Skip to content
Phishing for Trouble –
The IO Podcast returns for Series 2 Listen now
ISMS.online

ISO 27001 Access Control & Identity Management for MSPS

MSPs hold the keys to many client systems, making their access model a board-level concern. ISO 27001 turns access and identity risks into visible, auditable controls that win customer trust and regulator approval. Modern MSPs must show not just fast response, but evidence of disciplined, governed access—every day, for every client.

Author
Mark Sharron
Updated March 19, 2026
4/5 Stars

Why MSP Access Is Now a Board‑Level Risk

MSP access is now a board‑level risk because your engineers work inside every customer’s perimeter and can change critical systems quickly. That power can protect dozens of organisations at once, but if it is not deliberately designed and governed, a single compromise, mistake or insider issue can cascade into breaches, lost contracts and regulatory scrutiny across your client base.

This information is general in nature and is not legal, regulatory or certification advice; you should always seek guidance from appropriately qualified professionals for your specific situation.

Strong access decisions turn MSP power from silent risk into visible assurance.

The MSP “blast radius” problem

The MSP “blast radius” problem is that a single compromised technician identity can reach many customers before anyone notices. Remote monitoring and management tools, administrative cloud roles, VPNs and support portals give your staff deep, ongoing access to systems and data, which is essential for fast support but also means one compromised identity can trigger high‑impact changes within minutes.

That is why more customers, insurers and regulators are treating MSPs as part of their critical infrastructure rather than just another IT supplier. Supplier‑cyber‑risk guidance from national security agencies increasingly highlights managed service providers as high‑impact points in the digital supply chain, rather than ordinary vendors, because of the level of access they hold into multiple organisations. For example, government guidance on managing MSP cyber risk explicitly frames MSPs as key supply‑chain dependencies that must be governed carefully.

In the 2025 ISMS.online State of Information Security survey, about 41% of organisations named managing third-party risk and tracking supplier compliance as a top information-security challenge.

They increasingly expect you to demonstrate not only that you can respond to incidents, but that you can prove, from records, who performed which actions in which environments across every connected client. Privacy and security regulators place growing emphasis on accountability and auditability, including maintaining records that show who did what and when on systems handling sensitive information, rather than relying solely on incident response capability. Guidance such as the UK Information Commissioner’s accountability resources stresses the importance of structured records over informal practice in proving that responsibilities have been met in day‑to‑day operations.

ISO 27001 gives you a common language to describe and control that risk, so your access model is not just “how you have always done it” but a system that has been consciously designed, documented and tested. High‑level descriptions of ISO 27001 describe it as a standardised, risk‑based information security management system and control set for any type of organisation, which is why it works well as a shared framework between you, auditors, regulators and customers.

Why leadership must own the access storey

Leadership must own the access storey because access decisions now directly affect revenue, liability and reputation across many customers at once. Historically, choices about groups in a directory, VPN profiles or jump‑host access lived deep in technical teams; today, those same choices determine whether your organisation wins tenders, passes due diligence and avoids damaging incidents.

Board‑level and senior managers do not need to understand every RMM setting, but they do need a clear view of:

  • Which systems and customer environments your people and tools can reach
  • How privileged access is granted, monitored and revoked
  • How quickly you can remove rights when someone leaves or changes role
  • How all of this is captured in a repeatable management system

Those points give owners, managing directors and service leaders a simple way to see whether access is under control or drifting.

ISO 27001 turns access control from an opaque technical topic into a set of risks, controls, metrics and reviews that leadership can oversee. Once leaders understand the potential blast radius of unmanaged MSP access, they are far more likely to back the changes you need to make and to support investment in disciplined identity and access practices.

Book a demo


What ISO 27001 Really Requires for Access & Identity in an MSP

ISO 27001 requires you, as an MSP, to run a risk‑based information security management system that governs both your own access and the way your people and tools reach into customer environments. To meet that expectation, you must select, implement and maintain controls that keep access to information and systems appropriate and accountable throughout its lifecycle. The standard itself defines a risk‑based ISMS that must cover all in‑scope information and processes, which for MSPs naturally includes the access paths your staff and tooling use into client systems as well as your internal estate.

The 2025 State of Information Security report notes that customers increasingly expect suppliers to align with formal frameworks such as ISO 27001, ISO 27701, GDPR, Cyber Essentials, SOC 2 and emerging AI standards.

In practice, the clauses and Annex A controls translate into a simple cycle: understand your context, assess risks, apply controls and keep improving over time. Access and identity decisions run through that whole cycle, from risk identification to day‑to‑day control operation, so you cannot treat them as a one‑off configuration exercise.

