ISO 27001 Annex A Access Control & Privileged Access Management

Close your ISO 27001 SSH access control gaps. In under 30 minutes.

Ezeelogin maps directly to the privileged access, session logging, identity lifecycle and access revocation controls your auditor will check — out of the box, self-hosted, no cloud dependency.

Satisfies ISO 27002:2022 controls

8.2 Privileged Access Rights

8.15 Logging

5.15 Access Control

5.16 Identity Management

5.18 Access Rights

The ISO 27001 SSH problem

Three gaps that stall ISO 27001 certification

These are the privileged access findings that appear on almost every ISO 27001 gap assessment for companies with Linux server infrastructure.

ISO 27001 — 8.2(j) & 8.15

“No evidence of audit trails for privileged SSH access.”

Auditors require documented proof that every privileged access event was logged with user identity, timestamp, and activity. SSH keys alone leave no trail.

Ezeelogin logs every SSH session automatically — user, server, timestamp, full session recording. Exportable for auditors on demand.

ISO 27001— 5.16(d) & 5.18(d)

“Access rights not removed in a timely fashion when personnel leave.”

ISO 27001 explicitly requires identities to be disabled or removed promptly when no longer needed. Manual SSH key removal across server fleets routinely fails this test.

Ezeelogin removes access to every server in a single action — seconds after a user departs, with a full audit trail of the removal.

ISO 27001 — 8.2(h) & 5.3

“Shared root credentials and no segregation of privileged duties.”

Shared admin accounts violate 8.2(h). ISO 27001 requires each person to have a separate identity so privileged actions can be attributed to a specific individual.

Ezeelogin creates individual gateway identities per user. No shared root. Every action attributed. Segregation enforced by design.

ISO 27001:2022 control mapping

See How Ezeelogin Helps Meet
ISO 27001 Access Control Requirements

A direct map between the ISO 27001:2022 controls your auditor will check, and the Ezeelogin features that satisfy each one.

ISO 27001 Controls - Ezeelogin
Control ISO 27001:2022 Requirement How Ezeelogin satisfies it
8.2

Privileged Access Rights

Restrict and manage allocation of privileged access. Log all privileged access for audit. No shared admin IDs. Break-glass / just-in-time access for maintenance.

  • Individual gateway identities per user — no shared root
  • RBAC grants minimum access required per role
  • Every privileged session logged with full session recording
  • Temporary access windows can be scoped per user
8.15

Logging

Produce logs of user IDs, timestamps, system access events and privileges. Protect logs against tampering. Support SIEM integration.

  • Automatic session logs: user ID, server, date/time, commands
  • Full session replay for every SSH connection
  • Logs searchable by user, server and date range
  • Export for auditor review or SIEM ingestion
8.16

Monitoring Activities

Monitor networks and systems for anomalous behaviour. Establish baselines. Real-time alerting.

  • Real-time visibility of active SSH sessions
  • Command Guard blocks or flags prohibited commands
  • Admin notifications on access events
5.15

Access Control

Establish rules for physical and logical access. Apply least privilege and need-to-know principles.

  • RBAC enforces least-privilege access
  • Users only access assigned servers
  • Group inheritance simplifies policy management
  • MFA enforced at gateway
5.16

Identity Management

Manage the full lifecycle of identities. Disable or remove identities when no longer required.

  • Central identity management
  • Single action disables user across fleet
  • Unique gateway identity per user
  • Identity creation/removal audit trail
5.18

Access Rights

Provision, review, modify and remove access rights. Maintain a central record of granted access.

  • Instant revocation across all servers
  • Central access rights registry
  • Periodic access review reports
  • Timestamped audit trail
5.3

Segregation of Duties

Separate conflicting duties using RBAC.

  • Separate admin, operator and read-only roles
  • Approval workflows
  • Independent client access scopes
8.18

Privileged Utility Programs

Restrict use of utility programs that override controls. Log all use.

  • Command Guard allow/block lists
  • Sudo access restrictions
  • Command execution audit logging
8.22

Segregation of Networks

Group information services into segregated domains and control traffic between them.

  • All SSH routes through one jump server
  • Production servers never directly exposed
  • Server grouping by environment or sensitivity
5.17

Authentication Information

Control authentication information. Enforce MFA. Manage password lifecycle.

  • MFA with Google Authenticator, Duo and YubiKey
  • Centralized SSH key management
  • No direct server credentials exposed to end users
Getting started

Setup ISO 27001 access control before your next audit

Self-hosted on your own infrastructure. No cloud dependency. No data leaving your environment — which matters for ISO 27001 scope boundary documentation.

Install on your server

Run the installer on any Linux server. Standard VPS setup completes in under 10 minutes.

Add your servers

Onboard servers individually or in bulk. Group by environment, sensitivity level or business unit.

Set access rules​

Assign roles via RBAC. Enforce MFA. Set command restrictions. Every control documented.

Evidence generated

Audit logs, session recordings and access reports are produced automatically from day one.

What your auditor is actually asking for

"Can you show me evidence of how privileged SSH access is controlled, logged, and revoked across your server estate?"

This single auditor question maps to at least five ISO 27001:2022 controls. Without a centralised SSH gateway, answering it requires assembling logs from dozens of servers, tracking down SSH key records, and hoping nothing was missed. With Ezeelogin, you pull one report.

8.2 Privileged Access

8.15 Logging

5.15 Access Control

5.16 Identity Management

5.18 Access Rights

Real scenarios

How teams use Ezeelogin during ISO 27001 audits

IT Manager — Gap Assessment

The consultant's gap report lists privileged access controls as "not evidenced"

Without Ezeelogin: the team scrambles to compile SSH key inventories, server access spreadsheets, and manual offboarding checklists — none of which satisfy 8.2 or 8.15 in a documented, auditable way. With Ezeelogin: install, configure RBAC, and the evidence starts generating automatically. Gap closed before the next review.

