
How to make identity management meet information security standard – 4 steps towards ISO27001 certification


Pekka Oinonen
Information security is a hot topic receiving a lot of investment. Identity and access management (IGA) is an important part of information security, since up to 80% of data breaches involve employees being misled. With the ISO27001 certificate, a company can demonstrate to its stakeholders that it takes care of information security. But how do you tackle this complex matter successfully?

All companies restrict their employees' access to information systems to ensure information security. Most often, this happens in accordance with the principle of least privilege: access rights are granted only to the extent required for completing work tasks. Identity, user credentials and access rights are defined for each employee, and also for external stakeholders and non-human users such as software robots. As situations change, the life cycle of identities must be monitored and access rights managed so that they keep meeting the requirements.
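The paragraph above names three controls that an auditor will want to see working: a role model that justifies each access right (least privilege), coverage of non-human identities, and life-cycle handling so that rights are removed when the situation changes. The following is an added example, not code from the article or from Epical, showing what a minimal access-review check over those controls looks like. Every role, entitlement and identity in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Added example, not from the original article: a minimal access-review check
# that applies the principle of least privilege to a constructed identity set.
# Role names, entitlement names and identities below are all made up.

# Role model: the entitlements each role is allowed to justify.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accountant": {"erp:read", "erp:post-journal"},
    "developer": {"git:read", "git:write", "ci:run"},
    "rpa-bot": {"erp:read"},  # software robot, a non-human identity
}


@dataclass
class Identity:
    user_id: str
    roles: Set[str]
    entitlements: Set[str]
    active: bool = True
    end_date: Optional[date] = None  # contract or employment end, if known
    human: bool = True


def justified_entitlements(roles: Set[str]) -> Set[str]:
    """Union of the entitlements that the identity's roles justify."""
    allowed: Set[str] = set()
    for role in roles:
        allowed |= ROLE_ENTITLEMENTS.get(role, set())
    return allowed


def review_access(identities: List[Identity], today: date) -> Dict[str, List[str]]:
    """Return review findings keyed by user_id.

    Finding codes:
      unknown-role:<role>   role is not in the role model
      excess:<entitlement>  granted but not justified by any role
      stale-account         still active although end_date has passed
    """
    findings: Dict[str, List[str]] = {}
    for ident in identities:
        issues: List[str] = []
        for role in sorted(ident.roles):
            if role not in ROLE_ENTITLEMENTS:
                issues.append(f"unknown-role:{role}")
        for ent in sorted(ident.entitlements - justified_entitlements(ident.roles)):
            issues.append(f"excess:{ent}")
        if ident.active and ident.end_date is not None and ident.end_date < today:
            issues.append("stale-account")
        if issues:
            findings[ident.user_id] = issues
    return findings


def apply_leaver(ident: Identity, left_on: date) -> Identity:
    """Leaver event: disable the account and revoke every entitlement."""
    ident.active = False
    ident.end_date = left_on
    ident.entitlements = set()
    return ident


# Constructed sample population for the review.
SAMPLE_IDENTITIES = [
    Identity("alice", {"accountant"}, {"erp:read", "erp:post-journal"}),
    Identity("bob", {"developer"}, {"git:read", "git:write", "ci:run", "erp:post-journal"}),
    Identity("carol", {"accountant"}, {"erp:read"}, end_date=date(2023, 12, 31)),
    Identity("robot-01", {"rpa-bot"}, {"erp:read", "git:write"}, human=False),
]

if __name__ == "__main__":
    for user, issues in review_access(SAMPLE_IDENTITIES, date(2024, 3, 1)).items():
        print(user, issues)
```

Run against the sample population, the review flags bob's accounting right that no developer role justifies, carol's account that is still active after her end date, and the robot's write access to source control. A recurring run of this kind, with its output kept, is the sort of evidence an auditor asks for when checking that access rights are reviewed and the life cycle is managed.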

Identity and access management must be improved and maintained continuously. The ISO27001 information security standard is a good guideline for this work: it defines the general requirements against which the company’s situation can be compared. When these requirements are met, the company can achieve ISO27001 certification. This is how it is done.

1. Cut the cake into pieces

As such, the ISO27001 security standard is a big cake to eat; it is best to chop it into portions. The first step is to analyze the current state: together with the business, you must look at the current state of identity and access management and compare it with the ISO27001 requirements. This gives a gap analysis between the current state and the goal.

Next, you must plan how to turn the requirements into actions. What are the company's shortcomings in relation to ISO27001? What practical actions does this call for? In which areas do we need to improve, and how? And what are the goals that we want to reach? This is not rocket science – you just need to plan your actions and set intermediate goals for creating the necessary outputs.

2. Focus on processes, documentation and governance

Identity and access management according to ISO27001 is not primarily about technology; it’s about processes, documentation and implementing modes of operation in the business. Thus, it is important to involve the business in this change from the very beginning. You must also explain to the business why this is being done.

Identity life cycle management, access management and governance, processes and standards, as well as privileged access management are all central parts of this work. In addition, it is good to identify which are the most critical short-term changes in each area and which are the long-term policies that guarantee continuous improvement.

It is equally important to review the documentation for identity and access management. In an ISO27001 audit, the auditor asks many different questions. The company must be able to demonstrate how things have been done, documented and implemented in reality.

3. Harness technology for meeting the requirements

Technical solutions and systems support the implementation of identity and access management and the fulfillment of the requirements of the standard. Modern IGA systems contain versatile features – it is important that business stakeholders have the tools they need for meeting the ISO27001 requirements.

In technical implementation, you cannot stress enough the importance of planning. If decisions are made quickly, without thinking carefully about an architecture based on the ISO27001 requirements, it is easy to end up lost in the woods. You have to include the necessary stakeholders in the project at an early stage to avoid false steps and additional work.

4. Keep the goal in mind – but remember that this is a journey

Information security must always be a priority, but with ISO certification it can be further improved. When you dive into the technical depths, there is a risk that the goal becomes blurred. The project must focus on ISO27001 requirements and the findings of the initial gap analysis. Otherwise, it's easy to get lost. At the same time, it is good to remember that you cannot finish everything at once.

Typically, the preparatory work required for the certificate takes about one year, depending on the initial situation. Development work continues after certification as well. The ISO27001 certificate is valid for a maximum of three years, during which time continued compliance is verified through annual certification evaluations. This ensures that the requirements are followed constantly.

Do you want support in identity and access management?

Author Pekka Oinonen works as an IAM architect in the area of identity and access management in Epical’s Digital Trust team in Finland.