At the management‑system level, ISO 27001 asks you to:

  • Define the scope of your ISMS
  • Understand internal and external issues and interested parties
  • Assess information security risks
  • Treat those risks with appropriate controls
  • Monitor, review and continually improve

Access control and identity management appear both in those high‑level clauses (for example, when defining risk criteria or competence needs) and in the reference controls of Annex A. The latest edition groups controls into organisational, people, physical and technological themes, with a strong emphasis on identity and access as core capabilities rather than add‑ons. Commentary on ISO 27001:2022 highlights how updated and new controls relating to identity, authentication and privileged access sit across those themes, reinforcing the idea that identity and access are central disciplines, not bolt‑ons.

In practical terms, the standard expects you to:

  • Set an access control policy that defines principles like least privilege, need‑to‑know and segregation of duties
  • Manage user access from onboarding to offboarding, including regular reviews
  • Protect authentication information and require strong authentication for high‑risk access
  • Control access to applications, networks and information based on business requirements
  • Monitor and log activities, especially where privileges are high

The detailed wording lives in the standards themselves, but the intent is clear: access is not ad hoc; it is governed, justified and checked as part of a living management system that your management team can understand and challenge.

What changes when you are an MSP

When you are an MSP, ISO 27001 expectations extend beyond your own systems to the many customer environments your people and tools reach into. A lot of general ISO 27001 guidance is written with a single‑organisation perimeter in mind; your reality spans multiple customers, tenants, networks and contracts.

You have a dual reality: your own internal systems and many customer environments, each with its own networks, tenants, applications and data, all touched by your people and tools. ISO 27001 does not let you ignore one half of that picture. If your tools or staff can reach into customer environments, those access paths belong in your scope and risk assessment. That does not mean you are responsible for every control at the customer, but it does mean you are responsible for how your organisation and its tooling behave wherever they connect.

Concretely, your ISMS should:

  • Identify all methods your people and tools use to access customer systems (RMM agents, cloud delegated administration, VPNs, jump hosts, direct logins, support portals)
  • Classify those methods by risk and privilege level
  • Define who can approve and assign those rights
  • Ensure authentication is appropriately strong for each path
  • Log and review activity in a way that allows you to reconstruct important actions when needed

Together these practices turn your ISMS from a set of documents into everyday discipline that engineers, service managers and security leads can follow and explain.

These expectations apply whether you are a ten‑person MSP or a global provider. The scale and technology may differ, but the principles are the same: access routes are known, justified, controlled and open to scrutiny.



ISMS.online gives you an 81% Headstart from the moment you log on

ISO 27001 made easy

An 81% Headstart from day one

We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.

Get started


From Accounts to Identities: IAM Lifecycle for MSP Engineers

An effective IAM lifecycle for MSP engineers treats every human and non‑human identity as a managed asset with a clear beginning and end. To meet ISO 27001 expectations, you need to move away from thinking in terms of individual accounts and towards managed identities whose creation, use and removal are all governed and auditable.

Designing a coherent identity model

A coherent identity model starts with a reliable source of truth, usually a central identity provider or directory where every engineer, service desk analyst, manager and automation account is defined. From there, identities are federated into customer tenants, RMM tools, ticketing systems and other applications, rather than creating unmanaged local accounts everywhere and hoping documentation keeps up.

Key design principles include:

  • Single identity per person: each human has one primary identity, even if they hold multiple roles
  • Named accounts instead of shared logins: shared “admin” or “support” accounts are avoided wherever possible, or strictly controlled when they cannot be eliminated
  • Role‑based group membership: instead of adding people directly to hundreds of resources, you place them in well‑defined groups or roles that carry permissions
  • Attribute‑aware policies: where feasible, access is constrained by attributes such as client, environment type, device compliance, location or time of day

This architecture makes it much easier to implement ISO 27001’s requirements around user access management and user responsibilities. Identity and access management best‑practice material consistently explains that central identity providers, named accounts and defined roles are the foundation for meeting requirements about who can access what, under which conditions, and how that is monitored. Resources such as introductory IAM guidance set out the same principles, reinforcing how well they align with ISO 27001’s expectations.

It also sets a foundation for automation, because changes to roles and attributes can flow automatically into the right systems instead of relying on manual updates everywhere.

Managing joiners, movers and leavers across many tenants

Managing joiners, movers and leavers across many tenants means treating every HR change as a trigger to add, adjust or remove access in a structured way. Identity lifecycle is often where MSPs struggle most with ISO 27001, because engineers move between teams and customers, contractors come and go, and each change multiplies across many environments.

A practical lifecycle model for an MSP should:

Create a repeatable onboarding workflow where HR or management triggers identity creation in your central directory, standard “starter” roles are applied, and customer‑specific access is granted only after explicit approval from the right people. This reduces reliance on ad hoc requests and ensures new staff start with appropriate, not excessive, access.

Step 2 – Treat role changes as access reviews

Treat internal transfers and role changes as events that require review and often reduction of access, not only additions. For example, a move from service desk to projects should prompt removal of old entitlements as well as assignment of new ones, so access remains aligned with the current job rather than accumulating over time.

