Access governance and the audit trail as evidence for NIS2 and ISO 27001

Ruben van der Graaf · 6 min read

How attribute-driven access governance produces reproducible least privilege and a who-had-what-when audit trail that auditors can use as evidence for NIS2 and ISO 27001. Evidence, not certification.

Auditors don't ask for nice words about access control; they ask for evidence. Who had access to that folder on 3 March, under which rule, and when did it take effect and fall away again? This article is about how attribute-driven access governance produces that kind of evidence, and what it does and does not say about frameworks like NIS2 and ISO 27001. Be realistic: a tool does not make you compliant. It produces evidence for the access part, and only that part.

TL;DR

  • ServiceChanger does not make anyone compliant and is not a certification. It produces evidence that supports the access-control parts of frameworks like NIS2 and ISO 27001.
  • One attribute value maps to a fixed set of groups and roles in Entra ID and on-prem AD. Equal attributes produce equal access, which is reproducible least privilege.
  • Every membership change is recorded against the attribute that triggered it, so you can reconstruct who had which access when: a who-had-what-when audit trail.
  • Relevant frameworks: GDPR (accountability for least privilege), ISO 27001 access control (A.5.15 and A.5.18), NIS2 (access-control and accountability obligations).
  • ServiceChanger is not an access-certification or IGA suite and not a PAM tool. The License module only tracks usage. No AI, no predictive analytics.

What access governance means here

Access governance is the ability to justify why someone has the access they have, and to demonstrate that over time. In practice it comes down to two questions: who should have which access, and can you show it was actually set up that way?

ServiceChanger handles this through attributes. An attribute value, for example department, job title or location in Entra ID, maps to a fixed set of group and role memberships. When the value changes, the membership follows. The rule is the source of truth, not a manual click in an admin portal. As a result, everyone with the same attributes gets the same access, and anything off-pattern is visible rather than buried in scattered manual changes.

This is deliberately a narrow part of the governance landscape. It automates group and role memberships in Entra ID and on-prem AD, nothing more. It does not do access certification, periodic recertification, or privileged access management.

Reproducible least privilege

Least privilege is the idea that someone only holds the access the job requires. The hard part is not the definition, it is keeping it reproducible while people move between roles and departments.

When access hangs off an attribute, you can repeat the outcome. Two employees with the same job title and department should hold the same set of groups, and that is checkable. If someone deviates, you can see that the attribute does not match or that a manual exception exists outside the rules. For an auditor that difference is the whole point: not "we practice least privilege", but "here is the rule, here is who satisfies it, and here are the exceptions".

The who-had-what-when audit trail

The piece of evidence auditors actually want is the audit trail over time. ServiceChanger records every membership change against the attribute that triggered it: which user, which group or role, which attribute and value, which actor, timestamp and result.

That lets you reconstruct a point in the past. Who had access to that finance group on 3 March, and why? The answer is not "we think so", but a traceable chain: the person held attribute value X, which mapped to group Y, and the change took effect at that time. When the attribute changed or the account was disabled, the access fell away with it, also logged. That is the who-had-what-when audit trail.
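To make both checks concrete, the deviation check from the least-privilege section (same attributes, same groups; anything else is an exception) and the point-in-time reconstruction just described, here is an added Python example. It is not ServiceChanger code: the rule format, the event fields, the user names and every timestamp are constructed for illustration, and the field list simply mirrors the fields the article names.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed rule set for this example: attribute -> value -> groups it grants.
# The real product's rule format is not shown on the page; this is an assumption.
RULES = {
    "department": {
        "Finance": {"grp-finance-share", "grp-erp-users"},
        "Sales": {"grp-crm-users"},
    },
    "jobTitle": {
        "Controller": {"grp-finance-approvers"},
    },
}


def expected_groups(attrs):
    """Groups a user should hold under RULES. Equal attributes give equal output,
    which is the reproducibility property the article relies on."""
    groups = set()
    for attr, value in attrs.items():
        groups |= RULES.get(attr, {}).get(value, set())
    return groups


def drift(attrs, actual):
    """Compare rule-derived access with what the directory actually holds.
    'exception' = held but not explained by any rule (manual grant, stale membership);
    'missing'   = a rule says it should be there but it is not (failed sync)."""
    expected = expected_groups(attrs)
    return {"missing": expected - actual, "exception": actual - expected}


@dataclass(frozen=True)
class Event:
    ts: datetime      # when the change took effect
    user: str
    group: str
    action: str       # "add" or "remove"
    attribute: str    # attribute that triggered the change
    value: str        # attribute value at the time
    actor: str
    result: str       # "success" or "failure"


def _t(s):
    return datetime.fromisoformat(s)


# Constructed audit events (not real log data). The fields mirror the ones the
# article lists: user, group, attribute and value, actor, timestamp, result.
EVENTS = [
    Event(_t("2025-02-10T09:00:00+00:00"), "alice", "grp-finance-share", "add", "department", "Finance", "ServiceChanger", "success"),
    Event(_t("2025-02-10T09:00:00+00:00"), "alice", "grp-erp-users", "add", "department", "Finance", "ServiceChanger", "success"),
    Event(_t("2025-03-01T08:30:00+00:00"), "bob", "grp-finance-share", "add", "department", "Finance", "ServiceChanger", "success"),
    # alice moves to Sales: old access falls away, new access arrives, both logged
    Event(_t("2025-03-05T17:00:00+00:00"), "alice", "grp-finance-share", "remove", "department", "Sales", "ServiceChanger", "success"),
    Event(_t("2025-03-05T17:00:00+00:00"), "alice", "grp-erp-users", "remove", "department", "Sales", "ServiceChanger", "success"),
    Event(_t("2025-03-05T17:00:00+00:00"), "alice", "grp-crm-users", "add", "department", "Sales", "ServiceChanger", "success"),
    # a failed write must never be read as access granted
    Event(_t("2025-03-07T10:00:00+00:00"), "carol", "grp-finance-share", "add", "department", "Finance", "ServiceChanger", "failure"),
]


def memberships_at(events, when):
    """Replay successful events in time order up to `when`.
    Returns {user: {group: Event}} where the Event is the grant still in force,
    so every membership carries its own justification (attribute, value, time)."""
    state = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.ts > when or e.result != "success":
            continue
        if e.action == "add":
            state.setdefault(e.user, {})[e.group] = e
        elif e.action == "remove":
            state.get(e.user, {}).pop(e.group, None)
    return state


def who_had(events, group, when):
    """The auditor's question: who held `group` at `when`, under which rule, since when.
    Returns a sorted list of (user, 'attribute=value', effective-since ISO timestamp)."""
    state = memberships_at(events, when)
    return sorted(
        (user, f"{e.attribute}={e.value}", e.ts.isoformat())
        for user, groups in state.items()
        for g, e in groups.items()
        if g == group
    )


if __name__ == "__main__":
    print(who_had(EVENTS, "grp-finance-share", _t("2025-03-03T12:00:00+00:00")))
    print(drift({"department": "Finance"}, {"grp-finance-share", "grp-erp-users", "grp-vpn-admins"}))
```

Two design points matter for evidence quality. The replay only counts events with a successful result, so a write that failed against Entra ID or AD never appears as a grant. And the state keeps the triggering event rather than a bare boolean, so the answer to "who had access on 3 March" comes out as user, rule and effective-since in one row, which is the chain an auditor wants to see. Note that this only reconstructs what the attribute-driven tool wrote; a membership added directly in Microsoft's tooling shows up here as an exception in the drift check, not as an event.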

One thing to be honest about: this logs only the changes ServiceChanger itself makes based on attributes. Actions you perform separately in Microsoft's own tooling are logged by Microsoft, not here. The audit trail is evidence for the attribute-driven access part, not for everything that happens in your tenant.

How this produces evidence for NIS2 and ISO 27001

Here it is crucial to be precise. No tool makes you compliant with NIS2 or ISO 27001. What an attribute-to-group audit trail does do is supply evidence for specific access-control parts of those frameworks.

For ISO 27001, two controls are touched most directly: A.5.15 (access control) and A.5.18 (access rights: provisioning, modifying and removing them in line with the access-control policy). An auditor wants to see that access is granted and revoked according to policy. A rule that says "this attribute value grants these groups" plus a log of every grant and revocation is exactly the kind of underpinning those controls call for. Note that A.5.18 also covers the periodic review of access rights; the trail is evidence for the grant and revoke side, while the review itself is something ServiceChanger does not perform.

For NIS2, which carries obligations around access control and accountability, the same principle holds: you need to demonstrate that access is managed and traceable. The audit trail shows that changes follow a rule and trace back to an attribute and a time.

For GDPR, the relevance sits in accountability for least privilege on personal data. Being able to show who had access when, and on what basis, helps underpin that accountability obligation.

In all three cases the wording is the same: evidence for the access part, not certification and not a guarantee. Certification comes through your auditor and your full management system; ServiceChanger supplies one repeatable piece of the evidence.

FAQ

Does ServiceChanger make us compliant with NIS2 or ISO 27001? No. No tool does. ServiceChanger produces evidence for the access-control parts of those frameworks, namely a reproducible access rule and an audit trail of grants and revocations. Certification runs through your auditor.

Is this an IGA or access-certification suite? No. ServiceChanger does not do access certification or periodic recertification and is not a PAM tool. It automates attribute-driven group and role memberships in Entra ID and on-prem AD and logs those changes.

Can I export what an auditor needs? Yes. The membership changes ServiceChanger makes are recorded with user, group or role, the responsible attribute, actor, time and result, exportable for your records. Actions in Microsoft's own tooling are logged by Microsoft.

Does it use AI or predictive analytics to score risk? No. There is no AI or predictive analytics in it. The rules are deterministic: an attribute value maps to a set of groups, and that is recorded.

Next step

Want to see what the audit trail looks like for your own Entra ID and on-prem AD? Book a demo and we'll walk through a who-had-what-when example together.