ISO 27001 access reviews: are your identity controls keeping up?


(@nhi-mgmt-group) · Member Moderator · Joined: 1 year ago · Posts: 5324 · Topic starter

TL;DR: ISO 27001 requires organisations to define ISMS scope, assess risk, assign leadership accountability, monitor controls, and evidence continual improvement, according to Zluri’s compliance guide. The real governance test is whether access review, certification, and remediation processes can keep pace with changing entitlements across human, machine, and workload identities.

NHIMG editorial — based on content published by Zluri: Security & Compliance ISO 27001 Requirements

Questions worth separating out

Q: How should teams make ISO 27001 access reviews defensible for audits?

A: Treat each review as evidence, not a task list.

Q: Why do access review programmes fail even when they are completed on time?

A: They fail when completion is mistaken for control effectiveness.

Q: What do organisations get wrong about ISO 27001 and identity governance?

A: They often treat ISO 27001 as a documentation exercise instead of an operational control system.

Practitioner guidance

  • Define ISMS scope around identity ownership: Map which human accounts, service accounts, API keys, and shared platform identities sit inside the ISMS boundary, then document where ownership changes across teams and vendors.
  • Turn access review into audit evidence: Require every certification cycle to produce a defensible record of reviewer, entitlement, business justification, decision, and remediation status.
  • Link review failures to corrective action: Escalate repeated over-privilege, stale access, and incomplete reviews into a formal corrective-action workflow that updates policy, ownership, or review cadence.
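As an added illustration of what "review as evidence" looks like when enforced in code (this is example code written for this post, not from Zluri's guide or any product), the sketch below models a certification record with the five evidence fields named above, flags the three failure modes (incomplete review, stale access re-approved, revocation not remediated) and escalates any failure that repeats across review cycles. The record schema, the 90-day staleness window and the sample identities are all constructed assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Evidence each certification record must carry (schema constructed for this example)
EVIDENCE_FIELDS = ("reviewer", "entitlement", "justification", "decision", "remediation_status")

@dataclass
class Certification:
    identity: str                 # human account, service account, API key, ...
    identity_type: str            # "human", "service" or "workload"
    reviewer: str = ""
    entitlement: str = ""
    justification: str = ""
    decision: str = ""            # "keep" or "revoke"
    remediation_status: str = ""  # "n/a", "open" or "done"
    reviewed_on: date | None = None
    last_used: date | None = None

def review_findings(cert, stale_days=90):
    """Failures a single record exhibits; an empty list means the review is defensible."""
    found = []
    if any(not getattr(cert, f) for f in EVIDENCE_FIELDS):
        found.append("incomplete-review")  # evidence gaps: the decision cannot be defended to an auditor
    if cert.decision == "keep" and cert.reviewed_on and cert.last_used \
            and (cert.reviewed_on - cert.last_used).days > stale_days:
        found.append("stale-access")       # entitlement re-approved despite no recent use
    if cert.decision == "revoke" and cert.remediation_status != "done":
        found.append("open-remediation")   # decision taken but access not actually removed
    return found

def corrective_actions(cycles, repeat_threshold=2):
    """Escalate (identity, failure) pairs that recur across review cycles into corrective action."""
    tally = Counter((c.identity, f) for cycle in cycles for c in cycle for f in review_findings(c))
    return sorted(key for key, n in tally.items() if n >= repeat_threshold)

# Constructed sample: two quarterly cycles covering one human and one service identity
Q1, Q2 = date(2024, 1, 15), date(2024, 4, 15)
SAMPLE_CYCLES = [
    [Certification("alice", "human", "bob", "prod-db:admin", "on-call DBA", "keep", "n/a", Q1, date(2024, 1, 10)),
     Certification("svc-billing", "service", "", "s3:FullAccess", "", "keep", "", Q1, date(2023, 9, 1))],
    [Certification("alice", "human", "bob", "prod-db:admin", "on-call DBA", "keep", "n/a", Q2, date(2024, 4, 1)),
     Certification("svc-billing", "service", "carol", "s3:FullAccess", "", "keep", "n/a", Q2, date(2023, 9, 1))],
]

if __name__ == "__main__":
    for identity, failure in corrective_actions(SAMPLE_CYCLES):
        print(f"escalate {identity}: {failure} repeated across cycles")
```

Running it escalates only the service account, whose review was signed off twice without a justification and with no usage in over 90 days; the human account passes both cycles.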

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A clause-by-clause breakdown of ISO 27001 requirements from context setting through continual improvement
  • Practical examples of access review automation, centralized access governance, and auto-remediation
  • Audit-reporting details that show how access changes and certifications are documented for compliance
  • Vendor-oriented implementation framing for organisations building or maturing their review process

Read Zluri's ISO 27001 requirements guide for access review and compliance detail.