Step 3 – Make leaver actions fast and complete

Ensure that when someone leaves, all access paths into both internal and customer environments are disabled or reassigned quickly, including VPN profiles, RMM console access, cloud roles and any local accounts that still exist. The goal is to close exposure windows rapidly and avoid orphaned accounts that nobody remembers until something goes wrong.

To show this is happening, you need records that tie HR events, tickets or requests to identity changes, along with periodic checks that no abandoned accounts remain. From an ISO 27001 perspective, this is strong evidence that your controls operate in practice, not just on paper, and it reassures customers that access does not linger long after someone has left your organisation. Guidance on evidencing ISO 27001 compliance stresses the importance of keeping artefacts that demonstrate real control operation-such as lifecycle records and review logs-rather than only holding policy documents that describe what should happen.

Owners, service managers and security leads can all use these lifecycle records to answer common audit questions such as “How do you remove access when an engineer leaves?” without scrambling.



Designing a Dual‑Scope Access Control Model for MSPs

An ISO 27001‑aligned access model for an MSP must cover your internal environment and your privileged footholds in customer environments at the same time. The most effective approach is to design one coherent model with clearly marked “zones” rather than treating them as two completely separate worlds that evolve independently.

Internal vs customer access: one policy, two lenses

You can start by defining a single access control policy that explicitly states it covers access to your own systems and information as well as access by your personnel, tools and automations into customer‑owned environments. Within that policy, you can then distinguish how you treat internal and customer access without losing overall coherence or creating conflicting rules.

At a minimum, the policy should distinguish:

  • Internal access: focused on protecting your own data, finances, intellectual property and operations
  • Customer access: focused on protecting each client’s systems and data, complying with their obligations and avoiding cross‑tenant impact

Both lenses should share core principles: least privilege, need‑to‑know, segregation of duties, strong authentication, logging and regular review. The differences are mainly in scope boundaries and who authorises what. For example, creating a new engineer account in your RMM console may require internal management approval, but granting that engineer admin rights on a particular customer’s production tenant may also require customer approval.

Using RBAC and ABAC across multiple clients

Using a mix of RBAC and ABAC across multiple clients lets you describe complex access needs in a structured, auditable way. Together they let you reflect real‑world complexity without falling back into one‑off, opaque entitlements that nobody can explain clearly under pressure.

  • RBAC: defines standard roles such as “Service Desk Analyst”, “Tier‑2 Engineer”, “Cloud Architect”, “Security Specialist” and “Billing Administrator”. Each role has a clear set of responsibilities and associated permissions, which you can document once and reuse consistently.
  • ABAC: adds conditions based on attributes like client, environment (production versus test), data sensitivity, device compliance or time of day. For example, a Tier‑2 Engineer role may allow admin access only to the clients they are assigned to, during support hours, from managed devices.

A dual‑scope model like this is exactly what auditors and mature customers want to see: a consistent logic that explains why each person can do what they can do, internally and in each customer environment, with no “mystery access” left unaccounted for.

To make the contrast clear, it can help to compare where you are now with where you want to be:

A simple illustration:

Aspect Unmanaged MSP access ISO 27001‑aligned MSP access
Identities Shared admin logins, local accounts Named identities, central directory, role‑based
Privileged access Ad hoc, tool‑specific entitlements Approved roles, customer‑aware permissions
Logging and evidence Inconsistent logs and screenshots Standard logs, reviews and audit‑ready artefacts
Customer confidence Frequent questions, slow renewals Clear explanations, faster due diligence and renewals

The biggest win is the shift from shared, opaque access to named, role‑based identities that you can explain and defend to auditors and customers. This kind of comparison helps you show internal stakeholders that aligning access to ISO 27001 principles is not just “compliance work” but a meaningful reduction in operational and commercial risk.



climbing

Free yourself from a mountain of spreadsheets

Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.

Book your demo


Handling Privileged & Remote Access into Client Environments

For an MSP, privileged and remote access into client environments is among the highest‑impact areas of your risk, and often where ISO 27001 scrutiny is particularly intense. You are expected to treat these paths as high‑risk channels that are tightly controlled, strongly authenticated, well monitored and regularly reviewed, because misuse at this layer can have immediate, visible impact.

Treating remote access as a controlled gateway

You treat remote access as a controlled gateway by routing privileged connections through a small number of hardened entry points that enforce your policies every time. Instead of letting technicians connect directly from anywhere to anything, a secure model routes all privileged access through gateways that centralise authentication, authorisation and monitoring.

Typical patterns include:

  • RMM platforms or remote access tools configured with per‑user authentication and authorisation
  • Bastion or jump hosts that mediate administrative sessions into sensitive environments
  • Cloud delegated administration or management planes that centralise high‑privilege actions

Each gateway should enforce strong authentication, preferably multi‑factor, and limit what each identity can do based on roles and attributes. Sessions should be logged in sufficient detail to reconstruct important actions if there is a dispute or incident, and high‑risk changes to security settings, identity providers or network controls should be visible to your monitoring. By designing these gateways as part of your ISO 27001 control set, you demonstrate that privileged access is not ad hoc but deliberately constrained and observable.

