Newsletter · Edition #8 · Access · 3 min read

The access review everyone fakes

Rubber-stamping a user list once a quarter is not an access review — and auditors can tell.

The periodic access review is one of the most-required and least-respected controls. Done properly it prevents privilege creep and insider risk. Done as a rubber stamp, it’s an audit finding waiting to happen.

What a real review looks like

A reviewer who actually owns the system confirms each person still needs their level of access, and revocations happen. Leavers are gone within a day, not discovered months later. The output is dated evidence with decisions — not a screenshot of an unchanged list.

The failure mode

The classic failure: IT “reviews” access by exporting a list nobody with business context ever looks at. Then a former employee’s account turns up active in a breach. That’s the whole control, defeated.
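As an added example that is not part of the newsletter, the Python below shows the reconciliation a real review produces and the rubber stamp does not: it checks a system's access export against the HR roster, records an explicit owner decision for every entry (nothing is approved by default), and emits dated, attributable records. The users, roles, dates and the one-day leaver window are constructed for illustration.

```python
from datetime import date

# Constructed sample data, not from any real system: a system's access export
# and the HR roster it is reconciled against.
ACCESS_EXPORT = [
    {"user": "asha", "role": "admin"},
    {"user": "ben", "role": "admin"},         # left the company, still active
    {"user": "carla", "role": "reader"},
    {"user": "svc-backup", "role": "admin"},  # no HR record: needs an owner
]
HR_ROSTER = {
    "asha": {"employed": True},
    "ben": {"employed": False, "left": date(2024, 3, 1)},
    "carla": {"employed": True},
}


def review_access(export, roster, owner_decisions, reviewer, today):
    """Return one dated decision record per export row.
    Leavers are revoked automatically; every other row needs an explicit
    'keep' or 'revoke' from the system owner, otherwise it stays 'pending'."""
    records = []
    for entry in export:
        user, role = entry["user"], entry["role"]
        person = roster.get(user)
        if person is not None and not person["employed"]:
            overdue = (today - person["left"]).days - 1  # one-day grace to offboard
            decision = "revoke"
            reason = f"leaver since {person['left']}, {overdue} day(s) overdue"
        else:
            decision = owner_decisions.get((user, role), "pending")
            if person is None:
                reason = "no HR record; owner must attest or revoke"
            else:
                reason = "owner attestation" if decision != "pending" else "no owner decision"
        records.append({"user": user, "role": role, "decision": decision,
                        "reason": reason, "reviewer": reviewer,
                        "date": today.isoformat()})
    return records


def review_complete(records):
    """The control is only satisfied when every row carries a real decision."""
    return all(r["decision"] in ("keep", "revoke") for r in records)


def revocations(records):
    """Users whose access must actually be removed after the review."""
    return sorted(r["user"] for r in records if r["decision"] == "revoke")


def sample_review(decisions):
    """Run the constructed sample with a fixed review date (hypothetical owner)."""
    return review_access(ACCESS_EXPORT, HR_ROSTER, decisions,
                         "priya (system owner)", date(2024, 4, 1))
```

A review with a `pending` row is not evidence; it is a reminder that the owner has not yet looked.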

The bottom line

Put access reviews in the hands of system owners, capture the decisions, and act on them. It’s a small habit that closes a large risk.
