Standards & Certifications

IAM Maturity Assessment for ISO/IEC 27001

ISO/IEC 27001:2022 is the international standard for information security management systems. Annex A contains a substantial block of identity and access controls, including A.5.15 to A.5.18 on access control and identity management and A.8.2 to A.8.5 on privileged access rights, information access restriction, and secure authentication. Certification requires controls that are implemented and demonstrably effective.

Maturity threshold
2.5 / 4.0
Mapped questions
32
IAM domains
9
Assessment scope
All scopes
Identity Expectations

What ISO/IEC 27001 Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to ISO/IEC 27001 citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Identity lifecycle and access governance: registration, provisioning, access reviews, and removal of access rights
  • Management of privileged access rights, secrets, and administrative sessions
  • Secure authentication, single sign-on coverage, and device trust for the workforce
  • Cloud and SaaS identity controls, including non-human identity governance
  • Governance controls: policy management, metrics, and operating-model accountability
Question Mapping

AXIS Questions Mapped to ISO/IEC 27001

32 of the 37 questions in the AXIS bank carry ISO/IEC 27001 citations, including 6 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to ISO/IEC 27001, with domain, capability, and framework references
QuestionDomainCapabilityISO/IEC 27001 references
IGA-01
Domino
IGALifecycle Management (Joiner / Mover / Leaver)ISO 27001:2022 A.5.16; ISO 27001:2022 A.5.18; ISO 27001:2022 A.8.3; ISO 27001:2022 A.5.38
IGA-02IGAAccess Requests & ApprovalsISO 27001:2022 A.8.2; ISO 27001:2022 A.8.3; ISO 27001:2022 A.8.5; ISO 27001:2022 A.8.18
IGA-03IGAAccess Reviews & RecertificationISO 27001:2022 A.5.18; ISO 27001:2022 A.8.4
IGA-04IGARole-Based Access Control (RBAC) & Access ModelingISO 27001:2022 A.5.15; ISO 27001:2022 A.8.2; ISO 27001:2022 A.8.3; ISO 27001:2022 A.5.18; ISO 27001:2022 A.8.18
IGA-05IGAEntitlement Discovery and ClassificationISO 27001:2022 A.5.15; ISO 27001:2022 A.8.2; ISO 27001:2022 A.8.3
IGA-06IGASegregation of Duties (SoD)ISO 27001:2022 A.5.15; ISO 27001:2022 A.5.18; ISO 27001:2022 A.8.3
PAM-01
Domino
PAMAdmin Credential ProtectionISO 27001:2022 A.5.15 (access control); ISO 27001:2022 A.5.15/A.8.15 (monitoring)
PAM-02
Domino
PAMSecrets Management (Non-Human & Application Credentials)ISO 27001:2022 A.5.17; ISO 27001:2022 A.8.16; ISO 27001:2022 A.5.38
PAM-03PAMEndpoint Privilege & Local Admin ControlISO 27001:2022 A.8.18; ISO 27001:2022 A.8.2
PAM-04PAMJust-In-Time (JIT) Cloud & Infrastructure AccessISO 27001:2022 A.8.2
PAM-05PAMSession Management and RecordingISO 27001:2022 A.8.15
AUTH-02Auth/SSOSingle Sign-On (SSO) Coverage & EnforcementISO 27001:2022 A.8.5; ISO 27001:2022 A.5.15
AUTH-03Auth/SSODevice Trust & Zero Trust EnforcementISO 27001:2022 A.8.3; ISO 27001:2022 A.8.8
AUTH-04Auth/SSOPhishing-Resistant MFA & Session IntegrityISO 27001:2022 A.8.5
AUTH-05Auth/SSOAccount Recovery & Identity Verification ResistanceISO 27001:2022 A.5.17; ISO 27001:2022 A.5.16
CLOUD-01
Domino
CloudMulti-Cloud Permission Management (CIEM)ISO 27001:2022 A.5.15
CLOUD-02CloudNon-Human Identity (NHI) GovernanceISO 27001:2022 A.8.2
CLOUD-03CloudSaaS Application Discovery & Shadow IT ControlISO 27001:2022 A.5.9; ISO 27001:2022 A.5.19; ISO 27001:2022 A.5.1; ISO 27001:2022 A.5.22
CLOUD-04CloudInfrastructure-as-Code (IaC) IAM Guardrails & Drift ControlISO 27001:2022 A.8.32; ISO 27001:2022 A.5.15
CLOUD-05CloudAI Agent Identity GovernanceISO 27001:2022 A.5.16; ISO 27001:2022 A.8.15; ISO 27001:2022 A.5.23
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)ISO 27001:2022 A.5.24; ISO 27001:2022 A.6.8; ISO 27001:2022 A.8.15/A.5.24
SEC-02SecurityIdentity Resilience & Disaster RecoveryISO 27001:2022 A.8.2; ISO 27001:2022 A.5.29
SEC-03SecurityUser Behavioral Analytics (UBA)ISO 27001:2022 A.8.15; ISO 27001:2022 A.5.25; ISO 27001:2022 A.8.8
SEC-04SecurityData Security Posture & Identity-to-Data Risk Mapping (DSPM)ISO 27001:2022 A.8.2; ISO 27001:2022 A.8.3; ISO 27001:2022 A.5.37; ISO 27001:2022 A.5.15
SEC-05SecurityIdentity Posture & Attack-Surface Management (ISPM)ISO 27001:2022 A.5.16; ISO 27001:2022 A.8.9; ISO 27001:2022 A.5.36; ISO 27001:2022 A.8.8
GOV-01
Domino
GovernanceIdentity Data OwnershipISO 27001:2022 A.5.2; ISO 27001:2022 A.8.2
GOV-02GovernanceIAM Metrics, Risk & Executive VisibilityISO 27001:2022 A.5.1; ISO 27001:2022 A.5.2; ISO 27001:2022 A.5.4
GOV-03GovernanceIAM Policy Definition, Enforcement & Drift ControlISO 27001:2022 A.5.1; ISO 27001:2022 A.5.36; ISO 27001:2022 A.8.16; ISO 27001:2022 A.5.37; ISO 27001:2022 A.5.38
GOV-04GovernanceIAM Operating Model and SkillsISO 27001:2022 A.5.2; ISO 27001:2022 A.6.3; ISO 27001:2022 A.5.3; ISO 27001:2022 A.5.36
CIAM-04CIAMB2B Delegated Administration & Partner IdentityISO 27001:2022 A.5.18
CIAM-DATA-01CIAM × DataCustomer Access-to-Data Visibility & Impact ControlISO 27001:2022 A.8.2
CIAM-PAM-01CIAM × PAMCustomer-Admin Privilege GovernanceISO 27001:2022 A.8.3; ISO 27001:2022 A.8.15
Scoring Model

How AXIS Scores ISO/IEC 27001 Alignment

A threshold model: each mapped control either meets the ISO/IEC 27001 maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.5 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For ISO/IEC 27001, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for ISO/IEC 27001 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry ISO/IEC 27001 citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

ISO/IEC 27001 appears in every assessment scope: workforce, customer identity (CIAM), and full.

It is shown when the assessed organization operates in: Financial Services, Healthcare, Energy & Utilities, Technology/SaaS, Public Sector. Other industries see only the frameworks relevant to them.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to ISO/IEC 27001:2022. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how ISO/IEC 27001 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against ISO/IEC 27001

Run the AXIS assessment and get your maturity score, ISO/IEC 27001 alignment, and a prioritized roadmap in one pass. No signup required to start.