Managing shared accounts, contractors and emergencies

You handle shared accounts, contractors and emergencies by minimising their use, tightly controlling credentials and keeping detailed activity records when they are unavoidable. Reality is messy: some legacy systems, vendor portals or customer environments still require generic or shared accounts. You may also rely on contractors, third‑party specialists or temporary staff, and genuine emergencies do happen.

Pragmatic practices include:

  • Minimising the number of shared accounts and documenting why each one exists
  • Storing shared credentials in a secure vault with per‑user check‑out so you can see who used them and when
  • Using session recording or detailed command logging for activity performed with shared or break‑glass accounts
  • Applying strict time limits and approvals for contractor and temporary access, with clear end dates and responsibilities for revocation
  • Defining and rehearsing “break‑glass” procedures that balance speed with accountability, including retrospective review of emergency actions

Handled this way, exceptional access becomes something you can explain and defend to auditors and customers rather than a collection of unknown shortcuts that nobody quite understands. These controls go a long way towards satisfying ISO 27001’s expectations around privileged access management, even where technology constraints exist. Analyses of the ISO 27001:2022 updates underline how the refreshed identity and privileged access‑related controls are meant to ensure high‑risk access is governed, justified and observable, so disciplined handling of shared and emergency access aligns well with that direction.



Proving Control: Logging, Monitoring & Audit Evidence

ISO 27001 is as much about proving that your controls work as it is about designing them. For access control and identity management, that means you need systematic evidence that requests, approvals, changes, reviews and monitoring are happening as described across your internal systems and customer environments. Practical guidance on evidencing ISO 27001 compliance repeatedly emphasises that auditors look for artefacts showing controls in operation-such as records, tickets and reports-not just policies and intent.

In the 2025 survey, only around 29% of organisations reported receiving no fines for data‑protection failures, meaning most had been fined at least once.

Building an audit‑ready access evidence set

An audit‑ready access evidence set should let you reconstruct key access decisions and activities without digging through dozens of inboxes and consoles. It also needs to map back cleanly to your policies and risk assessments so you can show that you are doing what you said you would do rather than relying on informal practice.

A typical evidence set around access and identity includes:

  • An access control policy that clearly covers internal and customer environments
  • Procedures or runbooks for onboarding, changing and offboarding staff and contractors
  • Role and group definitions, including who can approve membership
  • Records of access requests and approvals, ideally linked to tickets or change records
  • Periodic access review records, both for internal systems and for key customer environments
  • Configuration snapshots for critical controls such as multi‑factor authentication, conditional access, RMM permissions and privileged roles
  • Logs or reports showing who used privileged access channels and when

From this evidence, you can answer common audit questions such as “Who approved this engineer’s access to the RMM platform?” or “When was access to this customer tenant last reviewed?” without creating new artefacts at short notice.

If you maintain these artefacts continuously, updating them as part of business‑as‑usual work, you avoid the need to assemble evidence under time pressure before an audit. It also means that if something goes wrong, you have a clear trail to learn from and you can demonstrate to customers and auditors that your controls operate in practice.

Monitoring access in line with your risk register

ISO 27001 expects your monitoring to be proportionate to your risks, not just a generic log collection exercise. In an MSP context, that usually means prioritising the systems and access paths that would cause the greatest harm if misused or compromised, and making sure your monitoring clearly reflects those priorities. This follows directly from the standard’s risk‑based approach, which calls for controls and monitoring to be selected and tuned based on impact and likelihood rather than copied from a generic checklist.

In practice, this often includes:

  • More intense monitoring of privileged access into customer production environments
  • Monitoring of authentication events for your central identity provider and administration consoles
  • Alerting on unusual access patterns, such as logins from unexpected locations, mass changes to groups or repeated failed attempts to access high‑risk systems
  • Retaining logs for long enough to support investigations and demonstrate control operation over time

The key is to tie monitoring use cases back to your risk assessment. If you have identified that compromise of your RMM platform would have severe impact, your monitoring should show how you are watching for that: tuned alerts, tested notification paths, and clear responsibilities for triage and response. That turns monitoring into a living ISO 27001 control, not just a checkbox.

An ISMS platform such as ISMS.online can help you link each access‑related risk to controls and to the evidence that those controls are working, so you can show auditors and customers a coherent storey instead of a pile of isolated logs and screenshots. If you want to see what that looks like in practice, a short walkthrough of a working ISMS can make the connections between risks, controls and evidence much easier to visualise for both technical and non‑technical stakeholders.



ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Manage all your compliance, all in one place

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Book your demo


Defining Roles & Responsibilities with Customers

Access control for an MSP is not just an internal matter; it is a shared concern with every customer you serve. ISO 27001 expects roles and responsibilities to be clear, and in the MSP context that means being explicit about who requests, approves, implements and reviews access on both sides of the relationship. The standard itself calls for defined roles, responsibilities and authorities for information security, so mapping those concepts into joint access‑governance arrangements with customers is a natural extension rather than a stretch.

