Newsletter · Edition #8 · Access · 3 min read
The access review everyone fakes
Rubber-stamping a user list once a quarter is not an access review — and auditors can tell.
The periodic access review is one of the most-required and least-respected controls. Done properly it prevents privilege creep and insider risk. Done as a rubber stamp, it’s an audit finding waiting to happen.
What a real review looks like
A reviewer who actually owns the system confirms each person still needs their level of access, and revocations happen. Leavers are gone within a day, not discovered months later. The output is dated evidence with decisions — not a screenshot of an unchanged list.
The failure mode
The classic failure: IT “reviews” access by exporting a list nobody with business context ever looks at. Then a former employee’s account turns up active in a breach. That’s the whole control, defeated.
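One way to turn the two sections above into a repeatable, evidenced check, as an added example that is not from the newsletter: reconcile the identity provider's account export against the HR roster, record a dated decision per active account, and flag any leaver whose account is still live past the removal SLA. The CSV columns, the one-day SLA and the owner-decision mapping are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date
# Constructed sample data (not from the newsletter): an identity-provider
# account export and the HR roster it is reconciled against.
ACCOUNTS_CSV = """username,role,status
alice,admin,active
bob,readonly,active
carol,admin,active
dave,readonly,disabled
"""
ROSTER_CSV = """username,employed,termination_date
alice,yes,
bob,no,2024-03-15
carol,yes,
dave,no,2024-01-10
"""
LEAVER_SLA_DAYS = 1  # assumed SLA: a leaver's access is gone within a day

def _rows(csv_text):
    return {r["username"]: r for r in csv.DictReader(io.StringIO(csv_text))}

def review(accounts_csv, roster_csv, owner_decisions, today_iso):
    """Reconcile active accounts against HR; return (evidence, findings).
    owner_decisions maps username -> (reviewer, "keep"|"revoke"), the system
    owner's call. evidence holds one dated decision per active account;
    findings lists leavers still active past the SLA and accounts nobody ruled on."""
    today = date.fromisoformat(today_iso)
    accounts, roster = _rows(accounts_csv), _rows(roster_csv)
    evidence, findings = [], []
    for user, acct in accounts.items():
        if acct["status"] != "active":
            continue  # already disabled: nothing to decide
        hr = roster.get(user)
        if hr is None or hr["employed"] == "no":  # leaver or unknown to HR: revoke
            reviewer, decision, reason = "auto", "revoke", "not an active employee"
            term = hr["termination_date"] if hr else ""
            overdue = (today - date.fromisoformat(term)).days if term else None
            if overdue is None or overdue > LEAVER_SLA_DAYS:
                findings.append(f"{user}: leaver account still active "
                                f"({'unknown' if overdue is None else overdue} days past termination)")
        elif user in owner_decisions:
            reviewer, decision = owner_decisions[user]
            reason = "owner attestation"
        else:
            reviewer, decision, reason = None, "pending", "no owner decision"
            findings.append(f"{user}: active {acct['role']} account with no owner decision")
        evidence.append({"date": today_iso, "user": user, "role": acct["role"],
                         "decision": decision, "reviewer": reviewer, "reason": reason})
    return evidence, findings
```

The evidence list is the artefact an auditor wants: a date, a named reviewer and a decision per account, while the findings list is the work queue the system owner must clear before the review counts as complete.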
The bottom line
Put access reviews in the hands of system owners, capture the decisions, and act on them. It’s a small habit that closes a large risk.
Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.
