ISO 27001 & ISMS

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Unlike SOX, GDPR, or PCI DSS, ISO 27001 is a voluntary certification that demonstrates an organisation has implemented a comprehensive information security management system. IAM is a critical component of ISO 27001, with multiple Annex A controls specifically addressing identity and access management.

ISO 27001 Structure

Clauses 4-10 (Mandatory Requirements)

These clauses define the ISMS requirements that any organisation must implement to be certifiable:

| Clause | Title | IAM Relevance |
|---|---|---|
| 4 | Context of the organisation | Determine which regulations and stakeholders drive IAM requirements |
| 5 | Leadership | Top management commitment to IAM policy and objectives |
| 6 | Planning | IAM risk assessment, risk treatment, and control selection |
| 7 | Support | IAM awareness training, competency, communication |
| 8 | Operation | Operational IAM processes — provisioning, certification, access reviews |
| 9 | Performance evaluation | IAM monitoring, measurement, internal audit, management review |
| 10 | Improvement | IAM nonconformity management, corrective action, continuous improvement |

Annex A (Control Reference)

Annex A lists 93 controls across 4 categories. Annex A controls are selected based on the risk assessment — not all controls are mandatory, but the Statement of Applicability (SoA) must justify why each control is included or excluded.

Annex A Controls Relevant to IAM

A.5 — Organisational Controls

| Control | Description | IAM Implementation |
|---|---|---|
| A.5.1 | Policies for information security | IAM policy, access control policy, password policy |
| A.5.2 | Information security roles and responsibilities | IAM team roles, access owners, data owners |
| A.5.8 | Information security in project management | IAM requirements included in new system projects |
| A.5.11 | Return of assets | User offboarding — asset return before account disablement |
| A.5.15 | Access control | Access control policy, rules, rights, and restrictions |
| A.5.16 | Identity management | Full identity lifecycle — creation, maintenance, deletion |
| A.5.17 | Authentication information | Password policy, MFA, credential management |
| A.5.18 | Access rights | Provisioning, privilege management, access reviews |
| A.5.23 | Information security for use of cloud services | Cloud IAM, identity federation with cloud providers |
| A.5.24 | Information security incident management | Incident response with identity forensics |
| A.5.31 | Legal, statutory, regulatory, and contractual requirements | Compliance with SOX/GDPR/PCI/HIPAA through IAM |
| A.5.32 | Intellectual property rights | Access controls over proprietary information |
| A.5.33 | Protection of records | Audit trail preservation, access to records |
| A.5.36 | Compliance with policies and standards | Access certification, compliance monitoring |

A.6 — People Controls

| Control | Description | IAM Implementation |
|---|---|---|
| A.6.1 | Screening | Background checks before access provisioning |
| A.6.2 | Terms and conditions of employment | Acceptable use policy for access, confidentiality agreements |
| A.6.3 | Information security awareness, education, and training | IAM security awareness, phishing training |
| A.6.5 | Post-employment responsibilities | Continued confidentiality obligations, access removal |

A.7 — Physical Controls

| Control | Description | IAM Implementation |
|---|---|---|
| A.7.1 | Physical security perimeters | Physical access to server rooms, data centres (PACS integration) |
| A.7.2 | Physical entry controls | Badge access, visitor management |
| A.7.6 | Working in secure areas | Clean desk policy, locked workstations |

A.8 — Technological Controls

| Control | Description | IAM Implementation |
|---|---|---|
| A.8.1 | User endpoint devices | Device compliance for access (MDM, device posture) |
| A.8.2 | Privileged access rights | PAM — JIT, elevation, approval, recording |
| A.8.3 | Information access restriction | RBAC/ABAC, need-to-know, least privilege |
| A.8.4 | Access to source code | Repository access controls, code review requirements |
| A.8.5 | Secure authentication | MFA, passwordless, single sign-on |
| A.8.8 | Management of technical vulnerabilities | Patching with authenticated vulnerability scanning |
| A.8.9 | Configuration management | Baseline configurations enforced through access controls |
| A.8.11 | Data masking | Dynamic data masking based on user role |
| A.8.12 | Data leakage prevention | DLP policies linked to user identity |
| A.8.15 | Logging | Authentication logs, access logs, privileged session logs |
| A.8.16 | Monitoring activities | Real-time monitoring of IAM events |
| A.8.24 | Use of cryptography | Encryption for credential storage, TLS for authentication |
| A.8.25 | Secure development lifecycle | Secure coding for IAM integrations |
| A.8.29 | Security testing in development and acceptance | IAM control testing, penetration testing |
| A.8.30 | Outsourced development | Vendor IAM control requirements |

ISO 27001:2022 Annex A Changes Impacting IAM

The 2022 revision introduced 11 new controls and updated several existing controls relevant to IAM:

| New/Updated Control | 2022 Change | IAM Action Required |
|---|---|---|
| A.5.23 — Cloud services (NEW) | Explicit cloud security requirements | Cloud IAM, workload identity federation |
| A.5.30 — ICT continuity (NEW) | ICT readiness for business continuity | IAM availability, PAM disaster recovery |
| A.5.37 — Operating procedures (NEW) | Documented operating procedures | IAM operational procedures, runbooks |
| A.8.2 — Privileged access rights (UPDATED) | Stronger focus on privilege management | PAM program, JIT access, privileged session recording |
| A.8.5 — Secure authentication (UPDATED) | Emphasis on MFA and passwordless | MFA deployment, passwordless authentication |
| A.8.16 — Monitoring (UPDATED) | Continuous monitoring requirement | IAM event monitoring, SIEM integration |
| A.8.23 — Web filtering (NEW) | Web access controls | Identity-aware web gateway integration |
| A.8.28 — Secure coding (NEW) | Coding standards for security | IAM API security, OAuth/OIDC secure implementation |

ISO 27001 Certification Process for IAM

Preparation Phase (3-6 Months)

| Step | Activities | IAM Deliverables |
|---|---|---|
| 1. Define ISMS scope | Determine which systems, processes, and locations are in scope | IAM scope: which identity stores, applications, and infrastructure are covered |
| 2. IAM policy | Establish IAM policy aligned with business and legal requirements | IAM Policy document, Access Control Policy |
| 3. Risk assessment | Identify IAM risks, assess likelihood and impact | IAM Risk Assessment Register |
| 4. Risk treatment | Select Annex A controls to address identified risks | Statement of Applicability (SoA) with IAM controls |
| 5. Control implementation | Implement selected IAM controls | IAM operational controls deployed (PAM, IGA, IdP, MFA) |

Risk Assessment for IAM

ISO 27001 requires a risk assessment process. For IAM risks, the assessment typically covers:

| IAM Risk | Threat | Likelihood | Impact | Selected Control |
|---|---|---|---|---|
| Unauthorised access | Weak authentication, credential theft | High | High | MFA (A.8.5) |
| Excessive privileges | Privilege creep, no PAM | Medium | High | PAM (A.8.2) |
| Orphaned accounts | No deprovisioning process | Medium | Medium | Identity lifecycle (A.5.16) |
| SoD violation | Conflicting access rights | Medium | High | Access rights review (A.5.18) |
| Insider threat | Authorised user misuse | Low | High | Monitoring (A.8.16) |
| Third-party access | Vendor account compromise | Medium | Medium | Cloud security (A.5.23) |
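Several rows of this register (orphaned accounts, unauthorised access through weak authentication, SoD violations) can be checked continuously rather than only at audit time, and the output is exactly the kind of evidence a Stage 2 auditor asks for. The script below is an added example, not part of the course material or any IGA product: it reconciles a constructed HRIS roster against a constructed IdP account export and emits one finding per control. The field names (`hr_id`, `mfa`, `groups`, `last_login`), the privileged group names and the SoD conflict set are all assumptions for the illustration.

```python
"""Added example (not from the course page): reconcile HRIS against the IdP to
produce evidence for A.5.16 (identity lifecycle), A.5.18 (access rights review)
and A.8.5 (secure authentication). All data below is constructed sample input;
the record schema is an assumption, not any vendor's export format."""
from dataclasses import dataclass
from datetime import date

# Constructed HRIS roster: employee id -> (status, termination date or None)
HRIS = {
    "e100": ("active", None),
    "e101": ("active", None),
    "e102": ("terminated", date(2024, 3, 1)),
    "e103": ("active", None),
}

# Constructed IdP export: one record per account (schema assumed for the example)
IDP_ACCOUNTS = [
    {"username": "alice", "hr_id": "e100", "enabled": True, "mfa": True,
     "groups": ["staff"], "last_login": date(2024, 5, 2)},
    {"username": "bob", "hr_id": "e101", "enabled": True, "mfa": False,
     "groups": ["staff", "domain-admins"], "last_login": date(2024, 5, 3)},
    {"username": "carol", "hr_id": "e102", "enabled": True, "mfa": True,
     "groups": ["staff"], "last_login": date(2024, 2, 20)},
    {"username": "svc-backup", "hr_id": None, "enabled": True, "mfa": False,
     "groups": ["backup-operators"], "last_login": date(2023, 9, 1)},
    {"username": "dave", "hr_id": "e103", "enabled": True, "mfa": True,
     "groups": ["staff", "finance-approvers", "finance-requesters"],
     "last_login": date(2024, 5, 1)},
]

PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}        # assumed
SOD_CONFLICTS = [{"finance-approvers", "finance-requesters"}]    # assumed toxic pair
AS_OF = date(2024, 5, 10)                                        # reconciliation date


@dataclass(frozen=True)
class Finding:
    control: str   # Annex A control the finding is evidence against
    risk: str      # row of the IAM risk register it maps to
    account: str
    detail: str


def reconcile(hris, accounts, as_of, dormant_days=90):
    """Return one Finding per failed check across all enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are outside these checks
        name = acct["username"]
        groups = set(acct["groups"])

        # A.5.16: every enabled account must trace to a current HRIS record
        hr = hris.get(acct["hr_id"]) if acct["hr_id"] else None
        if hr is None:
            findings.append(Finding("A.5.16", "Orphaned accounts", name,
                                    "no HRIS owner on record"))
        elif hr[0] == "terminated":
            findings.append(Finding("A.5.16", "Orphaned accounts", name,
                                    f"terminated {hr[1].isoformat()} but still enabled"))

        # A.8.5: privileged group membership without MFA
        priv = groups & PRIVILEGED_GROUPS
        if priv and not acct["mfa"]:
            findings.append(Finding("A.8.5", "Unauthorised access", name,
                                    f"privileged groups {sorted(priv)} without MFA"))

        # A.5.18: segregation-of-duties conflicts in held groups
        for conflict in SOD_CONFLICTS:
            if conflict <= groups:
                findings.append(Finding("A.5.18", "SoD violation", name,
                                        f"holds conflicting groups {sorted(conflict)}"))

        # A.5.18: dormant accounts are candidates for the access review
        idle = (as_of - acct["last_login"]).days
        if idle > dormant_days:
            findings.append(Finding("A.5.18", "Orphaned accounts", name,
                                    f"no login for {idle} days"))
    return findings


def summarise(findings):
    """Count findings per control, the shape an internal audit report needs."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    results = reconcile(HRIS, IDP_ACCOUNTS, as_of=AS_OF)
    for f in results:
        print(f"{f.control:7} {f.risk:20} {f.account:12} {f.detail}")
    print(summarise(results))
```

Run on the sample data it reports six findings: the terminated employee and the unowned service account under A.5.16, the two privileged accounts lacking MFA under A.8.5, and the SoD conflict plus the dormant service account under A.5.18. Retaining each run's output with its date gives the recurring, dated evidence that surveillance audits look for.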

Implementation Phase (6-12 Months)

| Activity | Deliverable | Audit Evidence |
|---|---|---|
| Deploy IAM controls | IGA, PAM, IdP, MFA deployed per SoA | Deployment documentation, architecture diagrams |
| Document procedures | IAM operational procedures, runbooks | Procedure documents, change management records |
| Train staff | IAM awareness training for all users | Training records, completion reports |
| Monitor and measure | IAM control monitoring, KPI tracking | Monitoring dashboards, KPI reports |
| Internal audit | Pre-certification internal audit of IAM controls | Internal audit reports, remediation records |

Certification Audit (2-3 Weeks)

| Phase | Activities | IAM Focus |
|---|---|---|
| Stage 1 — Documentation review | Auditor reviews policies, SoA, risk assessment | IAM policy completeness, SoA accuracy, risk assessment adequacy |
| Stage 2 — Implementation audit | Auditor tests controls, interviews staff, reviews evidence | IAM control operation, evidence quality, staff competency |

Surveillance and Recertification

| Activity | Frequency | IAM Requirements |
|---|---|---|
| Surveillance audit | Annual | Ongoing IAM control effectiveness, incident review |
| Recertification audit | Every 3 years | Full reassessment of IAM controls, updated risk assessment |
| Internal audit | At least annually | IAM internal audit with independent auditors |
| Management review | At least annually | IAM performance review, resource adequacy, improvement opportunities |

Statement of Applicability (SoA)

The SoA is a critical document that lists every Annex A control and records whether it is applicable, the justification for that decision (required for exclusions as well as inclusions), the implementation status, and the evidence that supports it. Two example entries:

Control ID: A.5.16 — Identity management
Applicable: YES
Justification: Identity management is essential for controlling access to information assets
Implementation Status: Implemented
Implementation Description: Full identity lifecycle management through IGA platform integrated with HRIS
Evidence: IGA platform, provisioning/de-provisioning process documentation

Control ID: A.7.3 — Securing offices, rooms, and facilities
Applicable: YES
Justification: Physical security is required for on-premise identity infrastructure
Implementation Status: Implemented
Implementation Description: Data centre access controlled by badge system with visitor logs
Evidence: Physical access policy, badge access logs, visitor register

Key Takeaways

  • ISO 27001 is a voluntary certification for an Information Security Management System (ISMS) — it requires a risk-based approach where IAM controls are selected based on the organisation’s specific risk assessment rather than prescribed by the standard
  • Annex A contains 93 controls across 4 categories (organisational, people, physical, technological) — IAM-relevant controls include A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication), A.5.18 (access rights), A.8.2 (privileged access rights), A.8.5 (secure authentication), and A.8.15 (logging)
  • The 2022 revision introduced new controls and updated existing ones that impact IAM: A.5.23 (new: cloud services requiring cloud IAM), A.8.2 (updated: stronger privileged access focus), A.8.5 (updated: emphasis on MFA/passwordless), and A.8.16 (updated: continuous monitoring requirements)
  • The Statement of Applicability (SoA) is the key document — it lists each Annex A control and justifies why it is included or excluded based on the risk assessment
  • Certification requires a risk assessment identifying IAM risks (unauthorised access, excessive privileges, orphaned accounts, SoD violations, insider threats), selection of appropriate Annex A controls, documentation of procedures, staff training, monitoring, and internal audit
  • The certification process spans preparation (3-6 months), implementation (6-12 months), Stage 1 audit (documentation review), Stage 2 audit (control testing), annual surveillance audits, and triennial recertification
  • IAM controls are interconnected — risk assessment for IAM must consider the full attack chain: authentication weaknesses, authorisation gaps, privilege management, lifecycle management, monitoring, and incident response