IGA Glossary

ISO 27001

ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for organizations to identify, manage, and reduce information security risks through a systematic set of policies, processes, and controls.

What is ISO 27001?

ISO 27001 is the world's most widely recognized standard for information security management. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it gives organizations a structured approach to protecting their information assets.

Unlike a checklist you simply tick off, ISO 27001 requires you to build and maintain an information security management system — a documented, ongoing approach to managing security risks. The standard does not tell you exactly which tools to buy or which configurations to use. Instead, it requires you to assess your own risks and implement controls appropriate for your situation.

The current version is ISO/IEC 27001:2022, which replaced the 2013 edition. The 2022 revision consolidated the Annex A controls from 114 to 93, regrouped them into four themes, and added eleven new controls for areas such as threat intelligence, cloud services, data leakage prevention, monitoring, and secure coding. Certificates issued against the 2013 edition have to be transitioned to the 2022 edition by 31 October 2025, so a new certification effort should target the 2022 text.

Why do organizations get ISO 27001 certified?

There are several practical reasons.

Many enterprise customers, especially in Europe, require their vendors to hold ISO 27001 certification. It is often a checkbox item in procurement processes and RFPs. ISO 27001 also aligns well with regulatory requirements like GDPR and NIS2 — while it does not guarantee compliance with these regulations, it demonstrates that you have a systematic approach to security.

Going through the ISO 27001 process forces you to identify and address security gaps you might not have noticed. The structured approach catches things that ad hoc security efforts miss. For SaaS companies and service providers, certification also signals to the market that you take security seriously, and can be the deciding factor in competitive evaluations.

How is ISO 27001 structured?

The standard has two main parts.

The management system requirements (Clauses 4-10) define how to set up and run your ISMS: context of the organization, leadership, planning (including risk assessment and risk treatment), support, operation, performance evaluation, and improvement. These clauses are mandatory and cannot be excluded from scope.

Annex A controls provide a reference list of security controls organized into four themes (in the 2022 version): organizational controls (37 controls covering policies, roles, asset management, supplier relationships), people controls (8 controls covering screening, training, and awareness), physical controls (14 controls covering physical security and equipment protection), and technological controls (34 controls covering access management, cryptography, logging, and network security).

You do not have to implement every Annex A control, but you do have to consider each one. You perform a risk assessment, decide which controls are needed to treat the risks you found, and record every Annex A control in a Statement of Applicability (SoA) with the reasoning for including or excluding it and whether it is implemented. An auditor will check that each exclusion is justified by the risk assessment rather than by convenience.

What does ISO 27001 require for access control?

Access control is covered extensively in ISO 27001. The relevant controls (using the 2022 numbering) include:

A.5.15 Access control. Rules for controlling physical and logical access must be established and implemented based on business and security requirements.

A.5.16 Identity management. The full lifecycle of identities must be managed: creating, modifying, disabling, and deleting accounts. This applies to service and system accounts as well as to people; an enabled account that no longer maps to a current owner is a finding.

A.5.17 Authentication information. Passwords and other authentication credentials must be controlled by a management process covering allocation, storage, reset, and changes where appropriate (at minimum when compromise is known or suspected), including telling staff how to handle them.

A.5.18 Access rights. Access rights must be provisioned, reviewed, modified, and removed in accordance with the organization's access control policy. This is the control behind regular access reviews, and it also covers the mover and leaver cases: rights are adjusted when someone changes role and removed when they leave.

A.8.2 Privileged access rights. The allocation and use of privileged access (admin accounts, elevated roles) must be restricted and managed. In practice that means separate accounts for administrative work, multi-factor authentication on them, time-limited or just-in-time elevation where the platform supports it, and reviewing who holds privileged roles more often than ordinary access.

A.8.3 Information access restriction. Access to information and application functions must be restricted according to the access control policy, so that the systems enforce the policy rather than relying on people to follow it.

In practical terms, your auditor will want to see a documented access control policy, defined processes for granting, modifying, and revoking access (joiner, mover, and leaver), evidence that access reviews actually took place (who reviewed what, when, and what was removed as a result), controls around privileged accounts, and audit logs showing access activity (which falls under A.8.15 Logging and A.8.16 Monitoring activities). A policy with no evidence that it is followed is a nonconformity waiting to be written up.
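Checking these controls by hand does not scale, and the logic is simple enough to automate. The following Python script is an added example (it is not part of this glossary and is not Adcyma's code): it reconciles a directory export against an HR roster, emits findings tagged with the Annex A control they relate to, and produces a dated review record of the kind an auditor asks for as evidence. The HR roster, account list, role names, and entitlement table are all constructed for the example; in a real tenant the account list would come from your directory and the MFA and last-sign-in fields from its reporting data.

```python
"""Access-review reconciliation: HR roster + directory export -> findings mapped to
ISO 27001 Annex A controls, plus a dated review record to retain as audit evidence.
All data, role names and the entitlement table below are constructed for the example."""
from collections import Counter
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role-to-entitlement model (A.5.18: rights follow the job role).
ENTITLEMENTS = {"finance-analyst": {"Finance Reader"}, "helpdesk": {"Helpdesk Admin"},
                "platform-engineer": {"Repo Write", "Prod Deploy"}}
# Roles treated as privileged for A.8.2 (hypothetical names, not real Entra ID roles).
PRIVILEGED_ROLES = {"Helpdesk Admin", "Prod Deploy", "Tenant Admin"}

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    job_role: str
    status: str  # "active" or "terminated"

@dataclass(frozen=True)
class Account:
    upn: str
    employee_id: Optional[str]        # None: no person linked to the account
    enabled: bool
    roles: frozenset
    last_sign_in: Optional[datetime]  # None: never signed in
    mfa_registered: bool

@dataclass(frozen=True)
class Finding:
    upn: str
    control: str  # Annex A control the finding is evidence against
    action: str
    detail: str

def reconcile(hr, accounts, now, dormant_days=90):
    """Compare every account against the HR roster and the entitlement model."""
    by_id = {r.employee_id: r for r in hr}
    cutoff = now - timedelta(days=dormant_days)
    findings = []
    for a in accounts:
        person = by_id.get(a.employee_id) if a.employee_id else None
        privileged = a.roles & PRIVILEGED_ROLES
        # A.5.16 identity lifecycle: every identity needs a current owner.
        if a.employee_id is None:
            findings.append(Finding(a.upn, "A.5.16", "assign-owner", "no linked employee record"))
        elif person is None or person.status != "active":
            if a.enabled:
                findings.append(Finding(a.upn, "A.5.16", "deprovision",
                                        f"employee {a.employee_id} not active in HR"))
            continue  # a leaver's account is removed, not reviewed further
        # A.5.18 access rights: anything beyond the role's entitlement is excess.
        if person is not None:
            excess = a.roles - ENTITLEMENTS.get(person.job_role, set())
            if excess:
                findings.append(Finding(a.upn, "A.5.18", "remove-rights",
                                        f"not entitled by role {person.job_role}: {sorted(excess)}"))
        # A.5.18 access rights: a dormant account holds rights nobody uses.
        if a.enabled and (a.last_sign_in is None or a.last_sign_in < cutoff):
            findings.append(Finding(a.upn, "A.5.18", "disable", f"no sign-in in {dormant_days} days"))
        # A.8.2 privileged access: elevated roles without MFA are not controlled.
        if privileged and not a.mfa_registered:
            findings.append(Finding(a.upn, "A.8.2", "enforce-mfa",
                                    f"privileged roles without MFA: {sorted(privileged)}"))
    return findings

def review_record(findings, accounts_reviewed, reviewer, now):
    """The artefact to retain as evidence: who reviewed, when, and what was found."""
    return {"reviewed_at": now.isoformat(), "reviewer": reviewer,
            "accounts_reviewed": accounts_reviewed,
            "findings_by_control": dict(Counter(f.control for f in findings)),
            "findings": [asdict(f) for f in findings]}

# Constructed sample input (hypothetical people and accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
HR = [HrRecord("E100", "finance-analyst", "active"), HrRecord("E101", "helpdesk", "active"),
      HrRecord("E102", "platform-engineer", "terminated")]
ACCOUNTS = [
    Account("alice@example.com", "E100", True, frozenset({"Finance Reader"}),
            NOW - timedelta(days=3), True),                                  # clean
    Account("bob@example.com", "E101", True, frozenset({"Helpdesk Admin", "Prod Deploy"}),
            NOW - timedelta(days=10), False),                                # excess rights, no MFA
    Account("carol@example.com", "E102", True, frozenset({"Repo Write"}),
            NOW - timedelta(days=200), True),                                # leaver still enabled
    Account("svc-backup@example.com", None, True, frozenset({"Tenant Admin"}),
            None, False),                                                    # ownerless, never used
    Account("dave@example.com", "E999", False, frozenset(), None, False),    # unknown but disabled
]

if __name__ == "__main__":
    found = reconcile(HR, ACCOUNTS, NOW)
    for f in found:
        print(f"{f.upn:26} {f.control:7} {f.action:14} {f.detail}")
    print(review_record(found, len(ACCOUNTS), "iam-team", NOW)["findings_by_control"])
```

Run it and the leaver who is still enabled, the helpdesk user holding a deployment role, and the ownerless service account all surface as findings, while the disabled unknown account is left alone. The review_record output is the part to keep: a review with no retained record of who reviewed what, and when, is not evidence.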

How does the certification process work?

Getting ISO 27001 certified involves several stages. First, a gap analysis to assess your current security practices against the standard's requirements. Then building the ISMS — developing the required documentation including security policy, risk assessment methodology, risk treatment plan, and Statement of Applicability. Then implementing controls, which is usually the most time-consuming part.

From there: an internal audit to verify the ISMS is working as intended, a management review where senior leadership formally reviews ISMS performance, a Stage 1 audit (documentation review) by an external certification body, and a Stage 2 audit (implementation review) where the certification body verifies that your controls are implemented and working effectively.

If the auditor is satisfied (any major nonconformities found at Stage 2 must be closed first), you receive your ISO 27001 certificate, valid for three years. Annual surveillance audits verify ongoing conformity, and a full recertification audit runs before the certificate expires.

The whole process from start to certification typically takes 6-12 months for a mid-sized organization, depending on your starting point.

How identity governance supports ISO 27001

Several ISO 27001 controls directly relate to identity governance practices. Managing user identities across their lifecycle, controlling access rights based on job roles, conducting regular access reviews, and maintaining audit trails are all things the standard expects.

Doing this with spreadsheets and manual processes is possible for very small teams, but it does not scale. As your organization grows, the effort required to maintain ISO 27001-compliant access management grows with it.

Adcyma connects to your Microsoft Entra ID tenant and automates the identity governance controls that ISO 27001 requires. Automated provisioning and deprovisioning handle the identity lifecycle (A.5.16). Scheduled access reviews satisfy the access rights review requirements (A.5.18). And comprehensive audit logging provides the evidence trail your auditor needs.

For companies preparing for ISO 27001 certification, having proper governance tooling in place before the audit starts makes the process significantly smoother. Auditors want to see that your controls are not just documented policies but working, automated processes.

See how Adcyma handles this:

Explore the Platform

Put these concepts into practice

Adcyma makes identity governance simple for companies using Microsoft Entra ID. See how these terms translate into actual features.