What Is Privileged Access Management?
Privileged Access Management (PAM) is the security discipline that controls, monitors, and audits all access performed using elevated privileges across an organisation's IT environment. It protects the most powerful accounts in the organisation — administrator accounts, service accounts, and emergency access accounts — that, if compromised, would give an attacker unrestricted access to critical systems and data.
For compliance-driven organisations, PAM provides the controls and audit evidence needed to demonstrate that privileged access is properly governed under ISO 27001, SOC 2, NIS2, and DORA.
Types of Privileged Accounts
| Account Type | Description | Risk Level |
|---|---|---|
| Domain admin | Full control over Active Directory and all joined systems | Critical |
| Root/sudo | Unrestricted access on Linux/Unix systems | Critical |
| Cloud admin | AWS account root user, Microsoft Entra ID (Azure) Global Administrator, GCP Organization Admin | Critical |
| Database admin | Full access to database servers and data | High |
| Service account | Application-to-application authentication with system privileges | High |
| Network admin | Configuration access to routers, switches, firewalls | High |
| Break-glass account | Emergency access bypassing normal controls | Critical |
| Application admin | Administrative access within business applications | Medium-High |
PAM Architecture Components
| Component | Function | Examples |
|---|---|---|
| Credential vault | Secure storage and rotation of privileged credentials | CyberArk, BeyondTrust, Delinea |
| Session manager | Recording and monitoring of privileged sessions | CyberArk PSM, BeyondTrust, Teleport |
| Access gateway | Proxy for privileged connections without exposing credentials | CyberArk, Teleport, StrongDM |
| JIT access engine | Temporary privilege elevation with approval workflows and automatic expiry | Microsoft Entra PIM (formerly Azure AD PIM), CyberArk, Britive |
| Privilege analytics | Behavioural analysis of privileged activity | CyberArk, Securonix |
| Secrets manager | Application credential management and injection | HashiCorp Vault, AWS Secrets Manager |
PAM Controls
| Control | Description | Implementation |
|---|---|---|
| Least privilege | Grant minimum permissions needed for each role | Role-based access with periodic review |
| Credential vaulting | Store all privileged credentials in encrypted vault | Automated rotation, no shared passwords |
| Just-in-time access | Time-limited privilege elevation with approval | Workflow-based requests, auto-expiry |
| Session recording | Record all privileged sessions for audit | Video-like replay, keystroke logging |
| MFA enforcement | Require multi-factor authentication for every privileged login and elevation | Phishing-resistant MFA (FIDO2 security keys or hardware tokens) for admins; no SMS or email codes |
| Separation of duties | Prevent single person from completing critical tasks | Dual approval, role segregation |
| Access certification | Regular review of who has privileged access | Quarterly reviews with manager attestation |
Privileged Access Lifecycle
| Phase | Activities | Controls |
|---|---|---|
| Request | User requests privileged access with business justification | Approval workflow, risk assessment |
| Approve | Manager and security team review and approve | Dual approval for critical systems |
| Provision | Grant time-limited access, inject credentials | JIT elevation, credential vault |
| Monitor | Record session, monitor for anomalous activity | Session recording, behaviour analytics |
| Review | Audit privileged activity against expected behaviour | Post-session review, compliance checks |
| Revoke | Automatically remove access when time expires | Auto-expiry, credential rotation |
| Certify | Periodic review of all privileged access rights | Quarterly access certification |
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001:2022 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Privileged access control | A.8.2 | CC6.3 | Art. 21(2)(i) | Art. 9(4)(c) |
| Least privilege | A.8.3 | CC6.1 | Art. 21(2)(i) | Art. 9(4)(c) |
| Access review | A.5.18 | CC6.2 | Art. 21(2)(i) | Art. 9(2) |
| Session monitoring | A.8.15 | CC7.2 | Art. 21(2)(b) | Art. 10(2) |
| Credential management | A.5.17, A.8.5 | CC6.1 | Art. 21(2)(j) | Art. 9(4)(d) |
| Separation of duties | A.5.3 | CC6.1 | Art. 21(2)(i) | Art. 9(2) |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| PAM policy | Documented privileged access management policy | All frameworks |
| Privileged account inventory | Complete list of all privileged accounts with owners | All frameworks |
| Credential rotation logs | Evidence of automated password and key rotation | All frameworks |
| Session recordings | Recordings of privileged sessions for audit review | ISO 27001, SOC 2, DORA |
| JIT access logs | Records of privilege elevation requests and approvals | All frameworks |
| Access certification reports | Quarterly review results with attestations | All frameworks |
| Anomaly detection alerts | Records of flagged suspicious privileged activity | NIS2, DORA |
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| Shared admin accounts | No individual accountability for privileged actions | Individual named accounts with PAM vault |
| Static service account passwords | Credential theft and lateral movement; a leaked secret stays valid indefinitely | Automated rotation, managed identities (gMSA, cloud workload identities) |
| No session monitoring | Cannot detect misuse of privileged access | Implement session recording and review |
| Standing privileges | Excessive attack surface from persistent admin access | Just-in-time access with auto-expiry |
| Excluding cloud from PAM | Cloud admin accounts unmanaged and unmonitored | Extend PAM to all cloud platforms |
| No break-glass procedures | Locked out during emergencies, or uncontrolled emergency access | Documented, tested, and audited break-glass process |
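The mistakes above can be checked mechanically against a privileged-account inventory, which also produces the inventory and rotation evidence listed under Audit Evidence. Below is an added example written for this page, not Orbiq's or any vendor's tooling: it runs one rule per row of the table over a constructed inventory export (one JSON record per line; the field names, the 90-day rotation threshold and the review date are assumptions for the example) and returns findings paired with the fix the table recommends.

```python
from __future__ import annotations
import json
from datetime import datetime, timezone

ROTATION_MAX_DAYS = 90                                # assumed policy threshold
ADMIN_TYPES = {"domain-admin", "root", "cloud-admin"}
CLOUD_PLATFORMS = {"aws", "azure", "gcp"}
AS_OF = datetime(2025, 1, 6, tzinfo=timezone.utc)     # constructed review date

# Constructed inventory export (field names assumed); one JSON record per line.
INVENTORY = """\
{"account":"corp-admin-shared","type":"domain-admin","owner":"it-ops-team","individual":false,"standing":true,"secret_rotated":"2024-02-01","vaulted":false,"platform":"ad"}
{"account":"svc-backup","type":"service","owner":"jane.doe","individual":true,"standing":true,"secret_rotated":"2024-11-20","vaulted":true,"platform":"ad"}
{"account":"arn:aws:iam::123456789012:root","type":"cloud-admin","owner":"cloud-platform","individual":false,"standing":true,"secret_rotated":"2024-12-15","vaulted":false,"platform":"aws"}
{"account":"alice.admin","type":"domain-admin","owner":"alice","individual":true,"standing":false,"secret_rotated":"2025-01-02","vaulted":true,"platform":"ad"}
{"account":"breakglass-01","type":"break-glass","owner":"ciso","individual":false,"standing":true,"secret_rotated":"2024-12-01","vaulted":true,"platform":"ad","last_tested":null}
"""

def _age_days(date_str: str, now: datetime) -> int:
    rotated = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - rotated).days

def check_account(acct: dict, now: datetime) -> list[dict]:
    """Apply the Common Mistakes rules to one inventory record."""
    findings: list[dict] = []

    def flag(mistake: str, fix: str) -> None:
        findings.append({"account": acct["account"], "mistake": mistake, "fix": fix})

    # Shared credentials remove individual accountability; break-glass is exempt by design.
    if not acct["individual"] and acct["type"] != "break-glass":
        flag("Shared admin accounts", "Individual named accounts with PAM vault")
    # A secret older than the rotation window is treated as static.
    if _age_days(acct["secret_rotated"], now) > ROTATION_MAX_DAYS:
        flag("Static service account passwords", "Automated rotation, managed identities")
    # Persistent membership in an admin tier is standing privilege.
    if acct["standing"] and acct["type"] in ADMIN_TYPES:
        flag("Standing privileges", "Just-in-time access with auto-expiry")
    # Cloud admin identities outside the vault are unmanaged.
    if acct["platform"] in CLOUD_PLATFORMS and not acct["vaulted"]:
        flag("Excluding cloud from PAM", "Extend PAM to all cloud platforms")
    # A break-glass account that has never been exercised is an untested procedure.
    if acct["type"] == "break-glass" and not acct.get("last_tested"):
        flag("No break-glass procedures", "Documented, tested, and audited break-glass process")
    return findings

def audit_inventory(text: str, now: datetime = AS_OF) -> list[dict]:
    findings: list[dict] = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(check_account(json.loads(line), now))
    return findings

def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per mistake type for the review report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["mistake"]] = counts.get(f["mistake"], 0) + 1
    return counts

if __name__ == "__main__":
    results = audit_inventory(INVENTORY)
    for f in results:
        print(f"{f['account']:40} {f['mistake']:36} -> {f['fix']}")
    print(summarize(results))
```

Two accounts in the sample (`svc-backup`, a vaulted service account rotated within the window, and `alice.admin`, a named JIT-only admin) produce no findings, which is the point of keeping them in the inventory: the check should be quiet on correctly managed accounts and noisy only on the ones that need fixing.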
How Orbiq Supports PAM Compliance
Orbiq helps you demonstrate privileged access controls:
- Evidence collection — Centralise PAM policies, access reviews, and session logs
- Continuous monitoring — Track privileged access coverage and compliance posture
- Trust Center — Share your privileged access controls via your Trust Center
- Compliance mapping — Map PAM controls to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review
Further Reading