Co‑owning access governance through RACIs and contracts

A practical way to clarify responsibilities is to create a responsibility matrix for each customer, often in the form of a RACI (Responsible, Accountable, Consulted, Informed). This matrix can cover activities such as defining which roles your staff may hold in their environment, who approves new privileged access, how often reviews occur and who manages identity providers and logging.

Most organisations in the 2025 ISMS.online survey said they had been impacted by at least one third‑party or vendor-related security incident in the preceding year.

You can then align this matrix with your contractual documents: master service agreements, service level agreements and data processing agreements. These should contain clear expectations around:

  • Use of strong authentication for all MSP staff accessing customer systems
  • Logging and retention of MSP activities in the customer environment
  • Frequency and scope of access reviews
  • Notification timelines and collaboration during incidents involving MSP access

When the matrix and contracts match reality, you reduce surprises and make ISO 27001 compliance a joint effort rather than a one‑sided burden. It also gives both sides something concrete to point to when questions arise during due diligence, contract renewal or regulator interactions.

Turning access governance into a commercial asset

Access governance becomes a commercial asset when you can confidently answer detailed customer questions about how you control and monitor access to their systems. Customers increasingly ask questions such as “Which of your staff can reach our production tenant?”, “How do you review that access?” or “What happens if a privileged account is compromised?”. If you can describe your ISO 27001‑aligned access model clearly, show sample evidence and explain how you collaborate on approvals and reviews, you stand out from providers who offer only vague assurances.

Some MSPs go further and package access governance as part of their service value, for example:

  • Including regular access‑governance briefings as part of account reviews
  • Providing standard reports that summarise key metrics such as number of MSP identities with privileged access, recent changes and review status
  • Offering managed identity or privileged access services as add‑ons, underpinned by the same controls they use internally

Handled well, this transparency can strengthen commercial trust and make renewals and new opportunities easier to discuss with more mature or regulated customers. ISO 27001 then becomes not just a certificate on the wall but a framework you use to articulate why customers should trust you with their most powerful logins and how you protect them in a disciplined way.

If you want to frame this in commercial terms with your leadership team, you can position disciplined access governance as a differentiator that reduces sales friction, shortens security questionnaires and reduces the likelihood of security‑driven churn.



Book a Demo With ISMS.online Today

ISMS.online gives your MSP a single place to turn access control and identity management into a living ISO 27001 system that your team can actually operate. Instead of scattering policies, risks, control descriptions and access evidence across spreadsheets, email and shared drives, you can manage them coherently in one platform that reflects how your organisation really works. Public information about ISMS.online describes how it is designed as a central workspace for building and maintaining an ISMS, rather than leaving teams to manage static, disconnected documents.

Why an ISMS platform makes access governance manageable

An ISMS platform makes access governance manageable by providing a stable backbone for your ISO 27001 work as your business and tooling evolve. When you start to formalise access and identity under ISO 27001, you quickly realise that the biggest challenge is not deciding what “good” looks like, but keeping everything consistent and up to date as your staff, customers and remote access stack change.

About two‑thirds of organisations surveyed in State of Information Security 2025 said the speed and volume of regulatory change are making compliance harder to sustain.

With ISMS.online you can, for example:

  • Define your scope so it clearly covers both internal and customer‑facing access
  • Record the risks that arise from privileged MSP access and link them to specific controls
  • Store your access policies, runbooks and responsibility matrices in a structured way
  • Map critical tools such as your identity provider, RMM, VPN and privileged access solution to Annex A controls
  • Attach evidence such as screenshots, reports, tickets and review records directly to each control

With that foundation in place, audits become more predictable and less disruptive. Audit preparation checklists from independent practitioners regularly highlight that having pre‑linked risks, controls and evidence significantly reduces last‑minute evidence gathering and makes both internal and external audits easier to plan and execute. When your information is already organised by control and risk, you are not reinventing reports under pressure every time someone asks for proof.

What you can explore in a demo

A demo of ISMS.online focused on access control and identity management can walk you through, for example:

  • A model risk register entry for MSP privileged access, linked to Annex A controls and treatment plans
  • A sample access control policy that explicitly covers MSP access into customer environments
  • Workflows for documenting and evidencing joiner‑mover‑leaver processes for engineers
  • Ways to track access reviews, approvals and exceptions in a way that aligns with your ticketing and HR systems
  • How to prepare for an ISO 27001 audit or customer due‑diligence exercise with pre‑linked control records and evidence

If you are facing a six‑ to twelve‑month deadline for certification or a major customer assessment and your current access practices still feel messy, a short, focused session can help you prioritise where to start: for example, tightening RMM access, defining your identity model more clearly or getting your first set of access reviews into a repeatable rhythm.

