How MDM Supports ISO 27001:2022 Access Control (Updated for 2026)

Editor’s note: This post was originally published in May 2021 and has been fully updated to reflect ISO 27001:2022, which replaced the 2013 version of the standard. The October 2025 transition deadline has passed — if you’re pursuing or maintaining ISO 27001 certification, the 2022 version is the only game in town. The good news: everything we said about MDM doing the heavy lifting still holds. The control numbers have just moved around.
The great poet Tennyson said “In the spring, a young IT specialist’s fancy turns to thoughts of ISO 27001,” and honestly, after 28 years in this business I have to agree. There is something almost romantic about a well-structured information security management system.
If you’re pursuing ISO 27001:2022 certification — or maintaining an existing certification that’s just transitioned from the 2013 version — access control is one of the areas where MDM earns its keep most visibly. Let me walk you through how the 2022 controls map to what your MDM is already doing, and flag a few places where the update changes the picture.
Quick Answer: Does MDM Still Help With ISO 27001 Access Control in 2022?
Yes — significantly. ISO 27001:2022 restructured controls from 14 domains into 4 themes and reduced the total from 114 to 93. Access control requirements are now distributed across the Organizational and Technological themes rather than concentrated in Annex 9. MDM covers a substantial portion of the relevant Technological controls (Annex A.8) and several Organizational ones (Annex A.5) — including encryption, authentication, access rights management, patch management, and audit trail generation.
What Actually Changed in ISO 27001:2022?
The short version: the 2013 standard had 114 controls organized into 14 domains. The 2022 version has 93 controls organized into 4 themes. That’s not just a cosmetic reorganization — 24 controls were merged, 58 were revised, and 11 entirely new controls were added.
For our purposes, the key structural change is that the old “Annex A.9 Access Control” cluster — which the original version of this post was built around — no longer exists as a standalone section. Access control requirements are now distributed across:
- Annex A.5 (Organizational Controls) — covers access control policy, access rights management, identity management, and authentication requirements.
- Annex A.8 (Technological Controls) — covers the technical implementation: privileged access, secure authentication, encryption, vulnerability management, and audit logging.
The substance hasn’t changed much. The philosophy is identical: only the right people should have access to the right systems, using strong authentication, with access reviewed and revoked when circumstances change. The 2022 version just aligns the controls more naturally with how modern organizations actually operate — cloud-first, remote-first, and increasingly device-centric.
If you were certified under ISO 27001:2013 and are now transitioning, the conceptual work you did under the old Annex 9 isn’t wasted. Most of it maps directly to the 2022 equivalents. The main task is updating your Statement of Applicability to reference the new control numbers.
How MDM Capabilities Map to ISO 27001:2022 Access Control Requirements
Here’s where MDM earns its compliance ROI. The mapping below ties MDM’s core capabilities to the specific ISO 27001:2022 controls they support. This isn’t comprehensive — MDM touches other parts of the standard too — but it covers the access control territory specifically.
- Automated encryption (A.8.24) — Ensures data on devices is protected at rest. If a device is lost or stolen, encryption prevents unauthorized access to sensitive business data.
- Zero-touch provisioning and MDM enrollment (A.5.18, A.8.2) — Covers access rights management and privileged access. New hires receive only the access they’re authorized for from day one — nothing more.
- Role-based access control (A.5.15, A.5.18) — Covers access control policy and access rights management. Employees get what they need for their role, applied automatically through configuration profiles.
- User deprovisioning and remote wipe (A.5.18, A.6.5) — Covers access rights management and responsibilities after termination. Access is revoked immediately at offboarding, and devices can be wiped remotely regardless of location.
- OS patch enforcement (A.8.8) — Covers management of technical vulnerabilities. Patches are deployed automatically to enrolled devices on a defined schedule — no waiting for employees to remember to update.
- Screen lock and authentication enforcement (A.8.5) — Covers secure authentication. Screen lock, PIN or biometric requirements, and session timeouts are all enforced by MDM policy, not left to individual discretion.
- Audit trail and compliance reporting (A.5.33, A.8.17) — Covers protection of records and clock synchronization. MDM generates timestamped logs of device events that give auditors documented proof the controls have been running continuously.
- Cloud SSO and MFA integration (A.8.5) — Covers secure authentication. Single sign-on with MFA eliminates weak passwords as a vulnerability and creates a single, monitored point of entry across all company systems.
The pattern you’ll notice: MDM doesn’t just support one or two controls. It generates the evidence for a whole cluster of them simultaneously. When an auditor asks how you enforce access rights, enforce authentication requirements, manage patching, or produce audit trails — a well-configured MDM system gives you documented, timestamped answers to all of those questions at once.
How Each MDM Capability Supports the 2022 Controls
Automated Encryption (A.8.24)
ISO 27001:2022 requires organizations to define and implement policies on the use of cryptography. MDM enforces device encryption automatically as part of the enrollment profile — no user action required, no opt-out available. Every enrolled device is encrypted from day one, full stop. If a device is lost or stolen before anyone notices, the data on it is protected. This is one of those controls where MDM doesn’t just support compliance; it makes compliance the path of least resistance.
Access Rights Management: Provisioning and Deprovisioning (A.5.18, A.6.5)
A.5.18 covers the formal process for assigning, reviewing, and revoking access rights. A.6.5 requires that access rights be adjusted or revoked when employment ends. MDM handles both ends of this lifecycle. Zero-touch provisioning ensures new hires receive only the access they’re authorized for — applications, configurations, and permissions are applied automatically based on role. Deprovisioning at offboarding is equally automated: the managed container is wiped, access is revoked, and the device is prepared for return. The audit trail documents all of it.
This is one of the areas where having an MDM provider rather than managing it yourself makes a meaningful difference. The deprovisioning workflow runs on a process, not on whether someone remembers to do it.
Role-Based Access Control (A.5.15, A.5.18)
A.5.15 requires an access control policy. A.5.18 requires that access rights be assigned on the basis of what’s actually needed for the role. Your inner security enthusiast will recognize this as the principle of least privilege, and it is indeed doing its thing here. MDM enforces this at the device level: configuration profiles, application deployments, and permission levels are set by role, not handed out on request. The engineering team gets different profiles than the finance team. Contractors get scoped access that doesn’t persist after the engagement ends.
Patch Management and Vulnerability Remediation (A.8.8)
A.8.8 is one of the 2022 controls that’s more explicitly stated than its 2013 predecessor. It requires organizations to identify, evaluate, and remediate technical vulnerabilities in a timely manner. MDM’s patch management capability addresses this directly: OS updates and security patches are pushed automatically to enrolled devices on a defined schedule. The compliance dashboard shows patch status across the entire fleet. Auditors don’t need to take your word for it — the dashboard tells the story.
Secure Authentication (A.8.5)
A.8.5 covers secure authentication — which in practice means strong passwords or better, MFA, session timeouts, and screen lock enforcement. MDM enforces screen lock and auto-lock policies at the device level. Our Cloud Single Sign-On integration adds another layer: SSO with MFA means employees authenticate through a single, strong, monitored point of entry rather than juggling credentials across dozens of systems. This eradicates the weak-password risk at its source — which auditors find extremely satisfying.
Audit Trail and Compliance Reporting (A.5.33, A.8.17)
A.5.33 requires the protection of records. A.8.17 deals with clock synchronization — which sounds obscure but matters enormously for audit logs, because timestamped records are only useful as evidence if the timestamps are reliable. MDM platforms generate timestamped logs of device events: enrollment, policy application, authentication attempts, patch deployments, wipes. This documentation is the difference between telling an auditor what your controls do and showing them that the controls have been running continuously since implementation.
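To make the evidence idea concrete, here is an added example (not code from the original post, and not any MDM vendor’s tooling) that takes a small, constructed MDM inventory export and turns it into per-control pass/fail evidence for the controls mapped earlier (A.8.24 encryption, A.8.8 patch age, A.8.5 screen lock and MFA). It also applies the clock-synchronization point from A.8.17: each device event carries both the time the device stamped and the time the server received it, and a device whose clock drifts beyond a tolerance is flagged so its logs are not offered as evidence until the discrepancy is explained. The field names (`encrypted`, `os_patch_date`, `screen_lock_minutes`, `mfa_enforced`, `device_time`, `server_time`) and the thresholds are assumptions for illustration; a real export uses the platform’s own schema and your ISMS policy sets the limits.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds: in practice these come from the ISMS policy documents
# that A.5.15 (access control policy) and A.8.8 (vulnerability management) require.
MAX_PATCH_AGE_DAYS = 30                 # A.8.8: OS patch no older than 30 days
MAX_AUTOLOCK_MINUTES = 5                # A.8.5: screen auto-lock within 5 minutes
MAX_CLOCK_SKEW = timedelta(minutes=5)   # A.8.17: tolerable device/server clock drift

# Fixed report time so the example is reproducible.
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample export (field names are assumptions, not any vendor's schema).
# Each device reports one event with the time the device stamped ("device_time")
# and the time the MDM server stamped on receipt ("server_time").
SAMPLE_DEVICES = [
    {"id": "dev-001", "user": "alice", "encrypted": True, "os_patch_date": "2026-03-01",
     "screen_lock_minutes": 2, "mfa_enforced": True,
     "events": [{"type": "policy_applied", "device_time": "2026-03-10T09:00:00Z",
                 "server_time": "2026-03-10T09:00:04Z"}]},
    {"id": "dev-002", "user": "bob", "encrypted": False, "os_patch_date": "2026-03-05",
     "screen_lock_minutes": 2, "mfa_enforced": True,
     "events": [{"type": "enrollment", "device_time": "2026-03-09T14:12:00Z",
                 "server_time": "2026-03-09T14:12:00Z"}]},
    {"id": "dev-003", "user": "carol", "encrypted": True, "os_patch_date": "2025-12-15",
     "screen_lock_minutes": 10, "mfa_enforced": True,
     "events": [{"type": "auth_attempt", "device_time": "2026-03-10T08:45:10Z",
                 "server_time": "2026-03-10T08:45:12Z"}]},
    {"id": "dev-004", "user": "dan", "encrypted": True, "os_patch_date": "2026-03-08",
     "screen_lock_minutes": 1, "mfa_enforced": True,
     "events": [{"type": "patch_deployed", "device_time": "2026-03-10T07:30:00Z",
                 "server_time": "2026-03-10T09:00:00Z"}]},
]


@dataclass
class Finding:
    device_id: str
    control: str    # ISO 27001:2022 Annex A control number
    passed: bool
    detail: str


def _parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing 'Z' as an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def evaluate_device(dev: dict, now: datetime = NOW) -> list[Finding]:
    """Turn one device record into pass/fail findings for the mapped controls."""
    dev_id = dev["id"]
    findings = [Finding(dev_id, "A.8.24", bool(dev["encrypted"]),
                        "encryption at rest " + ("enabled" if dev["encrypted"] else "DISABLED"))]

    # A.8.8: how long since the last OS patch was applied.
    patch_date = datetime.strptime(dev["os_patch_date"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    patch_age = (now - patch_date).days
    findings.append(Finding(dev_id, "A.8.8", patch_age <= MAX_PATCH_AGE_DAYS,
                            f"last OS patch {patch_age} days ago"))

    # A.8.5: auto-lock within policy and MFA enforced for the user.
    auth_ok = dev["screen_lock_minutes"] <= MAX_AUTOLOCK_MINUTES and bool(dev["mfa_enforced"])
    findings.append(Finding(dev_id, "A.8.5", auth_ok,
                            f"auto-lock {dev['screen_lock_minutes']} min, "
                            f"MFA {'on' if dev['mfa_enforced'] else 'off'}"))

    # A.8.17: a log entry is only usable evidence if the device clock agrees with
    # the server clock, so compare the device stamp with the server receipt time.
    for ev in dev["events"]:
        skew = abs(_parse_utc(ev["server_time"]) - _parse_utc(ev["device_time"]))
        findings.append(Finding(dev_id, "A.8.17", skew <= MAX_CLOCK_SKEW,
                                f"{ev['type']} clock skew {skew}"))
    return findings


def evidence_summary(devices: list[dict], now: datetime = NOW) -> dict[str, dict[str, list[str]]]:
    """Group device ids by control and outcome: {"A.8.24": {"pass": [...], "fail": [...]}, ...}."""
    summary: dict[str, dict[str, list[str]]] = {}
    for dev in devices:
        for f in evaluate_device(dev, now):
            bucket = summary.setdefault(f.control, {"pass": [], "fail": []})
            bucket["pass" if f.passed else "fail"].append(f.device_id)
    return summary


def unreliable_log_sources(devices: list[dict], now: datetime = NOW) -> list[str]:
    """Devices whose event timestamps failed the A.8.17 skew check. Their logs should
    not be presented as evidence until the clock problem is explained or fixed."""
    return sorted(set(evidence_summary(devices, now).get("A.8.17", {}).get("fail", [])))


if __name__ == "__main__":
    for control, buckets in sorted(evidence_summary(SAMPLE_DEVICES).items()):
        print(f"{control}: pass={buckets['pass']} fail={buckets['fail']}")
    print("logs not usable as evidence:", unreliable_log_sources(SAMPLE_DEVICES))
```

Run against the constructed export, the report shows one device failing each of the first three controls (dev-002 unencrypted, dev-003 both out of patch window and with a ten-minute auto-lock) and dev-004 flagged under A.8.17 because its device clock is ninety minutes behind the server. The design choice worth noting is that clock skew is treated as a property of the evidence, not of the device’s compliance: a skewed device may be perfectly configured, but its own timestamps cannot prove when anything happened.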
What’s New in 2022 That Affects the MDM Picture?
Three of the 11 new controls in ISO 27001:2022 are relevant to what MDM does:
- A.5.7 Threat Intelligence. Organizations are now required to collect and analyze information about threats to their environment. MDM’s device health monitoring and vulnerability reporting feed into this — you’re building a picture of your threat exposure in real time, not just at audit time.
- A.5.23 Information Security for Cloud Services. With most small businesses now running on cloud-first stacks, this new control requires specific security policies for cloud service usage. MDM’s conditional access and app management capabilities — controlling which apps can access company data and under what conditions — map directly to this.
- A.8.9 Configuration Management. New in 2022, this control requires documented management of security configurations across hardware and software. MDM’s configuration profiles do exactly this: every enrolled device has a documented, version-controlled configuration profile that can be audited and updated centrally.
Bonus: If You Work in the Defense Supply Chain
The original version of this post included a section on CMMC (Cybersecurity Maturity Model Certification), and it’s worth keeping and updating. CMMC 2.0 has been in full effect since December 2024, and if you’re a contractor handling Controlled Unclassified Information (CUI) for the Department of Defense, certification is now a contract requirement rather than a future obligation.
The access control requirements in CMMC 2.0 Level 2 — which most defense subcontractors need — align closely with NIST SP 800-171 and, by extension, with ISO 27001:2022’s access control controls. MDM covers significant ground here too: device encryption, access provisioning, MFA enforcement, and audit trail generation are all directly relevant to CMMC access control practices. If you’re doing ISO 27001 and CMMC simultaneously, your MDM implementation is doing a lot of the work for both.
A Practical Note on Evidence
ISO 27001 certification isn’t just about having the controls in place. It’s about being able to demonstrate that they’ve been running consistently. MDM is valuable here not just because it implements controls automatically, but because it documents them automatically. The timestamped logs, patch compliance reports, and enrollment records your MDM generates are the audit trail that turns “we do this” into “here’s proof we’ve been doing this.” If you want to understand how we configure MDM to support ISO 27001 audit readiness specifically, our mobile device management for small business page covers the implementation approach.
Frequently Asked Questions
What happened to ISO 27001 Annex 9 (Access Control) in the 2022 update?
Annex A.9 no longer exists as a standalone section in ISO 27001:2022. The standard was restructured from 14 domains to 4 themes. Access control requirements are now distributed across Annex A.5 (Organizational Controls) and Annex A.8 (Technological Controls). The substance is largely the same; the control numbers and groupings have changed.
Do I need to redo my ISO 27001 certification for the 2022 version?
If you held a valid ISO 27001:2013 certification, the transition deadline was October 31, 2025. Any certification issued or renewed after that date must be to the 2022 standard. The transition typically requires a gap assessment against the new controls, updates to your Statement of Applicability, and a transition audit with your certification body.
How does MDM support ISO 27001:2022 access control specifically?
MDM directly supports several of the key access control-related technological controls in ISO 27001:2022, including A.8.5 (secure authentication), A.8.8 (vulnerability management), A.8.24 (use of cryptography), A.5.15 and A.5.18 (access control policy and access rights management), A.6.5 (responsibilities after termination), and A.8.9 (configuration management). It also generates the audit trail documentation that auditors need to verify these controls are running continuously.
What are the new ISO 27001:2022 controls that MDM supports?
Three of the 11 new controls in the 2022 version are directly relevant to MDM: A.5.7 (threat intelligence), which MDM supports through device health monitoring and vulnerability reporting; A.5.23 (information security for cloud services), which MDM supports through conditional access and app management; and A.8.9 (configuration management), which MDM supports through documented, version-controlled device configuration profiles.
Does MDM help with CMMC as well as ISO 27001?
Yes. CMMC 2.0, which has been required for defense contractors since December 2024, has significant overlap with ISO 27001:2022 in its access control requirements. MDM capabilities — encryption, access provisioning, MFA enforcement, audit trail generation — map to multiple CMMC Level 2 access control practices. Organizations pursuing both certifications can leverage the same MDM implementation for a significant portion of both.
Is ISO 27001 relevant for small businesses?
Increasingly, yes. ISO 27001 certification is required by enterprise customers in many industries as a condition of doing business. It’s also closely aligned with SOC 2, which many venture-backed startups need for sales cycles. For small businesses handling sensitive customer data, the certification demonstrates a level of security governance that matters in procurement conversations, investor due diligence, and competitive differentiation.
The Bottom Line
ISO 27001’s 2022 update is a significant structural change, and the old blog post that referred to Annex 9 and its 14 sub-controls needed a proper refresh. The underlying argument, though, remains unchanged: a well-configured MDM system does a substantial amount of the technical compliance work for ISO 27001’s access control requirements — automatically, consistently, and with the audit trail to prove it.
The 2022 version actually makes this argument stronger in a few ways. The new configuration management control (A.8.9) formalizes exactly what MDM has been doing all along. The cloud services control (A.5.23) acknowledges the reality that security lives at the device and identity layer now, not the network perimeter.
We’ve been implementing MDM for compliance-focused clients since 1998. If you’re in the middle of a transition to ISO 27001:2022, or starting the certification process fresh, we’re happy to walk through what your MDM configuration would need to look like to support the audit.

