IAM Maturity Assessment for ISO/IEC 27001
ISO/IEC 27001:2022 is the international standard for information security management systems. Annex A contains a substantial block of identity and access controls, including A.5.15 to A.5.18 on access control and identity management and A.8.2 to A.8.5 on privileged access rights, information access restriction, and secure authentication. Certification requires controls that are implemented and demonstrably effective.
- Maturity threshold
- 2.5 / 4.0
- Mapped questions
- 32
- IAM domains
- 9
- Assessment scope
- All scopes
What ISO/IEC 27001 Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to ISO/IEC 27001 citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Identity lifecycle and access governance: registration, provisioning, access reviews, and removal of access rights
- Management of privileged access rights, secrets, and administrative sessions
- Secure authentication, single sign-on coverage, and device trust for the workforce
- Cloud and SaaS identity controls, including non-human identity governance
- Governance controls: policy management, metrics, and operating-model accountability
AXIS Questions Mapped to ISO/IEC 27001
32 of the 37 questions in the AXIS bank carry ISO/IEC 27001 citations, including 6 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | ISO/IEC 27001 references |
|---|---|---|---|
| IGA-01 Domino | IGA | Lifecycle Management (Joiner / Mover / Leaver) | ISO 27001:2022 A.5.16; ISO 27001:2022 A.5.18; ISO 27001:2022 A.8.3; ISO 27001:2022 A.5.38 |
| IGA-02 | IGA | Access Requests & Approvals | ISO 27001:2022 A.8.2; ISO 27001:2022 A.8.3; ISO 27001:2022 A.8.5; ISO 27001:2022 A.8.18 |
| IGA-03 | IGA | Access Reviews & Recertification | ISO 27001:2022 A.5.18; ISO 27001:2022 A.8.4 |
| IGA-04 | IGA | Role-Based Access Control (RBAC) & Access Modeling | ISO 27001:2022 A.5.15; ISO 27001:2022 A.8.2; ISO 27001:2022 A.8.3; ISO 27001:2022 A.5.18; ISO 27001:2022 A.8.18 |
| IGA-05 | IGA | Entitlement Discovery and Classification | ISO 27001:2022 A.5.15; ISO 27001:2022 A.8.2; ISO 27001:2022 A.8.3 |
| IGA-06 | IGA | Segregation of Duties (SoD) | ISO 27001:2022 A.5.15; ISO 27001:2022 A.5.18; ISO 27001:2022 A.8.3 |
| PAM-01 Domino | PAM | Admin Credential Protection | ISO 27001:2022 A.5.15 (access control); ISO 27001:2022 A.5.15/A.8.15 (monitoring) |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | ISO 27001:2022 A.5.17; ISO 27001:2022 A.8.16; ISO 27001:2022 A.5.38 |
| PAM-03 | PAM | Endpoint Privilege & Local Admin Control | ISO 27001:2022 A.8.18; ISO 27001:2022 A.8.2 |
| PAM-04 | PAM | Just-In-Time (JIT) Cloud & Infrastructure Access | ISO 27001:2022 A.8.2 |
| PAM-05 | PAM | Session Management and Recording | ISO 27001:2022 A.8.15 |
| AUTH-02 | Auth/SSO | Single Sign-On (SSO) Coverage & Enforcement | ISO 27001:2022 A.8.5; ISO 27001:2022 A.5.15 |
| AUTH-03 | Auth/SSO | Device Trust & Zero Trust Enforcement | ISO 27001:2022 A.8.3; ISO 27001:2022 A.8.8 |
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | ISO 27001:2022 A.8.5 |
| AUTH-05 | Auth/SSO | Account Recovery & Identity Verification Resistance | ISO 27001:2022 A.5.17; ISO 27001:2022 A.5.16 |
| CLOUD-01 Domino | Cloud | Multi-Cloud Permission Management (CIEM) | ISO 27001:2022 A.5.15 |
