What is ISO 27001?
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS), published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). The 2022 revision — ISO/IEC 27001:2022 — reorganised the previous 114 controls into 93 controls across four thematic areas: Organisational (A.5), People (A.6), Physical (A.7), and Technological (A.8).
Unlike SOC 2, which is an attestation produced by a CPA firm, ISO 27001 results in a certificate issued by an accredited certification body. Certification requires two stages: Stage 1 reviews your documentation and readiness; Stage 2 assesses whether controls are actually operating. After certification, annual surveillance audits and a three-year recertification cycle keep the ISMS under ongoing scrutiny.
Access control spans both organisational and technological controls, making it one of the larger evidence workstreams in an ISO 27001 audit.
The Access Control Controls: A.5.15 to A.5.18 and A.8.2
| Control | Requirement |
|---|---|
| A.5.15 | Access control — rules for access to information and other associated assets shall be established and implemented based on business and information security requirements. |
| A.5.16 | Identity management — the full lifecycle of identities (creation, maintenance, deletion) shall be managed. |
| A.5.17 | Authentication information — allocation and management of authentication information (passwords, keys, tokens) shall be controlled by a formal management process. |
| A.5.18 | Access rights — access rights to information and other associated assets shall be provisioned, reviewed, modified, and removed in accordance with the organisation's topic-specific policy on access control. This is the central control for periodic access reviews. |
| A.8.2 | Privileged access rights — the allocation and use of privileged access rights shall be restricted and managed. A separate and more rigorous review process is expected for admin accounts. |
A.5.18 is where evidence most often breaks down
The control requires that access rights are not only provisioned and removed, but reviewed regularly and modified when roles change. Organisations routinely have provisioning processes but lack the review records to demonstrate ongoing appropriateness. This is the single most common A.5.18 non-conformity.
Why this matters for management
ISO 27001 certification is recognised globally, making it the standard for international supply chains, EU public procurement, and cross-border enterprise contracts where SOC 2 may not be accepted. Many UK and European government contracts require it. Partners in regulated industries — financial services, healthcare, defence — increasingly mandate ISO 27001 certification in their vendor due diligence questionnaires. For M&A transactions, a current ISO 27001 certificate significantly reduces the security-related risk premium in due diligence. The cost of a non-conformity that results in certification suspension — or worse, withdrawal — is a commercial event, not just a compliance paperwork problem.
What certification auditors test at Stage 2
Stage 2 is an implementation audit. The auditor is not checking whether you have a policy — they are checking whether the policy runs in practice. For access control, this typically means:
- A.5.18 access rights review: "Show me the last two access rights reviews you conducted. Who performed each one, when, for which systems, and what access changes resulted?" They expect records, not a verbal description.
- Sampling provisioning: Select 5–10 user accounts and trace the provisioning event — was it approved by an authorised person, and does evidence exist of that approval before access was granted?
- Termination/role change: Select 3–5 users who left or changed roles in the past 12 months and verify that access was removed from all systems promptly.
- A.8.2 privileged access: Specifically ask for the list of admin-level accounts and the most recent review of each. Absence of a separate privileged access review process is a major non-conformity risk.
The Policy-to-Practice Gap
Nearly every organisation pursuing ISO 27001 has an access control policy. Most also have some provisioning process. Where the gap almost universally appears is at the review stage.
The scenario plays out like this: an auditor asks, "Show me your last access rights review for the finance system." The organisation produces a spreadsheet review from eight months ago, conducted over email, with no record of individual account decisions. The auditor classifies this as a minor non-conformity. If the pattern repeats across three systems — which it often does — it becomes a major non-conformity, potentially affecting certification.
Non-conformity: No evidence of periodic access rights reviews (A.5.18)
The standard requires reviews — but the review frequency, the method, and what constitutes evidence are all organisation-defined. Auditors accept systematic processes with timestamped, attributed records. They reject 'we check it informally when we think of it.'
Non-conformity: Privileged accounts not managed separately (A.8.2)
Admin accounts carry higher risk and the standard expects a more rigorous control. Treating privileged access the same as standard access is a gap auditors consistently flag.
Non-conformity: Access rights not reviewed after role change (A.5.18)
When an employee changes department or role, their access should be reviewed against their new requirements and excess rights removed. Without a systematic process, this consistently fails.
How AllowNow Maps to A.5.15–A.5.18 and A.8.2
| Control | AllowNow evidence |
|---|---|
| A.5.15 | Role-based access control — roles define which services a job function accesses and at what level. Policy is encoded in the system, not just a document. |
| A.5.16 | User records include employee ID, department, job title, and manager — full identity lifecycle tracking, including import and deactivation timestamps. |
| A.5.18 | Every access grant records who provisioned it and when. Every review records who reviewed it, the decision, and the timestamp. Every revocation is tracked through an implementor queue to actual removal. |
| A.5.18 reviews | 90-day check surfaces access not reviewed within the review window. Individual and bulk review with full attribution per record — exactly the evidence an A.5.18 review sample requires. |
| A.8.2 | Admin-level access is separately identified and tracked. ISO 27001 report shows admin account count, review recency, and flags privileged access with no recent review. |
AllowNow generates an ISO 27001:2022 Access Control Evidence Report that references A.5.15 through A.5.18 and A.8.2 explicitly. The observations section surfaces how many access rights have not been reviewed within the 90-day window, how many privileged accounts lack recent review evidence, and gaps in provisioning records — the exact questions a Stage 2 auditor asks. The report is designed to be produced on demand for Stage 2 audits, annual surveillance visits, and internal review.
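As an added illustration (not AllowNow's code or report logic), the Python below applies the three observations described above, access not reviewed within the 90-day window, privileged accounts without recent review evidence, and provisioning gaps, to a constructed set of access-grant records; the record fields, the 90-day window and the sample data are assumptions drawn from this page, not from any real system.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_WINDOW_DAYS = 90  # assumed review window, matching the 90-day check described on the page


@dataclass
class AccessGrant:
    """One access grant as the evidence checks need to see it (assumed record layout)."""
    user: str
    system: str
    privileged: bool
    granted_on: date
    provisioned_by: Optional[str]      # attribution for the grant (A.5.18)
    approved_on: Optional[date]        # approval evidence; must precede the grant
    last_reviewed_on: Optional[date]   # review evidence (A.5.18 / A.8.2)
    last_reviewed_by: Optional[str]


def evidence_observations(grants, as_of):
    """Return the three observation lists a Stage 2 auditor would ask about."""
    cutoff = as_of - timedelta(days=REVIEW_WINDOW_DAYS)
    obs = {"stale_reviews": [], "privileged_unreviewed": [], "provisioning_gaps": []}
    for g in grants:
        # A review only counts as evidence if it is attributed and inside the window.
        reviewed = (g.last_reviewed_on is not None and bool(g.last_reviewed_by)
                    and g.last_reviewed_on >= cutoff)
        if not reviewed:
            obs["stale_reviews"].append((g.user, g.system))
            if g.privileged:  # A.8.2: privileged access needs its own recent review
                obs["privileged_unreviewed"].append((g.user, g.system))
        # Provisioning gap: no provisioner, no approval, or approval dated after the grant.
        if g.provisioned_by is None or g.approved_on is None or g.approved_on > g.granted_on:
            obs["provisioning_gaps"].append((g.user, g.system))
    return obs


# Constructed sample records (not real data), evaluated as of 30 June 2024.
AS_OF = date(2024, 6, 30)
SAMPLE_GRANTS = [
    AccessGrant("alice", "finance", False, date(2024, 1, 10), "it-ops", date(2024, 1, 9), date(2024, 5, 15), "finance-mgr"),
    AccessGrant("bob", "finance", True, date(2023, 11, 1), "it-ops", date(2023, 10, 30), date(2024, 2, 1), "ciso"),
    AccessGrant("carol", "crm", False, date(2024, 3, 5), None, None, date(2024, 6, 1), "sales-mgr"),
    AccessGrant("dave", "finance", False, date(2024, 4, 20), "it-ops", date(2024, 4, 22), None, None),
]

if __name__ == "__main__":
    for name, items in evidence_observations(SAMPLE_GRANTS, AS_OF).items():
        print(f"{name}: {len(items)} -> {items}")
```

Run against the sample set, the check flags bob and dave as unreviewed in the window, bob as a privileged account without recent review, and carol and dave as provisioning gaps (missing approver, and approval dated after the grant respectively).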
Built for small organisations pursuing their first ISO 27001 certification
AllowNow is designed for teams of 5 to 100 people that need to close the A.5.18 evidence gap quickly, without building a dedicated ISMS programme from scratch. If your organisation is preparing for its first Stage 2 audit and does not yet have a systematic, documented access review process, AllowNow provides it — setup takes hours, not months.
For organisations maintaining ISO 27001 certification across surveillance cycles, AllowNow ensures access control evidence is always current — not assembled under pressure in the weeks before an audit visit.