TL;DR: ISO 27001:2022 keeps the same ISMS backbone but raises the stakes for organisations that have not completed the 2013-to-2022 migration by 31 October 2025, according to Teleport. The practical issue is not certification paperwork alone, but whether identity, access, and audit evidence can prove control effectiveness under modern cloud and access patterns.
At a glance
What this is: This is a compliance guide to ISO 27001:2022 that focuses on clause requirements, Annex A controls, and the 2025 migration deadline.
Why it matters: It matters because ISO 27001 evidence increasingly depends on identity governance, access traceability, and auditable control operation across NHI, autonomous, and human programmes.
By the numbers:
- Organizations certified to ISO 27001:2013 must complete their transition to ISO 27001:2022 by 31 October 2025 to maintain certification.
👉 Read Teleport's guide to ISO 27001:2022 requirements for 2025
Context
ISO 27001:2022 is a risk-based information security management standard, but the compliance burden is really about proving that identity, access, and operational controls work in practice. For IAM teams, the challenge is not just passing an audit once, but showing that access governance is documented, reviewed, and measurable across systems, people, and processes.
The 2025 migration deadline matters because the standard’s evidence model now intersects directly with cloud access, short-lived credentials, and auditability. That makes the topic relevant to human IAM, NHI governance, and broader access lifecycle controls, especially where organisations rely on standing access or fragmented control ownership.
Key questions
A: They should start by mapping scope, access ownership, and audit evidence to the controls that actually operate in production. Cloud access, certificate handling, and administrative sessions need documented ownership and traceable logs. The goal is not only compliance documentation, but a repeatable control story that an auditor can verify from records and system behaviour.
Q: What breaks when ISO 27001 access controls exist on paper but not in daily operations?
A: The ISMS becomes difficult to defend because auditors test effectiveness, not intent. If certificate revocation, access reviews, or role ownership are inconsistent, the organisation cannot prove that selected controls are operating as planned. That gap usually appears first in Clause 8 and Clause 9 evidence, then spreads into corrective action and certification risk.
Q: How do security teams know whether their ISO 27001 controls are actually working?
A: They should look for evidence that controls produce measurable outcomes, such as timely revocation, complete audit trails, and consistent ownership records. If the same access exceptions recur or reviews do not change entitlement state, the control is procedural rather than effective. Verification comes from repeated operational evidence, not from policy approval alone.
Q: Who is accountable when ISO 27001 certification is at risk because migration is delayed?
A: Leadership remains accountable because ISO 27001 requires governance, resourcing, and performance oversight, not just technical implementation. The ISMS owner, CISO, and business leaders all need to ensure scope, controls, and evidence are aligned before certification expiry. Delayed migration is therefore a governance failure as much as a technical one.
Technical breakdown
ISO 27001 clause 4 scope and Statement of Applicability
Clause 4 defines the scope of the ISMS and forces organisations to name what is inside and outside that scope. The Statement of Applicability then records which Annex A controls are selected, excluded, and why. This is where many programmes become weak: scope is either too broad to govern or too narrow to reflect real attack surface. In practice, the ISMS must connect business context, regulatory obligations, and infrastructure boundaries into one defensible control narrative.
Practical implication: define scope around real identity and access boundaries, then keep the Statement of Applicability aligned to actual systems and risk.
Annex A controls and audit evidence for access governance
Annex A is not a checklist of mandatory controls. It is a reference set used to justify risk treatment choices and prove that selected controls operate effectively. In identity-heavy environments, auditors look for evidence such as access logs, ownership records, certificate lifecycles, and control reviews. That is why identity and access management often becomes the evidence layer for the whole ISMS, not just one operational domain.
Practical implication: tie each selected access control to a risk, an owner, and an evidence source that can be produced during audit.
Why short-lived access and monitored sessions matter in ISO 27001
The 2022 control set reflects cloud, remote work, and automation realities. Controls around cloud use, monitoring, configuration management, and authentication information all depend on being able to see who accessed what, when, and under which authority. Short-lived credentials and session-level monitoring are valuable because they make control operation observable. Without that visibility, the organisation may have policy statements but not audit proof.
Practical implication: replace static access patterns with time-bound, monitored access paths that can produce verifiable audit evidence.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ISO 27001 compliance now depends on whether identity evidence is operational, not decorative. The standard still asks for scope, leadership, planning, monitoring, and improvement, but auditors care about whether those clauses are backed by living identity controls. That makes access governance and certificate traceability central to certification outcomes, especially in cloud-heavy environments. Practitioners should treat ISMS evidence as an identity data problem as much as a documentation problem.
Identity control drift is the real failure mode behind many ISO 27001 gaps. When access review records, certificate logs, and ownership assignments do not line up, Clause 8 and Clause 9 become hard to defend. The issue is not whether a policy exists, but whether the organisation can prove that its controls operated continuously enough to matter. Practitioners should check for mismatches between policy, entitlement state, and operational logs.
Short-lived access and session visibility are becoming the practical bridge between compliance and security. ISO 27001:2022 does not require one specific technology pattern, but it does require evidence that control outcomes are real. In practice, the organisations that can show time-bounded access, traceable revocation, and monitored administrative activity are in a better position to satisfy both auditors and security teams. Practitioners should align identity architecture to evidence production, not just access delivery.
Lifecycle governance is where ISO 27001 moves from document control to control durability. Joiner, mover, and leaver processes, certificate renewal, and access review cycles all determine whether the ISMS remains accurate between audits. When those lifecycle processes are weak, the standard’s improvement loop becomes reactive rather than preventive. Practitioners should evaluate whether lifecycle events are reliably reflected in identity records, not just in policy documents.
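The drift checks the paragraphs above describe (policy versus entitlement state versus operational logs, and lifecycle events not reflected in identity records) can be made concrete as a reconciliation job. The script below is an added example written for this post, not code from Teleport or the NHI Mgmt Group; every record, user name, system name, and SLA value in it is constructed, and the field names are assumptions rather than any product's schema. It cross-checks four evidence sources an auditor would ask for: leaver events against still-active entitlements, access-review "revoke" decisions against whether entitlement state actually changed within an SLA, and credential issuance and revocation records against the sessions that used them.

```python
"""Reconcile identity records against operational logs to surface ISO 27001 control drift.

Added example for this post (not Teleport's or NHIMG's code). All records below are
constructed sample data; field names and SLA values are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REVIEW_SLA = timedelta(days=7)  # assumed: a "revoke" decision must take effect within 7 days
LEAVER_SLA = timedelta(days=1)  # assumed: a leaver's access must be gone within 1 day


@dataclass
class Entitlement:
    eid: str
    user: str
    system: str
    role: str
    granted: datetime
    revoked: Optional[datetime] = None  # None means still active


@dataclass
class LeaverEvent:
    user: str
    left: datetime


@dataclass
class ReviewDecision:
    eid: str
    decided: datetime
    decision: str  # "keep" or "revoke"


@dataclass
class Credential:
    cid: str
    user: str
    issued: datetime
    expires: datetime
    revoked: Optional[datetime] = None


@dataclass
class Session:
    cid: str
    user: str
    started: datetime


def d(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records: no real systems, people, or credentials.
ENTITLEMENTS = [
    Entitlement("e1", "alice", "prod-k8s", "cluster-admin", d("2025-01-10")),
    Entitlement("e2", "bob", "prod-db", "dba", d("2024-11-02"), d("2025-03-05")),
    Entitlement("e3", "carol", "ci-runner", "deployer", d("2025-02-01")),
    Entitlement("e4", "dave", "prod-k8s", "viewer", d("2025-02-15"), d("2025-02-16")),
]
LEAVERS = [LeaverEvent("alice", d("2025-03-01")), LeaverEvent("dave", d("2025-02-15"))]
REVIEWS = [
    ReviewDecision("e2", d("2025-02-20"), "revoke"),  # revoked 13 days later: SLA breach
    ReviewDecision("e3", d("2025-03-01"), "revoke"),  # still active: review never changed state
    ReviewDecision("e1", d("2025-02-01"), "keep"),
]
CREDENTIALS = [
    Credential("c1", "carol", d("2025-03-10T09:00"), d("2025-03-10T17:00")),
    Credential("c2", "bob", d("2025-03-01T08:00"), d("2025-03-02T08:00"), d("2025-03-01T12:00")),
]
SESSIONS = [
    Session("c1", "carol", d("2025-03-10T10:00")),    # inside validity window: fine
    Session("c1", "carol", d("2025-03-10T18:30")),    # after expiry: evidence gap
    Session("c2", "bob", d("2025-03-01T13:00")),      # after revocation: evidence gap
    Session("c9", "mallory", d("2025-03-11T01:00")),  # no issuance record at all
]


def leaver_drift(ents, leavers, as_of):
    """Entitlements still active, or revoked late, after the user's leaver date + LEAVER_SLA."""
    left_by = {lv.user: lv.left for lv in leavers}
    findings = []
    for e in ents:
        if e.user not in left_by:
            continue
        deadline = left_by[e.user] + LEAVER_SLA
        end = e.revoked or as_of  # an active entitlement counts up to the reconciliation date
        if end > deadline:
            findings.append(("leaver_drift", e.eid, (end - deadline).days))
    return findings


def review_drift(ents, reviews, as_of):
    """'Revoke' review decisions that did not change entitlement state within REVIEW_SLA."""
    by_id = {e.eid: e for e in ents}
    findings = []
    for r in reviews:
        if r.decision != "revoke":
            continue
        e = by_id[r.eid]
        deadline = r.decided + REVIEW_SLA
        end = e.revoked or as_of
        if end > deadline:
            findings.append(("review_drift", e.eid, (end - deadline).days))
    return findings


def session_evidence_gaps(creds, sessions):
    """Sessions not covered by a recorded credential that was valid and unrevoked at the time."""
    by_id = {c.cid: c for c in creds}
    findings = []
    for s in sessions:
        c = by_id.get(s.cid)
        if c is None:
            findings.append(("no_issuance_record", s.cid, s.user))
            continue
        valid_until = min(c.expires, c.revoked) if c.revoked else c.expires
        if c.user != s.user or not (c.issued <= s.started < valid_until):
            findings.append(("session_outside_validity", s.cid, s.user))
    return findings


def reconcile(as_of):
    """Run all drift checks; each finding is (kind, record id, detail)."""
    return (leaver_drift(ENTITLEMENTS, LEAVERS, as_of)
            + review_drift(ENTITLEMENTS, REVIEWS, as_of)
            + session_evidence_gaps(CREDENTIALS, SESSIONS))


if __name__ == "__main__":
    for finding in reconcile(d("2025-03-20")):
        print(finding)
```

Each finding names the record and the number of days the control ran past its SLA, which is the shape of evidence Clause 9 monitoring asks for: not "a review happened" but "the review changed entitlement state, and here is how quickly". A review that produces no `review_drift` finding and a leaver list that produces no `leaver_drift` finding over successive runs is the operational record that the control is effective rather than procedural.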
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- That fragmentation is exactly why the NHI Lifecycle Management Guide matters when ISO evidence depends on revocation, rotation, and offboarding discipline.
What this signals
Secrets-exposure timelines are a compliance signal, not just a threat metric. When remediation takes 27 days on average, control effectiveness cannot be inferred from policy statements or annual reviews alone. ISO-oriented programmes should watch for whether access changes, revocation actions, and certificate renewals are fast enough to leave a defensible audit trail. The practical test is whether identity events are visible before they become exceptions.
The migration to ISO 27001:2022 will expose control fragmentation in organisations that still treat access, audit, and lifecycle as separate workstreams. A standards-aligned programme should connect identity operations to evidence retention, because the audit question is increasingly about whether control state can be reconstructed. Teams that can trace access from issuance to revocation will have a cleaner path through surveillance audits and recertification cycles.
For practitioners
- Map the ISMS scope to identity control boundaries: Define the systems, cloud platforms, and administrative domains that actually generate access risk, then ensure the scope statement matches those boundaries and not just organisational charts.
- Build audit evidence from live identity operations: Collect access logs, certificate issuance and revocation records, ownership assignments, and review outcomes in a form that can be reproduced during certification and surveillance audits.
- Tie each Annex A control to a named risk owner: For every selected control, document who owns the control, which risk it addresses, and what operational evidence proves it is working in day-to-day use.
- Reduce standing access before the migration deadline: Prioritise access paths that still rely on persistent credentials, then move them toward time-bound or session-bound patterns that are easier to evidence and review.
Key takeaways
- ISO 27001:2022 is as much an identity evidence problem as it is a documentation problem.
- The 31 October 2025 migration deadline forces organisations to prove that access controls work continuously, not just at audit time.
- Lifecycle discipline, session visibility, and traceable revocation are the controls most likely to determine certification readiness.
Key terms
- Statement of Applicability: A Statement of Applicability is the document that records which ISO 27001 Annex A controls are included or excluded and why. It turns risk treatment into auditable evidence, making the organisation explain both selection and omission decisions in a way that supports certification and ongoing surveillance.
- Information Security Management System: An Information Security Management System is the operating model used to plan, implement, monitor, and improve security controls. In ISO 27001, it is not a tool or product set. It is the management structure that ties scope, leadership, risk treatment, evidence, and corrective action together.
- Annex A Controls: Annex A controls are the reference control set used to support ISO 27001 risk treatment decisions. They are not all mandatory, but they provide the catalogue organisations use to justify which protections apply, how they are implemented, and what evidence proves they work.
- Access Control Evidence: Access control evidence is the operational proof that permissions, certificates, and administrative sessions are governed as intended. It usually includes logs, ownership records, review outcomes, and revocation history. For ISO 27001, this evidence matters because the audit test is effectiveness, not policy intent.
What's in the full article
Teleport's full blog covers the operational detail this post intentionally leaves for the source:
- Clause-by-clause examples of what auditors expect in each part of the ISMS, including documentation and effectiveness evidence.
- The article's control mapping for Annex A changes in 2022, including where access, monitoring, and configuration controls fit.
- Teleport's examples of how short-lived certificates and centralised access can support ISO 27001 evidence collection.
- The source's own implementation framing for compliance teams that need to move from policy to operational proof.
👉 Teleport's full post covers clause breakdowns, Annex A changes, and compliance mapping examples.
Deepen your knowledge
ISO 27001 evidence for access, lifecycle, and auditability is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your certification work depends on identity controls that auditors can verify, this is a relevant place to start.
Published by the NHIMG editorial team on 2025-08-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org