Start with Identity
Compliance · Intermediate

Identity Controls for ISO 27001

By SWI Community Team · Updated 2026-06-18 · 12 min

ISO/IEC 27001 is the international standard for information security management systems. It does not prescribe products, but its Annex A controls lean heavily on identity, and auditors will expect you to show how access is granted, reviewed, and removed, with evidence for each step. This guide maps the identity-relevant controls to what you actually build.

What ISO 27001 expects of identity

The 2022 revision groups the Annex A controls into four themes: organisational, people, physical, and technological. The identity-relevant controls sit mostly in the organisational theme (A.5.x), with privileged access in the technological theme (A.8.x):

  • Access control (A.5.15): a documented, topic-specific access control policy, with need-to-know and least privilege enforced in practice.
  • Identity management (A.5.16): a managed lifecycle for every identity, human and non-human, from creation to deletion.
  • Authentication information (A.5.17): secure allocation, storage, and reset of credentials; in practice MFA, and passwordless where feasible.
  • Access rights (A.5.18): provisioning, periodic review, and prompt modification or removal across the joiner-mover-leaver lifecycle.
  • Privileged access rights (A.8.2): restricted to named individuals, monitored, and time-bound.

What good looks like

  • SSO and MFA across in-scope systems, with phishing-resistant factors for privileged users.
  • Automated provisioning and deprovisioning via SCIM, driven from the HR system as the source of truth, so leavers lose access promptly.
  • Periodic access reviews whose outcome is recorded (who reviewed which accounts, when, and what was revoked), typically through an IGA tool.
  • Just-in-time, time-bound privileged access through a PAM tool, with session logging or recording.

Common pitfalls

  • Access reviews that happen but are not evidenced; auditors want the artifact, not a statement that the review took place.
  • Orphaned accounts and service accounts that sit outside the lifecycle, with no owner and no review.
  • Privileged access granted permanently rather than just in time, with no expiry to enforce.
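As an added example, not from this guide or any vendor's tooling: a small Python reconciliation that exercises the pitfalls above against constructed data. It compares one application's account export with the HR roster, flags orphaned accounts, leavers still enabled, unowned service accounts, and privileged grants that are standing or already expired, and writes the result as a dated, attributed review record of the kind an auditor asks for under A.5.18. The SCIM PatchOp body is the standard RFC 7644 form for disabling a user; the roster and account fields (`type`, `owner`, `admin_expires`) and all usernames are assumptions made for the illustration.

```python
import json
from datetime import date

# Constructed data, not from any real system. The HR roster is the source of
# truth for human identities (joiner-mover-leaver), keyed by username.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "end_date": "2026-05-30"},
    "carol": {"status": "active"},
}

# Constructed account export from one in-scope application. In practice this
# would come from the app's SCIM /Users endpoint or its admin API. The fields
# "type", "owner" and "admin_expires" are assumed for this example.
APP_ACCOUNTS = [
    {"userName": "alice", "type": "human", "active": True, "roles": ["reader"]},
    {"userName": "bob", "type": "human", "active": True, "roles": ["reader"]},    # leaver still enabled
    {"userName": "carol", "type": "human", "active": True, "roles": ["admin"]},   # admin with no expiry
    {"userName": "dave", "type": "human", "active": True, "roles": ["reader"]},   # unknown to HR
    {"userName": "svc-backup", "type": "service", "active": True, "roles": ["admin"],
     "owner": None, "admin_expires": "2026-05-01"},                               # unowned, expired grant
]

PRIVILEGED_ROLES = {"admin"}
SCIM_PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
REVIEW_DATE = date(2026, 6, 18)  # fixed so the run is reproducible


def scim_deactivate_payload() -> dict:
    """SCIM 2.0 PatchOp body (RFC 7644) that disables a user. It is sent as
    PATCH /Users/{id} to the application's SCIM endpoint; only the body is built here."""
    return {
        "schemas": [SCIM_PATCH_OP],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def review_accounts(roster: dict, accounts: list, today: date) -> list:
    """Return one finding per problem: orphaned accounts, leavers still enabled,
    unowned service accounts, and privileged grants that are standing or expired."""
    findings = []
    for acct in accounts:
        name = acct["userName"]
        if acct["type"] == "service":
            # Service accounts are not in HR, so the lifecycle control is a named owner.
            if not acct.get("owner"):
                findings.append({"account": name, "issue": "service account without owner",
                                 "action": "assign an owner or disable"})
        else:
            person = roster.get(name)
            if person is None:
                findings.append({"account": name, "issue": "orphaned account (not in HR roster)",
                                 "action": "disable pending investigation",
                                 "scim_patch": scim_deactivate_payload()})
            elif person["status"] != "active" and acct["active"]:
                left = person.get("end_date", "unknown date")
                findings.append({"account": name, "issue": f"leaver still active (left {left})",
                                 "action": "deactivate via SCIM",
                                 "scim_patch": scim_deactivate_payload()})
        if PRIVILEGED_ROLES & set(acct["roles"]):
            expires = acct.get("admin_expires")
            if expires is None:
                findings.append({"account": name, "issue": "standing privileged access (no expiry)",
                                 "action": "convert to a just-in-time grant"})
            elif date.fromisoformat(expires) < today:
                findings.append({"account": name, "issue": f"privileged grant expired {expires} but still present",
                                 "action": "remove the role"})
    return findings


def build_review_artifact(reviewer: str, roster: dict, accounts: list, today: date) -> dict:
    """The evidence an auditor asks for: who reviewed which accounts, when, and what was decided."""
    return {
        "control": "ISO/IEC 27001:2022 A.5.18 access rights review",
        "reviewer": reviewer,
        "reviewed_on": today.isoformat(),
        "accounts_in_scope": [a["userName"] for a in accounts],
        "findings": review_accounts(roster, accounts, today),
    }


if __name__ == "__main__":
    artifact = build_review_artifact("reviewer@example.com", HR_ROSTER, APP_ACCOUNTS, REVIEW_DATE)
    # Keep this output (in a ticket, a signed file, or the IGA tool) as the review record.
    print(json.dumps(artifact, indent=2))
```

Run against the constructed data it reports five findings: bob still enabled after leaving, carol holding a standing admin role, dave unknown to HR, and svc-backup both unowned and carrying an admin grant past its expiry; alice is clean. The point for the audit is that the record names the reviewer, the date, the scope and each decision, which is what turns a review that "happened" into one that is evidenced.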

Related

IAM audit preparation, SOC 2 for identity. Vendors: IGA, PAM.