TL;DR: ISO 27001 still centres on scope, leadership, measurable objectives, operations, audits, and corrective action, with Annex A providing 93 recommended controls for the ISMS, according to StrongDM’s guide. The real issue for IAM teams is not certification mechanics but whether access governance, logging, and deprovisioning are consistent enough to survive audit scrutiny and operational drift.
At a glance
What this is: This is a guide to the 11 ISO 27001 clauses and how Annex A supports ISMS design, with emphasis on access control, logging, and audit evidence.
Why it matters: It matters because IAM, PAM, and NHI programmes often become the evidence layer for ISO 27001, and weak provisioning, review, or logging quickly turns compliance into a paper exercise.
By the numbers:
- The most recent edition, ISO 27001:2022, uses the same two-part framework established in the ISO 27001:2013 requirements.
- Part two, Annex A, lists 93 recommended controls that organisations select from to meet the ISMS requirements.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read StrongDM's guide to ISO 27001 requirements in 2026
Context
ISO 27001 is a governance standard for building and maintaining an information security management system, or ISMS. In practice, it turns security into documented scope, leadership accountability, measurable objectives, operating procedures, audit activity, and corrective action, which is why access governance becomes central to the certification story.
For identity teams, the standard matters less as a checklist than as an evidence model. Human access reviews, PAM controls, service account governance, and NHI logging often become the artefacts auditors inspect when they want proof that the ISMS is real, not just written down.
Key questions
Q: How should security teams turn ISO 27001 into useful identity governance evidence?
A: They should connect scope, approvals, lifecycle handling, and logging to the ISMS so that each access decision can be traced back to a control and an owner. That means human access, privileged access, and NHI access all need defensible records. The goal is not more documentation, but evidence that the control actually operates.
Q: Why do access reviews often fall short in ISO 27001 programmes?
A: Access reviews fail when they are treated as a periodic admin task instead of proof that entitlement decisions are current, owned, and reversible. If the organisation cannot show who approved access, when it was last reviewed, and how removal is enforced, the review has little audit value. That is especially true for privileged and non-human identities.
Q: What breaks when service account lifecycle controls are missing in an ISO 27001 environment?
A: The ISMS can still exist on paper, but the organisation loses the ability to prove that access is limited, reviewable, and removed when no longer needed. Missing lifecycle controls create stale credentials, unclear ownership, and weak evidence for auditors. In practice, that turns identity into an unmanaged exception path.
Q: Who is accountable when access evidence does not support ISO 27001 claims?
A: Accountability sits with the ISMS owner, the identity control owners, and the leadership sign-off chain that accepted the scope and control decisions. If logs, approvals, or exceptions cannot be produced, the issue is not just technical. It is a governance failure that the organisation must be able to explain in audit terms.
Technical breakdown
ISO 27001 clauses 4 to 7 and ISMS governance evidence
Clauses 4 to 7 define the management system around the security programme, not a control set. They require a scoped ISMS (clause 4), leadership commitment and an information security policy (clause 5), risk treatment and measurable objectives (clause 6), and the resources, competence, awareness and documented information needed to run it (clause 7); clauses 8 to 10 then cover operation, performance evaluation and improvement. In identity terms, that means the organisation must be able to show who owns access policy, how it maps to risk, and how teams prove competence and accountability. Auditors usually look for consistency between policy, process, and evidence, not just the existence of documents.
Practical implication: map IAM and PAM ownership, approvals, and review cadences directly into ISMS scope and evidence packs.
Annex A controls and access provisioning evidence
Annex A contains the recommended control set that organisations can adopt or justify out of scope. For IAM practitioners, the key point is that access provisioning, deprovisioning, segregation of duties, and event logging are not isolated tasks. They are control families that must be documented, tested, and tied to risk treatment. ISO 27001 certification often depends on whether the organisation can show repeatable control operation across people, systems, and privileged access paths.
Practical implication: document provisioning, deprovisioning, and logging as repeatable control processes, not one-off admin tasks.
Statement of Applicability and audit-ready access control
The Statement of Applicability is the bridge between Annex A and the implemented ISMS. Teams must explain which controls are applied and why any control is excluded, which makes it a governance artefact, not just a compliance form. This is where identity security teams need to prove that access controls are risk-based, current, and traceable. If privileged access, secrets handling, or account lifecycle controls cannot be evidenced, the SoA becomes a weak point rather than a record.
Practical implication: maintain a current Statement of Applicability that reflects real access decisions, exceptions, and evidence.
Breaches seen in the wild
- Sisense breach — unauthorised access to a GitLab repository led to the exfiltration of access tokens, API keys and certificates.
- DeepSeek breach — an exposed database leaked over 1M log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ISO 27001 is an evidence framework for identity control, not just a certification exercise. The standard rewards organisations that can show repeatable decisions, traceable ownership, and ongoing review. That makes IAM, PAM, and NHI processes part of the compliance backbone rather than supporting detail. The practical conclusion is that identity evidence has to be built into the ISMS from the start.
Access provisioning and deprovisioning are the points where ISO 27001 usually becomes operationally real. Clauses and Annex A controls only matter if access changes are documented, approved, and reversible. Where service accounts or human privileges exist without consistent lifecycle handling, the ISMS may be formally correct but operationally hollow. The practitioner takeaway is that lifecycle gaps undermine the control story auditors are asked to trust.
Audit readiness depends on whether logging proves control operation, not just system activity. ISO 27001 expects organisations to measure, review, and improve security controls over time. That means logs, reports, and review records must show who changed access, when, why, and under what authority. The practical conclusion is that visibility is only valuable when it can be turned into defensible evidence.
ISO 27001 pushes organisations toward a governance model that spans human identity and non-human identity equally. The standard does not separate people from service accounts in the way many operational teams do. It asks whether security controls are scoped, applied, measured, and improved across the full environment. The practitioner conclusion is that identity programmes that stop at human IAM will leave a compliance blind spot in machine access.
Statement of Applicability discipline is the control gap many teams underestimate. A Statement of Applicability assumes a stable mapping between risk decisions and implemented controls. That assumption fails when access governance is fragmented across teams, tools, and identity types, because exclusions, exceptions, and ownership drift faster than the document is updated. The implication is that compliance teams must rethink the decision trail, not just add more controls.
From our research:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- For teams building an audit-ready identity programme, the governance gap is often lifecycle evidence, not policy intent. The Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs are the next resources to pressure-test.
What this signals
Control evidence will matter more than control claims. ISO 27001 programmes are increasingly judged by whether access decisions, review outcomes, and exception handling can be reconstructed from records. For identity teams, that means the operational quality of logs and approvals becomes a compliance signal, not just a security one.
Lifecycle discipline is the hidden hinge in many certification efforts. If access removal, role changes, and privileged exception handling are inconsistent, the ISMS can satisfy policy language while failing the evidence test. Teams should treat the Lifecycle Processes for Managing NHIs as a model for making identity controls audit-verifiable.
The organisations that will move fastest on ISO 27001 are the ones that treat human IAM, PAM, and NHI governance as one control system. That alignment reduces duplicate evidence requests, closes ownership gaps, and makes the Statement of Applicability easier to defend during review.
For practitioners
- Tie ISO scope to identity ownership: Define which human, privileged, and non-human access paths sit inside the ISMS scope document, and name the control owners who can evidence approval, review, and exception handling.
- Make access lifecycle evidence auditable: Record provisioning, deprovisioning, and exception handling in a way that lets auditors trace each access decision back to policy and risk treatment.
- Map logging to control outcomes: Use event logs and management reviews to show that access controls are operating as designed, rather than only showing that systems generated activity.
- Refresh the Statement of Applicability on control drift: Review Annex A applicability whenever identity architecture, third-party access, or privileged workflows change, and document the rationale for every exclusion.
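The three practitioner points above (auditable lifecycle evidence, logs that prove control outcomes, and a current record of exceptions) come together when you try to reconstruct an access decision from records. The script below is an added example written for this page, not code from StrongDM or from NHIMG's own tooling. It replays a constructed JSON-lines log of grant, review, rotate, revoke and offboard events and produces the findings an auditor would ask about: grants with no recorded approver or ticket, active access whose last review or credential rotation is older than a threshold, access that survived offboarding, and revocations with no matching grant. The event names, field names and the 90-day thresholds are assumptions for the example, not any product's schema or an ISO 27001 requirement.

```python
"""Reconstruct access-lifecycle evidence from event logs (added example).

Field names, event types and thresholds are assumptions for this example.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real data. One JSON event per line, time-ordered.
SAMPLE_LOG = """
{"ts":"2025-01-10T09:00:00Z","event":"grant","identity":"alice","kind":"human","resource":"prod-db","approver":"dbowner","ticket":"CHG-101"}
{"ts":"2025-01-10T09:05:00Z","event":"grant","identity":"svc-billing","kind":"service","resource":"prod-db","approver":"dbowner","ticket":"CHG-102"}
{"ts":"2025-02-01T10:00:00Z","event":"grant","identity":"bob","kind":"human","resource":"prod-db","approver":null,"ticket":null}
{"ts":"2025-03-01T12:00:00Z","event":"review","identity":"alice","resource":"prod-db","reviewer":"dbowner","outcome":"retain"}
{"ts":"2025-03-01T12:01:00Z","event":"rotate","identity":"svc-billing","resource":"prod-db"}
{"ts":"2025-06-15T08:00:00Z","event":"offboard","identity":"alice","kind":"human"}
{"ts":"2025-06-15T08:30:00Z","event":"revoke","identity":"carol","resource":"prod-db"}
{"ts":"2025-08-20T15:00:00Z","event":"grant","identity":"ci-deployer","kind":"service","resource":"prod-k8s","approver":"platform-lead","ticket":"CHG-210"}
"""

# Assumed audit date and evidence thresholds (days) for the example.
AS_OF = datetime(2025, 9, 1, tzinfo=timezone.utc)
REVIEW_MAX_DAYS = 90
ROTATION_MAX_DAYS = 90


def parse_events(text):
    """Parse JSON-lines into dicts with timezone-aware timestamps, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def reconstruct(events, as_of, review_max_days=REVIEW_MAX_DAYS,
                rotation_max_days=ROTATION_MAX_DAYS):
    """Replay events into per-(identity, resource) grant state and evidence findings.

    Returns (grants, findings); each finding is (code, identity, resource, detail).
    """
    grants, offboarded, findings = {}, set(), []
    for ev in events:
        key = (ev["identity"], ev.get("resource"))
        if ev["event"] == "grant":
            # A grant with no approver or change ticket cannot be traced to an owner.
            if not ev.get("approver") or not ev.get("ticket"):
                findings.append(("unapproved_grant", ev["identity"], ev["resource"],
                                 "no approver or ticket recorded"))
            # The approval counts as the first review; the credential is issued at grant.
            grants[key] = {"kind": ev.get("kind", "unknown"), "granted": ev["ts"],
                           "approver": ev.get("approver"), "ticket": ev.get("ticket"),
                           "last_review": ev["ts"], "last_rotate": ev["ts"], "active": True}
        elif ev["event"] == "review":
            if key in grants and grants[key]["active"]:
                grants[key]["last_review"] = ev["ts"]
            else:
                findings.append(("review_without_grant", ev["identity"], ev.get("resource"),
                                 "review recorded for access that is not active"))
        elif ev["event"] == "rotate":
            if key in grants:
                grants[key]["last_rotate"] = ev["ts"]
        elif ev["event"] == "revoke":
            if key in grants and grants[key]["active"]:
                grants[key]["active"] = False
                grants[key]["revoked"] = ev["ts"]
            else:
                # Removal evidence that points at nothing is itself a record-keeping gap.
                findings.append(("revoke_without_grant", ev["identity"], ev.get("resource"),
                                 "no matching active grant"))
        elif ev["event"] == "offboard":
            offboarded.add(ev["identity"])

    # Second pass: judge every still-active grant against the audit date.
    for (identity, resource), g in grants.items():
        if not g["active"]:
            continue
        if identity in offboarded:
            findings.append(("access_survives_offboarding", identity, resource,
                             "identity offboarded but grant still active"))
        if as_of - g["last_review"] > timedelta(days=review_max_days):
            findings.append(("stale_review", identity, resource,
                             f"last reviewed {g['last_review'].date()}"))
        if g["kind"] == "service" and as_of - g["last_rotate"] > timedelta(days=rotation_max_days):
            findings.append(("credential_not_rotated", identity, resource,
                             f"last rotated {g['last_rotate'].date()}"))
    return grants, findings


def summarise(findings):
    """Count findings by code, the shape an evidence pack or management review needs."""
    return dict(Counter(code for code, _, _, _ in findings))


def run_sample():
    """Run the reconstruction over the constructed log at the assumed audit date."""
    return reconstruct(parse_events(SAMPLE_LOG), AS_OF)


if __name__ == "__main__":
    _, found = run_sample()
    for code, identity, resource, detail in found:
        print(f"{code:28} {identity:12} {resource or '-':10} {detail}")
    print(summarise(found))
```

On the constructed log, the only clean record is ci-deployer on prod-k8s: approved, ticketed, and within both thresholds. Everything else produces a finding, which is the point: the log shows plenty of activity, but only the replay shows whether each control actually operated. In a real ISMS the thresholds would come from the access policy and the SoA, and the output would be filed as the evidence behind the access review rather than generated ad hoc at audit time.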
Key takeaways
- ISO 27001 is about proving an operating security system, not just naming security policies.
- Identity provisioning, review, and deprovisioning often determine whether access controls can be evidenced during audit.
- Teams that align human IAM, PAM, and NHI lifecycle records to the ISMS will find certification and maintenance far easier to defend.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control outcomes practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | ISO 27001 access governance maps to least-privilege entitlement management and access review. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding, NHI7:2025 Long-Lived Secrets | Lifecycle gaps for API keys and service accounts mirror the offboarding and rotation weaknesses in the Top 10. |
| NIST CSF 2.0 | GV.RM-01 | ISMS scope, evidence, and exceptions are governance and risk decisions. |
Tie ISO 27001 scope decisions to documented risk ownership and control exceptions.
Key terms
- Information Security Management System: An information security management system is the governance structure an organisation uses to define, operate, measure, and improve security. In ISO 27001, it is the documented system of scope, policy, controls, review, and corrective action that turns security into a managed business process.
- Statement Of Applicability: A Statement of Applicability is the document that records which Annex A controls are in scope and why. It is not just a form. It is the proof trail that links risk decisions, exclusions, and implemented controls back to the organisation's security management system.
- Annex A: Annex A is the control catalogue associated with ISO 27001. It provides the recommended control set organisations can use to support their ISMS, along with the requirement to justify whether each control is applied, excluded, or out of scope.
- Access Lifecycle Governance: Access lifecycle governance is the discipline of provisioning, reviewing, changing, and removing access in a controlled way. For IAM and NHI programmes, it is the difference between access that can be evidenced and access that exists only because no one has yet challenged it.
Deepen your knowledge
ISO 27001 requirements and identity lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an audit-ready access model from the same starting point, it is worth exploring.
This post draws on content published by StrongDM: What Are the ISO 27001 Requirements in 2026? Read the original.
Published by the NHIMG editorial team on 2025-10-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org