Bringing your leadership, operations, technical and compliance perspectives together around a shared ISMS workspace is often the turning point. It shifts access control and identity management from a collection of heroic efforts by a few people into a structured, team‑wide discipline that protects your customers, supports your growth and stands up to scrutiny. If you want disciplined access governance to be easier to build, prove and maintain, booking a demo of ISMS.online is a practical next step for your MSP.

Book a demo


Frequently Asked Questions

You meet ISO 27001 expectations by being able to demonstrate, with live evidence, who can access what, why they have that access, and how you keep it under control across both your own systems and every customer environment you touch.

Anchor everything in a simple “design → operate → prove” loop

Instead of trying to memorise every Annex A control, structure your thinking around three repeatable layers:

  • Design: – clear, written intent:
  • One access control policy that explicitly covers:
  • Your internal estate (IdP, RMM, PSA, finance, HR, internal apps).
  • Customer estates your staff, tools and automations can reach.
  • A small, well‑named set of roles and groups that reflect how your engineers really work.
  • Straightforward procedures for joiners, movers, leavers and privileged access.
  • Operate: – day‑to‑day behaviour that matches the design:
  • Named accounts mapped to roles, not generic logins.
  • MFA enforced at the choke‑points that matter most.
  • Regular access reviews on high‑risk systems and key customer tenants.
  • Prove: – evidence you can show without scrambling:
  • Tickets or workflow records for access approvals.
  • Logs and reports answering “who had what, when, and who signed it off.”
  • Configuration exports that match your stated model.

When you capture all three layers in a structured environment like ISMS.online – risks, policies, roles, procedures, requests, reviews and logs linked together – you stop arguing about theory and start showing how your access controls actually work. That’s the point where auditors relax and customers start trusting your answers instead of challenging every detail.

How can an MSP create one coherent access model that genuinely covers both internal and customer systems?

You do it by defining one access framework, not two, and then wiring that framework into your identity, RMM and remote‑access stack so the same logic holds everywhere.

Start with a single scope statement that closes the “customer grey zone”

Most MSPs unintentionally create risk by treating customer access as something separate from “internal” security. Fix that explicitly in your access control policy by stating that it covers:

  • Access to all MSP‑owned systems and data.
  • Access by MSP staff, contractors, tools and automations to all customer systems and data.

Make that scope impossible to miss. Once it’s written down, customers and auditors stop wondering whether their environment is “in or out” of your ISMS.

Use a small, stable RBAC spine, then layer ABAC on top

A workable MSP model usually looks like this:

  • RBAC (role‑based access control) for structure:
  • Define 6–10 roles that match reality, for example:
  • Service Desk
  • Escalation / Tier‑2 Engineer
  • Cloud / M365 Engineer
  • Security Analyst
  • Platform Engineer (RMM / tooling)
  • Finance / Billing
  • For each role, document:
  • Internal systems it can use (RMM, PSA, ticketing, finance, logs, etc.).
  • Customer systems or tenant types it can touch (production vs test, specific platforms).
  • Who owns the role and who approves changes.
  • ABAC (attribute‑based access control) for nuance:
  • Use attributes to avoid role sprawl, such as:
  • Customer or customer group.
  • Environment (production vs non‑production).
  • Device posture (managed vs unmanaged).
  • Time band or location.
  • Example rule:
  • “Tier‑2 Engineers administer only their assigned production tenants, from managed devices, during approved support hours.”

That rule is readable in a policy, implementable in an IdP or RMM, and testable in an audit. That’s exactly the kind of clarity ISO 27001 is driving you towards.

Wire the model into the tools your team already lives in

The model only exists if it’s reflected in configuration:

  • Directory / IdP: – groups = roles, conditional access = ABAC, SSO into RMM and cloud consoles.
  • RMM / remote‑access platforms: – named accounts only, mapped to roles; MFA enforced; clear separation between “can see” and “can change.”
  • Cloud admin planes: – per‑tenant roles and admin units, not a single “god account” everywhere.
  • VPN / zero‑trust / jump hosts: – enforce the same role and attribute logic before anyone reaches a customer network.

A useful sanity check is whether you can sketch a single diagram with “MSP internal” on one side and “customer estates” on the other, draw your standard roles across the boundary with clear conditions, and then back that picture up with linked policies, group definitions and records in ISMS.online. If you can, you’re very close to an ISO 27001‑grade access design that still feels practical to engineers.

What does “real‑world” least privilege and MFA look like when engineers support dozens of tenants?

In real MSP life, least privilege and MFA work as a programme, not as a one‑off hardening exercise. The goal is a pattern you can sustain under ticket queues, emergencies and staff turnover – and still defend in an audit.

