TL;DR: ISO 27001 IAM implementation depends on provisioning, authorization, access reviews, and offboarding working as one control system, yet, according to Zluri, many organisations still struggle with visibility, role hygiene, and timely deprovisioning. The compliance problem is less about policy wording and more about whether access governance can prove who has access, why, and for how long.
NHIMG editorial — based on content published by Zluri: Access Management A Guide to ISO 27001 IAM Implementation
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: How should organisations implement ISO 27001 access reviews across human and machine identities?
A: Treat the review as a control check over current entitlements, not a workflow approval.
Q: Why do service accounts create ISO 27001 audit gaps?
A: Service accounts create audit gaps when they are invisible to inventory, lack named ownership, or keep standing access after their purpose ends.
Q: What breaks when access provisioning is not linked to deprovisioning?
A: The control breaks at the point where access outlives business need.
Practitioner guidance
- Build a single access inventory for all identities: include employees, contractors, service accounts, API keys, and application tokens in one entitlement register with named owners and business purpose.
- Tie every access grant to revocation evidence: record the approval, the expiry condition, and the deprovisioning proof so audits can verify that access was actually removed.
- Review roles for drift before certification cycles: check whether role memberships still match real duties, especially where permissions have accumulated through manual exceptions or project-based access.
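The three guidance points above amount to one review routine over an entitlement register. The following is an added example, not code from Zluri or NHIMG: it assumes a constructed register schema (owner, approval record, expiry condition, revocation proof, held roles versus needed roles) and constructed sample rows, and flags the exact gaps the post describes: ownerless service accounts, standing access with no expiry, access that outlived its expiry without deprovisioning proof, and role drift.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Grant:
    """One row of the entitlement register (constructed schema, not Zluri's)."""
    identity: str                      # employee, contractor, service account or API key
    owner: Optional[str]               # named business owner; None if nobody owns it
    purpose: str                       # business purpose recorded at approval
    approved_by: Optional[str]         # approval record; None if none exists
    expires: Optional[date]            # expiry condition; None means standing access
    revoked_on: Optional[date] = None  # deprovisioning proof; None if never removed
    roles: tuple = ()                  # roles currently held
    duties: tuple = ()                 # roles the identity's current work needs

def review_entitlements(register, today):
    """Control check over current entitlements; returns (identity, finding) pairs."""
    findings = []
    for g in register:
        if g.revoked_on is not None:
            continue  # revocation evidence exists, nothing left to certify
        if g.owner is None:
            findings.append((g.identity, "no named owner"))
        if g.approved_by is None:
            findings.append((g.identity, "no approval evidence"))
        if g.expires is None:
            findings.append((g.identity, "standing access with no expiry condition"))
        elif g.expires < today:
            findings.append((g.identity, "expired but no deprovisioning proof"))
        drift = sorted(set(g.roles) - set(g.duties))  # held but not needed
        if drift:
            findings.append((g.identity, "role drift: " + ", ".join(drift)))
    return findings

# Constructed sample register: two humans, one service account, one API key.
REGISTER = [
    Grant("alice", "Finance Lead", "month-end reporting", "ticket-0142",
          date(2026, 12, 31), roles=("finance-ro",), duties=("finance-ro",)),
    Grant("bob-contractor", "PMO", "migration project", "ticket-0150",
          date(2025, 6, 30), roles=("migrate-rw",), duties=("migrate-rw",)),
    Grant("svc-billing-sync", None, "nightly invoice sync", "ticket-0099",
          None, roles=("billing-rw", "db-admin"), duties=("billing-rw",)),
    Grant("apikey-ci-deploy", "Platform Team", "CI deploys", "ticket-0101",
          date(2025, 3, 1), revoked_on=date(2025, 3, 2), roles=("deploy",)),
]
REVIEW_DATE = date(2025, 9, 1)  # constructed review date

def run_review():
    return review_entitlements(REGISTER, REVIEW_DATE)
```

run_review() returns the findings for the sample register; the revoked API key produces nothing because its deprovisioning proof is on record.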
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step ISO 27001 IAM implementation guidance for provisioning, authorization, and monitoring.
- Practical examples of access review and certification workflows for audit readiness.
- Specific ways Zluri positions RBAC, SSO, and lifecycle management inside its access management workflow.
- Implementation-oriented detail on automating user access reviews and deprovisioning processes.
Read Zluri's guide to ISO 27001 IAM implementation and access control.
ISO 27001 IAM governance gap: are access reviews keeping up?