TL;DR: Maintaining ISO 27001 certification depends on recurring audits, control updates, training, and evidence collection across a three-year cycle. StrongDM notes that letting compliance lapse raises breach risk and cost, and that routine internal and external auditing alone runs roughly $15,000 a year. The harder issue for IAM teams is that certification discipline often outpaces the governance reality of non-human identities.
At a glance
What this is: This article explains how organisations keep ISO 27001 certification current through audits, remediation, training, and evidence collection, with access control and logging doing much of the practical work.
Why it matters: For IAM and NHI practitioners, it shows that certification maintenance is really a recurring identity governance exercise, especially where service accounts and privileged access create audit risk.
By the numbers:
- ISO 27001 certifications are valid for three years.
- ISO 27001 audit costs (internal and external auditing) total roughly $15,000 annually.
- Security enhances user trust, and customers are 49% more likely to buy, or buy more, from trusted companies.
👉 Read StrongDM's guide to maintaining ISO 27001 certification in 2026
Context
ISO 27001 maintenance is not a one-time compliance event. It is a repeatable control and evidence discipline that must keep pace with organisational growth, changing systems, and expanding access paths, including the non-human identities that often sit outside routine review cycles. For IAM teams, the challenge is not passing an audit once, but proving that access governance remains live between audits.
The article frames certification as an ongoing management task built around internal reviews, external surveillance, remediation, and training. That is directionally correct, but the access-control burden becomes more complex when service accounts, API keys, tokens, and other NHIs accumulate faster than human identity processes can track them. In that sense, the article describes a common maturity path, but the NHI layer is where many organisations still underbuild control assurance.
Key questions
Q: How should organisations keep ISO 27001 controls effective between audits?
A: They should run ISO 27001 as a continuous control programme, not an annual paperwork exercise. That means keeping inventories current, reviewing access regularly, testing remediation, and preserving evidence for both human and non-human identities. When controls drift between surveillance audits, certification risk rises quickly.
Q: Why do non-human identities create ISO 27001 audit risk?
A: Non-human identities create audit risk because they often outnumber human accounts, change faster, and are less visible to standard review processes. If service accounts and tokens are not inventoried, owned, and rotated, the organisation cannot prove that access is still justified or that revocation works reliably.
Q: What is the difference between passing an ISO 27001 audit and maintaining certification?
A: Passing an audit is a point-in-time outcome, while maintaining certification requires sustained control performance across the entire certification cycle. The difference is operational discipline. Organisations need ongoing access review, logging, remediation, training, and lifecycle management for privileged identities to avoid control decay.
Q: When should security teams treat NHI governance as part of compliance work?
A: They should treat NHI governance as part of compliance work whenever service accounts, API keys, or automation tokens can access controlled systems. If those identities are outside review, the organisation has a blind spot that can undermine evidence, access control, and recertification readiness.
Technical breakdown
Why ISO 27001 maintenance becomes an identity control problem
ISO 27001 maintenance depends on demonstrating that controls still operate as designed after the initial certification event. In practice, that means ongoing risk assessment, evidence collection, internal audit, management review, remediation, and surveillance audits. The control plane is not only policies and documentation. It is also the access layer that produces logs, enforces least privilege, and proves who or what touched critical systems. For NHIs, this matters because service accounts, automation tokens, and machine credentials often bypass the human review rhythms built into compliance programmes. When those identities are not inventoried, rotated, and offboarded with the same discipline as user accounts, audit evidence becomes partial rather than reliable.
Practical implication: Treat ISO 27001 upkeep as continuous identity governance, not periodic documentation work.
How audit evidence breaks down when NHIs are outside the review loop
Audit evidence is only as strong as the systems that generate it. If privileged access is spread across cloud services, databases, clusters, and automation pipelines, teams need consistent logging, correlation, and ownership for each non-human identity. Otherwise, an auditor may see a control on paper but not a complete operational trail. The deeper problem is that NHIs can be created quickly and forgotten just as quickly, especially when infrastructure changes are frequent. That creates gaps in access review, approval traceability, and revocation records. In regulated environments, those gaps are often more damaging than a single weak policy because they undermine the repeatability of the entire control environment.
Practical implication: Map every privileged NHI to an owner, lifecycle state, and logging source before the next surveillance audit.
Continuous control validation for privileged access and NHI sprawl
Continuous validation is the practical answer to certification drift. Rather than waiting for annual audit windows, organisations need to verify that access rights, secrets, and exceptions are still justified as systems change. That is especially important where zero trust and privileged access management are expected to support ISO 27001 evidence. The relevant question is not whether controls exist, but whether they still constrain blast radius when a token, key, or service account is compromised. For NHIs, this means inventory, rotation, scoped privileges, and termination workflows must be operational, not aspirational. Certification survives when access changes are matched by control changes.
Practical implication: Automate NHI reviews and revocation checks so control evidence stays current between audits.
Threat narrative
Attacker objective: The attacker aims to exploit weak identity governance to expand access quietly before detection or audit scrutiny intervenes.
- Entry occurs when overprivileged NHIs or stale access paths remain active after system changes and audit cycles.
- Escalation follows when those identities can reach infrastructure, data stores, or automation workflows beyond their intended scope.
- Impact is audit failure, control erosion, and increased exposure to breach conditions that certification was meant to reduce.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Certification maintenance is really an identity governance discipline. ISO 27001 language is about an information security management system, but the operational proof usually comes from access control, logging, review, and revocation. When NHIs are unmanaged, the evidence chain weakens even if policy language looks complete. Practitioners should treat NHI lifecycle control as part of certification survival, not as a separate optimisation project.
Persistent machine access is the hidden compliance debt in most audit programmes. Human users are reviewed, trained, and offboarded through familiar processes, while service accounts and tokens often live in application logic, CI/CD tooling, and cloud permissions. That mismatch creates trust debt that accumulates between surveillance audits. The practical conclusion is clear: if an organisation cannot account for its NHIs, it cannot claim strong control assurance.
Identity blast radius is the right concept for evaluating ISO 27001 readiness. The issue is not only whether a credential exists, but how far it can move if misused. A small access flaw in a privileged service account can become a broad compliance failure when evidence, ownership, and revocation are missing. Teams should measure the blast radius of every high-value NHI before the auditor does.
Security programmes that separate compliance from IAM are already behind. ISO maintenance, privileged access management, and NHI governance are converging into the same operational workstream. Organisations that keep these functions isolated will struggle to show consistent control performance. The better model is a shared operating rhythm for inventory, review, rotation, and exception handling.
ISO 27001 renewal should be used as a forcing function for NHI remediation. Renewal windows create deadlines, but the real value comes from fixing identity sprawl before the next assessment. That means assigning ownership, reducing standing privilege, and closing the systems where secrets persist without review. Practitioners should use certification work to shrink identity risk, not just satisfy evidence requests.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why audit evidence and real control state often diverge.
- For a broader remediation lens, see Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs, and compare inventory, rotation, and offboarding practices against your own programme.
What this signals
ISO 27001 programmes that do not explicitly include NHIs will keep generating partial assurance. The compliance model is still useful, but it only works when ownership, rotation, and revocation extend to the machine layer that now carries a large share of privileged access. The practical shift is to treat NHI governance as a standing control objective, not an audit-season task.
Identity blast radius: teams should start measuring how much damage a single service account or token can do before the next audit. If a credential can reach multiple cloud services or automation paths, the organisation has a governance problem even when the paperwork looks complete. That is where NIST Cybersecurity Framework 2.0 and Zero Trust thinking align most closely with ISO maintenance.
With 97% of NHIs carrying excessive privileges, the exposure is structural rather than isolated, and the audit programme should reflect that reality. The immediate implication is to tighten access scope, accelerate revocation, and move high-risk credentials into a monitored lifecycle process before renewal pressure exposes the gap.
For practitioners
- Audit all non-human identities in the ISMS scope: Build a complete inventory of service accounts, API keys, tokens, certificates, and automation identities that can touch controlled systems. Tie each one to an owner, purpose, and review date so the evidence trail is auditable.
- Align access reviews with surveillance audit cadence: Schedule recurring reviews for privileged NHIs before each internal and external audit cycle. Confirm that access remains necessary, logged, and revocable, especially for identities embedded in CI/CD pipelines and cloud automation.
- Automate rotation and revocation for high-risk secrets: Use automated rotation where credentials are long-lived or broadly scoped, and require immediate revocation when ownership changes or systems are retired. The goal is to prevent stale access from surviving the audit window.
- Document evidence for every exception and override: Track temporary access, break-glass use, and policy exceptions in a single place so reviewers can trace why access existed, who approved it, and when it expired. Missing exception records are a common audit weakness.
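The continuous validation described under "Continuous control validation for privileged access and NHI sprawl" and the practitioner checklist above come down to one recurring check: take the NHI inventory, test each identity against the lifecycle controls (owner, review date, rotation age, scope, log source, revocation after decommissioning), and retain the result as evidence. The script below is an added example written for this post; it is not StrongDM's or NHIMG's code. The inventory schema, the 90-day rotation limit, the broad-scope markers, and the three sample identities are all assumptions constructed for illustration, so map them onto your own inventory fields and policy thresholds.

```python
"""Recurring NHI control check over an inventory snapshot, producing an evidence record.

Added example, not code from the original article. The inventory schema, the
thresholds and the sample identities are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Review thresholds. Assumed values; set them from your own access-control and
# secrets policy, because that policy is what the auditor compares evidence against.
MAX_SECRET_AGE_DAYS = 90
BROAD_SCOPE_MARKERS = ("*", "admin", "owner")


@dataclass(frozen=True)
class NHI:
    """One non-human identity as recorded in the inventory (assumed schema)."""
    name: str
    kind: str                       # "service_account", "api_token", ...
    owner: str | None               # accountable person or team
    lifecycle_state: str            # "active" or "retired"
    last_rotated: date | None
    review_due: date | None
    scopes: tuple[str, ...]         # permissions granted to the identity
    log_source: str | None          # where its activity is logged
    system_retired: bool = False    # the system it serves has been decommissioned


@dataclass(frozen=True)
class Finding:
    nhi: str
    control: str   # ownership | review | rotation | least_privilege | logging | revocation
    detail: str


def review_nhi(nhi: NHI, today: date) -> list[Finding]:
    """Check one NHI against the lifecycle controls an auditor will ask about."""
    findings: list[Finding] = []
    if not nhi.owner:
        findings.append(Finding(nhi.name, "ownership", "no accountable owner recorded"))
    if nhi.review_due is None or nhi.review_due < today:
        findings.append(Finding(nhi.name, "review", "access review missing or overdue"))
    if nhi.last_rotated is None:
        findings.append(Finding(nhi.name, "rotation", "no rotation record"))
    elif (today - nhi.last_rotated).days > MAX_SECRET_AGE_DAYS:
        age = (today - nhi.last_rotated).days
        findings.append(Finding(nhi.name, "rotation",
                                f"secret is {age} days old (limit {MAX_SECRET_AGE_DAYS})"))
    broad = [s for s in nhi.scopes if any(m in s for m in BROAD_SCOPE_MARKERS)]
    if broad:
        findings.append(Finding(nhi.name, "least_privilege", "broad scopes: " + ", ".join(broad)))
    if not nhi.log_source:
        findings.append(Finding(nhi.name, "logging", "no log source mapped; activity is not evidenced"))
    if nhi.system_retired and nhi.lifecycle_state == "active":
        findings.append(Finding(nhi.name, "revocation", "system retired but identity still active"))
    return findings


def review_inventory(inventory: tuple[NHI, ...], today: date) -> dict[str, list[Finding]]:
    """Run the check over the whole inventory; an empty list means the NHI passed."""
    return {nhi.name: review_nhi(nhi, today) for nhi in inventory}


def evidence_record(inventory: tuple[NHI, ...], today: date) -> dict:
    """Summarise one review run in the shape you would retain as surveillance-audit evidence."""
    results = review_inventory(inventory, today)
    all_findings = [f for fs in results.values() for f in fs]
    return {
        "reviewed_on": today.isoformat(),
        "identities_reviewed": len(inventory),
        "compliant": sum(1 for fs in results.values() if not fs),
        "findings_by_control": dict(Counter(f.control for f in all_findings)),
        "findings": [(f.nhi, f.control, f.detail) for f in all_findings],
    }


# Constructed sample inventory (fictitious identities) reviewed on a fixed date.
REVIEW_DATE = date(2025, 10, 17)
SAMPLE_INVENTORY = (
    NHI("svc-payments-db-reader", "service_account", "platform-team", "active",
        REVIEW_DATE - timedelta(days=30), REVIEW_DATE + timedelta(days=60),
        ("db:payments:read",), "cloudtrail"),
    NHI("ci-deploy-token", "api_token", None, "active",
        REVIEW_DATE - timedelta(days=200), REVIEW_DATE - timedelta(days=10),
        ("repo:*", "deploy:prod"), "gitlab-audit"),
    NHI("legacy-reporting-sa", "service_account", "data-team", "active",
        REVIEW_DATE - timedelta(days=45), REVIEW_DATE + timedelta(days=20),
        ("bigquery:dataset:reporting",), None, system_retired=True),
)

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record(SAMPLE_INVENTORY, REVIEW_DATE), indent=2))
```

Run on a schedule (before each surveillance audit at the latest) and store the returned record alongside the tickets that close each finding; the record plus the remediation trail is the evidence that review, rotation and revocation actually operate between audits rather than existing only as policy text.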
Key takeaways
- ISO 27001 maintenance becomes fragile when service accounts and other NHIs are outside the same control rhythms used for human identities.
- The main evidence gap is not policy language but lifecycle management, especially inventory, ownership, rotation, and revocation for privileged machine credentials.
- Teams that want certification to hold should treat NHI governance as part of access control, not as a separate technical backlog.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Recurring rotation and revocation are central to maintaining ISO evidence for machine credentials. |
| NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 PR.AC-4 outcome, reorganised under Identity Management, Authentication, and Access Control) | Access permissions must stay aligned with least privilege across human and non-human identities. |
| NIST Zero Trust (SP 800-207) | Continuous verification | Supports the article's emphasis on ongoing control maintenance. |
Use Zero Trust principles to recheck machine access continuously instead of relying on point-in-time approval.
Key terms
- Non-Human Identity: A non-human identity is a digital identity used by software, services, workloads, or automation instead of a person. It can include service accounts, API keys, tokens, certificates, and AI agents. These identities often carry privileged access and require lifecycle controls just like human accounts.
- Information Security Management System: An information security management system is the operating structure an organisation uses to manage security policies, controls, responsibilities, and evidence. Under ISO 27001, it is the framework auditors assess, but its real strength depends on whether access, logging, and remediation work consistently in practice.
- Surveillance Audit: A surveillance audit is a recurring review used to confirm that certification controls remain effective between renewal cycles. It is not a one-time checklist. Organisations must show continued control operation, corrective action, and evidence quality, or they risk non-conformance and loss of certification.
- Identity Blast Radius: Identity blast radius is the amount of damage a single credential or account can cause if it is misused or compromised. It reflects scope, privilege, and system reach. Lowering blast radius means reducing standing access, narrowing permissions, and ensuring revocation works quickly when risk appears.
Deepen your knowledge
ISO 27001 maintenance, privileged access review, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a compliance programme from a similar starting point, it is worth exploring.
This post draws on content published by StrongDM: How to Maintain ISO 27001 Certification in 2026 and Beyond. Read the original.
Published by the NHIMG editorial team on 2025-10-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org