How IAM helps with certification and audits such as NIS2 and ISO27001

Mike Fraanje

8 min read

Certifications such as ISO 27001 are an important step toward mature information security for many organisations. With the arrival of the NIS2 directive, the requirements become even stricter: organisations must not only demonstrate that they work securely but also that this security is systematically and continuously ensured.

Both standards have a strong focus on identity and access management. And that's not surprising. Access determines which employees, externals, systems, and processes can reach company data. As long as that management is fragmented, security remains vulnerable.

Many organisations already have tooling, policies, and procedures but find during audits that it is not enough. The auditor asks simple questions, such as:

  • Can you explain why this person has access to this system?

  • How do you ensure that externals are deactivated in time?

  • How do you demonstrate that rights are managed structurally?

  • Where is it recorded when someone gained or lost access?

Without IAM, it takes days or weeks to demonstrate this. With IAM, it takes minutes. And that difference determines whether audits run smoothly or become an annual struggle.


Why ISO 27001 and NIS2 find IAM so important

Although ISO 27001 and NIS2 differ in setup, both frameworks revolve around the same basis: organisations must demonstrate that access to information is logical, secure, and controllable.

ISO 27001 requires, among other things:

  • clear policy rules for access

  • segregation of duties and minimisation of rights

  • correct and timely deprovisioning

  • logging of access provisioning and changes

  • periodic reviews of all access rights

NIS2 obliges organisations to:

  • implement strict access control

  • regulate and monitor external access

  • continuously improve cybersecurity processes

  • control risks within the chain

  • prevent incidents and adequately account for them

IAM forms the bridge between these requirements and practice. Without IAM, you can hardly demonstrate that access is managed in a controlled manner.


The practice: why organisations often get stuck during audits

Many companies have their technical security in order. Firewalls, encryption, virus protection, multi-factor authentication. But when an auditor starts talking about access rights, the biggest problems arise.

Typical scenario without IAM:

  • HR has a spreadsheet with employees but no integration with IT.

  • IT manages accounts manually in AD and separate SaaS apps.

  • Externals are registered via email or purchasing but not formally deactivated.

  • Rights are assigned based on requests, not on policy.

  • No one knows exactly what historical rights someone has accumulated.

  • Licenses continue even if accounts are inactive.

  • Audit questions are answered with screenshots and exports.

This leads to stress, risks, and a significant lack of confidence in the process.

IAM structurally solves these problems by automating access rather than correcting it after the fact.


How IAM helps to successfully pass ISO 27001 and NIS2 audits

IAM changes the entire foundation of access management. No longer dependent on individuals, processes, or separate systems, but one central layer that determines and processes access consistently.

1. One source of identity through HR integration

HR continues working in the HR system, such as YouServe, AFAS, Personio, or Deel. Joinly synchronises all relevant identity data, such as roles, departments, locations, and contract types. This creates a reliable starting point for all access decisions.

2. Access is determined according to policy via RBAC and ABAC

In Joinly, you determine access not per person but based on policy.
RBAC uses roles, for example:

  • HR employee

  • Marketing lead

  • IT administrator

ABAC uses characteristics such as:

  • Location

  • Type of employee (internal, external)

  • Certification level

  • Project assignment

This model is not only technically efficient but also audit-proof. Auditors want to understand why access is granted, and RBAC/ABAC provides exactly that insight.
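To make the "why does this person have access" question concrete, here is an added example of a small policy engine that combines RBAC (role carries entitlement) with ABAC (attribute conditions must hold) and returns the reasoning alongside the decision. This is illustration code written for this article, not Joinly's code; the roles, attributes, entitlements, and the rule format are constructed assumptions.

```python
"""Policy-driven access decisions (RBAC + ABAC) with an audit-ready explanation.

Added illustration, not Joinly's code. The roles, attributes and entitlements
below are constructed sample data; the rule format is an assumption made for
this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """The attributes an HR system would supply for one person."""
    user_id: str
    role: str
    employee_type: str          # "internal" or "external"
    location: str
    certification_level: int
    projects: frozenset = field(default_factory=frozenset)


# RBAC: which entitlements a role carries (constructed sample policy).
ROLE_ENTITLEMENTS = {
    "hr_employee": {"hris.read", "hris.write"},
    "marketing_lead": {"crm.read", "cms.publish"},
    "it_administrator": {"ad.admin", "crm.read", "hris.read"},
}

# ABAC: conditions an identity must also satisfy before an entitlement is granted.
# Each condition is (attribute, operator, expected); all conditions of a rule must hold.
ABAC_CONDITIONS = {
    "ad.admin": [("employee_type", "eq", "internal"), ("certification_level", "ge", 3)],
    "hris.write": [("employee_type", "eq", "internal"), ("location", "in", {"NL", "BE"})],
    "cms.publish": [("projects", "contains", "website-relaunch")],
}

OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "ge": lambda actual, expected: actual >= expected,
    "in": lambda actual, expected: actual in expected,
    "contains": lambda actual, expected: expected in actual,
}


def decide(identity: Identity, entitlement: str):
    """Return (granted, reasons). The reasons list is the audit trail: each line
    names the role or attribute that produced the outcome."""
    reasons = []
    role_grants = ROLE_ENTITLEMENTS.get(identity.role, set())
    if entitlement not in role_grants:
        reasons.append(f"DENY: role '{identity.role}' does not carry '{entitlement}'")
        return False, reasons
    reasons.append(f"role '{identity.role}' carries '{entitlement}'")
    for attribute, op, expected in ABAC_CONDITIONS.get(entitlement, []):
        actual = getattr(identity, attribute)
        if OPERATORS[op](actual, expected):
            reasons.append(f"condition {attribute} {op} {expected!r} holds (actual {actual!r})")
        else:
            reasons.append(f"DENY: condition {attribute} {op} {expected!r} fails (actual {actual!r})")
            return False, reasons
    return True, reasons


def effective_entitlements(identity: Identity) -> set:
    """Every entitlement a person should hold under current policy: the desired
    state that provisioning later compares against the real accounts."""
    return {e for e in ROLE_ENTITLEMENTS.get(identity.role, set()) if decide(identity, e)[0]}


if __name__ == "__main__":
    alice = Identity("alice", "it_administrator", "internal", "NL", 3)
    bob = Identity("bob", "it_administrator", "external", "DE", 3)
    for who in (alice, bob):
        granted, why = decide(who, "ad.admin")
        print(who.user_id, "ad.admin", "GRANTED" if granted else "DENIED")
        for line in why:
            print("   ", line)
```

The point for an audit is the `reasons` list: the same role (`it_administrator`) yields a different decision for an external, and the output states exactly which attribute caused it, so the answer to the auditor is the policy itself rather than a screenshot.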

3. Provisioning and deprovisioning happen automatically

One of the biggest risks during audits is forgotten accounts. IAM eliminates that risk entirely. Joinly ensures:

  • automatic creation of accounts

  • automatic revocation upon departure

  • automatic adjustment for role changes

  • automatic cleanup of licenses

  • uniform processing of external access

This shows auditors that access does not rely on manual work but on controlled, repeatable processes.

4. Everything is logged and immediately demonstrable

Joinly automatically records all access decisions and changes. No screenshots. No Excel lists. No paper dossiers.

For auditors, this is ideal. They only need to see how the process works. The evidence is built-in.

5. External access is fully under control

NIS2 imposes particularly stringent requirements on suppliers and chain partners. Many organisations carry risk there: externals remain active too long, hold rights that are too broad, or are not managed structurally at all.

Joinly makes externals part of the same IAM process.
They receive:

  • controlled onboarding

  • limited, policy-driven rights

  • automatic offboarding based on end date

This aligns perfectly with NIS2.
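Sections 3, 4 and 5 above describe one mechanism from three angles: accounts are derived from the HR source, every change is logged, and externals lose access on their end date. The added example below reconciles a set of existing accounts against HR records and produces joiner, mover and leaver actions together with an append-only audit log. It is illustration code written for this article, not Joinly's code; the HR records, accounts, role-to-application mapping, action names and log format are all constructed assumptions.

```python
"""Reconciling target-system accounts against the HR source of truth.

Added illustration, not Joinly's code. The HR records, existing accounts and
role-to-application mapping are constructed sample data; the action names
("create", "update", "disable") and the audit-log format are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    employee_type: str          # "internal" or "external"
    end_date: Optional[date]    # contract end; externals always carry one


@dataclass
class Account:
    user_id: str
    app: str
    role: str
    active: bool
    licensed: bool


# Which applications each role needs (constructed; a real deployment derives this from policy).
ROLE_APPS = {
    "hr_employee": {"hris"},
    "it_administrator": {"ad", "hris"},
    "contractor_dev": {"git"},
}

AUDIT_LOG = []   # append-only; each entry answers "who got or lost what, and why"


def log(user_id, app, action, reason):
    AUDIT_LOG.append({"user": user_id, "app": app, "action": action, "reason": reason})


def desired_state(records, today):
    """Desired (user, app) pairs: only identities whose contract is still running."""
    wanted = set()
    for r in records:
        if r.end_date is not None and r.end_date < today:
            continue   # contract ended: no access at all, whatever the role says
        for app in ROLE_APPS.get(r.role, set()):
            wanted.add((r.user_id, app))
    return wanted


def reconcile(records, accounts, today):
    """Return the provisioning actions needed and record each one in the audit log."""
    by_id = {r.user_id: r for r in records}
    wanted = desired_state(records, today)
    existing = {(a.user_id, a.app): a for a in accounts}
    actions = []

    # Joiners and movers: every wanted pair must exist, be active and carry the current role.
    for user_id, app in sorted(wanted):
        rec, acc = by_id[user_id], existing.get((user_id, app))
        if acc is None:
            actions.append(("create", user_id, app))
            log(user_id, app, "create", f"role {rec.role} requires {app}")
        elif not acc.active:
            actions.append(("update", user_id, app))
            log(user_id, app, "update", "reactivated: identity active in HR again")
        elif acc.role != rec.role:
            actions.append(("update", user_id, app))
            log(user_id, app, "update", f"role changed from {acc.role} to {rec.role}")

    # Leavers and surplus: any active account that is not wanted is disabled and its licence released.
    for key in sorted(existing):
        user_id, app = key
        acc = existing[key]
        if key in wanted or not acc.active:
            continue
        rec = by_id.get(user_id)
        if rec is None:
            reason = "no HR record: identity unknown to the source of truth"
        elif rec.end_date is not None and rec.end_date < today:
            reason = f"contract ended {rec.end_date.isoformat()}"
        else:
            reason = f"role {rec.role} does not require {app}"
        actions.append(("disable", user_id, app))
        log(user_id, app, "disable", reason + ("; licence released" if acc.licensed else ""))
    return actions


# Constructed sample data: one mover (bob), one new external (dave),
# one external past end date (carol) and one account with no HR record at all (erin).
SAMPLE_HR = [
    HrRecord("alice", "it_administrator", "internal", None),
    HrRecord("bob", "hr_employee", "internal", None),
    HrRecord("carol", "contractor_dev", "external", date(2024, 3, 31)),
    HrRecord("dave", "contractor_dev", "external", date(2025, 12, 31)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "ad", "it_administrator", True, True),
    Account("alice", "hris", "it_administrator", True, True),
    Account("bob", "ad", "it_administrator", True, True),
    Account("bob", "hris", "it_administrator", True, True),
    Account("carol", "git", "contractor_dev", True, True),
    Account("erin", "git", "contractor_dev", True, True),
]

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, date(2024, 6, 1)):
        print(action)
    for entry in AUDIT_LOG:
        print(entry)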


Why Joinly accelerates certification instead of delaying it

With Joinly, IAM becomes not a technical project but a strategic building block for security. The platform makes organisations demonstrably safer and audit-ready without creating extra work for teams. Identities are consistent, rights are explainable, processes are automated, and reports are immediately available.

The result:

  • audits take less time

  • auditor findings decrease drastically

  • risks become visible earlier

  • security becomes proactive instead of reactive

  • compliance becomes continuous instead of annual

Joinly makes ISO 27001 and NIS2 structurally achievable.


IAM as the foundation for modern security

ISO 27001 and NIS2 are not checklists but frameworks that must make organisations safer. IAM is not a small part of this, but the basis on which all security rests. Without central, automatic, explainable access management, no organisation is truly secure or audit-ready.

Joinly ensures that IAM is understandable, scalable, and controllable. Exactly what is needed to meet the highest security standards in a modern digital environment.

Browsing is free

Schedule a no-obligation demo

In 30 minutes, we would love to show you how Joinly adds value for the entire organization.
