Atlas Apex

ISO 27001 · Identity Lens

ISO 27001

ISO 27001 is the management-system spine that an identity programme can hang on — the controls live in Annex A, but the discipline lives in the system.

Full name
ISO/IEC 27001:2022 — Information Security Management Systems
Region
International
Applies to
Any organisation seeking a certified information-security management system. Common driver for B2B contracts, supplier qualification, and customer trust statements.

ISO/IEC 27001:2022 is the international standard for information-security management systems. The 2022 revision restructured the Annex A controls into four themes (organisational, people, physical, technological) and reduced the count from 114 to 93. Identity-relevant controls are spread across all four themes, which is why a checklist approach against Annex A produces a brittle programme.

What it asks for

The Identity Lens

The clauses that bite when identity architecture is weak, rewritten in plain English. The authoritative wording is in the standard itself; the numbering below follows ISO/IEC 27001:2022 Annex A.

Access control (A.5.15 — A.5.18, A.8.2 — A.8.5)

Topic-specific policy for access control including least privilege (A.5.15), identity management as a defined process (A.5.16), protection of authentication information (A.5.17), access rights provisioning and review (A.5.18), privileged access rights (A.8.2), information access restriction (A.8.3), access to source code (A.8.4), and secure authentication (A.8.5). Annex A lists them as separate controls; in practice they are one identity discipline, and an auditor will expect the evidence for each to tie back to the same process.

Identity management (A.5.16)

The full lifecycle of identities — issuance, modification, suspension, and removal — must be governed. Both human and non-human identities are in scope. Provisioning and deprovisioning have to be evidenced.

Authentication information (A.5.17)

How credentials are generated, distributed, stored, changed, and revoked. This is the clause where MFA strength, phishing-resistance, and password practices get decided.

Privileged access (A.8.2)

Allocation and use of privileged access rights must be restricted and managed. PAM, just-in-time access, session recording, and the lifecycle of break-glass accounts all sit here.

Information transfer and supplier relationships (A.5.14, A.5.19 — A.5.23)

Cross-organisation identity: supplier access, use of cloud services, and the contract clauses that hold them together. Federation is not named as a control, but it is how supplier and cloud access is usually implemented, so it is evidenced under these clauses. The cloud-services control (A.5.23) is new in the 2022 revision and pulls SaaS and IaaS access explicitly into ISMS scope.

Where teams miss it

Common Misses

Patterns we see again and again — usually because the identity programme runs in parallel to the compliance programme rather than inside it.

Annex A controls implemented as point solutions, with no management-system thread connecting access reviews to risk treatment to internal audit.

Non-human identities not visible to the ISMS scope statement. Auditors increasingly ask, and find gaps.

Statement of Applicability that records the control as implemented but cannot evidence it on demand.

Cloud and SaaS access excluded from the ISMS because it is treated as someone else's responsibility.

What works

Where Design Pays Off

Patterns we have seen survive certification audit, internal audit, and the next organisational change.

Identity architecture documented as one of the ISMS control objectives, with the same owner who signs the Statement of Applicability.

Continuous evidence (posture monitoring, drift detection, access certification) feeding the internal-audit programme instead of point-in-time sampling.

Annex A mapped to the actual platform configurations, so re-certification audits do not require a project to assemble evidence.
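What "evidence on demand" looks like in practice, for both the identity-lifecycle requirement (A.5.16) above and the continuous-evidence pattern in this list: an access-review check that reconciles an HR roster against an identity-provider export and emits a dated record keyed by Annex A control. This is an added example, not code from the page or from Atlas Apex; the roster and export are constructed sample data, the field names are assumptions about what an HR system and an IdP would export, and the 90-day idle threshold and one-day leaver grace period are assumed policy values, not figures from the standard.

```python
"""Access-review evidence check (added example, constructed data).

Reconciles an HR roster against an IdP account export and returns findings
tagged with the Annex A control they evidence against: A.5.16 (identity
lifecycle, including non-human identities), A.8.5 (secure authentication)
and A.8.2 (privileged access rights). Field names and thresholds are
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: HR roster, the source of truth for who should exist.
HR_ROSTER = [
    {"employee_id": "E100", "email": "alice@example.test", "status": "active", "left": None},
    {"employee_id": "E101", "email": "bob@example.test", "status": "left", "left": "2024-05-31"},
    {"employee_id": "E102", "email": "carol@example.test", "status": "active", "left": None},
]

# Constructed sample: IdP export covering human and non-human identities.
IDP_EXPORT = [
    {"account": "alice@example.test", "type": "human", "owner": "E100",
     "mfa": "fido2", "roles": ["admin"], "last_login": "2024-06-10"},
    {"account": "bob@example.test", "type": "human", "owner": "E101",
     "mfa": "sms", "roles": ["user"], "last_login": "2024-06-02"},
    {"account": "carol@example.test", "type": "human", "owner": "E102",
     "mfa": "none", "roles": ["admin"], "last_login": "2024-06-09"},
    {"account": "svc-backup", "type": "service", "owner": None,
     "mfa": "n/a", "roles": ["admin"], "last_login": "2024-01-15"},
    {"account": "svc-ci", "type": "service", "owner": "E102",
     "mfa": "n/a", "roles": ["user"], "last_login": "2024-06-10"},
]

PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}   # assumed policy
MAX_SERVICE_IDLE_DAYS = 90                              # assumed policy
SAMPLE_AS_OF = date(2024, 6, 11)                        # review date for the sample


@dataclass
class Finding:
    control: str   # Annex A control the exception is evidenced against
    account: str
    issue: str


def review_access(hr_roster, idp_export, as_of: date, grace_days: int = 1) -> list[Finding]:
    """Reconcile HR roster against IdP accounts; return one Finding per exception."""
    by_id = {p["employee_id"]: p for p in hr_roster}
    findings: list[Finding] = []
    for acct in idp_export:
        name = acct["account"]
        is_priv = "admin" in acct["roles"]
        if acct["type"] == "human":
            person = by_id.get(acct["owner"])
            # A.5.16: every human account maps to a person; leavers are removed promptly.
            if person is None:
                findings.append(Finding("A.5.16", name, "no matching person in HR roster"))
            elif person["status"] == "left":
                left = date.fromisoformat(person["left"])
                if as_of - left > timedelta(days=grace_days):
                    findings.append(Finding("A.5.16", name, f"left {left}, account still present"))
            # A.8.5 (with A.8.2): privileged humans authenticate with phishing-resistant MFA.
            if is_priv and acct["mfa"] not in PHISHING_RESISTANT:
                findings.append(Finding("A.8.5", name, f"privileged account with MFA={acct['mfa']}"))
        else:
            # A.5.16: non-human identities are in scope and need a named owner.
            if not acct["owner"]:
                findings.append(Finding("A.5.16", name, "service account without owner"))
            # A.8.2: privileged service identities that sit idle are reviewed, not left standing.
            idle = (as_of - date.fromisoformat(acct["last_login"])).days
            if is_priv and idle > MAX_SERVICE_IDLE_DAYS:
                findings.append(Finding("A.8.2", name, f"privileged service account idle {idle} days"))
    return findings


def evidence_record(findings, as_of: date) -> dict:
    """Group findings per control into a dated, JSON-serialisable record for the audit file."""
    per_control: dict = {}
    for f in findings:
        per_control.setdefault(f.control, []).append({"account": f.account, "issue": f.issue})
    return {
        "review_date": as_of.isoformat(),
        "findings": per_control,
        "controls_with_exceptions": sorted(per_control),
    }


def run_sample() -> list[Finding]:
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER, IDP_EXPORT, SAMPLE_AS_OF)


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record(run_sample(), SAMPLE_AS_OF), indent=2))
```

Run on a schedule and kept with the date, this output is the evidence an auditor asks for against the Statement of Applicability; the point of tagging each finding with its control is that the same run feeds access certification, the internal-audit programme and risk treatment rather than three separate spreadsheets.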

Need an ISO 27001-ready identity baseline?

We start with an assessment that maps your identity controls to ISO 27001 requirements, then design and operate the controls that close the gaps.

Book a Conversation