| CLOUD-02 | Cloud | Non-Human Identity (NHI) Governance | ISO 27001:2022 A.8.2 |
| CLOUD-03 | Cloud | SaaS Application Discovery & Shadow IT Control | ISO 27001:2022 A.5.9; ISO 27001:2022 A.5.19; ISO 27001:2022 A.5.1; ISO 27001:2022 A.5.22 |
| CLOUD-04 | Cloud | Infrastructure-as-Code (IaC) IAM Guardrails & Drift Control | ISO 27001:2022 A.8.32; ISO 27001:2022 A.5.15 |
| CLOUD-05 | Cloud | AI Agent Identity Governance | ISO 27001:2022 A.5.16; ISO 27001:2022 A.8.15; ISO 27001:2022 A.5.23 |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | ISO 27001:2022 A.5.24; ISO 27001:2022 A.6.8; ISO 27001:2022 A.8.15/A.5.24 |
| SEC-02 | Security | Identity Resilience & Disaster Recovery | ISO 27001:2022 A.8.2; ISO 27001:2022 A.5.29 |
| SEC-03 | Security | User Behavioral Analytics (UBA) | ISO 27001:2022 A.8.15; ISO 27001:2022 A.5.25; ISO 27001:2022 A.8.8 |
| SEC-04 | Security | Data Security Posture & Identity-to-Data Risk Mapping (DSPM) | ISO 27001:2022 A.8.2; ISO 27001:2022 A.8.3; ISO 27001:2022 A.5.37; ISO 27001:2022 A.5.15 |
| SEC-05 | Security | Identity Posture & Attack-Surface Management (ISPM) | ISO 27001:2022 A.5.16; ISO 27001:2022 A.8.9; ISO 27001:2022 A.5.36; ISO 27001:2022 A.8.8 |
| GOV-01 Domino | Governance | Identity Data Ownership | ISO 27001:2022 A.5.2; ISO 27001:2022 A.8.2 |
| GOV-02 | Governance | IAM Metrics, Risk & Executive Visibility | ISO 27001:2022 A.5.1; ISO 27001:2022 A.5.2; ISO 27001:2022 A.5.4 |
| GOV-03 | Governance | IAM Policy Definition, Enforcement & Drift Control | ISO 27001:2022 A.5.1; ISO 27001:2022 A.5.36; ISO 27001:2022 A.8.16; ISO 27001:2022 A.5.37; ISO 27001:2022 A.5.38 |
| GOV-04 | Governance | IAM Operating Model and Skills | ISO 27001:2022 A.5.2; ISO 27001:2022 A.6.3; ISO 27001:2022 A.5.3; ISO 27001:2022 A.5.36 |
| CIAM-04 | CIAM | B2B Delegated Administration & Partner Identity | ISO 27001:2022 A.5.18 |
| CIAM-DATA-01 | CIAM × Data | Customer Access-to-Data Visibility & Impact Control | ISO 27001:2022 A.8.2 |
| CIAM-PAM-01 | CIAM × PAM | Customer-Admin Privilege Governance | ISO 27001:2022 A.8.3; ISO 27001:2022 A.8.15 |
How AXIS Scores ISO/IEC 27001 Alignment
A threshold model: each mapped control either meets the ISO/IEC 27001 maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.5 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For ISO/IEC 27001, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for ISO/IEC 27001 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry ISO/IEC 27001 citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
ISO/IEC 27001 appears in every assessment scope: workforce, customer identity (CIAM), and full.
It is shown when the assessed organization operates in: Financial Services, Healthcare, Energy & Utilities, Technology/SaaS, Public Sector. Other industries see only the frameworks relevant to them.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to ISO/IEC 27001:2022. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how ISO/IEC 27001 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against ISO/IEC 27001
Run the AXIS assessment and get your maturity score, ISO/IEC 27001 alignment, and a prioritized roadmap in one pass. No signup required to start.