By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: ISO 27001 defines the requirements for an information security management system, while ISO 27002 provides implementation guidance for the controls, including access control and periodic review, according to Zluri. For IAM and governance teams, the practical distinction is between proving the system exists and showing the controls work consistently.


At a glance

What this is: This is a comparison of ISO 27001 and ISO 27002 that explains how the standards divide governance requirements from control guidance, with access reviews presented as a key implementation example.

Why it matters: It matters because IAM, IGA, and compliance teams need to separate policy design from operational proof when they evidence control effectiveness across human, NHI, and workload access.

👉 Read Zluri's explanation of ISO 27001 versus ISO 27002 for identity governance teams


Context

ISO 27001 and ISO 27002 solve different parts of the same security problem. One defines the information security management system, while the other explains how to implement specific controls, which matters for identity governance because access control and review evidence often sit at the centre of audit discussions.

For IAM and IGA teams, the useful question is not which standard is better, but which one governs the management system and which one supports the control execution. That distinction becomes especially important when organisations need to show that access reviews, least privilege, and revocation decisions are operating as intended across human users, service accounts, and other non-human identities. See the Ultimate Guide to NHIs for the lifecycle view of those controls.


Key questions

Q: How should IAM teams use ISO 27001 and ISO 27002 together?

A: Use ISO 27001 to define the management system, risk scope, and accountability model, then use ISO 27002 to implement the controls that support those decisions. IAM teams should treat the first as governance architecture and the second as the operating guide for access control, review, and evidence collection.

Q: Why do access reviews matter in ISO-aligned identity programmes?

A: Access reviews matter because they prove access is being checked against business need, not just granted once and forgotten. They create the evidence that supports least privilege, certification, and revocation decisions, which is essential when organisations need to demonstrate that identity controls are active rather than theoretical.

Q: What do organisations get wrong about ISO 27002 implementation?

A: Many teams treat ISO 27002 as a substitute for governance when it is really implementation guidance. The mistake is assuming documented controls are enough. In practice, the organisation still needs ownership, review cadence, remediation tracking, and an ISMS structure that makes those controls repeatable.

Q: How can teams show that identity controls are working for auditors?

A: Show the full trail from policy to review to remediation. Auditors need to see who approved access, when access was reviewed, what was removed or changed, and how exceptions were handled. Evidence is strongest when the same process covers human users and non-human identities with named owners.


Technical breakdown

ISO 27001 as the management standard

ISO 27001 sets the requirements for building and running an information security management system, often called an ISMS. In practice, that means scoping the system, assessing risk, defining controls, assigning ownership, and proving the process is managed rather than ad hoc. It is the standard that asks whether the organisation has a repeatable security governance structure. For identity teams, the key point is that access governance is not just a control catalogue item, but part of the system that must be designed, operated, and reviewed.

Practical implication: map identity governance ownership and review cadence into the ISMS so audit evidence reflects real operating practice.

ISO 27002 as control implementation guidance

ISO 27002 does not replace the management standard. Instead, it explains how to apply the controls that ISO 27001 requires at a higher level, giving practical guidance on areas such as access control, segregation of duties, and secure operation. Its role is instructional, not certifying. That distinction matters because many identity programmes can describe controls in policy but still struggle to show how those controls are executed consistently across systems. The standard is therefore most useful when teams need to translate policy intent into operational procedures.

Practical implication: use ISO 27002 to turn control intent into operational steps, especially for access approval, review, and revocation workflows.

Access reviews, least privilege, and certification evidence

The article uses access review as the practical bridge between standards and execution. Periodic review proves that access is being checked, challenged, and removed when it is no longer required, which supports least privilege and certification evidence. This is where identity governance becomes operational rather than theoretical: if the organisation cannot show who had access, why they had it, and when that access was removed, the control exists only on paper. For IAM teams, the evidence trail is part of the control, not a separate administrative task.

Practical implication: retain review logs, approval trails, and remediation records as evidence that access governance is actually functioning.


NHI Mgmt Group analysis

ISO 27001 and ISO 27002 split governance from execution, and that split is exactly what identity teams must preserve. ISO 27001 is about proving that the organisation has an information security management system with ownership, scope, and risk decisions. ISO 27002 is the implementation companion that helps teams turn those decisions into controls. The practitioner lesson is that policy maturity and control maturity are not the same thing.

Access review is not a checkbox control; it is the evidence layer for identity governance. The article correctly places periodic review at the centre of compliance, because access decisions only matter when they are inspected, challenged, and corrected. For IAM and IGA teams, the real question is whether access can be traced back to a business need and a review event. The practitioner conclusion is that auditability is part of the control design.

Least privilege becomes credible only when certification and revocation are operationally repeatable. The article links access review to role-based access control, least privilege, and just-in-time access, which is the right direction for governance. But the deeper point is that these controls fail when they are treated as policy statements rather than managed processes. The practitioner conclusion is that identity governance must be measurable, not merely documented.

ISO discussions often stay at the management-system layer, but identity risk is realised in the access layer. That is why these standards matter to NHI governance as much as to human IAM. Service accounts, tokens, and workload identities also need reviewable ownership, clear scope, and documented removal paths. The practitioner conclusion is that standards language should translate into lifecycle controls across every identity type.

Identity lifecycle control is the hidden control plane behind certification success. Access reviews cannot compensate for unclear ownership, missing offboarding, or stale permissions that persist between review cycles. The article points toward that operational reality even though it frames the issue through ISO compliance. The practitioner conclusion is to treat lifecycle discipline as the precondition for any certification programme.

From our research:

What this signals

Access review will keep expanding from compliance activity into identity operating discipline. Teams that still treat certification as an annual audit event will struggle to explain control effectiveness across SaaS, cloud, and service-account estates. The practical shift is toward continuous evidence collection, where review decisions, exception handling, and revocation outcomes are all measurable.

The governance gap is no longer limited to human access. As workloads, service accounts, and tokens become more numerous, organisations need one review model that can track ownership, scope, and removal across all identity types without relying on manual spreadsheets or disconnected approvals.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, identity programmes cannot assume delegated access is inherently observable. That visibility problem is exactly where standards work becomes operational risk management.


For practitioners

  • Separate governance evidence from control execution: Document ISO 27001 scope, risk decisions, and ownership separately from ISO 27002 control procedures so auditors can see both the management system and the operating evidence.
  • Tie access reviews to remediation outcomes: Record who reviewed access, what changed, and when revocation or restriction was completed so review activity produces measurable control results.
  • Cover human and non-human identities in the same review model: Extend periodic certification to service accounts, API keys, and workload identities, with owners named and renewal or removal actions tracked.
  • Use ISO 27002 to operationalise least privilege: Translate policy into role definitions, approval paths, and exception handling so access remains bounded by business need rather than inherited entitlement.
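The four practices above (and the evidence trail the "Key questions" and "Access reviews" sections describe) can be made concrete as data. The following is an added example in Python, not code from Zluri's article or from NHIMG: a minimal access-review evidence model that records approval, review, and remediation per entitlement, then runs the three checks a review cycle needs to produce auditable output. Every identity, entitlement, date, the 90-day review cadence, and the 14-day remediation SLA are constructed assumptions, and the sample estate deliberately includes one workload identity with no named owner and one restriction decision that was never applied.

```python
# Added example (not Zluri's article or NHIMG's code): a minimal access-review
# evidence model. All identities, entitlements, dates, the 90-day review cadence
# and the 14-day remediation SLA below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Identity:
    identity_id: str
    kind: str              # "human", "service_account" or "workload"
    owner: Optional[str]   # accountable person; None means nobody is named


@dataclass(frozen=True)
class Entitlement:
    entitlement_id: str
    identity_id: str
    resource: str
    scope: str
    approved_by: str
    approved_at: datetime
    justification: str     # the business need the access is tied to


@dataclass(frozen=True)
class ReviewDecision:
    entitlement_id: str
    reviewer: str
    decided_at: datetime
    decision: str                      # "keep", "revoke" or "restrict"
    completed_at: Optional[datetime]   # when the change was actually applied


NOW = datetime(2025, 6, 26)       # constructed reference date for this cycle
CADENCE = timedelta(days=90)      # assumed review cadence
SLA = timedelta(days=14)          # assumed remediation SLA after a decision

# Constructed sample estate: one human, one owned service account, one unowned workload.
IDENTITIES = [
    Identity("alice", "human", "alice"),
    Identity("svc-billing-sync", "service_account", "bob"),
    Identity("wl-report-runner", "workload", None),
]
ENTITLEMENTS = [
    Entitlement("E1", "alice", "crm", "read", "carol", datetime(2025, 1, 10), "Sales analyst reporting"),
    Entitlement("E2", "svc-billing-sync", "billing-db", "read-write", "bob", datetime(2024, 11, 1), "Nightly invoice sync"),
    Entitlement("E3", "wl-report-runner", "reports-bucket", "read", "dave", datetime(2024, 9, 15), "Report generation"),
]
DECISIONS = [
    ReviewDecision("E1", "carol", datetime(2025, 1, 15), "keep", datetime(2025, 1, 15)),
    ReviewDecision("E1", "carol", datetime(2025, 4, 20), "keep", datetime(2025, 4, 20)),
    ReviewDecision("E2", "bob", datetime(2025, 5, 30), "restrict", None),   # decided, never applied
]


def unowned_identities(identities):
    """Identities with no named owner: nobody can answer why the access exists."""
    return sorted(i.identity_id for i in identities if i.owner is None)


def latest_decisions(decisions):
    """Most recent review decision per entitlement."""
    latest = {}
    for d in decisions:
        cur = latest.get(d.entitlement_id)
        if cur is None or d.decided_at > cur.decided_at:
            latest[d.entitlement_id] = d
    return latest


def entitlements_due(entitlements, decisions, now=NOW, cadence=CADENCE):
    """Entitlements whose last review (or original approval) is older than the cadence."""
    latest = latest_decisions(decisions)
    due = []
    for e in entitlements:
        d = latest.get(e.entitlement_id)
        last_checked = d.decided_at if d else e.approved_at
        if now - last_checked > cadence:
            due.append(e.entitlement_id)
    return sorted(due)


def overdue_remediation(decisions, now=NOW, sla=SLA):
    """Revoke/restrict decisions recorded but not applied within the SLA."""
    return sorted(
        d.entitlement_id for d in decisions
        if d.decision in ("revoke", "restrict") and d.completed_at is None and now - d.decided_at > sla
    )


def evidence_trail(entitlement, identities, decisions):
    """Approval -> review -> remediation trail for one entitlement, as an auditor would ask for it."""
    ident = next(i for i in identities if i.identity_id == entitlement.identity_id)
    d = latest_decisions(decisions).get(entitlement.entitlement_id)
    if d is None:
        status = "unreviewed"
    elif d.completed_at is None:
        status = f"{d.decision} pending"
    else:
        status = f"{d.decision} applied"
    return {
        "entitlement": entitlement.entitlement_id,
        "identity": ident.identity_id, "kind": ident.kind, "owner": ident.owner,
        "approved_by": entitlement.approved_by,
        "approved_at": entitlement.approved_at.date().isoformat(),
        "justification": entitlement.justification,
        "last_review": None if d is None else {
            "reviewer": d.reviewer, "decided_at": d.decided_at.date().isoformat(),
            "decision": d.decision,
            "completed_at": None if d.completed_at is None else d.completed_at.date().isoformat(),
        },
        "status": status,
    }


def review_cycle_report(identities=IDENTITIES, entitlements=ENTITLEMENTS, decisions=DECISIONS, now=NOW):
    """One structure covering ownership gaps, review backlog, open remediation and per-entitlement trails."""
    return {
        "unowned_identities": unowned_identities(identities),
        "due_for_review": entitlements_due(entitlements, decisions, now),
        "overdue_remediation": overdue_remediation(decisions, now),
        "trails": [evidence_trail(e, identities, decisions) for e in entitlements],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_cycle_report(), indent=2))
```

On the constructed data the report flags the unowned workload identity, marks the workload's entitlement as due because it has never been reviewed since approval, and lists the service account's restriction as overdue because a decision was recorded but never applied. The design point is that the same record shape serves the human user and both non-human identities, so a single review model can produce the ownership, review, and removal evidence the checklist above asks for.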

Key takeaways

  • ISO 27001 governs the management system, while ISO 27002 explains how to implement the controls that support it.
  • Access reviews are the proof point that turns identity policy into auditable control evidence.
  • The organisations most likely to succeed are the ones that connect certification, remediation, and lifecycle ownership across human and non-human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Identity governance and access review evidence align with access control accountability.
NIST Zero Trust (SP 800-207) | (none cited) | Zero trust depends on continuous verification of access, not one-time entitlement decisions.
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and rotation discipline address the control weaknesses discussed in the article.

Apply NHI lifecycle controls to keep ownership, review, and removal current across machine identities.


Key terms

  • Information Security Management System: An Information Security Management System is the structured set of policies, processes, controls, and ownership used to manage security risk across an organisation. It is less about any single technical control and more about proving that security decisions are repeatable, governed, and continually improved.
  • Access Review: An access review is a periodic check of who has access to what, why they have it, and whether that access is still justified. In mature identity programmes, it is both a governance activity and an evidence source for certification, least privilege, and revocation.
  • Least Privilege: Least privilege is the principle that each identity should hold only the access required to complete its current task. For human and non-human identities alike, it depends on ownership, scope control, and timely removal of excess permissions; otherwise it becomes a policy statement rather than an operating rule.
  • Non-Human Identity: A non-human identity is a machine-usable credential or account used by software, services, workloads, or automation. It includes service accounts, API keys, tokens, and certificates, and it needs lifecycle governance because it can persist, proliferate, and accumulate privilege outside normal human access patterns.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance ISO 27001 vs 27002: 5 Key Differences. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org