ISO/IEC 27001:2022

ISO 27001 Compliance

BalkanID simplifies your journey to ISO 27001 certification by becoming your identity and access control plane, governing every identity, enforcing every access policy, and producing continuous audit evidence across your entire scope.

What teams tell us before they switch

We run access reviews every quarter. Half the approvals get rubber-stamped because reviewers don't know what they're looking at, and we can't prove otherwise to auditors.
Our core banking system sits outside every IGA tool we've tried. Every audit cycle, we're back to explaining why it's a special case. Auditors are running out of patience.
Engineers keep their admin access long after the incident closes. We have a process on paper, we just can't enforce it or prove it's working.
What is ISO 27001?

The international standard for information security management.

ISO/IEC 27001 defines the controls an organisation must implement to systematically manage information security risk. Its Annex A contains 93 controls; roughly a third directly govern identity: how access is granted, reviewed, and revoked, and whether you can prove it to an auditor. Certification requires an accredited auditor to verify that your controls work in practice, not just in policy documents. The identity controls are consistently where organisations accumulate the most risk and produce the least evidence.
How BalkanID addresses ISO 27001

Every identity control the auditor will test.

Six capabilities mapped to named Annex A controls, producing continuous, timestamped evidence, not a pre-audit export.
Authoritative identity scope & source of truth
BalkanID integrates with your HRIS as the single source of truth for every identity lifecycle event. Joiners, movers, and leavers trigger automated provisioning and deprovisioning, each logged with timestamp, trigger, and approver. Scope includes employees, contractors, service accounts, and agentic AI, with nothing carved out.
Centralized RBAC & ABAC policy engine
Access policies, role-based by job function and attribute-based by data classification, are defined once and enforced across every connected application. One policy change propagates everywhere. Policy version history and the review log are maintained automatically as audit evidence.
Just-In-Time, Purpose-Based Access Control (JITPBAC)
No one holds standing privileged access. Engineers request elevated access for a specific purpose; each grant is approved, time-boxed, and auto-revoked when the session ends. Every session is logged with purpose, approver, duration, and ticket.
Birthright access & automated JML
On Day 1, a new employee's HRIS role triggers automatic provisioning of exactly the access their job requires: no manual tickets, no overprivileged groups. On their last day, deprovisioning is automatic, verified across every connected system, and logged.
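The lifecycle, JIT and birthright capabilities above describe one mechanism from three angles: an HRIS event drives what an identity holds by default, a JIT request adds a purpose-scoped grant with an expiry, and the evidence of both is an audit trail. The following is an added illustration in Python, not BalkanID's code or API, of how such a governance plane behaves end to end, including the failure mode from the testimonials (admin access kept after the incident closed), which it surfaces as a "standing privilege violation" before auto-revoking it. Role names, entitlement strings, the identity "alice" and the ticket number are constructed for the example.

```python
"""Added example (not BalkanID code): a minimal identity governance plane
showing HRIS-driven joiner/mover/leaver provisioning, birthright access by
role, time-boxed just-in-time (JIT) elevation with auto-revocation, and a
check for JIT grants that outlived their window. All names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed birthright map: HRIS job role -> entitlements granted on Day 1.
BIRTHRIGHT = {
    "backend-engineer": {"github:read", "github:write", "aws:dev-readonly"},
    "support-analyst": {"servicenow:agent", "salesforce:read"},
}


@dataclass
class Grant:
    identity: str
    entitlement: str
    kind: str                         # "birthright" or "jit"
    granted_at: datetime
    trigger: str                      # HRIS event or request that caused it
    approver: Optional[str] = None
    purpose: Optional[str] = None
    ticket: Optional[str] = None
    expires_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None

    def is_active(self) -> bool:
        return self.revoked_at is None


@dataclass
class GovernancePlane:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # timestamped evidence

    def _log(self, event: str, now: datetime, **detail) -> None:
        self.audit_log.append({"ts": now.isoformat(), "event": event, **detail})

    def active(self, identity: str) -> set:
        return {g.entitlement for g in self.grants
                if g.identity == identity and g.is_active()}

    def _grant(self, identity, entitlement, kind, now, trigger, **extra) -> Grant:
        g = Grant(identity, entitlement, kind, now, trigger, **extra)
        self.grants.append(g)
        self._log("provision", now, identity=identity, entitlement=entitlement,
                  kind=kind, trigger=trigger, **extra)
        return g

    def _revoke(self, g: Grant, now: datetime, reason: str) -> None:
        g.revoked_at = now
        self._log("deprovision", now, identity=g.identity,
                  entitlement=g.entitlement, kind=g.kind, reason=reason)

    # --- JML lifecycle driven by HRIS events ---------------------------------
    def joiner(self, identity: str, role: str, now: datetime) -> None:
        for ent in sorted(BIRTHRIGHT[role]):
            self._grant(identity, ent, "birthright", now, f"hris:joiner:{role}")

    def mover(self, identity: str, new_role: str, now: datetime) -> None:
        wanted = BIRTHRIGHT[new_role]
        # Revoke everything the new role does not justify (including leftover JIT).
        for g in self.grants:
            if g.identity == identity and g.is_active() and g.entitlement not in wanted:
                self._revoke(g, now, f"hris:mover:{new_role}")
        for ent in sorted(wanted - self.active(identity)):
            self._grant(identity, ent, "birthright", now, f"hris:mover:{new_role}")

    def leaver(self, identity: str, now: datetime) -> None:
        for g in self.grants:
            if g.identity == identity and g.is_active():
                self._revoke(g, now, "hris:leaver")

    # --- Just-in-time, purpose-based elevation -------------------------------
    def jit_request(self, identity, entitlement, purpose, approver, ticket,
                    ttl: timedelta, now: datetime) -> Grant:
        return self._grant(identity, entitlement, "jit", now, "jit-request",
                           approver=approver, purpose=purpose, ticket=ticket,
                           expires_at=now + ttl)

    def standing_privilege_violations(self, now: datetime) -> list:
        """JIT grants past expiry that are still active: the 'admin access kept
        after the incident closed' failure mode, reported before enforcement."""
        return [g for g in self.grants
                if g.kind == "jit" and g.is_active() and g.expires_at <= now]

    def enforce_expiry(self, now: datetime) -> int:
        expired = self.standing_privilege_violations(now)
        for g in expired:
            self._revoke(g, now, "jit-expiry")
        return len(expired)


def run_scenario() -> dict:
    """Walk one constructed identity through join, JIT elevation, move, leave."""
    gp, snaps = GovernancePlane(), {}
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    gp.joiner("alice", "backend-engineer", t0)
    snaps["day1"] = gp.active("alice")
    gp.jit_request("alice", "aws:prod-admin", purpose="INC-1234 db failover",
                   approver="bob", ticket="INC-1234", ttl=timedelta(hours=4), now=t0)
    snaps["during_incident"] = gp.active("alice")
    snaps["violations_at_5h"] = len(gp.standing_privilege_violations(t0 + timedelta(hours=5)))
    snaps["auto_revoked"] = gp.enforce_expiry(t0 + timedelta(hours=5))
    snaps["after_enforcement"] = gp.active("alice")
    gp.mover("alice", "support-analyst", t0 + timedelta(days=90))
    snaps["after_move"] = gp.active("alice")
    gp.leaver("alice", t0 + timedelta(days=365))
    snaps["after_leave"] = gp.active("alice")
    snaps["deprovision_events"] = sum(1 for e in gp.audit_log if e["event"] == "deprovision")
    return snaps


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of `standing_privilege_violations` is that it is a query over the same evidence the audit log is built from: an auditor's question ("show me every elevated grant that was still live after its approved window") becomes a function call rather than a spreadsheet reconciliation, and `enforce_expiry` turns the answer into a logged deprovision event.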
Continuous access reviews with AI prioritization
BalkanID replaces the spreadsheet-driven review with a continuous, risk-ranked process. Reviewers see only the decisions that need judgment, not a 5,000-row CSV. Evidence of every campaign is stored and exportable for auditors. Covers connected apps, custom apps, and legacy systems with no API.
Non-human & agentic identity governance
Service accounts, API keys, CI/CD pipeline identities, and agentic AI are the blind spot in most ISO 27001 implementations. BalkanID brings them into the same governance plane, same policies, same reviews, same immutable audit trail. Your scope statement doesn't need a footnote.
Identity scope for ISO 27001

Human. Non-human. Agentic. All in one governance plane.

ISO 27001 doesn't distinguish between identity types: your controls need to cover everything. Most IGA platforms stop at the first column.
Human Identities
Employees (FTE)
Contractors & vendors
Privileged / admin users
Temporary / project staff
Offboarded (verified deprovisioned)
Non-Human Identities
Service accounts
API keys & tokens
CI/CD pipeline identities
Cloud workload identities
Shared / functional accounts
Agentic AI Identities
LLM agents & copilots
RPA bots
Autonomous workflow agents
AI tool integrations
Purpose-scoped AI sessions
Access reviews

Every app in scope. Including the ones with no API.

ISO 27001 doesn't exempt your legacy systems from access reviews. BalkanID covers all three categories with the same depth and the same audit evidence.
Connected apps
Native connectors · SCIM / REST
Entitlements pulled in real time, risk-ranked by AI, surfaced to the right reviewer. No CSV exports, no stale data.
Okta
Active Directory
AWS IAM
Salesforce
GitHub
Workday
Azure AD
GCP
ServiceNow
Automated evidence
Custom applications
Internal apps · REST / GraphQL
Internally built apps connect via BalkanID's API or a custom connector. Reviews run identically to those for native connectors, with the same evidence and the same controls.
Internal portals & dashboards
Proprietary trading platforms
Homegrown admin consoles
Custom connector
Disconnected & legacy systems
No API · No SCIM · Legacy stack
AI operators interact at the UI layer, so no API is required. The legacy systems auditors always ask about are fully in scope, with the same evidence as everything else.
Core banking systems
Mainframe & AS/400 apps
Legacy ERP · On-premise clinical
AI operator

Schedule a demo to see how BalkanID can help you with your ISO 27001 audit

Reduce Audit Effort. Increase Compliance Confidence.