Turn least privilege into a continuous tuning loop

Rather than trying to perfectly lock down every permission on day one, focus on:

  • Standard roles first: – give each role only what’s needed for everyday tasks.
  • Just‑in‑time elevation: – use temporary, ticket‑backed elevation for unusual or high‑risk work.
  • Scheduled reviews: – at least quarterly for:
  • Core internal systems (IdP, RMM, PSA, cloud admin portals).
  • High‑risk customer tenants or regulated clients.
  • Usage‑driven tuning: – if a right is never used, remove it; if it’s misused or linked to an incident, tighten it.

In practice, that usually means:

  • No “global admin on everything by default” profiles.
  • Clear scoping by customer, environment and function.
  • A visible distinction between people who can view sensitive data and those who can change critical systems.

When you document your roles, elevation paths and review cadence in ISMS.online, and attach actual review records and tickets, you create a living storey that satisfies both ISO 27001 and your customers’ security teams.

Put MFA where compromise would be catastrophic – and route access through those points

Managing MFA separately in every individual tenant and tool doesn’t scale. Instead, concentrate on:

  • MSP‑controlled choke‑points:
  • Identity provider / directory.
  • RMM and remote‑access platforms.
  • Cloud management planes and key admin consoles.
  • VPN, zero‑trust or jump hosts in front of customer estates.
  • Routing rules:
  • “All privileged access must pass through at least one MSP‑controlled MFA checkpoint.”
  • “Local exceptions in customer estates are documented, justified and reviewed.”

This approach lets you say, with a straight face, to both auditors and customers:

No engineer can reach a customer’s production environment without going through at least one strong, MSP‑controlled authentication gateway.

If you can back that up with configuration exports, policy references and test records stored in ISMS.online, you stop arguing about edge‑case screen grabs and start talking about a coherent control strategy.

How should MSPs bring RMM platforms and shared admin accounts explicitly into ISO 27001 scope?

You do it by treating them as first‑class, high‑risk assets in your ISMS, rather than as “IT tools” that somehow sit outside formal governance.

Govern RMM like a critical system, not just a convenience

For each RMM or remote‑access platform, you should be able to show:

  • Asset registration and risk linkage:
  • It appears in your asset inventory as a critical privileged‑access component.
  • It’s linked to risks around remote access, supply chain and automation.
  • It has an identified owner and technical custodian.
  • Control coverage:
  • Access management: named accounts, MFA, role definitions.
  • Logging and monitoring: who did what, on which endpoints or tenants, and when.
  • Change management: how configuration and scripts are approved and deployed.
  • Supplier oversight: what you check and monitor if the platform is SaaS.
  • Config aligned to your model:
  • Roles in the RMM mirror your RBAC design (e.g. Service Desk vs Tier‑2 vs Platform Admin).
  • Dangerous features (mass scripting, registry editing, elevation) are restricted to clearly defined roles.
  • Agent deployment and removal are controlled actions, not something anyone can trigger.

When all of that is tied back to your policy and risk registers in ISMS.online, you can have calm, transparent conversations with customers who have read about RMM‑based supply‑chain attacks and now want detail rather than reassurances.

Put shared and “break‑glass” accounts under a bright spotlight

Where generic or emergency accounts still exist, you don’t hide them; you manage them visibly:

  • Maintain a short, justified register of such accounts:
  • Why each one exists.
  • Where it can be used.
  • Who owns and reviews it.
  • Place them in a secure password or secrets vault:
  • Accessed only via named logins.
  • With check‑out and check‑in logged.
  • With rotation on a defined schedule or after use.
  • Tie usage to documented scenarios:
  • Serious incidents and known, time‑boxed maintenance windows.
  • Temporary workarounds where vendors don’t support named accounts – with a plan to revisit.
  • Review the register regularly:
  • Remove accounts that are no longer justified.
  • Tighten conditions where you’ve seen drift or overuse.

Auditors and customers know that vendor limitations and legacy systems are real. They’re less worried about the existence of shared accounts than about whether you can show control and steady progress in reducing reliance on them. ISMS.online gives you a place to link the vault procedures, “break‑glass” playbooks, reviews and risk treatments into one coherent picture.

What specific ISO 27001 access‑control evidence should an MSP be ready to show without scrambling?

Think in two buckets: how you designed access to work and how you can prove it actually works that way. ISO 27001 auditors – and mature customers – will usually test both.

Design artefacts: how your access model is supposed to work

You’ll want to have, ready to hand:

  • A single access control policy that:
  • Clearly applies to both your internal environment and customer estates you touch.
  • Names key principles (least privilege, segregation of duties, MFA at gateways).
  • Assigns responsibilities and review frequencies.
  • A concise role and group catalogue that:
  • Lists each role, where it applies (internal, customer, or both).
  • Describes typical activities and system scope.
  • Identifies an owner for each role.
  • Procedures / runbooks: for critical activities:
  • Onboarding, role change and offboarding flows (including contractors).
  • Granting, changing and revoking privileged access.
  • Safe use of RMM and other remote‑access tooling.
  • Invoking and reviewing emergency / break‑glass access.

These don’t have to be glossy documents. They do need to be consistent, discoverable and linked to your risk assessments and Annex A controls inside ISMS.online.

