageable when control selection, internal reviews, corrective actions, and access review records are all tied to named owners and stored in a consistent format that auditors can trace quickly.

Q: Why do access reviews matter so much in ISO 27001 certification?

A: Access reviews prove that entitlements are being checked and corrected, not merely documented. In ISO 27001, that evidence helps show that the ISMS is active, that access decisions are being validated, and that remediation is recorded in a way auditors can verify.

Q: What breaks when ISO 27001 evidence is assembled manually at the end of the process?

A: Manual assembly creates inconsistent records, slows down corrective action, and makes it harder to prove that controls were operating continuously. Auditors tend to challenge evidence that looks reconstructed after the fact rather than captured as part of the normal operating process.

Q: Who is accountable when ISO 27001 controls fail during recertification?

A: Accountability sits with the teams that own the ISMS scope, the control set, and the evidence trail, not with the auditor. Recertification exposes whether governance is still aligned to current operations, so organisations need clear ownership for updating policies, access reviews, and corrective actions before renewal.


Technical breakdown

Why the ISO 27001 statement of application matters

The statement of application, or SoA, is the formal record that shows which Annex A controls an organisation has selected and why. It is not a static checklist. Auditors use it to test whether control selection matches the stated scope of the information security management system and whether the organisation can justify exclusions or alternatives. In practice, the SoA links governance intent to operational proof, which is why weak control mapping often becomes an audit problem rather than a policy problem.

Practical implication: keep the SoA tied to real operational ownership, not a one-time compliance exercise.

How stage 1 and stage 2 audits differ

Stage 1 testing checks whether the organisation has the required structure, documents, and corrective action records in place. Stage 2 examines whether the controls actually work in operation. That distinction matters because a process can look complete on paper while still failing under real usage. ISO 27001 certification depends on both administrative readiness and evidence that the controls hold up when assessed against live conditions, including internal reviews and remediation records.

Practical implication: prepare for auditors to challenge both documentation quality and control effectiveness.

Why access reviews become a certification bottleneck

Access review is a recurring proof point in ISO 27001 because it demonstrates that entitlements are being checked, corrected, and retained as evidence. Manual review workflows create delay, inconsistency, and weak audit trails, especially when multiple applications and user populations are involved. Automated review can help centralise review data and remediation records, but the underlying governance question remains whether the organisation can prove access decisions were made consistently and with sufficient oversight.

Practical implication: treat access review evidence as an audit artefact, not just an internal hygiene task.



NHI Mgmt Group analysis

ISO 27001 succeeds or fails on evidence discipline, not just control intent. The article shows that certification hinges on whether organisations can translate policy into auditable records, corrective actions, and repeatable review cycles. That is a governance problem first and a tooling problem second. The practitioner takeaway is that evidence generation has to be built into the operating model, not assembled after the fact.

Access review is the hidden identity control in ISO 27001 programmes. The article repeatedly returns to review, remediation, and recertification because those are the mechanisms that prove controls still reflect reality. In IAM terms, certification exposes whether entitlements are governed continuously or only described on paper. The implication is that identity evidence maturity becomes part of the certification posture.

Manual certification workflows create a governance lag that weakens audit readiness. When control implementation, review outcomes, and corrective evidence all depend on human assembly, the certification cycle slows and the record becomes easier to challenge. This is especially visible where teams handle many applications or roles. Practitioners should treat process latency as a risk signal, not an administrative inconvenience.

Certification maintenance is really lifecycle governance under audit pressure. The three-year validity window and recurring internal reviews show that ISO 27001 is not a one-time event. It is a lifecycle discipline that demands ongoing control validation, not just initial certification. The field implication is clear: organisations that cannot sustain review cadence will struggle to sustain assurance.

Automated review does not replace accountability, but it does expose where accountability has been informal. When a workflow can produce a review record quickly, it reveals how much of the prior process was dependent on tribal knowledge or manual coordination. That matters for IAM, NHI, and human access alike. The practitioner conclusion is that certification readiness improves when accountability is explicit and repeatable.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, even as the majority continue to expand autonomous adoption.
  • For the adjacent governance problem, see NHI Lifecycle Management Guide for the review, rotation, and offboarding discipline that certification programmes depend on.

What this signals

Access review evidence is becoming a governance differentiator. As certification and recertification cycles tighten, teams that can show consistent review outcomes, corrective actions, and SoA updates will have far less audit friction than teams still relying on spreadsheets and email trails.

The broader lesson is that ISO 27001 readiness now overlaps with IAM operating maturity. Where identity records are incomplete or slow to reconcile, audit confidence falls even if policies look strong on paper.

With 70% of organisations granting AI systems more access than human employees in equivalent roles, according to the 2026 Infrastructure Identity Survey, certification programmes that ignore identity scope discipline will increasingly miss the real control problem.


For practitioners

  • Map certification evidence to named owners: Assign ownership for scope, SoA updates, internal review evidence, and corrective action records before the audit cycle begins so each artefact can be traced to a responsible team.
  • Standardise access review outputs: Use a consistent format for user, application, decision, and remediation records so internal reviews can be reused as pre-assessment evidence without manual reconstruction.
  • Separate stage 1 readiness from stage 2 effectiveness: Check that documentation completeness, control design, and actual control performance are assessed independently so gaps are not hidden by well-written policy.
  • Treat recertification as a living control cycle: Revisit scope, control selection, and review cadence before the three-year recertification point so the ISMS does not drift away from actual business and identity conditions.

Key takeaways

  • ISO 27001 certification is driven by control evidence as much as by written policy, so weak records create audit risk even when the security intent is sound.
  • Access reviews, SoA mapping, and corrective action trails are the practical proof points that determine whether the ISMS is considered credible.
  • Organisations should treat certification maintenance as an ongoing identity governance cycle, not a one-off compliance project.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | ISO 27001 access review and entitlement control align with access management discipline.
NIST SP 800-63                   | (not specified)     | The article touches access governance and assurance for identity records.
OWASP Non-Human Identity Top 10  | NHI-03              | Review cadence and evidence discipline are core to non-human identity governance.

Review NHI privilege scope regularly and retain evidence that recertification can verify.


Key terms

  • Statement of Application: The statement of application is the formal record of which security controls an organisation has chosen to implement and why. In ISO 27001 work, it becomes the bridge between risk decisions, control scope, and audit evidence, which is why weak entries often expose governance gaps.
  • Nonconformity: A nonconformity is a gap between the organisation's ISMS and the requirements or expectations being audited. It can be minor or major, and it matters because certification depends on proving that the gap was identified, corrected, and documented in a way the auditor can verify.
  • Recertification Audit: A recertification audit is the periodic reassessment that renews ISO 27001 certification after the certificate expires. It tests whether the management system still reflects current operations, which means organisations must keep controls, evidence, and ownership aligned over time.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: ISO 27001 Certification Process: Detailed Breakdown Of Phases. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org