BG Beter Geregeld ICT
Compliance · 2 min read · 23 September 2025

ISO 27001 Annex A.9: What the Auditor Really Wants to See

Annex A.9 — Access Control — is the most demanding of the 14 sections. Here's a practical breakdown per sub-control: A.9.1 through A.9.4, with what actually works as evidence in an SMB context.

Annex A.9 covers what ISO 27001 calls Access Control. It contains 14 sub-controls spread across 4 objectives (A.9.1 to A.9.4). The numbering here follows ISO/IEC 27001:2013; the 2022 edition redistributes the same controls across its A.5 and A.8 themes, so map accordingly if you are certifying against 2022. For SMBs, not all 14 carry equal weight, but your Statement of Applicability must list every one of them: either as applicable, with its implementation status, or as excluded, with a justification.

A.9.1 Business requirements for access control

You need an access control policy (A.9.1.1): a single document that explains how access is granted, who approves it, and how it is reviewed. Two to four pages is sufficient. The second control in this objective, A.9.1.2 (access to networks and network services), is usually covered by a short section in the same policy stating which networks and services each role may reach.

Evidence: the policy itself, plus a changelog showing it is actively maintained.

A.9.2 User access management

  • A.9.2.1 User registration and de-registration: every account creation requires a request and approval, and every removal is recorded. Evidence: logs or tickets.
  • A.9.2.2 User access provisioning: the same request-and-approval trail for granting or changing access rights, not only for creating the account.
  • A.9.2.3 Management of privileged access rights: privileged access is recorded separately, in an inventory that states who holds which admin role and why.
  • A.9.2.4 Management of secret authentication information: how are temporary passwords issued? How is MFA reset?
  • A.9.2.5 Review of user access rights: periodic access reviews, each producing a record of what was checked and by whom. This is where most audit scrutiny tends to land.
  • A.9.2.6 Removal or adjustment of access rights: offboarding (and role changes) with a demonstrable removal timeline.

A.9.3 User responsibilities

Awareness (A.9.3.1, use of secret authentication information): employees understand that they are responsible for their own credentials and MFA factors. Evidence: onboarding training log, signed acceptable use policy.

A.9.4 System and application access control

  • A.9.4.1 Information access restriction: need-to-know, i.e. least privilege per role and per data set.
  • A.9.4.2 Secure log-on procedures: MFA wherever possible, with logging of login attempts, successful and failed.
  • A.9.4.3 Password management system: enforce password quality and block reuse; scheduled rotation can be dropped provided MFA is in place.
  • A.9.4.4 Use of privileged utility programs: which admin tools exist, who may run them, and where that use is logged.
  • A.9.4.5 Access control to program source code: who can read and change source repositories, and who can push changes to production code?

What auditors reject most often

  • "We do reviews" without a report per review cycle — the auditor has no way to verify that claim.
  • Privileged access inventory out of date — "Global Admin is X" but X left four months ago.
  • Incomplete offboarding evidence — account disabled, but licence not cancelled.
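All three rejections above come down to the same missing artefact: a per-cycle record that reconciles what the directory says against what HR says. The script below is an added example written for this article, not code from the original page or from any vendor; the CSV column names, the thresholds and every sample row are constructed assumptions. It reads a constructed identity-provider export and a constructed HR roster, and emits findings mapped to the A.9.2 sub-controls (orphaned accounts, leavers still enabled or still licensed, leavers still holding admin roles, dormant accounts) plus a dated, signed review report you can file as evidence for A.9.2.5 and A.9.2.6.

```python
"""Per-cycle access review: reconcile an identity-provider export with the HR
roster and emit findings mapped to Annex A.9 sub-controls.

Added illustration, not code from the article. Field names, thresholds and all
sample rows are constructed assumptions; adapt the two CSV readers to your
own IdP and HR exports.
"""
import csv
import io
from dataclasses import dataclass, asdict
from datetime import date

# Constructed sample export from the identity provider (not real data).
# roles and licences are ';'-separated; an empty field means none.
DIRECTORY_CSV = """upn,enabled,roles,licences,last_signin
alice@example.test,true,Global Administrator,E3,2025-09-20
bob@example.test,true,,E3,2025-09-18
carol@example.test,false,,E3,2025-05-02
dave@example.test,true,Global Administrator,E3;Visio,2025-05-19
erin@example.test,true,,,2025-09-21
frank@example.test,true,,,2025-09-10
grace@example.test,true,,E3,2025-05-15
"""

# Constructed HR roster: an empty left_on means still employed.
HR_CSV = """upn,left_on
alice@example.test,
bob@example.test,
carol@example.test,2025-05-01
dave@example.test,2025-05-20
erin@example.test,
grace@example.test,
"""

OFFBOARDING_SLA_DAYS = 1  # assumption: account disabled within one day of leaving
DORMANT_DAYS = 90         # assumption: no sign-in for 90 days triggers a re-check


@dataclass
class Finding:
    upn: str
    control: str  # Annex A.9 sub-control the finding is evidence against
    issue: str


def _date(s: str):
    return date.fromisoformat(s) if s else None


def _split(s: str):
    return [x for x in s.split(";") if x]


def review(directory_csv: str, hr_csv: str, today: date) -> list[Finding]:
    """Return one Finding per discrepancy; an empty list means a clean cycle."""
    hr = {r["upn"]: _date(r["left_on"]) for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        upn = acct["upn"]
        enabled = acct["enabled"].lower() == "true"
        roles, licences = _split(acct["roles"]), _split(acct["licences"])
        last = _date(acct["last_signin"])

        if upn not in hr:
            # A.9.2.1: every account must trace back to a registered person and request
            findings.append(Finding(upn, "A.9.2.1", "no matching HR record (orphaned account)"))
            continue

        left_on = hr[upn]
        if left_on is not None:
            # Leaver: A.9.2.6 wants a demonstrable removal timeline, and
            # "disabled but still licensed" is exactly what auditors reject.
            if enabled:
                overdue = (today - left_on).days - OFFBOARDING_SLA_DAYS
                findings.append(Finding(upn, "A.9.2.6", f"still enabled, {overdue} days past offboarding SLA"))
            if licences:
                findings.append(Finding(upn, "A.9.2.6", "licence(s) not cancelled: " + ", ".join(licences)))
            if roles:
                # A.9.2.3: the privileged-access inventory is stale if a leaver still holds a role
                findings.append(Finding(upn, "A.9.2.3", "privileged role(s) still assigned: " + ", ".join(roles)))
        elif enabled and last is not None and (today - last).days > DORMANT_DAYS:
            # A.9.2.5: dormant accounts are the first thing a reviewer should question
            findings.append(Finding(upn, "A.9.2.5", f"no sign-in for {(today - last).days} days"))
    return findings


def report(findings: list[Finding], cycle_date: date, reviewer: str) -> dict:
    """The artefact to keep per cycle: who reviewed what, when, and what was found."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return {
        "cycle": cycle_date.isoformat(),
        "reviewer": reviewer,
        "counts": counts,
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    import json
    today = date(2025, 9, 23)
    print(json.dumps(report(review(DIRECTORY_CSV, HR_CSV, today), today, "ciso@example.test"), indent=2))
```

Run it on the real exports each review cycle and store the JSON (or a rendered copy of it) with the ticket that closes the cycle; a clean run with zero findings is still evidence, because it shows the review happened and what it compared. The reviewer field is the signature the auditor will ask for.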

See also: pre-audit checklist for the full list of what auditors look for.

Topics

#audit #iso-27001 #annex-a9 #toegangsbeheer

Full guide: ISO 27001 for SMBs without spending €50k on consultants

This article is part of our comprehensive Compliance guide. Read the pillar for the complete picture.

Read the pillar →