ISO 27001:2022 reorganised the Annex A control set from 114 controls across 14 domains to 93 controls across four themes. The identity and access management controls that were previously spread across multiple domains are now consolidated primarily within Theme 5 (Organisational Controls) and Theme 8 (Technological Controls). The reorganisation did not reduce the technical requirements. If anything, the 2022 revision made several controls more specific, adding A.8.15 on logging, A.8.16 on monitoring activities, and A.8.18 on use of privileged utility programs where the 2013 version had less granular requirements.
Organisations pursuing ISO 27001 certification frequently underestimate the evidence burden of the access control and identity management controls. A.5.18 requires periodic review of access rights with documented outcomes. A.8.2 requires that privileged access rights be restricted, controlled, and reviewed. A.8.15 requires logging of user activities, exceptions, faults, and security events, not login timestamps alone. Each of these controls requires a technical implementation that produces structured, auditor-reviewable evidence as a byproduct of normal operations.
This blog covers the ISO 27001:2022 Annex A controls most relevant to identity and access management, what each control requires at the implementation level, and how IAM controls address them. All control references are drawn from the ISO 27001:2022 standard and Akku’s ISO 27001 compliance mapping documentation, which supports 41 unique clauses with 60 total mappings across 11 platform modules.
ISO 27001:2022 organises Annex A controls into four themes: Organisational (A.5), People (A.6), Physical (A.7), and Technological (A.8). The IAM-relevant controls are distributed primarily across A.5 and A.8, with some people-related controls in A.6 covering remote working and clear desk policies.
Theme 5 Organisational Controls contains the core access management controls: A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication information), A.5.18 (access rights), and A.5.19 through A.5.22 covering supplier relationships and information security in supplier agreements.
Theme 8 Technological Controls contains the operational security controls: A.8.2 (privileged access rights), A.8.3 (information access restriction), A.8.4 (access to source code), A.8.5 (secure authentication), A.8.15 (logging), A.8.16 (monitoring activities), A.8.18 (use of privileged utility programs), and A.8.19 (installation of software on operational systems).
The main clause requirements in Clauses 4 through 10 also contain IAM-relevant obligations. Clause 8.1 requires planning and control of processes needed to meet information security requirements. Clause 9.1 requires monitoring, measurement, analysis, and evaluation of the ISMS. These main clause requirements interact directly with the Annex A controls and are part of what certification auditors assess.
A.5.15 through A.5.18 form the core identity and access governance control cluster in ISO 27001:2022. Together they define the access control policy, identity management process, credential management, and access rights lifecycle that the standard requires.
A.5.15 requires that rules for access control to information and associated assets be established, documented, and reviewed based on business and information security requirements. Access control policy must cover physical and logical access, differentiate between different types of users, and be reviewed at defined intervals.
A.5.16 requires that the full lifecycle of identities be managed: creation, maintenance, and deletion of identities for users, services, and systems. The identity management process must ensure that access rights are assigned and maintained based on defined roles and that identities are removed promptly when no longer required.
A.5.17 requires that management of authentication information follow a formal process covering allocation, storage, and change of authentication credentials. Passwords must meet defined complexity requirements, and credential management must prevent unauthorised disclosure.
A.5.18 requires that provisioning and revoking of access rights follow a formal process. Access rights must be reviewed at defined intervals, and rights that are no longer required must be revoked. The review must produce documented evidence of decisions made.
A.5.15 is addressed through Akku’s access control infrastructure. RBAC defines access entitlements by role. Contextual access controls apply IP, device, time-of-day, and geo-location restrictions. The IGA module’s SoD rules engine enforces segregation of duties. Access policies are centrally defined and technically enforced, not policy-stated.
A.5.16 is addressed through automated User Lifecycle Management. Identity creation, modification, and deletion follow structured workflows. Birthright access is provisioned on joining. Role changes trigger re-provisioning. Departure triggers automated deprovisioning across all connected applications. SCIM-based provisioning synchronises lifecycle events to connected applications with full audit trail coverage. Akku’s ISO 27001 mapping shows User Lifecycle Manager addresses A.8.2 and A.11.5.
A.5.17 is addressed through Akku’s password management capabilities. Password policies enforce complexity, length, expiry, history, and lockout rules at the organisation, group, or role level. Self-service password reset reduces helpdesk burden while maintaining identity-verified reset flows. Password sync maintains consistent credentials across connected systems.
A.5.18 is addressed through access review and re-certification campaigns. Periodic certification requests go to managers and resource owners. Every decision is timestamped and logged. The output is an auditor-ready evidence record of who reviewed which entitlements, on which date, and what action resulted. Identity and Access Governance addresses A.5.18 across the largest single-module mapping count in Akku’s ISO 27001 documentation at 16 clause references.
A.8.2 is one of the most audit-intensive controls in ISO 27001:2022. It requires that the allocation and use of privileged access rights be restricted, controlled, and reviewed. Certification auditors examine A.8.2 with particular scrutiny because privileged access failures are disproportionately represented in security incidents at certified organisations.
A.8.2 requires that privileged access rights be allocated to users on a need-to-use basis and event-by-event basis in line with the access control policy. Users should not be given privileged access rights beyond what is required for their current function.
