ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Unlike SOX, GDPR, or PCI DSS, ISO 27001 is a voluntary certification that demonstrates an organisation has implemented a comprehensive information security management system. IAM is a critical component of ISO 27001, with multiple Annex A controls specifically addressing identity and access management.
ISO 27001 Structure
Clauses 4-10 (Mandatory Requirements)
These clauses define the ISMS requirements that any organisation must implement to be certifiable:
| Clause | Title | IAM Relevance |
|---|---|---|
| 4 | Context of the organisation | Determine which regulations and stakeholders drive IAM requirements |
| 5 | Leadership | Top management commitment to IAM policy and objectives |
| 6 | Planning | IAM risk assessment, risk treatment, and control selection |
| 7 | Support | IAM awareness training, competency, communication |
| 8 | Operation | Operational IAM processes — provisioning, certification, access reviews |
| 9 | Performance evaluation | IAM monitoring, measurement, internal audit, management review |
| 10 | Improvement | IAM nonconformity management, corrective action, continuous improvement |
Annex A (Control Reference)
Annex A lists 93 controls across 4 categories. Annex A controls are selected based on the risk assessment — not all controls are mandatory, but the Statement of Applicability (SoA) must justify why each control is included or excluded.
Annex A Controls Relevant to IAM
A.5 — Organisational Controls
| Control | Description | IAM Implementation |
|---|---|---|
| A.5.1 | Policies for information security | IAM policy, access control policy, password policy |
| A.5.2 | Information security roles and responsibilities | IAM team roles, access owners, data owners |
| A.5.8 | Information security in project management | IAM requirements included in new system projects |
| A.5.11 | Return of assets | User offboarding — asset return before account disablement |
| A.5.15 | Access control | Access control policy, rules, rights, and restrictions |
| A.5.16 | Identity management | Full identity lifecycle — creation, maintenance, deletion |
- ISO 27001 is a voluntary certification for an Information Security Management System (ISMS) — it requires a risk-based approach where IAM controls are selected based on the organisation's specific risk assessment rather than prescribed by the standard
- Annex A contains 93 controls across 4 categories (organisational, people, physical, technological) — IAM-relevant controls include A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication), A.5.18 (access rights), A.8.2 (privileged access rights), A.8.5 (secure authentication), and A.8.15 (logging)
- The 2022 revision introduced new controls that impact IAM: A.5.23 (cloud services requiring cloud IAM), A.8.2 (stronger privileged access focus), A.8.5 (emphasis on MFA/passwordless), and A.8.16 (continuous monitoring requirements)
- The Statement of Applicability (SoA) is the key document — it lists each Annex A control and justifies why it is included or excluded based on the risk assessment
- Certification requires a risk assessment identifying IAM risks (unauthorised access, excessive privileges, orphaned accounts, SoD violations, insider threats), selection of appropriate Annex A controls, documentation of procedures, staff training, monitoring, and internal audit
- The certification process spans preparation (3-6 months), implementation (6-12 months), Stage 1 audit (documentation review), Stage 2 audit (control testing), annual surveillance audits, and triennial recertification
- IAM controls are interconnected — risk assessment for IAM must consider the full attack chain: authentication weaknesses, authorisation gaps, privilege management, lifecycle management, monitoring, and incident response
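The IAM risks listed above (orphaned accounts, excessive privileges, SoD violations) are what an access review under A.5.16 / A.5.18 / A.8.2 has to surface, and the Stage 2 audit expects evidence that the review actually ran. The script below is an added illustration, not code from ISO or from this page: it reconciles a constructed, hypothetical IAM account export against a constructed HR roster and a list of conflicting role pairs, and tags each finding with the Annex A control it is evidence for (control numbers as given on this page; the 90-day dormancy threshold, the role names and the employee ids are assumptions).

```python
"""Access review: reconcile IAM accounts against HR, flag orphaned accounts,
terminated owners, SoD conflicts and dormant privileged accounts.
All data below is constructed for illustration; none of it is from a real system."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                        # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]            # HR employee id; None when no owner is recorded
    roles: FrozenSet[str]
    privileged: bool
    last_login: Optional[date]         # None when the account has never authenticated


@dataclass(frozen=True)
class Finding:
    control: str                       # Annex A control the finding is evidence for
    account: str
    issue: str


# Constructed sample data (hypothetical roster, account export and SoD rules)
TODAY = date(2024, 6, 30)
HR_ROSTER: Dict[str, Employee] = {
    "E100": Employee("E100", "active"),
    "E200": Employee("E200", "terminated", date(2024, 5, 15)),
    "E300": Employee("E300", "active"),
}
ACCOUNTS: List[Account] = [
    Account("alice", "E100", frozenset({"hr_read"}), False, date(2024, 6, 28)),
    Account("bob", "E200", frozenset({"finance_read"}), False, date(2024, 5, 10)),
    Account("svc_backup", None, frozenset({"backup_operator"}), True, date(2024, 1, 2)),
    Account("carol", "E300", frozenset({"ap_create_vendor", "ap_approve_payment"}), False, date(2024, 6, 29)),
    Account("dave_admin", "E100", frozenset({"domain_admin"}), True, None),
]
# Role pairs that one identity must never hold at the same time (assumed SoD matrix)
SOD_CONFLICTS: List[FrozenSet[str]] = [frozenset({"ap_create_vendor", "ap_approve_payment"})]
MAX_DORMANT_DAYS = 90                  # assumed threshold for unused privileged accounts


def review_access(accounts: List[Account], roster: Dict[str, Employee],
                  sod_conflicts: List[FrozenSet[str]], today: date,
                  max_dormant_days: int = MAX_DORMANT_DAYS) -> List[Finding]:
    """Return one Finding per control violation found in the account export."""
    findings: List[Finding] = []
    for acct in accounts:
        owner = roster.get(acct.owner_id) if acct.owner_id else None
        # A.5.16 identity lifecycle: every account must trace back to an HR record
        if owner is None:
            findings.append(Finding("A.5.16", acct.username, "orphaned account: no HR record for owner"))
        # A.5.18 access rights: rights must be removed when the person leaves
        elif owner.status == "terminated":
            findings.append(Finding("A.5.18", acct.username,
                                    f"owner terminated on {owner.termination_date} but account still enabled"))
        # A.5.15 access control rules: conflicting roles on one identity
        for pair in sod_conflicts:
            if pair <= acct.roles:
                findings.append(Finding("A.5.15", acct.username, "SoD conflict: " + " + ".join(sorted(pair))))
        # A.8.2 privileged access rights: unused privileged accounts are excessive privilege
        if acct.privileged:
            if acct.last_login is None:
                findings.append(Finding("A.8.2", acct.username, "privileged account never used"))
            elif (today - acct.last_login).days > max_dormant_days:
                findings.append(Finding("A.8.2", acct.username,
                                        f"privileged account dormant for {(today - acct.last_login).days} days"))
    return findings


def summarise_by_control(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per Annex A control, the figure an auditor asks for first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    results = review_access(ACCOUNTS, HR_ROSTER, SOD_CONFLICTS, TODAY)
    for f in results:
        print(f"{f.control:7} {f.account:12} {f.issue}")
    print(summarise_by_control(results))
```

Run periodically against the real HR feed and IAM export, archive the dated output, and the archive becomes the monitoring evidence Clause 9 asks for; a review that finds nothing should still be recorded, because the auditor wants proof the control operated, not just proof it found problems.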