TL;DR: ISO 27001 Annex A translates information-security intent into 93 controls across governance, people, physical and technology domains, but, as Zluri's article shows, implementation still depends on risk assessment, access control, monitoring and audit discipline. For IAM teams, the real test is whether certification work becomes living identity governance rather than a document-led compliance exercise.
NHIMG editorial — based on content published by Zluri: Security & Compliance ISO 27001 Controls Annex-A: All You Need To Know
By the numbers:
- ISO 27001:2022 Annex A includes 93 controls grouped into four main categories: Organizational, People, Physical and Technological.
- The standard includes 14 distinct domains across information security policy, access control, cryptography, operations, and compliance.
Questions worth separating out
Q: How should organisations map ISO 27001 controls to IAM and NHI governance?
A: Start by treating identity controls as evidence-bearing controls, not just policy statements.
Q: Why do ISO 27001 programmes often fail on access governance?
A: They often fail when access reviews are treated as administrative checkpoints instead of lifecycle controls.
Q: How do organisations know whether ISO 27001 identity controls are actually working?
A: Look for operating evidence, not policy language.
Practitioner guidance
- Map identity controls to the statement of applicability: Document which IAM, PAM, and NHI controls are in scope, why they are in scope, and what evidence each control must produce during audit.
- Tie access reviews to removal outcomes: Require each certification cycle to end with an explicit action for retained access, reduced access, or revocation, so reviews produce operational change.
- Inventory non-human identities as auditable assets: Maintain a current inventory of service accounts, API keys, certificates, and workload identities, including ownership, purpose, and expiry or rotation rules.
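The three guidance items above only count as evidence if something checks them on a schedule. As an added example (not code from the Zluri article or from this post), the Python below runs those checks over a constructed NHI inventory and a constructed set of access-review records: each identity must carry an owner, a purpose and a rotation or expiry rule; each must have a review in the current cycle that ended in an explicit retain, reduce or revoke decision; and an identity reviewed as "revoke" must actually be gone from the inventory. The record shapes, field names, finding labels and the sample data are all assumptions made for the example.

```python
"""Operating-evidence checks for NHI inventory and access-review controls.

Added example, not from the Zluri article or the NHIMG post. Record shapes,
field names, finding labels and the sample data below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class ReviewOutcome(Enum):
    RETAIN = "retain"
    REDUCE = "reduce"
    REVOKE = "revoke"


@dataclass
class NonHumanIdentity:
    identity_id: str
    kind: str                          # service_account, api_key, certificate, workload
    owner: Optional[str]
    purpose: Optional[str]
    last_rotated: Optional[date]
    rotation_days: Optional[int]       # policy interval; None = no rotation rule recorded
    expires: Optional[date]            # hard expiry; None = no expiry recorded


@dataclass
class AccessReview:
    identity_id: str
    reviewer: str
    outcome: Optional[ReviewOutcome]   # None = review opened, no decision recorded
    completed_on: Optional[date]


def inventory_findings(nhi: NonHumanIdentity, today: date) -> List[str]:
    """Attributes the inventory must carry for the identity to be an auditable asset."""
    findings: List[str] = []
    if not nhi.owner:
        findings.append("missing_owner")
    if not nhi.purpose:
        findings.append("missing_purpose")
    if nhi.rotation_days is None and nhi.expires is None:
        findings.append("no_rotation_or_expiry_rule")
    if nhi.rotation_days is not None:
        if nhi.last_rotated is None:
            findings.append("never_rotated")
        elif (today - nhi.last_rotated).days > nhi.rotation_days:
            findings.append("rotation_overdue")
    if nhi.expires is not None and nhi.expires < today:
        findings.append("expired")
    return findings


def review_findings(inventory: List[NonHumanIdentity], reviews: List[AccessReview],
                    cycle_start: date) -> Dict[str, List[str]]:
    """Each identity needs a decided review this cycle; a revoke must leave the inventory."""
    present = {nhi.identity_id for nhi in inventory}
    findings: Dict[str, List[str]] = {i: [] for i in present}
    decided_this_cycle = set()
    for r in reviews:
        if r.identity_id not in present:
            continue  # review of an identity no longer inventoried: nothing left to govern
        if r.outcome is None:
            findings[r.identity_id].append("review_without_decision")
        elif r.completed_on is not None and r.completed_on >= cycle_start:
            decided_this_cycle.add(r.identity_id)
            if r.outcome is ReviewOutcome.REVOKE:
                # Decision recorded but the asset is still present: the review changed nothing.
                findings[r.identity_id].append("revoked_but_still_in_inventory")
    for i in present:
        if i not in decided_this_cycle and "review_without_decision" not in findings[i]:
            findings[i].append("not_reviewed_this_cycle")
    return findings


def evidence_report(inventory, reviews, today, cycle_start) -> Dict[str, List[str]]:
    """Per-identity list of failed checks; an empty list means the controls are operating."""
    by_review = review_findings(inventory, reviews, cycle_start)
    return {nhi.identity_id: inventory_findings(nhi, today) + by_review[nhi.identity_id]
            for nhi in inventory}


# Constructed sample data: a fixed review date keeps the result deterministic.
TODAY = date(2025, 6, 1)
CYCLE_START = TODAY - timedelta(days=30)
SAMPLE_INVENTORY = [
    NonHumanIdentity("svc-billing-export", "service_account", "payments-team", "nightly export",
                     TODAY - timedelta(days=200), 90, None),
    NonHumanIdentity("apikey-ci-deploy", "api_key", None, "CI deploy",
                     TODAY - timedelta(days=30), 90, None),
    NonHumanIdentity("cert-ingress-tls", "certificate", "platform-team", "ingress TLS",
                     None, None, TODAY - timedelta(days=5)),
    NonHumanIdentity("wl-report-builder", "workload", "data-team", "report builder",
                     TODAY - timedelta(days=10), 60, None),
    NonHumanIdentity("svc-legacy-sync", "service_account", None, None, None, None, None),
]
SAMPLE_REVIEWS = [
    AccessReview("svc-billing-export", "alice", ReviewOutcome.REDUCE, TODAY - timedelta(days=3)),
    AccessReview("apikey-ci-deploy", "bob", None, None),
    AccessReview("wl-report-builder", "carol", ReviewOutcome.RETAIN, TODAY - timedelta(days=40)),
    AccessReview("svc-legacy-sync", "dave", ReviewOutcome.REVOKE, TODAY - timedelta(days=7)),
]


def sample_report() -> Dict[str, List[str]]:
    return evidence_report(SAMPLE_INVENTORY, SAMPLE_REVIEWS, TODAY, CYCLE_START)


if __name__ == "__main__":
    for identity_id, failed in sample_report().items():
        print(f"{identity_id}: {', '.join(failed) if failed else 'OK'}")
```

Running it lists, per identity, which checks failed; in the sample only `svc-billing-export` is fully inventoried and reviewed, and it still fails on rotation. The point is that every finding is a dated, attributable record an auditor can inspect, whereas the policy text that says "accounts are reviewed quarterly" proves nothing on its own.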
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A full breakdown of the 14 ISO 27001 control domains and how they are grouped in Annex A
- Step-by-step guidance for building the statement of applicability and moving through certification
- Detailed responsibility mapping across IT, management, employees, and cross-functional teams
- A control-by-control explanation of how access control, incident response, and compliance fit into the ISMS
Read Zluri's guide to ISO 27001 controls and Annex A.