Operating records: how it works in everyday life

To show your design is alive, expect auditors to sample:

  • Access request / approval records:
  • Tickets or workflow entries showing who asked for access, what they needed, who approved it, and against which role.
  • Joiner–mover–leaver examples:
  • Evidence that accounts are created, adjusted and removed on time, including in customer tenants and third‑party portals.
  • Access review outputs:
  • Reports or minutes for regular reviews on:
  • IdP / directory groups.
  • RMM and privileged groups.
  • High‑risk customer environments.
  • Configuration evidence:
  • Screenshots or exports of:
  • MFA / conditional‑access rules.
  • RMM role and permission sets.
  • Admin group membership.
  • Logs and summaries:
  • Enough to answer, without new work:
  • “Which privileged accounts exist today?”
  • “Who used this RMM feature last week?”
  • “How would you spot unusual use of an engineer account?”

A simple internal drill that often exposes gaps is to pick one engineer and verify, using live artefacts stored in ISMS.online:

  • How their access was requested and approved.
  • Which internal and customer systems they can touch.
  • When that access was last reviewed.
  • How you would detect and handle misuse of their account.

If that storey is easy to tell and the evidence is genuinely up to date, you’re in a strong position for ISO 27001 certification and the tougher customer security reviews that often follow.

How can an MSP turn ISO 27001‑grade access control into something customers actively value and pay for?

You do it by bringing your access discipline into every serious customer conversation – from RFPs to quarterly reviews – and by offering services that extend those same disciplines into their side of the fence.

Answer the three access questions customers quietly worry about

Most security‑aware buyers want clear answers to:

  1. Who in your organisation can change our critical systems?
  2. How do you keep that access under control when people join, move and leave?
  3. What happens, in practice, if an account is misused or compromised?

Use the work you already do for ISO 27001 to respond with confidence:

  • Share a one‑page access diagram:
  • How your engineers reach their environment (IdP → RMM → cloud portal / VPN).
  • Where MFA sits.
  • Where logging and monitoring happen.
  • Provide a short, reader‑friendly role table, for example:
Role Typical access scope Review frequency
Service Desk Standard user support, no direct admin Quarterly
Tier‑2 Engineer Scoped admin for assigned tenants Quarterly
Security Analyst Logs, alerts, incident tooling, limited RMM Monthly
Platform Engineer RMM config, integrations, no customer data Monthly
  • Use clear language drawn from your ISMS.online artefacts:
  • “Here’s how we onboard and offboard engineers.”
  • “Here’s how we separate routine work from high‑risk changes.”
  • “Here’s how we review privileged access each quarter.”

When prospects see that you can speak calmly about access with supporting evidence, they’ll often set you apart from MSPs who can only say “we have MFA” and “we’re ISO certified” without detail.

Fold access governance into account management and services, not just audits

To make access governance part of your value, not just a back‑office chore, build it into how you run accounts:

  • Add a short “access and identity” section to regular service reviews:
  • Changes in MSP identities with access.
  • Date and outcomes of the last access review.
  • Completed hardening actions (e.g. retired generic accounts, tightened roles).
  • Offer add‑on services that mirror your own disciplines:
  • Managed access reviews of the customer’s own staff and third‑party suppliers.
  • Help designing RBAC/ABAC models for their line‑of‑business and SaaS platforms.
  • Assistance rolling out MFA, conditional access and privileged access workstations.

This is where a platform like ISMS.online quietly strengthens your positioning. When all your access‑related risks, policies, diagrams, procedures, tickets, reviews and logs sit in one place, it becomes natural to:

  • Give sales and account managers confidence to talk about access with customers.
  • Produce consistent, evidence‑backed answers to security questionnaires.
  • Show that your ISO 27001 certificate reflects a living system, not a once‑a‑year paperwork exercise.

Customers don’t just want “an ISO badge”; they want to feel that your engineers are a safe extension of their own team. Turning your access governance into a visible, repeatable part of how you sell and deliver is one of the most effective ways to earn that status – and to justify being chosen over a cheaper, less disciplined competitor.

Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice - tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content - helping organisations understand, prove security, privacy and AI governance with confidence.

Twitter

Take a virtual tour

Start your free 2-minute interactive demo now and see
ISMS.online in action!

Try it now
platform dashboard full on mint

We’re a Leader in our Field

4/5 Stars
Users Love Us
Leader - Spring 2026
High Performer - Spring 2026 Small Business UK
Regional Leader - Spring 2026 EU
Regional Leader - Spring 2026 EMEA
Regional Leader - Spring 2026 UK
High Performer - Spring 2026 Mid-Market EMEA

"ISMS.Online, Outstanding tool for Regulatory Compliance"

— Jim M.

"Makes external audits a breeze and links all aspects of your ISMS together seamlessly"

— Karen C.

"Innovative solution to managing ISO and other accreditations"

— Ben H.