By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: ISO 27001 Annex A translates information-security intent into 93 controls across governance, people, physical and technology domains, but, as Zluri's article shows, implementation still depends on risk assessment, access control, monitoring and audit discipline. For IAM teams, the real test is whether certification work becomes living identity governance rather than a document-led compliance exercise.


At a glance

What this is: This is an overview of ISO 27001 Annex A controls and how they support an ISMS, with emphasis on access, audit, incident response, and compliance processes.

Why it matters: It matters because ISO 27001 implementation overlaps directly with IAM, NHI governance, lifecycle controls, and assurance processes that security teams must operationalize.

👉 Read Zluri's guide to ISO 27001 controls and Annex A


Context

ISO 27001 controls are the policy, process, and technical measures used to build and prove an information security management system. For identity teams, the point is not certification theatre. It is whether access, logging, review, and offboarding actually map to the way users, service accounts, and privileged workflows operate day to day.

The article frames ISO 27001 as a governance system that spans access control, incident response, asset management, and compliance. That makes it relevant to IAM, PAM, and NHI programmes because each of those disciplines has to evidence control design, operating effectiveness, and reviewability under audit pressure.


Key questions

Q: How should organisations map ISO 27001 controls to IAM and NHI governance?

A: Start by treating identity controls as evidence-bearing controls, not just policy statements. Map access provisioning, review, logging, and deprovisioning to the ISO 27001 statement of applicability, then define the records each control must generate. That gives auditors a trace from risk treatment to operational proof and prevents controls from existing only on paper.

Q: Why do ISO 27001 programmes often fail on access governance?

A: They often fail when access reviews are treated as administrative checkpoints instead of lifecycle controls. If review outcomes do not trigger revocation, privilege reduction, or ownership correction, the certification artefact exists but the control does not. The same problem appears with service accounts and tokens, where ownership and expiry are poorly enforced.

Q: How do organisations know whether ISO 27001 identity controls are actually working?

A: Look for operating evidence, not policy language. Effective controls produce current inventories, review records, exception handling, monitoring alerts, and remediation tickets that can be traced across the audit period. If a control cannot show what changed because of it, it is not delivering measurable governance.

Q: Which frameworks align best with ISO 27001 identity governance work?

A: The closest practical alignments are the NIST Cybersecurity Framework 2.0 for governance and control outcome mapping, and NIST SP 800-207 for zero-trust access design. For non-human identity teams, this combination helps translate ISO 27001 intent into enforceable access, monitoring, and lifecycle practices.


Technical breakdown

Annex A controls and the statement of applicability

ISO 27001 does not require every control to be implemented in the same way everywhere. Organisations build a statement of applicability, select controls based on risk treatment, and then justify exclusions. That makes Annex A less like a static checklist and more like a governance map tying risk assessment to specific operational controls. For identity teams, this matters because access control, logging, and lifecycle processes must be described in a way auditors can trace from policy to evidence.

Practical implication: align identity controls to the SoA so each entitlement, review, and deprovisioning rule has an audit trail.

Access control, monitoring, and lifecycle governance

The article groups access control, monitoring, and deprovisioning into the core of ISO 27001 practice. That is the right mental model for identity security because the standard is not only about who can log in, but also about how access is provisioned, reviewed, logged, and removed. In NHI environments, the same logic applies to service accounts, tokens, and API keys, where standing access often outlives the business need that justified it.

Practical implication: treat lifecycle governance as part of access control, not as a separate administrative task.

Audit evidence and certification readiness

ISO 27001 certification is won or lost on evidence. The article emphasises internal audits, corrective actions, and external certification audits, all of which require controls to be demonstrably operating. For IAM and NHI teams, that means policies alone are insufficient unless they produce logs, review records, exception handling, and remediation outputs that can survive scrutiny. A control that works but cannot be evidenced will still fail audit.

Practical implication: design identity processes so every important control leaves a durable evidence trail.


NHI Mgmt Group analysis

ISO 27001 becomes an identity governance test the moment access controls are treated as evidence-producing processes. The article correctly presents access control, monitoring, and incident response as part of a broader ISMS, but the discipline behind certification is stronger than a policy checklist. In practice, this means IAM and NHI programmes are being judged on whether they can show decision history, review history, and removal history. The practitioner conclusion is straightforward: if a control cannot produce evidence, it is not governable.

Access review discipline is the hidden control plane in ISO 27001 implementation. The standard’s audit logic rewards organisations that can prove who had access, why they had it, and when it was withdrawn. That applies equally to human accounts and non-human identities, where standing entitlements and opaque ownership are common failure points. The practitioner conclusion is to treat access certification as a control with operational teeth, not a periodic administrative task.

Identity lifecycle governance is where ISO 27001 and real security maturity intersect. The article’s lifecycle-like steps, from gap analysis through corrective action, show that controls only matter when they change behaviour over time. For NHIs, this means provisioning, rotation, and offboarding must be tied to the same governance discipline used for employees and contractors. The practitioner conclusion is to align lifecycle ownership across IAM, PAM, and NHI teams before certification work begins.

Runtime identity visibility is what separates auditable controls from decorative controls. ISO 27001 expects organisations to detect, investigate, and correct non-conformities, which requires observability across both human and machine access. The moment service accounts, API keys, and third-party integrations are hidden from inventory or reviews, the ISMS loses integrity. The practitioner conclusion is to make identity inventory and entitlement monitoring a formal control objective, not an afterthought.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Another finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which leaves delegated access outside routine governance.
  • For a broader control lens, see the NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be governed together.

What this signals

Identity controls are only as strong as the evidence they generate. ISO 27001 thinking pushes security teams toward auditability, but the next maturity step is to make that auditability continuous across humans, service accounts, and workload identities. The control objective is no longer documentation alone; it is proof that access changes are being enforced in real time.

The governance gap is becoming more visible as organisations move from general security controls to explicit identity assurance. A practical next step is to tie ISO 27001 work to the NIST Cybersecurity Framework 2.0 so control intent, detection, and remediation line up in one operating model.

Evidence debt: when access decisions cannot be traced to an inventory item, an approval, and a removal action, the control exists only in policy form. That is the point at which IAM, PAM, and NHI teams should expect audit friction, because the programme cannot prove what it cannot observe.


For practitioners

  • Map identity controls to the statement of applicability: Document which IAM, PAM, and NHI controls are in scope, why they are in scope, and what evidence each control must produce during audit.
  • Tie access reviews to removal outcomes: Require each certification cycle to end with an explicit action for retained access, reduced access, or revocation, so reviews produce operational change.
  • Inventory non-human identities as auditable assets: Maintain a current inventory of service accounts, API keys, certificates, and workload identities, including ownership, purpose, and expiry or rotation rules.
  • Build evidence-first control workflows: Ensure logging, approvals, exceptions, and remediation steps are captured in a durable record that internal and external auditors can trace end to end.
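The four practitioner steps above, together with the lifecycle point made under "Access control, monitoring, and lifecycle governance", reduce to one workflow: an inventory item, a review decision that changes something, and a record of that change. The Python below is an added illustration written for this post, not code from Zluri or from the NHI Mgmt Group. The inventory, reviewer names and the `CONTROL_REF` statement-of-applicability identifier are constructed placeholders. It flags evidence debt (no owner, no expiry rule, expired but still entitled), applies retain / reduce / revoke decisions so a review cannot end without an action, and appends each action to a hash-chained evidence log so that an altered record is detectable.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import hashlib
import json

# Assumption: an internal statement-of-applicability reference that this review
# workflow evidences. Placeholder, not an Annex A control number.
CONTROL_REF = "SOA-ACCESS-REVIEW-01"

@dataclass
class NonHumanIdentity:
    name: str
    owner: Optional[str]        # None = ownership unknown, a governance gap
    purpose: str
    entitlements: list[str]
    expires_on: Optional[date]  # None = no expiry or rotation rule recorded

@dataclass
class ReviewDecision:
    identity: str
    outcome: str                # retain | reduce | revoke
    reviewer: str
    rationale: str
    keep: list[str] = field(default_factory=list)  # entitlements kept on "reduce"

def find_evidence_debt(inventory, today):
    """Inventory gaps that leave an access decision untraceable."""
    findings = []
    for nhi in inventory:
        if not nhi.owner:
            findings.append(f"{nhi.name}: no owner recorded")
        if nhi.expires_on is None:
            findings.append(f"{nhi.name}: no expiry or rotation rule")
        elif nhi.expires_on < today:
            findings.append(f"{nhi.name}: expired {nhi.expires_on} but still holds {nhi.entitlements}")
    return findings

def _digest(prev, body):
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True, default=str)).encode()).hexdigest()

def append_evidence(log, record):
    """Chain each record to the previous hash so a later edit to the trail is detectable."""
    prev = log[-1]["hash"] if log else "0" * 64
    log.append(dict(record, prev_hash=prev, hash=_digest(prev, record)))

def verify_evidence(log):
    """Recompute the chain; False if any record or link was altered."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k not in ("hash", "prev_hash")}
        if entry["prev_hash"] != prev or entry["hash"] != _digest(prev, body):
            return False
        prev = entry["hash"]
    return True

def certify(inventory, decisions, today, log):
    """Apply decisions: each changes or confirms entitlements and leaves one
    evidence record. Returns (still-active identities, identities nobody reviewed)."""
    by_name = {d.identity: d for d in decisions}
    active, unreviewed = [], []
    for nhi in inventory:
        d = by_name.get(nhi.name)
        if d is None:                 # a missed review is itself a finding
            unreviewed.append(nhi.name)
            active.append(nhi)
            continue
        before = list(nhi.entitlements)
        # An unknown outcome raises KeyError rather than silently retaining access.
        after = {"revoke": [], "reduce": [e for e in before if e in d.keep],
                 "retain": before}[d.outcome]
        nhi.entitlements = after
        append_evidence(log, {"control": CONTROL_REF, "identity": nhi.name, "owner": nhi.owner,
                              "reviewer": d.reviewer, "outcome": d.outcome, "rationale": d.rationale,
                              "before": before, "after": after, "reviewed_on": today})
        if after:                     # revoked identities leave the active set
            active.append(nhi)
    return active, unreviewed

# Constructed sample data; names, systems and reviewers are not real.
TODAY = date(2025, 6, 30)

def sample_inventory():
    return [
        NonHumanIdentity("svc-billing-export", "finance-platform", "nightly invoice export",
                         ["db:read:billing", "storage:write:exports"], date(2025, 12, 31)),
        NonHumanIdentity("ci-deploy-key", None, "CI deploy to staging",
                         ["deploy:staging", "deploy:prod"], date(2025, 3, 1)),
        NonHumanIdentity("legacy-report-bot", "analytics", "retired reporting job", ["db:read:all"], None),
    ]

SAMPLE_DECISIONS = [
    ReviewDecision("svc-billing-export", "retain", "a.patel", "required for month-end close"),
    ReviewDecision("ci-deploy-key", "reduce", "r.kim", "prod deploys moved elsewhere", keep=["deploy:staging"]),
    ReviewDecision("legacy-report-bot", "revoke", "a.patel", "job retired; owner confirmed no need"),
]

def run_cycle(decisions=SAMPLE_DECISIONS, today=TODAY):
    """One certification cycle over a fresh copy of the sample inventory."""
    inventory = sample_inventory()
    log = []
    active, unreviewed = certify(inventory, decisions, today, log)
    return {"debt": find_evidence_debt(sample_inventory(), today),
            "active": active, "unreviewed": unreviewed, "log": log}
```

On the sample data, `run_cycle()` yields three evidence-debt findings (one identity with no owner and an expiry already in the past, one with no expiry rule at all), two still-active identities after the revocation, and three chained evidence records; `verify_evidence` returns False as soon as any record is edited, and dropping a decision surfaces the identity in `unreviewed` rather than leaving it silently certified. The hash chain is a design choice of this example, not an ISO 27001 requirement: the standard asks that evidence be available and traceable, and a chained log is one inexpensive way to make "durable" mean something an auditor can check.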

Key takeaways

  • ISO 27001 is as much an identity governance framework as it is a security standard, because control effectiveness depends on traceable access decisions and lifecycle evidence.
  • The article’s strongest signal is that certification readiness lives in operational proof, not policy language, especially for access reviews, monitoring, and corrective actions.
  • For IAM and NHI teams, the practical priority is to connect inventories, approvals, revocations, and audit trails so every important control leaves durable evidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | Access control and lifecycle evidence are central to the article.
NIST Zero Trust (SP 800-207)     |                     | ISO 27001 access governance aligns with zero-trust verification and least privilege.
OWASP Non-Human Identity Top 10  | NHI-03              | The article's access and lifecycle themes fit non-human identity governance.

Apply NHI lifecycle controls to service accounts, tokens, and certificates so access does not persist indefinitely.


Key terms

  • Statement of Applicability: A statement of applicability is the document that lists which ISO 27001 controls are selected, which are excluded, and why. It turns risk assessment into an auditable control set and gives assessors a clear line from business context to implemented security measures.
  • Information Security Management System: An information security management system is the operating framework used to manage security risk through policies, processes, roles, and evidence. In ISO 27001 terms, it is the structure that makes controls testable, repeatable, and reviewable rather than ad hoc.
  • Access Certification: Access certification is the periodic review and confirmation of who should retain access to systems or data. It is only effective when review outcomes trigger removal, reduction, or formal exception handling, and when those actions are recorded as audit evidence.
  • Non-Human Identity: A non-human identity is a machine credential or software identity such as a service account, API key, token, certificate, or workload identity. These identities must be governed with the same rigor as human accounts because they often carry standing access and automate privileged action.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity in your organisation, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance ISO 27001 Controls Annex-A: All You Need To Know. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org