Question on ISO 27001

First is important to note that ISO 27001 does not prescribe such a requirement about the restriction of user IDs. This information can be found in ISO 27002, a supporting standard that defines guidance and recommendations for implementation of ISO 27001 Annex A controls, and these are no mandatory and can be adopted at the discretion of each organization.

Additionally, in the recommendations for implementation of control A.9.2.1, you can find that shared IDs may be permitted where they are necessary for business or operational reasons, and in such cases, this use should be approved and documented.

Considering that, you can argue with your supplier that the use of shared accounts is possible without compromising ISO 27001 compliance, provided it is specifically approved and documented, but please note that the provider may have a business or legal reason to define this specific rule in its policy about no shared IDs and may not be allowed to open any exceptions. In this case it is your decision to accept this condition or do not make deal with this provider.

As an alternative, you can open an email address in a specific name to which the supplier will send service tickets, and then automatically forward all received emails to service email.

These articles will provide you a further explanation about ISO 2700e and access control:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/