ISO 27001 / SOC 2 / Essential Eight Access Controls
Audit-ready access controls aligned with ISO 27001:2022, SOC 2, and the Australian Essential Eight, built on Microsoft Entra.
ISO 27001 / SOC 2 / Essential Eight access controls in one platform
ISO 27001, SOC 2, and the Australian Essential Eight all expect the same operating discipline around access: documented joiners, periodic access reviews and access certifications, least privilege, change management, privileged-access governance, and evidence an auditor can verify. Apporetum implements those controls on top of Microsoft Entra ID under a flat-fee subscription, with no per-user IGA licensing required to satisfy your access management clauses.
Key clauses Apporetum addresses

User Access Lifecycle
Manage user access from onboarding to departure, including granting, modifying, and revoking access.
Requesting Access
Create a formal system for users to request access to systems and applications.
Approving Access Requests
Implement a flexible approval process, ensuring only authorised personnel can grant access.
Access Management Policies
Structure the implementation of approved access, including user accounts and permissions. Promptly revoke access when users no longer need it or leave the organisation.
Managing Changes to Access
Update access permissions as users' employment roles change and adapt. Minimise entitlement creep as employees grow throughout your business.
Monitoring Access
Regularly monitor user access to detect anomalies or unauthorised activities. Put detections and alerts in place, backed by appropriate business policies, so that findings are remediated effectively.
How Apporetum Helps Achieve ISO 27001:2022 Compliance
ISO 27001:2022 consolidated the Annex A controls and renumbered the access-control family. Apporetum directly supports the new control map: A.5.15 Access Control, A.5.16 Identity Management, A.5.17 Authentication Information, A.5.18 Access Rights, A.8.2 Privileged Access Rights, and A.8.3 Information Access Restriction. Where the 2013 standard referenced A.9.2.5 Review of user access rights, the equivalent obligation now sits under A.5.18, and Apporetum schedules, conducts and evidences those periodic reviews end-to-end. Regular reviews mitigate risks from former employees, temporary workers and contractors retaining access they no longer need.
A.5.15 Access Control
Apporetum defines and enforces access policies across Entra ID and connected applications, with guardrails on every assignment.
A.5.16 Identity Management
A single identity record per workforce person is correlated across HR, AD, Entra ID and ITSM and governed by deterministic JML rules.
A.5.17 Authentication Information
Apporetum delegates authentication to Microsoft Entra ID via SSO, inheriting your MFA and Conditional Access policies, with no local credential store.
A.5.18 Access Rights
Apporetum schedules and orchestrates periodic access reviews (replacing the A.9.2.5 obligation from the 2013 control map) with full per-entitlement audit evidence.
A.8.2 Privileged Access Rights
Secondary admin accounts and PIM-eligible role groups are governed with stricter guardrails, mandatory approvals and shorter review intervals.
A.8.3 Information Access Restriction
Entitlement-based access to applications, with time-bound elevations and automatic revocation when access falls out of policy.
Data Discovery Engine
Provides full visibility into user access data, allowing for thorough analysis and proactive monitoring of user activities. It automates the identification of managed, unmanaged, and shadow IT apps.
Unified Access Reviews
Centralises user access data, enabling thorough examination of access privileges and real-time monitoring of user activities.
Automated & Manual Access Review
Automates the access review process, from creating certifications to updating review statuses, ensuring efficiency and accuracy. Document access reviews and their status for auditing and remediation purposes.
Time-bound Access
Automates the removal of access after a set period and enforces a renewal process for anyone who needs to keep access for longer.
Deterministic Lifecycle Management
Membership Timeline Audits
Get compliant with your Identity & Access Management to reduce your cyber risk.
With Apporetum, your IT team can efficiently control, manage, and govern user access, ensuring data security and compliance with evolving standards.