Auditing access management for ISO 27001: the human friendly way


To be compliant with ISO 27001 Annex A.9.2 your organisation needs to be in control of access management. You also need to review user access rights at least annually “or when major changes take place”. But is annually enough? And what counts as a major change? Ignoring a minor change can just as well lead to a security breach. Of course you can create strict procedures regarding role changes and access provisioning. But if someone doesn’t follow your procedure, that too can create a breach. On the other hand: you can’t continuously audit access rights now, can you? Good news: through the power of decentral authorisation in KeyHub, you can. And you can make it almost effortless.

The power of decentral authorisation

Who knows best which team members should have access to what? We believe in decentral authorisation: let a team manager manage the access rights. KeyHub makes it easy for a team manager to request access to a resource and for team managers to approve these requests. You might think that delegating this duty to a team manager has a downside: the team manager is now also in charge of revoking rights. Some team managers might be too busy with the business at hand and might forget to administer a team change when someone leaves the team. This is where the KeyHub periodic audit steps in. At regular intervals the team manager receives a notification to audit the team.


The audit itself is quite easy: with a click of a button access rights are revoked. The team manager can also grant access to new team members during the audit. As you can see in the image below, auditing takes very little effort, so team managers can spend their precious time on other things.

Audit dashboard for security officers and audit managers

Delegating to team managers makes user access management really efficient. But what if, for some reason, a team manager doesn’t do the audit? A security officer or audit manager wants to know whether the organisation is in control. That is why KeyHub offers an easy-to-use auditor dashboard. It shows in one view whether any team managers are behind on their auditing duties. This way the audit manager can take the appropriate actions to ensure the organisation is in control.
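To make the two mechanisms described above concrete (the periodic audit a team manager performs, and the dashboard that shows which managers are behind), here is a small added example of how such a review cycle can be modelled. It is illustrative code written for this post, not KeyHub's own implementation or API; the team names, user names, dates and the 90-day interval are constructed sample data.

```python
"""Model of a periodic, delegated access review (constructed example, not KeyHub code)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Team:
    name: str
    manager: str              # the team manager who owns the review
    members: frozenset[str]   # users currently holding the team's access rights
    last_audit: date          # when the manager last confirmed the membership
    interval_days: int = 90   # review cadence; ISO 27001 A.9.2 asks for at least annually


@dataclass(frozen=True)
class AuditResult:
    team: Team                # the team after the manager's decisions were applied
    revoked: frozenset[str]   # members the manager did not confirm
    granted: frozenset[str]   # new members added during the audit


def next_audit_due(team: Team) -> date:
    """Date by which the manager must have reviewed the team again."""
    return team.last_audit + timedelta(days=team.interval_days)


def days_overdue(team: Team, today: date) -> int:
    """0 while the review is not yet due, otherwise the number of days past the due date."""
    return max(0, (today - next_audit_due(team)).days)


def reminders(teams: list[Team], today: date, notice_days: int = 14) -> list[tuple[str, str, date]]:
    """(manager, team, due date) for reviews falling due within notice_days: who gets notified."""
    window_end = today + timedelta(days=notice_days)
    return [(t.manager, t.name, next_audit_due(t))
            for t in teams if today <= next_audit_due(t) <= window_end]


def auditor_dashboard(teams: list[Team], today: date) -> dict[str, list[tuple[str, int]]]:
    """Managers behind on their auditing duties, with each late team and how many days late."""
    behind: dict[str, list[tuple[str, int]]] = {}
    for t in teams:
        late = days_overdue(t, today)
        if late > 0:
            behind.setdefault(t.manager, []).append((t.name, late))
    for entries in behind.values():
        entries.sort(key=lambda e: -e[1])  # most overdue first
    return behind


def perform_audit(team: Team, confirmed: set[str], added: set[str], today: date) -> AuditResult:
    """Apply the manager's review: unconfirmed members are revoked, added members are granted.

    Confirming a user who is not a current member is rejected, so a typo cannot silently
    grant access; new members must be listed explicitly under `added`.
    """
    confirmed_set, added_set = frozenset(confirmed), frozenset(added)
    unknown = confirmed_set - team.members
    if unknown:
        raise ValueError(f"cannot confirm users who are not members: {sorted(unknown)}")
    revoked = team.members - confirmed_set
    updated = replace(team, members=confirmed_set | added_set, last_audit=today)
    return AuditResult(updated, revoked, added_set - team.members)


# Constructed sample data: four teams, two owned by the same manager.
TODAY = date(2024, 6, 1)
TEAMS = [
    Team("payments", "alice", frozenset({"bob", "carol", "dave"}), date(2024, 1, 15)),
    Team("platform", "erin", frozenset({"frank"}), date(2024, 5, 20)),
    Team("finance", "alice", frozenset({"grace", "heidi"}), date(2024, 3, 1)),
    Team("support", "ivan", frozenset({"judy"}), date(2024, 3, 10)),
]

if __name__ == "__main__":
    for manager, team, due in reminders(TEAMS, TODAY):
        print(f"notify {manager}: review of '{team}' is due on {due}")
    for manager, late_teams in auditor_dashboard(TEAMS, TODAY).items():
        print(f"{manager} is behind on: {late_teams}")
    result = perform_audit(TEAMS[0], confirmed={"bob", "carol"}, added={"mallory"}, today=TODAY)
    print(f"revoked {sorted(result.revoked)}, granted {sorted(result.granted)}")
```

The dashboard is derived purely from `last_audit` and the interval, so a manager who ignores the notification shows up automatically without anyone having to report it; completing an audit resets the clock for that team only.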

Would you like to know how KeyHub can help your organisation manage privileged access management in a user-friendly way? Send us a message and we’ll be in touch to schedule a demo.