A.8.2 requires that a process exist for managing privileged access rights, including formal authorisation, defined scope, time limits where appropriate, and periodic review. Standing, unlimited privileged access with no defined scope or time limit is inconsistent with A.8.2’s requirements.
A.8.2 requires that the use of privileged access rights be logged and that logs be reviewed. Authentication records confirming that a privileged session occurred do not satisfy this requirement. The log must capture what happened during the privileged session.
JIT access removes standing privilege entirely. No user holds persistent access to servers, databases, or Kubernetes clusters. Access is granted for the duration of an approved, time-bound session and revoked automatically on expiry. This is the event-by-event, need-to-use access model A.8.2 requires.
AkkuArka generates per-session ephemeral credentials for every privileged session. The credential is generated at session approval, injected at the protocol layer by AkkuReka, and permanently revoked on session close. The user never sees or types the target credential. This eliminates the shared, persistent credential problem that A.8.2’s allocation controls are designed to prevent.
SMARTAudit Trails satisfy A.8.2’s logging requirement. SSH sessions produce full screen recordings and complete keystroke logs. Database sessions produce structured SQL query capture. RDP sessions produce full screen video recordings. All recordings are indexed for forensic search and accessible from the Akku admin console. This is the session-level evidence that A.8.2 requires and that authentication logs cannot provide.
Periodic privileged access reviews ensure that privileged entitlements are certified regularly and that access no longer required is revoked. Akku’s ISO 27001 mapping shows Privileged Access Manager addresses A.8.3, A.16.2, A.16.6, A.16.7, and A.16.8.
A.8.15 is one of the controls that the 2022 revision made more specific. The control requires logging and monitoring of user activities, exceptions, faults, and security events. The distinction between user activity logs and authentication logs is central to what A.8.15 requires, and it is a distinction that ISO 27001 certification auditors examine carefully.
A.8.15 requires that logs recording user activities, exceptions, faults, and security events be produced, kept, and regularly reviewed. Logs must be protected against tampering and unauthorised access.
A.8.15 requires that the logging system be capable of capturing: user activities including commands executed and data accessed, exceptions and error events, security events including authentication failures and policy violations, and system events relevant to information security.
A.8.15 requires that log retention periods be defined and that logs be available for investigation when security incidents occur.
For privileged users, SMARTAudit Trails produce the session-level activity logs A.8.15 requires. Every command executed in an SSH session is logged with a timestamp. Every SQL query executed in a database session is captured as structured data. Every screen action in an RDP session is recorded as video. These are user activity logs, not login event records.
For all users, Akku’s identity and access security monitoring captures login and session tracking across all connected applications with time, location, authentication factor, and outcome per event. Failed authentication attempts, MFA failures, and policy-triggered access blocks are captured as security events.
The audit log is append-only and tamper-evident. Existing records cannot be modified or deleted. Logs are exportable in JSON and CSV format and accessible via API for SIEM integration. This satisfies A.8.15’s tamper protection and availability requirements.
Akku’s ISO 27001 mapping shows SSO and IDP addresses A.8.5, A.11.7, A.16.1, A.16.4, and A.18.8, covering the authentication and access event logging layer that complements SMARTAudit Trails’ session activity logging.
A.8.16 is a new control in ISO 27001:2022 with no direct equivalent in the 2013 version. It requires that networks, systems, and applications be monitored for anomalous behaviour and that appropriate actions be taken when anomalies are detected. This moves the standard from reactive log review to proactive anomaly detection.
A.8.16 requires that monitoring procedures be established and implemented to detect anomalous behaviour in networks, systems, and applications. Monitoring must be capable of detecting potential information security incidents.
A.8.16 requires that monitoring results be evaluated regularly and that anomalies trigger defined response actions. Passive log storage that is reviewed only after an incident is reported does not satisfy the proactive monitoring requirement.
A.8.16 requires that monitoring cover the full environment including privileged access activity, authentication events, and network traffic where relevant.
Akku’s Adaptive MFA provides the first layer of anomaly detection at the authentication layer. AI-powered anomaly detection evaluates each authentication event against the user’s behavioural baseline. Deviations in location, device, time-of-day, or access pattern trigger step-up authentication challenges and generate security events for review.
Risk and audit dashboards surface MFA failure spikes, geographic anomalies, access outside defined time windows, and behavioural deviations as actionable alerts. This is the proactive monitoring capability A.8.16 requires, not passive log storage.
For privileged access specifically, real-time session monitoring through AkkuReka allows administrators to view all active privileged sessions and terminate suspicious sessions instantly. Session termination events are logged with actor, timestamp, and reason.
Akku’s ISO 27001 mapping shows Adaptive MFA addresses Clauses 8.1, 8.3.a, A.8.1, A.8.4, A.11.7, A.16.3, A.16.4, A.18.1, and A.18.4 across nine clause references, the highest single-module count in the ISO 27001 mapping.
Akku’s ISO 27001:2022 compliance mapping supports 41 unique clauses with 60 total mappings across 11 platform modules, covering Main Clauses 4 through 10 and Annex A controls.
