Compliance deep dive · reviewed 2026-05-22

ISO/IEC 27001:2022 IAM controls — Annex A access controls explained

The IAM-relevant Annex A controls in ISO/IEC 27001:2022 + ISO 27002 implementation guidance — with practical evidence patterns for ISMS auditors.

Authority: ISO (International Organization for Standardization) + IEC

Effective date: ISO/IEC 27001:2022 published October 2022; transition deadline from the 2013 version was October 2025.

Jurisdiction: International — globally recognized standard

Evidence cadence: Initial certification audit + annual surveillance audits + 3-year recertification cycle

Scope: Any organization seeking ISO/IEC 27001 certification of an Information Security Management System (ISMS). Scope is defined by the certified entity — it can be a single product, a department, or the whole organization.

IAM-relevant controls

The controls that matter for IAM.

  • A.5.15: Access Control
    What it requires: Establish + implement + review access control rules based on business + information security requirements.
    Evidence example: Documented access-control policy + RBAC role model + role assignments mapped to business functions.

  • A.5.16: Identity Management
    What it requires: Full lifecycle management of identities — from creation, through changes, to deletion.
    Evidence example: HRIS-driven JML automation + audit log of every identity event + retention policy.

  • A.5.17: Authentication Information
    What it requires: Allocation + management of authentication information controlled by a management process.
    Evidence example: Password policy + MFA enforcement evidence + service-account credential rotation log.

  • A.5.18: Access Rights
    What it requires: Access rights to information + assets shall be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy.
    Evidence example: Access certification campaign output + SoD violation reports + termination revocation audit.

  • A.5.19: Information Security in Supplier Relationships
    What it requires: Address information-security risks associated with the use of supplier products or services through agreements.
    Evidence example: Vendor inventory + supplier IAM requirements in the BAA / DPA / MSA + supplier risk-assessment reports.

  • A.8.2: Privileged Access Rights
    What it requires: Allocation + use of privileged access rights shall be restricted + managed.
    Evidence example: PAM vault inventory + JIT elevation logs + privileged-account quarterly review.

  • A.8.3: Information Access Restriction
    What it requires: Access to information + other assets restricted in accordance with the established topic-specific policy.
    Evidence example: Authorization rules (RBAC / ABAC / ReBAC) + data classification + access logs.

  • A.8.5: Secure Authentication
    What it requires: Secure authentication technologies + procedures shall be implemented based on information access restrictions + the topic-specific policy.
    Evidence example: MFA configuration evidence + phishing-resistant MFA on privileged accounts + login-flow documentation.

  • A.8.15: Logging
    What it requires: Logs that record activities, exceptions, faults, and other relevant events shall be produced, stored, protected, and analyzed.
    Evidence example: SIEM topology + IAM event-source inventory + retention policy + log-integrity protection.

  • A.8.16: Monitoring Activities
    What it requires: Networks, systems, and applications shall be monitored for anomalous behavior + appropriate actions taken to evaluate potential incidents.
    Evidence example: ITDR detection rules + investigation runbook + monthly review meeting minutes.
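The "log-integrity protection" evidence asked for under A.8.15 is often the hardest item in the list to show concretely. One form it can take is a tamper-evident event log: each IAM event is stored with an HMAC over the record plus the previous entry's hash, so editing, deleting, or reordering an entry breaks the chain at the first affected position. The Python below is an added example written for this page; it is not code from the original page or from any product it mentions. DEMO_KEY, the event schema and the sample events are constructed for the demo.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the verifier (SIEM / evidence store),
# not the log producer, holds this key, ideally in a KMS or HSM.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def _entry_mac(key: bytes, prev_hash: str, record: dict) -> str:
    """HMAC over the previous entry's hash plus a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + canonical, hashlib.sha256).hexdigest()


def append(chain: List[dict], record: dict, key: bytes = DEMO_KEY) -> dict:
    """Append one IAM event; its MAC commits to every earlier entry via prev_hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "record": record,
             "hash": _entry_mac(key, prev, record)}
    chain.append(entry)
    return entry


def verify(chain: List[dict], key: bytes = DEMO_KEY,
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of first bad entry).

    Modified or deleted entries break the chain at the first affected index.
    Dropping entries from the tail is only caught when expected_head (the last
    hash, recorded out-of-band at the verifier) is supplied.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(e.get("hash", ""), _entry_mac(key, prev, e["record"])):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


# Constructed IAM events of the kind an A.8.15 event-source inventory would list.
SAMPLE_EVENTS = [
    {"ts": "2026-05-22T08:00:00Z", "event": "identity.created", "actor": "hris-sync", "subject": "u5"},
    {"ts": "2026-05-22T08:05:00Z", "event": "privilege.elevated", "actor": "u1", "subject": "u1", "role": "db-admin"},
    {"ts": "2026-05-22T09:00:00Z", "event": "identity.disabled", "actor": "hris-sync", "subject": "u2"},
]


def build_sample_chain(key: bytes = DEMO_KEY) -> List[dict]:
    chain: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev, key)
    return chain


def tamper_demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Show what each kind of tampering looks like to the verifier."""
    chain = build_sample_chain()
    head = chain[-1]["hash"]
    edited = copy.deepcopy(chain)
    edited[1]["record"]["actor"] = "someone-else"      # rewrite who performed the elevation
    deleted = copy.deepcopy(chain)
    del deleted[1]                                     # drop the elevation event entirely
    truncated = chain[:-1]                             # drop the newest event
    return {
        "intact": verify(chain, expected_head=head),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "truncated_no_head": verify(truncated),
        "truncated_with_head": verify(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case}: {result}")
```

The "truncated_no_head" case is the one auditors tend to probe: a chain with its newest entries removed still verifies unless the verifier independently records the latest head hash (or the producer periodically anchors it somewhere the producer cannot rewrite). That out-of-band head, plus keeping the MAC key away from the hosts that write the log, is what turns "we hash our logs" into demonstrable tamper-protection.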

How ISO 27001 differs from SOC 2 + NIST

ISO 27001 certifies an Information Security Management System (ISMS) — the organizational structure + risk-management process + ongoing operation. Annex A is the control catalog you choose from based on risk assessment. SOC 2 reports on whether you meet the Trust Service Criteria over an observation window. NIST 800-53 is a control catalog used by FISMA + FedRAMP + CMMC. ISO is the most internationally recognized; SOC 2 is the dominant US B2B SaaS standard; NIST drives US federal compliance.

The 2022 revision in one paragraph

ISO/IEC 27001:2022 reorganized Annex A from 114 controls in 14 domains into 93 controls across 4 themes (Organizational, People, Physical, Technological). New controls cover cloud services (A.5.23), data masking (A.8.11), data leakage prevention (A.8.12), and ICT readiness for business continuity (A.5.30). The IAM-relevant controls are largely renumbered rather than re-thought; the substance is similar to 2013.

Evidence the auditor wants

ISO certification auditors care about three things: the ISMS exists + operates + is improving (PDCA cycle). For IAM specifically:

  • Documented topic-specific policy (access control policy + identity management policy)
  • Evidence that the policy is implemented (system configuration, audit logs)
  • Evidence the policy is reviewed (annual review meeting minutes)
  • Risk assessment showing why these controls were selected
  • Statement of Applicability (SoA) mapping which Annex A controls apply
  • Internal audit findings + management review minutes

Common findings

  • A.5.16 — identity lifecycle works for joiners + leavers but mover events (role changes, transfers) aren't fully automated
  • A.5.18 — access certification exists but follow-through on revocations is incomplete
  • A.8.2 — privileged-account inventory drifts; new service accounts created outside the vault
  • A.5.19 — supplier IAM requirements are in the contract but evidence of supplier compliance isn't collected
  • A.8.15 — logs are produced but log integrity / SIEM tamper-protection isn't demonstrated
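Three of the findings above (A.5.16 movers, A.5.18 revocation follow-through, and leavers whose accounts linger) can be turned into a recurring reconciliation that produces the "policy is implemented" evidence auditors ask for. The Python below is an added example for this page, not code from the original page or from any product it names. It assumes a constructed HRIS export, directory export, certification-campaign export and RBAC role model (ROLE_MODEL); real programs would read these from the source systems instead of the inline sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Worker:
    """One HRIS record (constructed schema, not a real HRIS export format)."""
    user_id: str
    status: str                  # "active" or "terminated"
    role: str                    # current job role as HR records it
    role_changed: date           # date the role last changed (the mover event)
    termination: Optional[date] = None


@dataclass
class Account:
    """One directory account with its current entitlements."""
    user_id: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


@dataclass
class CertDecision:
    """One line of an access-certification campaign export."""
    user_id: str
    entitlement: str
    decision: str                # "keep" or "revoke"


# Hypothetical RBAC role model: which entitlements each role is allowed to hold.
ROLE_MODEL: Dict[str, Set[str]] = {
    "finance-analyst": {"erp-read", "ap-approve"},
    "support-agent": {"crm-read"},
    "engineer": {"repo-write"},
}

TODAY = date(2026, 5, 22)

# Constructed sample data exercising the three failure modes.
SAMPLE_WORKERS = [
    Worker("u1", "active", "finance-analyst", date(2024, 1, 8)),
    Worker("u2", "terminated", "support-agent", date(2023, 6, 1), termination=date(2026, 5, 10)),
    Worker("u3", "active", "engineer", date(2026, 4, 1)),        # moved out of finance 7 weeks ago
    Worker("u4", "active", "support-agent", date(2026, 5, 20)),  # moved 2 days ago, inside grace window
]
SAMPLE_ACCOUNTS = {
    "u1": Account("u1", True, {"erp-read", "ap-approve"}),
    "u2": Account("u2", True, {"crm-read"}),                   # leaver, account still enabled
    "u3": Account("u3", True, {"repo-write", "ap-approve"}),   # stale finance entitlement kept
    "u4": Account("u4", True, {"crm-read", "erp-read"}),       # stale too, but the move is recent
}
SAMPLE_DECISIONS = [
    CertDecision("u1", "ap-approve", "keep"),
    CertDecision("u3", "ap-approve", "revoke"),                # reviewer revoked; nobody removed it
]


def lingering_leavers(workers, accounts, today, grace_days=1) -> List[str]:
    """Terminated workers whose account is still enabled after the grace period."""
    cutoff = today - timedelta(days=grace_days)
    hits = []
    for w in workers:
        acct = accounts.get(w.user_id)
        if (w.status == "terminated" and w.termination is not None
                and w.termination <= cutoff and acct is not None and acct.enabled):
            hits.append(w.user_id)
    return sorted(hits)


def stale_movers(workers, accounts, today, window_days=7) -> Dict[str, List[str]]:
    """Active workers whose role changed more than window_days ago but who still
    hold entitlements outside their current role's model."""
    cutoff = today - timedelta(days=window_days)
    hits = {}
    for w in workers:
        acct = accounts.get(w.user_id)
        if w.status != "active" or w.role_changed > cutoff or acct is None:
            continue
        extra = acct.entitlements - ROLE_MODEL.get(w.role, set())
        if extra:
            hits[w.user_id] = sorted(extra)
    return hits


def unenforced_revocations(decisions, accounts) -> List[Tuple[str, str]]:
    """'Revoke' decisions whose entitlement is still present on the account."""
    hits = []
    for d in decisions:
        acct = accounts.get(d.user_id)
        if d.decision == "revoke" and acct is not None and d.entitlement in acct.entitlements:
            hits.append((d.user_id, d.entitlement))
    return sorted(hits)


def run_checks(workers=SAMPLE_WORKERS, accounts=SAMPLE_ACCOUNTS,
               decisions=SAMPLE_DECISIONS, today=TODAY) -> dict:
    """Run all three checks; an empty result for each is the evidence an auditor wants."""
    return {
        "lingering_leavers": lingering_leavers(workers, accounts, today),
        "stale_movers": stale_movers(workers, accounts, today),
        "unenforced_revocations": unenforced_revocations(decisions, accounts),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits if hits else 'no findings'}")
```

Scheduling this against the real exports and archiving each run's output (including the empty ones) gives a dated trail that the certification campaign was followed through and that mover and leaver events actually changed access, which is the gap the findings above describe. The grace windows are policy choices; set them to whatever the topic-specific policy states so the check measures the policy rather than an arbitrary threshold.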

Penalties


Loss of ISO 27001 certificate → loss of customers requiring it. No direct fines (ISO is a voluntary certification), but enterprise B2B sales increasingly require ISO 27001 + SOC 2 as table-stakes.

Evidence cadence

Initial certification audit + annual surveillance audits + 3-year recertification cycle. Continuous evidence collection between audits is not strictly required but heavily expected — the ISMS itself must operate continuously.

Practitioner notes

What the policy doesn’t tell you.

  • The 2022 revision consolidated 114 controls (Annex A) into 93 organized across 4 themes: Organizational, People, Physical, Technological. Most IAM controls live in the Organizational + Technological themes.
  • ISO 27001 ≠ SOC 2 + NIST. ISO is risk-based (defines an ISMS; you choose which controls apply based on risk assessment), SOC 2 is criteria-based (controls demonstrate Trust Service Criteria), NIST is catalog-based.
  • For most B2B SaaS companies, the practical move is to maintain both ISO 27001 + SOC 2 Type 2. The control overlap is high and one evidence-collection program serves both.
  • ISO 27001 is genuinely international — for EU + APAC enterprise sales, it carries more weight than SOC 2. For US Fed / Fed-adjacent, NIST + FedRAMP matter more.

© 2026 askmeidentity, Inc.
