If your business is pursuing ISO 27001:2022 certification — or preparing for a surveillance audit — access control and authentication are areas where auditors look hard. Password management sits right at the intersection of several Annex A controls, and a poorly implemented approach will generate non-conformities. This guide explains exactly which controls apply, what an auditor will want to see, and how a business-grade password manager helps you meet the evidence requirements without building a custom control framework from scratch.
The ISO 27001:2022 Controls You Need to Know
The 2022 revision of ISO 27001 reorganised many controls and introduced new ones. Four controls directly govern how your organisation manages passwords and authentication. Understanding each one — and the evidence it requires — is essential before you think about tooling.
A.5.16 — Identity Management
This control requires that the full lifecycle of identities (human and non-human) is managed through a defined process. That means provisioning, modification, and de-provisioning of user accounts must follow documented procedures. From a password management perspective, the key requirements are:
- Users must be assigned unique identities — no shared accounts
- Identities must be linked to a named individual or system (with a documented owner)
- Processes must exist to disable or remove identities promptly when a person leaves or changes role
Where password managers help: a centrally managed vault with SCIM provisioning (automatic user sync from your directory service) gives you a single, auditable record of who has access to which credentials. When someone leaves, their vault access is revoked through a single offboarding action, and emergency access procedures allow designated admins to retrieve any credentials they held.
A.5.17 — Authentication Information
This is the control most directly about passwords, and it is worth reading in full. The control states that the allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling. The supplementary guidance identifies the following obligations:
- A formal process must govern the issuance, resetting, and revocation of authentication information
- Default passwords on systems and devices must be changed on initial deployment
- Users must not share authentication information (passwords, tokens, keys) unless explicitly approved and controlled
- Where passwords must be shared (for example, a shared service account), there must be a controlled mechanism — not a spreadsheet or email
- Password storage must use approved cryptographic methods (i.e., not plaintext or reversibly encrypted)
- Users must be required to keep authentication information confidential
A password manager addresses nearly every line of this control. Passwords are generated to policy-defined complexity standards, stored with strong encryption, and shared between users through controlled vault entries — not via email or chat. The policy enforcement features in business-tier products (minimum length, complexity, breach detection) give you documented, automated compliance rather than a policy on paper that nobody follows.
A.5.18 — Access Rights
Access rights must be provisioned, reviewed, modified, and removed through a formal process. Periodic access reviews — where a manager or IT administrator confirms that a user’s current rights are still appropriate — are a key audit evidence point. Password managers support this control by providing:
- Role-based vault sharing: credentials are assigned to groups, not individuals, making access reviews straightforward
- Audit logs showing who accessed which credentials and when
- Clear visibility of privileged accounts (admin vaults, privileged access groups) for targeted review
A.8.5 — Secure Authentication
This control requires that secure authentication procedures are implemented based on access control policy. Specifically, it calls for multi-factor authentication (MFA) where technically feasible, and for systems to implement controls that limit the risk of credential-based attacks (lockout after failed attempts, session timeouts, and so on).
For MFA, hardware security keys are the strongest option for high-privilege accounts. If you are protecting privileged vault access or administrator accounts, a hardware key such as a YubiKey 5C NFC is worth considering — it eliminates the risk of phishing-based MFA bypass that affects TOTP and SMS methods. All of the business-grade password managers discussed below support FIDO2/WebAuthn hardware keys.
The ISO 9001:2015 Angle
Many UK SMBs pursue ISO 9001 alongside or before ISO 27001. Two clauses are relevant to access control and deserve a brief mention.
Clause 7.5.3 — Control of Documented Information requires that documented information (quality manuals, procedures, records) is protected from unintended modification and from access by unauthorised persons. If your quality management system documents are held in a cloud platform — SharePoint, Google Workspace, a QMS tool — controlling who can access and modify them is a direct requirement. Storing the credentials to those systems in a managed vault, with access restricted to named individuals by role, supports your 7.5.3 compliance position.
Clause 8.4 — Control of Externally Provided Processes, Products and Services applies when you rely on third-party suppliers for services that affect product or service quality. If your supply chain involves suppliers accessing your systems — through a portal, FTP, shared platform, or support access — controlling and monitoring those access credentials falls under this clause. A password manager with guest access or limited vaults allows you to issue and revoke third-party credentials with a full audit trail.
What an ISO 27001 Auditor Will Actually Check
Auditors working to ISO 27001 are looking for evidence that controls are implemented and effective — not just documented. In the access control and authentication domain, expect the following areas to be examined:
Password Policy Document
You need a written password policy that defines minimum length, complexity requirements, password age limits, prohibition on reuse, and rules on sharing. The policy should reference your chosen tooling and be approved by management. If you do not have one, our password manager policy template for UK businesses gives you a solid starting point that you can adapt to your organisation’s controls.
Evidence of Policy Enforcement
A policy document alone is insufficient. Auditors will want to see that the policy is technically enforced, not just communicated. This means demonstrating that your password manager’s admin console is configured to require passwords that meet the policy — and that users cannot bypass those requirements. Screenshots of your admin policy configuration, exported as dated records, serve as evidence here.
MFA Use
The auditor will expect MFA to be enabled for at least privileged accounts, and ideally all accounts. Evidence includes your MFA policy statement, a report from your identity provider or password manager showing which users have MFA enrolled, and — for highly privileged accounts — evidence that a stronger second factor (hardware key or authentication app) is in use.
Audit Logs
Logs must show who authenticated, when, from where, and what they accessed. For password managers, this means exported audit logs showing vault access events. Auditors may ask you to demonstrate that you are retaining these logs for the required period (typically at least 12 months) and that they are protected against tampering.
Privileged Access Review
Access reviews for privileged accounts — IT administrators, finance system access, HR systems — must be conducted at defined intervals (quarterly is common for privileged access). You need documented records of these reviews, including who reviewed them, the date, what was confirmed, and any changes made as a result.
Offboarding Procedures
When an employee leaves, auditors will want evidence that their access — including vault access — was revoked promptly. A defined offboarding checklist, signed off by IT and HR, with timestamps, is the typical evidence form. Password managers with SCIM or directory sync make this automatable, but you still need the documented process and records.
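As an added example (not code from this article or from any of the password managers it discusses), the following script runs three of the evidence checks described under MFA Use, Audit Logs and Offboarding Procedures over constructed CSV exports. The column names, usernames, timestamps and vault item names are assumptions, because every product exports its own format; adapt the headers to your vendor's export before using it on real data.

```python
# Added example: compliance evidence checks over constructed vault exports.
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed sample exports; real products use their own column names.
USERS_CSV = """username,role,mfa_enrolled
alice,admin,true
bob,admin,false
carol,member,false
dave,member,true
"""
LEAVERS_CSV = """username,offboarded_at
carol,2024-03-01T17:00:00Z
"""
AUDIT_CSV = """timestamp,username,event,item
2024-02-28T09:12:00Z,carol,item_view,Finance SaaS admin
2024-03-01T16:45:00Z,carol,item_view,Shared mailbox
2024-03-02T08:03:00Z,carol,item_view,Finance SaaS admin
2024-03-02T08:10:00Z,alice,item_share,Finance SaaS admin
"""

def _rows(text):
    return list(csv.DictReader(StringIO(text)))

def _ts(value):  # ISO 8601 with a trailing Z, as in the constructed exports
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def privileged_without_mfa(users_csv=USERS_CSV):
    """A.8.5 evidence: privileged (admin) accounts with no MFA enrolled."""
    return sorted(r["username"] for r in _rows(users_csv)
                  if r["role"] == "admin" and r["mfa_enrolled"].lower() != "true")

def access_after_offboarding(audit_csv=AUDIT_CSV, leavers_csv=LEAVERS_CSV):
    """A.5.16 evidence: vault events by a leaver after their recorded offboarding time."""
    cutoff = {r["username"]: _ts(r["offboarded_at"]) for r in _rows(leavers_csv)}
    return [(r["username"], r["timestamp"], r["item"]) for r in _rows(audit_csv)
            if r["username"] in cutoff and _ts(r["timestamp"]) > cutoff[r["username"]]]

def log_coverage_days(audit_csv=AUDIT_CSV):
    """Span of retained log history in days; the evidence pack wants at least 90."""
    stamps = [_ts(r["timestamp"]) for r in _rows(audit_csv)]
    return (max(stamps) - min(stamps)).days

if __name__ == "__main__":
    print("admins without MFA:", privileged_without_mfa())
    print("leaver access after offboarding:", access_after_offboarding())
    print("audit log coverage (days):", log_coverage_days())
```

Any row returned by the second check is a finding for the offboarding record: either revocation lagged the HR leave date or the exported timestamp is wrong, and the auditor will want to know which.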
How a Business Password Manager Supports ISO 27001 Compliance
Password managers are not a shortcut to certification — they are a technical control that, properly configured, supports multiple Annex A requirements simultaneously. Here is how the key features map to compliance needs:
- Policy enforcement: Admin-enforced password strength, breach alerting (via HaveIBeenPwned integration), and mandatory MFA on vault access directly satisfy A.5.17 requirements for controlled authentication information management.
- Audit trail and log export: Business-tier products provide exportable audit logs covering vault access, credential sharing events, admin actions, and failed login attempts — essential for both A.8.5 and your incident response evidence.
- Secure sharing: Shared credentials (for service accounts, shared mailboxes, social media accounts) are managed through controlled vault entries with defined access, not via email or spreadsheets. This satisfies the A.5.17 prohibition on uncontrolled sharing.
- MFA integration: SSO via SAML with MFA enforced at the identity provider, combined with MFA on the vault itself, creates layered authentication that satisfies A.8.5 and demonstrates defence in depth.
- Emergency and offboarding access: Designated admins can access a leaver’s vault contents through formal emergency access processes, ensuring no credentials are lost and all access can be revoked and transferred — supporting A.5.16 lifecycle management and your offboarding procedures.
- SCIM and directory sync: Automatic user provisioning and deprovisioning from Entra ID (Azure AD), Okta, or Google Workspace ensures identity management is centralised and auditable, directly supporting A.5.16 and A.5.18.
Feature Requirements Matrix for ISO Compliance
Not all password managers offer the features you need for ISO 27001 compliance. When evaluating products, check for these capabilities:
- Exportable audit logs: Must cover individual user access events, not just admin actions. Check the retention period — some products limit log history on lower tiers.
- Admin-enforced password policies: The admin must be able to set and enforce minimum password requirements organisation-wide, and prevent users from saving weak or reused credentials.
- SCIM provisioning: Automatic sync with your directory service for user provisioning and deprovisioning. Essential for organisations with more than around 15 users.
- SSO with MFA enforcement: SAML-based SSO allowing MFA to be enforced at the identity provider level. This means MFA policy is centrally managed, not dependent on individual users enabling it.
- Role-based access control: Granular vault sharing with defined roles (viewer, editor, admin) for groups and collections, enabling meaningful access reviews.
- Emergency access / admin recovery: Formal process for administrators to access credentials belonging to a leaver or incapacitated user, with approvals and audit trail.
- Breach monitoring: Automated alerting when stored credentials appear in known breach datasets — supports continuous improvement obligations under ISO 27001.
Which Products Meet the Bar
The best business password managers for UK organisations vary in how fully they support ISO 27001 compliance requirements. Here is a practical summary:
LastPass Business
LastPass Business meets the core requirements: admin-enforced policies, SCIM provisioning, SAML SSO, exportable audit logs, and MFA integration including hardware keys. The Security Dashboard gives a portfolio view of password health across the organisation, which is useful for evidencing ongoing monitoring. The audit log functionality is comprehensive at the Business tier. Full marks for ISO compliance feature coverage.
1Password Business
1Password Business is arguably the strongest option for organisations where compliance is a primary driver. The Activity Log is detailed and exportable, Watchtower provides continuous breach and weak-password monitoring, and the Collections and Groups model makes access reviews straightforward. SCIM provisioning and SAML SSO are both supported at the Business tier. Guest accounts allow controlled external access. Recommended for organisations where audit evidence quality matters.
Bitwarden Teams (and Enterprise)
Bitwarden is open source and well regarded in the security community. At the Teams tier, audit logging is available but has some limitations compared to 1Password and LastPass. Organisations requiring full audit log retention and export — particularly for ISO 27001 — should consider either the Enterprise tier or self-hosted deployment, which gives complete control over log retention and infrastructure. Self-hosting introduces operational overhead, but for organisations with the capability it provides maximum control. Bitwarden is a partial recommendation at Teams tier; full recommendation at Enterprise or self-hosted.
Dashlane Business
Dashlane Business includes a Security Score dashboard, detailed activity logs, SAML SSO, SCIM provisioning, and policy enforcement. The admin console is notably user-friendly, which helps with ongoing compliance management for teams without a dedicated security function. Meets the full ISO 27001 feature requirements at the Business tier.
The UK GDPR Dimension
ISO 27001 certification and UK GDPR compliance are distinct obligations, but they are closely related and auditors from certification bodies are aware of both. UK GDPR Article 32 requires that controllers and processors implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk — including, specifically, measures to ensure ongoing confidentiality, integrity, and availability of processing systems.
Using a business-grade password manager with enforced MFA, encrypted credential storage, and a documented access control process is a concrete technical measure you can cite in your Records of Processing Activities and your Data Protection Impact Assessments. In the event of an ICO investigation following a breach, evidence that you had appropriate access controls in place — and that they were actively maintained — is materially important to your defence. A password manager that generates audit logs and enforces policy gives you that evidence automatically.
Building Your Compliance Evidence Pack
Certification audits succeed or fail on documentation and evidence, not good intentions. If you are preparing for an ISO 27001 Stage 2 audit, the following evidence items relating to access control and authentication should be ready:
- Written password and authentication policy, version-controlled and management-approved
- Screenshot evidence of your password manager admin console showing policy configuration
- User list from your password manager showing MFA enrolment status for all accounts
- Exported audit log samples (at minimum, the last 90 days)
- Access review records for privileged accounts (dated, signed off)
- Offboarding checklist records showing access revocation for recent leavers
- SCIM or directory sync configuration evidence (if applicable)
- Incident response procedure referencing credential compromise scenarios
Most business-tier password managers make the majority of this evidence easy to produce. The audit log export, MFA enrolment report, and admin policy configuration can typically be captured in under an hour once you know what you need.
Final Thoughts
Password management is not the most glamorous part of an ISO 27001 programme, but it is one of the most auditable. Controls A.5.16, A.5.17, A.5.18, and A.8.5 together create a detailed framework for identity and authentication management, and a well-configured business password manager maps neatly onto every one of them. For UK SMBs where a dedicated security team is not an option, this kind of automated, policy-driven control is particularly valuable — it gives you the evidence an auditor expects without requiring manual record-keeping at every turn.
Whether you are at the gap analysis stage or preparing for your surveillance audit, getting your password management infrastructure right is time well spent. The products discussed above all offer free trials — test the audit log export and admin policy features specifically before committing.
This article is guidance only and does not constitute professional compliance or legal advice. For ISO 27001 certification, engage an accredited certification body registered with UKAS. For UK GDPR advice, consult a qualified data protection practitioner.