TL;DR: ISO 27001 certification requires documented scope, risk treatment, training, evidence collection, and recurring audits, with the guide noting that the full process usually takes 6 to 12 months for most organisations. The real governance test is whether access, supplier, and audit controls stay provable under continuous change, not whether the paperwork is complete.
At a glance
What this is: This is a guide to the ISO 27001 certification process, with a strong emphasis on scoping, documentation, risk treatment, audit readiness, and ongoing maintenance.
Why it matters: It matters because ISO 27001 forces IAM, NHI, and access governance teams to prove that controls are repeatable, reviewable, and auditable across people, systems, suppliers, and credentials.
By the numbers:
- For most organisations, certification takes 6 to 12 months at minimum, not including the subsequent surveillance audits required for continual verification and improvement.
- ISO 27001 includes 114 security controls organized into 14 categories.
Context
ISO 27001 certification is a governance exercise, not just a documentation project. It forces an organisation to define scope, prove risk treatment, and show that access controls, supplier oversight, HR security, and monitoring all operate as a coherent information security management system.
For IAM teams, the practical question is whether identity and access controls can survive audit scrutiny across humans, service accounts, and operational systems. That makes ISO 27001 relevant to NHI governance as much as to traditional security policy, because the standard depends on evidence, lifecycle discipline, and recurring review.
The certification process also exposes a common failure pattern: organisations treat access control as a static policy outcome when auditors are looking for operating proof. That is why structured evidence, recertification, and control ownership matter as much as the control design itself.
Key questions
Q: How should security teams prepare for ISO 27001 certification without creating audit churn?
A: Start with a realistic scope, then map controls, risks, and evidence to the same operating model. The teams that struggle most are the ones that treat certification as a document project instead of a governance programme. Build ownership, audit trails, and control testing into normal operations so the ISMS can withstand change.
Q: Why does ISO 27001 matter for access governance and identity teams?
A: Because the standard tests whether access decisions are controlled, justified, and provable over time. That makes it directly relevant to human IAM, NHI governance, supplier access, and privileged access management. If a team cannot demonstrate who has access, why they have it, and how it is reviewed, certification becomes fragile.
Q: What breaks when ISO 27001 scope is too narrow?
A: A narrow scope can leave critical systems, suppliers, or access paths outside the ISMS, which weakens both security coverage and audit credibility. It may look efficient in the short term, but the organisation then has to explain why material risk was excluded. That mismatch often becomes the audit finding.
Q: Who is accountable when ISO 27001 evidence is incomplete or inconsistent?
A: Accountability sits with the organisation that owns the ISMS, not with the auditor. In practice, that means leadership, control owners, and governance teams must be able to explain why evidence exists, where it is stored, and how it maps to the stated controls. ISO 27001 is about demonstrable responsibility, not just compliance language.
Technical breakdown
Statement of applicability and audit scope
The Statement of Applicability, or SoA, is the control map that links ISO 27001 scope to the Annex A controls an organisation has chosen to include or exclude. It is not a generic checklist. It is the documented rationale for why a control exists in the ISMS, why it does not, and how that decision aligns with the organisation’s risk profile and business obligations. In practice, the SoA becomes the bridge between policy intent and audit evidence, especially where access control, supplier oversight, and operational monitoring cross team boundaries.
Practical implication: define SoA ownership early so access-control decisions are traceable before the audit begins.
Risk assessment, treatment, and control selection
ISO 27001 expects a repeatable risk assessment process, but it does not prescribe a single methodology. Organisations must identify risks, assess likelihood and impact, and then select a treatment path such as mitigate, avoid, transfer, or accept. The key point is that control choice follows risk analysis rather than the other way around. That matters for identity governance because access policies, rotation practices, and monitoring rules should be justified as responses to identified risk, not as assumptions carried over from another programme.
Practical implication: tie each access or identity control to a documented risk so the auditor can follow the logic.
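The SoA section above and the risk-treatment point here both reduce to traceability: every included Annex A control needs a named owner and a documented risk it treats, every excluded control needs a rationale, and every risk marked "mitigate" needs at least one control behind it. The check below is an added example, not code from StrongDM or NHIMG; the SoA entries, risk register, Annex A-style control numbers and risk ids are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SoAEntry:
    """One row of a Statement of Applicability (constructed structure)."""
    control: str                 # Annex A-style identifier, illustrative only
    included: bool               # True = in scope, False = excluded
    owner: str = ""              # named control owner who defends the choice
    justification: str = ""      # rationale, mandatory for exclusions
    risks: list = field(default_factory=list)   # risk register ids this control treats


@dataclass
class Risk:
    """One risk register entry; treatment is mitigate | avoid | transfer | accept."""
    risk_id: str
    treatment: str


# Constructed sample SoA and risk register, seeded with typical audit gaps.
SOA = [
    SoAEntry("A.9.2.1", True, owner="IAM lead", risks=["R-01"]),
    SoAEntry("A.9.2.3", True, owner="", risks=["R-02"]),          # no named owner
    SoAEntry("A.12.4.1", True, owner="Platform", risks=[]),       # not traced to a risk
    SoAEntry("A.11.1.1", False, justification="No physical premises in scope"),
    SoAEntry("A.15.1.1", False),                                  # excluded, no rationale
]
RISKS = [Risk("R-01", "mitigate"), Risk("R-02", "mitigate"), Risk("R-03", "mitigate")]


def soa_findings(soa, risks):
    """Cross-check SoA against the risk register; return (item, finding) tuples."""
    known = {r.risk_id for r in risks}
    treated = set()
    findings = []
    for e in soa:
        if e.included:
            if not e.owner:
                findings.append((e.control, "included control has no named owner"))
            if not e.risks:
                findings.append((e.control, "included control not traced to any risk"))
            for rid in e.risks:
                if rid not in known:
                    findings.append((e.control, f"references unknown risk {rid}"))
                treated.add(rid)
        elif not e.justification:
            findings.append((e.control, "excluded control has no justification"))
    # A risk the organisation chose to mitigate but that no control treats is a gap.
    for r in risks:
        if r.treatment == "mitigate" and r.risk_id not in treated:
            findings.append((r.risk_id, "risk marked mitigate but no SoA control treats it"))
    return findings


if __name__ == "__main__":
    for item, msg in soa_findings(SOA, RISKS):
        print(f"{item}: {msg}")
```

Run it against the real SoA export before each surveillance cycle; an empty result is the state the auditor expects to find.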
Evidence, surveillance audits, and continuous improvement
ISO 27001 certification is sustained by evidence, not by intent. Stage 1 tests documentation, while Stage 2 tests whether the documented processes actually operate in practice. After certification, surveillance audits and recertification keep pressure on the organisation to maintain control effectiveness over time. This is where many programmes weaken, because access governance often drifts after the initial project ends. Continuous improvement only works when monitoring, corrective action, and management review are treated as part of the control system rather than as afterthoughts.
Practical implication: build evidence capture into daily operations so surveillance audits do not become a scramble.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ISO 27001 turns identity governance into an evidence problem, not a policy problem. The standard only works when access decisions, scope boundaries, and risk treatments can be demonstrated in a repeatable way. That is why IAM and NHI teams should read it as an operating model requirement, not a certification exercise. The practitioner lesson is that unmanaged access is not just a security issue, it is an audit failure waiting to happen.
Statement of Applicability is the hidden control plane of ISO 27001. It defines which Annex A controls are in scope, which are excluded, and why those choices were made. In identity programmes, that means the SoA becomes the record that ties access control, supplier relationships, and operational security to a defensible governance decision. The practitioner conclusion is simple: if the SoA is vague, the programme is not ready for audit.
Continuous improvement only has value when access governance is measurable. ISO 27001 surveillance audits expose whether control evidence survives day-to-day change, not whether a policy exists on paper. This is where many IAM teams overestimate maturity, because they document reviews without proving that recertification, logging, and corrective action actually happen. The practitioner conclusion is that control durability matters more than control design.
Identity scope creep is the real certification risk. ISO 27001 touches suppliers, HR security, assets, and operations, so access governance cannot stay confined to one team or one system. The discipline forces organisations to see human access, service access, and third-party access as parts of the same assurance story. The practitioner conclusion is that certification readiness depends on cross-domain ownership, not isolated IAM tooling.
ISO 27001 validates a broader security architecture when identity is treated as an operational control, not an admin function. That is especially relevant where privileged access, supplier access, and audit trails intersect. The practitioner conclusion is that identity teams should treat certification as a test of governance coherence across the whole organisation, not just of compliance documentation.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows why certification evidence often lags real identity exposure.
- That visibility gap is why the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, is the natural next reference for lifecycle control design.
What this signals
Identity programmes that are already weak on service-account visibility will feel ISO 27001 pressure first. Only 5.7% of organisations have full visibility into their service accounts, so the certification burden often exposes a much older governance problem rather than creating a new one. Teams should expect scope, evidence, and ownership questions to land hardest where access is least observable.
Certification will increasingly push IAM, GRC, and security operations into a shared operating model. ISO 27001 does not reward isolated control ownership, and that makes identity evidence, supplier oversight, and corrective action workflows harder to keep separate. Practitioners should prepare for more formal control tracing across systems and teams, especially where NHI access is part of the environment.
The most durable programmes will treat audit readiness as a continuous identity assurance loop, not as a pre-certification sprint. That means evidence capture, recertification, and exception handling need to be operationally normal, because the standard rewards organisations that can prove control effectiveness under change.
For practitioners
- Define audit-ready scope boundaries: Map the people, systems, suppliers, and data that are truly in scope before drafting the ISMS. Keep the boundary narrow enough to govern and broad enough to satisfy customer and regulatory expectations.
- Build a statement of applicability with named owners: Document why each Annex A control is included or excluded, and assign an owner who can defend the choice during the audit. Revisit the SoA whenever the organisation, supplier set, or access model changes.
- Tie each access decision to a documented risk treatment: Link identity, privilege, and supplier access controls to a formal risk assessment outcome. The control should be traceable back to a specific threat, impact statement, and treatment choice.
- Treat evidence collection as an operating process: Capture training records, audit logs, review outcomes, and corrective actions as routine work, not as a pre-audit project. Centralise the evidence so Stage 1 and Stage 2 reviews can be answered quickly.
- Schedule recurring control reviews after certification: Use surveillance and recertification cycles to test whether access governance still matches the documented ISMS. Review scope drift, supplier changes, and unresolved corrective actions before they become audit findings.
Key takeaways
- ISO 27001 certification tests whether identity and access controls are provable, not just well designed.
- The practical scale of the work is substantial, with most organisations needing 6 to 12 months before certification is realistic.
- Teams that want stable certification outcomes need scope discipline, evidence discipline, and recurring control review discipline.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | ISO 27001 access governance maps directly to managed entitlements and reviews. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and lifecycle controls are central to the ISMS evidence story. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust strengthens the access control logic behind ISO 27001 governance. |
Align identity and resource access decisions with least privilege and continuous verification.
Key terms
- Statement of Applicability: The Statement of Applicability is the document that explains which ISO 27001 controls are in scope and why. It connects risk assessment to control selection and exclusion, creating the audit trail that shows how the information security management system was designed and governed.
- Information Security Management System: An Information Security Management System is the governance structure used to plan, operate, review, and improve security controls. ISO 27001 treats it as an ongoing operating model, not a one-time project, so policy, evidence, risk treatment, and review all have to work together.
- Surveillance Audit: A surveillance audit is a periodic review used to confirm that certified controls still operate as documented. It checks whether the organisation continues to meet the standard over time, which makes operational evidence, control ownership, and corrective action tracking essential.
- Risk Treatment Plan: A Risk Treatment Plan records how identified risks will be handled through mitigation, avoidance, transfer, or acceptance. In ISO 27001, it is a governance artifact that shows why a control exists and how the organisation expects it to reduce exposure.
Deepen your knowledge
ISO 27001 scoping, evidence collection, and access control governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning identity controls to an ISMS, it is worth exploring.
This post draws on content published by StrongDM: ISO 27001 Certification Process: A Definitive Guide. Read the original.
Published by the NHIMG editorial team on 2025-10-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org