The Identity and Access Governance module carries the highest clause count at 16, addressing Clauses 8.1, 8.1.a, 8.1.c, 8.1.d, 9.1, 9.1.c, A.8.1, A.8.2, A.8.4, A.9.4, A.9.6, A.11.5, A.15.3, A.16.3, A.16.6, and A.19.4. This reflects how central access governance, SoD enforcement, access reviews, and re-certification are to ISO 27001 certification. Adaptive MFA carries nine clause references. Mobile Device Manager carries seven. SSO and IDP carries five.
One important note on scope: Akku supports ISO 27001 by implementing technical security controls, access governance, monitoring, and audit evidence generation. It is not a compliance management system and does not by itself ensure ISO 27001 certification. Final certification depends on the organisation’s overall policies, processes, and risk management practices. The Annex A controls Akku addresses are the technical layer. The ISMS documentation, risk assessment, management review, and internal audit requirements in Clauses 4 through 10 require governance measures beyond what any technology platform provides.
What changed in ISO 27001:2022 for access control and identity management compared to the 2013 version?
The 2022 revision consolidated the control set from 114 controls across 14 domains to 93 controls across four themes. Several new controls relevant to IAM were added: A.8.15 (logging) made activity logging requirements more explicit, A.8.16 (monitoring activities) added a proactive anomaly detection requirement with no direct 2013 equivalent, and A.8.18 (use of privileged utility programs) addressed privileged tool governance more specifically. Organisations certified under ISO 27001:2013 transitioning to the 2022 standard need to assess these additions against their current technical controls.
What evidence does a certification auditor expect for A.5.18 access rights review?
A certification auditor examining A.5.18 expects evidence of a structured, periodic access review process with documented outcomes. This typically includes the access review schedule and scope, evidence that reviews were conducted at the defined intervals, records showing which entitlements were reviewed and by whom, timestamped certification or revocation decisions for each entitlement reviewed, and evidence that revocations were actioned. An auditor who finds that access reviews are conducted informally, with outcomes recorded in email or spreadsheets, will likely raise a nonconformity.
Why does A.8.2 require session-level logging for privileged access rather than authentication records alone?
A.8.2 requires that the use of privileged access rights be logged and reviewed. Authentication records confirm that a privileged session occurred. They do not record what happened during the session: which commands were executed, which files were accessed, which configuration changes were made. For the purposes of security incident investigation, compliance audit evidence, and the accountability requirements A.8.2 imposes, session-level logs capturing actual activity are required. Authentication timestamps are a prerequisite for this logging, not a substitute for it.
What is the relationship between A.8.15 and A.8.16, and do they require separate technical controls?
A.8.15 requires that logs recording user activities, exceptions, faults, and security events be produced and kept. A.8.16 requires that networks, systems, and applications be monitored for anomalous behaviour and that anomalies trigger response actions. A.8.15 is about log generation and retention. A.8.16 is about active monitoring and anomaly detection. They require complementary but distinct technical controls. A.8.15 is satisfied by a structured logging infrastructure with tamper protection and defined retention. A.8.16 is satisfied by an active monitoring layer that evaluates events against baselines and generates alerts. Both are needed, and satisfying one does not satisfy the other.
How many ISO 27001:2022 Annex A controls does Akku address, and which areas are outside its scope?
Akku’s mapping supports 41 unique ISO 27001:2022 clauses with 60 total mappings, covering the identity management, access control, privileged access, authentication, logging, and monitoring controls. Controls outside Akku’s scope include physical security controls (A.7 theme), cryptographic key management beyond credential vault encryption, network security controls, vulnerability management, software development security controls, and business continuity management. Full ISO 27001 certification requires these technical controls combined with the ISMS governance, risk assessment, and documentation requirements in Clauses 4 through 10.
Can a single IAM deployment address both ISO 27001:2022 and SOC 2 Type II requirements simultaneously?
Yes. The overlapping technical controls are substantial. ISO 27001 A.8.5 and SOC 2 CC6.1 both require logical access security. ISO 27001 A.5.18 and SOC 2 CC6.3 both require periodic access rights review and modification. ISO 27001 A.8.2 and SOC 2 CC6.3 both require least-privilege access management for privileged users. ISO 27001 A.8.15 and SOC 2 CC7.2 both require activity logging and anomaly monitoring. A single IAM deployment implementing these controls produces compliance evidence for both frameworks from the same audit trail and governance infrastructure.
Indian companies with EU customers, EU operations, or EU-based employees are subject to the General Data Protection Regulation regardless of…
SOC 2 Type II has become a commercial prerequisite for Indian ITeS and BPO companies serving enterprise clients in North…
The Insurance Regulatory and Development Authority of India's Information and Cyber Security Guidelines, 2023 apply to all insurers, re-insurers, and…
The Securities and Exchange Board of India's Cybersecurity and Cyber Resilience Framework applies to all SEBI-regulated entities: stock brokers, depository…
The Reserve Bank of India's 2023 Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices applies to all…
Your organisation is likely operating under more than one compliance framework. RBI if you are a bank or NBFC. SEBI…