ISO 27001 access reviews: are your frequencies risk-based yet?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9223
Topic starter  

TL;DR: ISO 27001 Control A.9.2.5 requires access reviews at intervals appropriate to risk, and Zluri argues that annual, spreadsheet-driven cycles often fail because they lack documented rationale, continuous improvement evidence, and complete coverage. Convenience-based cadences do not satisfy auditors when high-risk access is involved.

NHIMG editorial — based on content published by Zluri: Security & Compliance ISO 27001 User Access Review and risk-based frequency guidance

By the numbers:

Questions worth separating out

Q: What breaks when ISO 27001 access reviews are scheduled on a fixed annual cycle?

A: Fixed annual cycles break the risk-based logic ISO 27001 expects for access review controls.

Q: When should organisations review access more frequently under ISO 27001?

A: Organisations should increase review frequency when the asset is sensitive, the privilege level is high, the user is external or short term, or the system could create regulatory, financial, or customer harm.

Q: How do you know if access reviews are actually working?

A: They are working when the programme shows complete scope, clear reviewer accountability, timely remediation, and measurable improvement from one cycle to the next.

Practitioner guidance

  • Map review cadence to risk tiering: Classify systems by data sensitivity, privilege level, and third-party exposure, then assign a review frequency that is explicitly justified in the ISMS.
  • Add service accounts to the review population: Include integration accounts, batch accounts, and automation identities in the same review process as human users, because auditors will treat excluded access as incomplete scope.
  • Document the rationale for every interval choice: Record why a system is monthly, quarterly, semi-annual, or annual, and keep that rationale aligned to the latest risk assessment and management review minutes.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A risk-to-frequency matrix that maps asset criticality and privilege level to review cadence.
  • Examples of audit-ready documentation that justify annual, quarterly, or monthly reviews.
  • The access review workflow details needed to move from Excel tracking to a governed operating model.
  • Guidance on continuous-improvement evidence for ISO 27001 certification audits.

👉 Read Zluri's guidance on ISO 27001 access review frequency and risk →
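As an added example (not code from this post or from Zluri's article), the Python below shows what the three practitioner bullets look like once automated: each access record is tiered by data sensitivity, privilege level, external exposure and harm potential, the tier sets the review interval, the reason for that interval is recorded, and overdue reviews are flagged with service accounts in the same population as human users. The interval values, field names and sample inventory are assumptions for illustration, not the article's risk-to-frequency matrix.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review interval per risk tier. These values are an assumption for the
# example; the organisation's own risk assessment supplies the real matrix.
INTERVAL_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}

@dataclass
class Access:
    account: str
    kind: str           # "human" or "service" (integration, batch, automation)
    sensitivity: int    # data sensitivity of the system, 1 (low) to 3 (high)
    privilege: int      # privilege level granted, 1 (read) to 3 (admin)
    external: bool      # third-party or short-term identity
    regulatory: bool    # system can cause regulatory, financial or customer harm
    last_reviewed: date

def tier_with_rationale(a: Access) -> tuple:
    """Assign a risk tier and record why, so the interval choice is documented."""
    checks = [(a.sensitivity >= 3, "sensitive data"), (a.privilege >= 3, "privileged access"),
              (a.external, "external/short-term identity"),
              (a.regulatory, "regulatory/financial/customer impact")]
    reasons = [label for hit, label in checks if hit]
    tier = {0: "low", 1: "medium", 2: "high"}.get(len(reasons), "critical")
    rationale = f"{tier}: " + (", ".join(reasons) or "no elevated risk factors")
    return tier, rationale

def review_schedule(population: list, today: date) -> list:
    """Due date per identity; service accounts are in scope like any human user."""
    rows = []
    for a in population:
        tier, rationale = tier_with_rationale(a)
        due = a.last_reviewed + timedelta(days=INTERVAL_DAYS[tier])
        rows.append({"account": a.account, "kind": a.kind, "tier": tier,
                     "rationale": rationale, "due": due, "overdue": due < today})
    return rows

def overdue_accounts(population: list, today: date) -> list:
    return [r["account"] for r in review_schedule(population, today) if r["overdue"]]

# Constructed sample inventory (not real data) and reference date.
AS_OF = date(2024, 6, 1)
SAMPLE = [
    Access("jdoe", "human", 3, 3, False, True, date(2024, 1, 15)),
    Access("svc-payroll-batch", "service", 3, 2, False, True, date(2024, 3, 1)),
    Access("contractor-a", "human", 2, 1, True, False, date(2024, 1, 10)),
    Access("intern-wiki", "human", 1, 1, False, False, date(2023, 9, 1)),
]

if __name__ == "__main__":
    print(overdue_accounts(SAMPLE, AS_OF))  # prints ['jdoe', 'svc-payroll-batch']
```

The rationale string per row is the documentation an auditor will ask for; a real run would load the population from the identity inventory rather than the constructed list.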

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8662
 

Convenience-based review frequency is a control design failure, not an administrative shortcut. ISO 27001 Control A.9.2.5 requires intervals that match risk, so annual reviews for high-risk access are not merely slow, they are unjustified. The governance problem is the assumption that one calendar can safely govern all access classes. Practitioners should treat cadence as a control decision tied to asset criticality and privilege level.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when access review findings are not remediated?

A: Accountability should sit with the control owner, the business owner for the system, and the governance function that validates closure evidence. ISO 27001 expects the management system to prove action, not just detection, so unresolved findings become a governance issue as soon as they remain open across the next review cycle.

👉 Read our full editorial: ISO 27001 access review frequency must track risk, not convenience