Outcome: Gap report findings addressed with documented, repeatable controls.

Sysadmin — Stage 2 Audit

The auditor asks for a log of all privileged access to production servers in the last 90 days

Without Ezeelogin: logs are scattered across individual servers in different formats, some rotated or missing. The request takes days and the output is incomplete. With Ezeelogin: run the session log report, filter by date range and server group. A complete, timestamped, per-user export is ready in minutes.

Outcome: Auditor requirement met in one export. Certification unblocked.

CISO — Ongoing Compliance

Annual ISO 27001 surveillance audit requires evidence of access rights review

ISO 27001 5.18 requires regular review of access rights. Without a central system, this means chasing server admins for lists that go stale immediately. With Ezeelogin: the access rights registry is always current. The review is a report, not a project.

Outcome: Continuous compliance evidence. No annual scramble.

DevOps Lead — Offboarding

An engineer leaves. The ISO 27001 control requires prompt access removal and a record

ISO 27001 5.16(d) requires identities to be disabled “in a timely fashion.” Manual SSH key removal across dozens of servers is slow and error-prone — the exact pattern auditors flag. With Ezeelogin: one action removes access across every server and logs the removal with a timestamp.

Outcome: 5.16(d) satisfied. Full audit trail. Zero lingering access.

Features

Everything your ISO 27001 access control auditor needs to see — built in

MFA enforcement

Enforce two factor authentication or MFA at the gateway using Google Authenticator, Duo, YubiKey, FIDO2, or RADIUS. Supports ISO/IEC 27001:2022 control 5.17

ISO 27001 — 5.17

Instant access revocation

Remove a user's access to every server in a single action. Timestamped and logged. The documented, repeatable process 5.16(d) and 5.18(d) require.

ISO 27001 — 5.16, 5.18

HA cluster support

Master-slave high availability ensures your access control infrastructure meets the Availability requirements across 5.15, 8.14 and business continuity controls.

ISO 27001 — 8.14

Centralised SSH gateway

All access routes through one jump server. Production servers never directly exposed. Supports network segregation requirements under 8.22.

ISO 27001 — 8.22

Role-based access control

Assign least-privilege access by role, group or individual server. No user touches a server they aren't explicitly authorised to access. Satisfies 5.15 and 8.2.

ISO 27001 — 5.15, 8.2

Full SSH session recording

Every SSH session recorded and replayable. Timestamped, searchable by user, server or date. The primary evidence artefact for 8.15 logging requirements.

ISO 27001 — 8.15

Access rights registry

Central record of access rights granted to every user across every server. Always current. Supports periodic access rights reviews required under 5.18.

ISO 27001 — 5.1

Command Guard

Whitelist or blacklist specific commands per user or group. Restricts use of privileged utility programs as required under 8.18. All execution logged.

ISO 27001 — 8.18

Self-hosted deployment

Runs entirely on your infrastructure. Session data, logs and access records never leave your environment — critical for defining your ISO 27001 ISMS scope boundary.

Data sovereignty

Compliance coverage

ISO 27001 is one of several frameworks Ezeelogin supports

Ezeelogin’s centralised SSH access controls, session recordings and audit logs satisfy privileged access requirements across the compliance frameworks most commonly required by enterprise clients and regulatory bodies.

ISO 27001 / 27002

PCI-DSS

SOC 2

HIPAA

NIST

GDPR

SOX

FedRAMP

Common questions

Questions teams ask before ISO 27001 certification

Yes. Ezeelogin generates timestamped session logs containing user IDs, server identifiers, and command histories—the specific audit evidence referenced in ISO/IEC 27001:2022 controls 8.2(j) and 8.15. Session recordings provide non-repudiable evidence of the exact actions performed during privileged access. Many organizations use Ezeelogin exports directly as audit evidence.

Yes, significantly. Because Ezeelogin runs entirely on your own infrastructure, your access logs, session recordings and identity data stay within your ISMS boundary. This simplifies your scope documentation and avoids the third-party cloud risk assessment required when audit evidence is held by a SaaS provider.

The most common gap is session-level logging — most organisations have system-level logs but not full per-session SSH audit trails with session replay. The second most common gap is documented, timestamped access revocation. Both are explicit ISO 27001:2022 requirements (8.15 and 5.16/5.18) that SSH key management alone cannot satisfy.

Installation on a standard Linux server takes under 10 minutes. Adding servers and configuring RBAC typically takes 30–60 minutes for a standard fleet. Ezeelogin offers a free screen-share onboarding session to get you through initial setup. Most teams are generating audit-ready logs the same day they install.

Yes. Ezeelogin logs can be exported and ingested into SIEM platforms. ISO 27001:2022 control 8.15 references SIEM as the recommended mechanism for log analysis and alerting — Ezeelogin provides the structured SSH access logs that feed into it.

Yes. Ezeelogin is cloud-agnostic and works with any Linux server you can SSH into — AWS, GCP, Azure, bare metal, VPS or any combination. ISO 27001 scope often spans hybrid environments; Ezeelogin’s single gateway covers all of them from one control point.

Simple, server-based pricing. Your subscription is based on the number of servers added to the gateway, allowing you to scale your infrastructure without being limited by the number of users accessing the system. See full pricing →

Start closing your ISO 27001 privileged access management gaps today!

30-day free trial. Self-hosted setup in under 30 minutes. No credit card required. Free screen-share onboarding available.
Trusted by security-conscious teams managing server infrastructure since 2009.