Your first surveillance audit under ISO 27001:2022 marks the point where auditors shift from accepting "transition plans" to testing whether your identity management actually delivers day to day.

By 2026, the regulatory landscape will be even tougher. NIS2 applies across the EU, DORA regulates financial entities, and compliance is shifting from documentation to evidence. Manual access management and SSO-only setups will no longer suffice; they will turn up as audit findings.

In this guide, you'll learn:

  • What's new for identity and access in ISO 27001:2022
  • How surveillance audits fit your three-year ISO cycle
  • How to prepare identity lifecycle management, including non-human identities
  • How to build audit evidence your external auditor and regulators now require
  • Where automation and platforms like Iden turn "scramble every year" into repeatable, low-stress audits

Before You Start: Prerequisites for a Smooth Surveillance Audit

Before tackling checklists and tooling, ensure these fundamentals:

  • Transition complete
    ISO/IEC 27001 was revised in 2022, replacing the 2013 edition as the current version of the standard [1: en.wikipedia.org].
    Organizations certified to ISO 27001:2013 had until 31 October 2025 to transition their certificates to ISO 27001:2022; certificates not transitioned by then lapsed [2: itanet.eu].
    Your Statement of Applicability (SoA) should reflect the 2022 control set.

  • Clear identity scope
    Document the business units, locations, and systems in scope for your ISMS, and thus for Annex A 5.16 (identity management) and 5.17 (authentication information).

  • Defined sources of truth
    HRIS for people records, directory/IdP (e.g., Okta/Entra) for accounts, CMDB or cloud inventory for infrastructure, with a clear owner for each.

  • Documented joiner-mover-leaver (JML) processes
    Even partially manual processes require documented procedures showing how identities are created, changed, and removed.

  • Non-human identities on the radar
    Service accounts, SaaS bots, API keys, CI/CD users, RPA bots, and machine identities must be inventoried, not left as "IT magic."

  • Some level of centralization
    If you manage access via email and spreadsheets, you may still pass, but expect more findings. An IGA platform like Iden lets you centralize policies, workflows, and audit trails across human and non-human identities.

Step 1: Reframe Your Surveillance Audit in the 2026 Regulatory Context

Auditors now care about how your ISMS stands up to real regulatory requirements, not just ISO text.

Why 2026 is different

  • ISO 27001 certification runs in three-year cycles with annual surveillance audits in years one and two and a recertification audit in year three [3: tuv.com].
    If you certified or transitioned in 2024-2025, your 2026 audit is the first fully under the 2022 control set.

  • NIS2 required EU Member States to transpose its requirements into national law by 17 October 2024 and apply them from 18 October 2024 [4: trade.gov].
    Many tech, finance, and professional-services firms in the EU are now designated as "essential" or "important."

  • Under NIS2, essential entities can face fines of up to 10 million euros or 2% of global annual turnover for serious non-compliance, whichever is higher [5: pwc.de].
    The stakes for lax access management have never been higher.

  • The EU's Digital Operational Resilience Act (DORA) started to apply to in-scope financial entities and their ICT providers on 17 January 2025, introducing harmonized ICT risk-management and incident-response requirements [6: eba.europa.eu].
    Identity and access control are central to these requirements.

Your auditor is fully aware of this context. Be prepared for questions such as:

  • "Show evidence all access changes are tied to an identity and approval."
  • "How do you ensure non-human identities are regularly reviewed and revoked when unnecessary?"
  • "How do you confirm SSO groups match actual job roles, rather than old setups?"

Tip
Frame your audit for leadership as part of your NIS2, DORA, HIPAA, or CMMC readiness, not just "an ISO thing." ISO 27001 now anchors your wider regulatory compliance.

Step 2: Decode What Changed in ISO 27001:2022 for Identity Management

ISO 27001:2013 addressed access control, but the 2022 revision raises expectations for managing both human and non-human identities.

Annex A 5.16 - Identity management

Annex A 5.16 in ISO 27001:2022 requires organizations to manage the full lifecycle of digital identities so that access is attributable, authorized, and traceable, and it explicitly applies to both human and non-human identities [7: voragosecurity.com].

Auditors will look for:

  • Lifecycle coverage
    Processes for creating, modifying, suspending, and revoking identities for all employee and system types.

  • One person / one identity principle
    Named accounts over shared logins; clear owners for non-human identities.

  • Risk-based treatment
    Stronger scrutiny for privileged accounts (admins, production, CI/CD, cloud control planes).

Annex A 5.17 - Authentication information

5.17 covers how you manage passwords, keys, tokens, and other secrets. Auditors connect this to your identity lifecycle:

  • Are secrets rotated when an identity or access changes?
  • Are API keys and service-account credentials managed like user passwords?

Common mistake
Treating 5.16 as just another access control. Auditors will sample JML flows, non-human identities, and approvals across multiple controls, not just your SSO.

Step 3: Build a Complete Identity Inventory (Human and Non-Human)

Control starts with knowing all your identities. Build, and continually update, a complete inventory.

3.1 Start with human identities

  1. Pull from HRIS and directory
    Export all current and recently inactive staff from HRIS and IdP.

  2. Normalize identity keys
    Assign a unique identifier (employee ID or HR number) across all systems.

  3. Map to roles and departments
    You don't need perfect RBAC, but you must know each person's team or function.

3.2 Add non-human identities

Non-human identities are now a common source of ISO 27001:2022 audit findings.

Inventory at least:

  • Service accounts (databases, OS, backup)
  • Application accounts used for integrations
  • CI/CD users and deployment bots
  • API keys used by external services
  • SaaS bots and automations
  • Machine identities in infrastructure (containers, VMs, IoT)

For each non-human identity, log:

  • Purpose and owning system
  • Business owner (not just "IT")
  • Technical owner
  • Data and systems accessed
  • Authentication method
  • Creation, rotation, and revocation process

Tip
Use existing listings to start: cloud IAM listings, IdP service principals, SaaS admin consoles, etc. Iden can consolidate identities from SSO, HRIS, and 175+ SaaS apps, so there is no need to hunt across 30 admin UIs.

Step 4: Design and Document Lifecycle Processes Auditors Will Test

With your inventory in place, show evidence that each identity's lifecycle is controlled.

4.1 Joiners - day-one access

  • Trigger: HR creates/updates a record.
  • Process:
    • Identity is provisioned in directory/IdP from HR.
    • Birthright access (email, collaboration, ticketing) granted by role/team.
    • Exceptions or elevated access require documented approval.

Auditors expect:

  • Evidence access matches policy
  • Approval records for exceptions
  • No "shadow" accounts created outside this process

4.2 Movers - role and team changes

Movers typically introduce privilege creep and SoD issues.

  • Ensure HR role changes trigger access review
  • Define removal rules for changing roles/departments
  • Capture approvals for temporary or overlapping access

4.3 Leavers - offboarding (including non-human identities)

You must demonstrate, quickly, "What happens when someone leaves?"

At minimum:

  • HR offboarding auto-disables accounts
  • Key system access is removed or transferred
  • Non-human identities tied to the person are identified and revoked/reassigned

Common mistake
Assuming "disable the AD account" is enough. Auditors now sample individual users and expect system-by-system proof that access was removed, including SaaS and less visible apps.

4.4 Document, then automate where possible

Document JML flows, then automate:

  • IGA/identity governance (Iden) for policy, workflow, approvals
  • SSO/IdP for account lifecycle
  • HRIS as primary trigger

Iden automates policy-driven onboarding, changes, and offboarding across all identities (even for apps without SCIM or APIs), with fine-grained control and visibility.

Step 5: Automate Evidence Collection Across Your Stack

Manual evidence (screenshots, spreadsheets) is obsolete. Auditors require live, consistent proof.

5.1 Define strong evidence

Identity management controls require:

  • Central logs (who was granted what, when, with approval)
  • Complete user and access listings
  • Historical reports for point-in-time reviews
  • Automated user access review (UAR) records

5.2 Know SSO-only limitations

SSO is table stakes, not coverage:

  • Many apps don't support SCIM or charge for it
  • Fine-grained access (channels, repos, projects) isn't always managed by the IdP
  • Non-human/local accounts may bypass SSO entirely

Iden addresses these gaps:

  • Connects to any app, with or without SCIM or an API
  • Fine-grained permissions (workspace, channel, repo, project)
  • Automated UARs and evidence collection

Iden automates provisioning and governance across more than 175 apps, including long-tail and non-SCIM SaaS tools, using universal connector technology.

Customers using Iden typically see about 80% fewer manual access tickets and save roughly 120 hours per quarter on user access reviews.

These aren't "nice to have" stats; they let you be audit-ready, not in annual fire-drill mode.

Tip
Always ask: "If an auditor asks us to prove this happened six months ago, what log or report will we show?" If the answer is "a spreadsheet" or "someone's inbox," that's an issue to fix.

Step 6: Run an Internal "Surveillance Audit" on Identities

An internal review before the real audit turns major risks into minor notes, or eliminates issues outright.

6.1 Build a concise identity checklist

Based on Annex A 5.16/5.17 and your risks:

  • Is there a current inventory of all human/non-human identities in scope?
  • Can we show JML evidence for recent joiners, movers, leavers?
  • Are privileged accounts and service accounts assigned to named owners?
  • Have recent user access reviews been completed for high-risk systems?
  • Are secrets (passwords, keys, tokens) managed per policy?

6.2 Sample real cases

Pick actual recent cases:

  • New hires (last 3-6 months)
  • Role or department changes
  • Employee exits
  • Critical service accounts and integrations

Follow the evidence trail:

  • HR record -> IdP account -> app access -> approvals -> offboarding/change logs

With Iden, you get one identity record with full lifecycle and entitlement history, including bots and service accounts.

Common mistake
Only checking documentation exists, not whether processes are followed. Auditors will now always check the latter.
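The evidence-trail walk above (HR record -> IdP account -> app access) and the non-human inventory fields from Step 3 can be scripted for an internal review. This is an added example, not Iden's code or any product's API; the HRIS, IdP and app records are constructed sample data, and the 365-day rotation limit is an assumed policy value.

```python
from datetime import date

# Constructed sample data, not from any real system: an HRIS export, the IdP account
# list and app entitlements from admin consoles, joined on employee_id as in Step 3.
HRIS = {
    "E100": {"status": "active", "dept": "Finance"},
    "E200": {"status": "terminated", "dept": "Engineering", "term_date": date(2025, 11, 3)},
    "E300": {"status": "active", "dept": "Sales"},  # mover: transferred from Engineering
}
IDP = [
    {"account": "alice", "employee_id": "E100", "enabled": True, "kind": "human"},
    {"account": "bob", "employee_id": "E200", "enabled": True, "kind": "human"},
    {"account": "carol", "employee_id": "E300", "enabled": True, "kind": "human"},
    {"account": "dave", "employee_id": None, "enabled": True, "kind": "human"},
    {"account": "svc-backup", "employee_id": None, "enabled": True, "kind": "service",
     "business_owner": "", "technical_owner": "E100", "last_rotated": date(2024, 6, 1)},
]
APPS = [  # each entitlement records the department it was approved for
    {"app": "github", "account": "carol", "entitlement": "prod-deploy", "approved_dept": "Engineering"},
    {"app": "salesforce", "account": "carol", "entitlement": "sales-user", "approved_dept": "Sales"},
    {"app": "github", "account": "bob", "entitlement": "org-admin", "approved_dept": "Engineering"},
]
AUDIT_DATE = date(2026, 1, 15)  # the "today" of the internal review

def audit_identities(hris, idp, apps, today, max_secret_age_days=365):
    """Walk HR record -> IdP account -> app access; return (finding, account, detail) tuples."""
    findings = []
    by_account = {a["account"]: a for a in idp}
    for acct in idp:
        emp = hris.get(acct["employee_id"]) if acct["employee_id"] else None
        if acct["kind"] == "human":
            if emp is None:  # no HR source of truth behind this account
                findings.append(("shadow_account", acct["account"], "no HRIS record"))
            elif emp["status"] == "terminated" and acct["enabled"]:
                days = (today - emp["term_date"]).days
                findings.append(("leaver_still_enabled", acct["account"], f"{days} days after exit"))
        else:  # non-human identity: needs a business owner and in-policy secret rotation
            if not acct.get("business_owner"):
                findings.append(("nhi_no_business_owner", acct["account"], "owner field empty"))
            if (today - acct["last_rotated"]).days > max_secret_age_days:
                findings.append(("nhi_rotation_overdue", acct["account"], str(acct["last_rotated"])))
    for ent in apps:  # app-level access must match the current HR state, not a past role
        acct = by_account.get(ent["account"])
        emp = hris.get(acct["employee_id"]) if acct and acct["employee_id"] else None
        target = f'{ent["app"]}:{ent["entitlement"]}'
        if emp and emp["status"] == "terminated":
            findings.append(("leaver_app_access", ent["account"], target))
        elif emp and emp["dept"] != ent["approved_dept"]:
            findings.append(("mover_privilege_creep", ent["account"], target))
    return findings
```

Each returned tuple is one item an auditor would sample: a leaver still enabled, a shadow account with no HR record, a service account without a business owner or with an overdue secret, and a mover who kept an old-role entitlement.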

Step 7: Navigate the Surveillance Audit Day, and What Comes After

7.1 During the audit

  • Be transparent
    If some access control is manual, acknowledge it, and show your automation roadmap.

  • Lead with evidence
    When asked "How do you manage non-human identities?" show your inventory or IGA dashboard, not just slides.

  • Note soft findings
    Comments like "this seems fragile" are improvement cues; act on them, don't just document them.

7.2 After the audit

  • Classify findings
    • Immediate fixes (e.g., missing revocation)
    • Process improvements (e.g., better HR triggers)
    • Structural upgrades (e.g., IGA adoption)

  • Align actions to your roadmap
    Use findings to justify moving from manual to automated identity governance across all apps, not just the easy ones.

  • Think multi-framework
    Automated JML, non-human management, and UAR evidence serve ISO 27001, HIPAA, SOC 2, CMMC, NIS2, and DORA. Iden is designed to be the single identity governance layer you need.

Next Steps: Turn Your Surveillance Audit into an Identity Upgrade

For Heads of IT and CISOs at SaaS-heavy organizations, this first ISO 27001:2022 surveillance audit is about proving identity governance across human and machine identities, at scale, under real regulatory scrutiny.

Concrete actions:

  • Use this audit cycle to baseline your identity inventory and JML processes
  • Prioritize automation where audit risk and workload are highest: offboarding, privileged access, non-human identities, and access reviews
  • Consolidate evidence from SSO, HRIS, and apps into a single, queryable place, either in-house or with Iden's unified platform

Done right, future audits are routine, because your identity governance operates continuously, not just during audit season.

FAQ: ISO 27001:2022 Surveillance Audits & Identity Management

1. How is a surveillance audit different from initial ISO 27001 certification?

The initial audit (Stage 1 + Stage 2) thoroughly assesses ISMS design and implementation. Surveillance audits are annual reviews that sample controls and confirm continual improvement.

In a typical ISO 27001 program, certification is valid for three years, with annual surveillance audits in years one and two and a full recertification audit in year three [3: tuv.com].

For identity management, expect auditors to test actual JML cases, management of non-human identities, and recent access reviews, not just ask for procedures.

2. What identity evidence do auditors expect under ISO 27001:2022?

Auditors frequently request:

  • Updated inventories of all human and non-human identities
  • Samples of JML workflows with timestamps and approvals
  • Logs or reports showing account lifecycle events across key systems
  • User access review (UAR) decision and remediation records
  • Service account and API key management procedures

If you can answer "show me" evidence requests without scrambling for spreadsheets, you're in strong shape.

3. Do I need a full IGA platform to pass Annex A 5.16?

Not by the letter of the standard; well-designed manual processes are acceptable. But as SaaS footprints and non-SCIM tools increase, manual JML and spreadsheet-based reviews become:

  • Costly in staff time
  • Prone to errors (missed offboarding, privilege creep)
  • Difficult to evidence consistently

That's why many growing organizations adopt platforms like Iden: comprehensive app coverage, policy-driven workflows, automated evidence, and no legacy IGA complexity.

4. How do we handle non-human identities for ISO 27001:2022?

Treat non-human identities as first-class within your ISMS:

  • Include them in your risk assessment and SoA
  • Assign each an owner, purpose, and lifecycle
  • Apply appropriate authentication and rotation policies
  • Review their access regularly, especially for production data or critical systems

Ignoring non-human identities is now an explicit audit gap [7: voragosecurity.com].

5. How does ISO 27001:2022 identity management help with NIS2 and DORA?

NIS2 and DORA expect strong access control, accountability, and evidence that security controls work in practice. ISO 27001:2022 provides:

  • Structured ISMS and risk-based rationale for identity controls
  • Documented JML and non-human identity processes
  • A framework for monitoring and improving those controls

When automated identity governance and audit trails support these controls, you deliver the continuous, evidence-based posture regulators now demand.