Security teams know by testing the controls before the external audit. Internal audits, evidence sampling, and control walkthroughs should show that access governance, risk treatment, and documentation all line up. If those checks fail, the issue is usually drift between policy and practice rather than a missing certificate.
Why This Matters for Security Teams
ISO 27001 controls are only useful if they keep working after the policy is signed, the risk register is updated, and the certification date passes. Security teams need evidence that access reviews, logging, change control, and incident handling are operating as designed, not just documented as designed. That is why internal verification matters: it exposes drift between the control statement and the real workflow before an external auditor does.
For NHI-heavy environments, this gap is often larger than teams expect. NHIs outnumber human identities by 25x to 50x in modern enterprises, and the Ultimate Guide to NHIs — Standards shows how quickly hidden service accounts, API keys, and over-privileged tokens can undermine control effectiveness. The issue is not a missing certificate. It is usually a control that exists on paper but fails under real access patterns, real exceptions, and real operational pressure. ISO 27001 expects organisations to prove that controls are monitored, measured, and improved, which aligns with the broader control-testing approach reflected in the NIST Cybersecurity Framework 2.0.
In practice, many security teams discover broken control execution only after a painful audit finding or an incident review, rather than through intentional pre-audit testing.
How It Works in Practice
The most reliable way to judge control effectiveness is to test the control as it is actually used. For ISO 27001, that means sampling evidence, walking through the process with operators, and checking whether the records match the procedure. If the control says access is reviewed monthly, the evidence should show who reviewed it, what was reviewed, what was removed, and whether exceptions were approved. If the control says secrets are rotated, the team should validate rotation timing, revocation, and downstream dependency updates.
A practical testing cycle usually includes:
- control design review: confirm the control can achieve the stated objective
- control operation test: verify the process is happening on schedule and by the right owner
- evidence quality check: make sure logs, tickets, approvals, and reports are complete and tamper-resistant
- sample re-performance: re-run a subset of actions to see whether the result matches the evidence
- exception review: confirm deviations are tracked, approved, and remediated
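The operation test, evidence quality check and exception review above, applied to access-review and secret-rotation evidence as an added example (not code from NHI Mgmt Group); the records, reviewer names, review periods and the 90-day rotation policy are constructed assumptions:

```python
from datetime import date
# Constructed evidence samples, not real audit data: one record per monthly review cycle.
ACCESS_REVIEWS = [
    {"period": "2026-01", "reviewer": "iam-lead", "reviewed": 40, "removed": 3,
     "exceptions": [{"id": "EX-1", "approved": True}]},
    {"period": "2026-02", "reviewer": "helpdesk", "reviewed": 40, "removed": 0,
     "exceptions": [{"id": "EX-2", "approved": False}]},
    # no record for 2026-03: the monthly control did not operate on schedule
]
AS_OF = date(2026, 6, 7)  # constructed "as of" date for the rotation check
# Constructed NHI secret inventory with rotation, revocation and dependency evidence.
SECRETS = [
    {"name": "ci-deploy-key", "rotated": date(2026, 5, 20), "old_revoked": True,
     "dependents_updated": True},
    {"name": "billing-api-token", "rotated": date(2026, 1, 3), "old_revoked": True,
     "dependents_updated": True},                   # rotated, but outside max age
    {"name": "vendor-oauth-app", "rotated": date(2026, 5, 1), "old_revoked": False,
     "dependents_updated": False},                  # old credential still live
]

def check_access_review(reviews, expected_periods, allowed_reviewers):
    """Operation test (on schedule, right owner), evidence check, exception review."""
    findings = []
    by_period = {r["period"]: r for r in reviews}
    for p in expected_periods:
        r = by_period.get(p)
        if r is None:
            findings.append(f"{p}: no review evidence (control did not operate)")
            continue
        if r["reviewer"] not in allowed_reviewers:
            findings.append(f"{p}: performed by unauthorised owner {r['reviewer']}")
        if r["reviewed"] and r["removed"] == 0:
            # entitlements approved unchanged: verify this is not a rubber stamp
            findings.append(f"{p}: no removals across {r['reviewed']} entitlements")
        for ex in r["exceptions"]:
            if not ex["approved"]:
                findings.append(f"{p}: exception {ex['id']} recorded without approval")
    return findings

def check_secret_rotation(secrets, as_of, max_age_days):
    """Rotation timing, revocation of the old secret, and downstream updates."""
    findings = []
    for s in secrets:
        age = (as_of - s["rotated"]).days
        if age > max_age_days:
            findings.append(f"{s['name']}: rotated {age}d ago, exceeds {max_age_days}d policy")
        if not s["old_revoked"]:
            findings.append(f"{s['name']}: previous credential not revoked")
        if not s["dependents_updated"]:
            findings.append(f"{s['name']}: dependent systems not updated after rotation")
    return findings
```

Each finding is a gap between the control statement and the evidence, which is what the external auditor would sample for.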
For identity and access controls, it helps to compare ISO evidence with operational signals from service accounts, API keys, and privileged sessions. If the organisation lacks visibility into those assets, the control may look effective in a spreadsheet while failing in production. The State of Non-Human Identity Security reports that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a strong indicator that control testing must include third-party identity paths, not just employee access.
Teams can also align their verification approach with control monitoring concepts in the NIST Cybersecurity Framework 2.0 and use the Ultimate Guide to NHIs — Standards as a practical reference for lifecycle, rotation, and visibility checks. These controls tend to break down when evidence is manually assembled from disconnected systems because the sample no longer reflects live operational behaviour.
Common Variations and Edge Cases
Tighter control testing often increases operational overhead, requiring organisations to balance audit confidence against the time and friction of collecting evidence. That tradeoff becomes more pronounced in complex environments where the same ISO 27001 control is implemented differently across cloud, SaaS, and CI/CD pipelines.
Best practice is evolving around automation, but there is no universal standard for this yet. Some teams use continuous control monitoring, while others rely on periodic testing and stronger evidence sampling. The right choice depends on risk, control criticality, and how quickly the environment changes. Controls tied to NHI governance deserve extra scrutiny because credentials, roles, and permissions can drift faster than human access reviews catch them.
Edge cases include inherited controls from managed service providers, compensating controls that replace a failed primary control, and controls that are technically operating but not producing meaningful security outcomes. For example, an access review that always approves unchanged entitlements is compliance theatre, not evidence of control effectiveness. Similarly, a logging control without alerting, retention, or review ownership may satisfy a policy clause while failing to reduce risk. In those cases, current guidance suggests testing the outcome the control is supposed to create, not merely whether the form was completed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM | Control monitoring is central to proving ISO 27001 controls still work. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI rotation and visibility issues often expose weak ISO control operation. |
| NIST AI RMF | | The AI RMF verification mindset fits operational testing of control effectiveness. |
Test NHI rotation and revocation evidence, then close gaps where credentials outlive policy.
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org