Access reviews—also called access certification or attestation—are a critical control for maintaining a secure identity landscape. They ensure that access rights remain appropriate as roles change, employees leave, and projects end. Here's how to conduct effective access reviews.
## Why access reviews matter

### The security imperative
Without regular access reviews:
- Former employees retain access to systems
- Excessive permissions accumulate over time
- Contractors keep access after projects end
- "Just in case" access becomes permanent
This accumulation steadily widens the attack surface that attackers exploit.
### The compliance requirement
Most regulatory frameworks require access reviews:
- SOC 2: CC6.1 requires periodic review of access
- ISO 27001: A.9.2.3 requires periodic reviews
- GDPR: Requires appropriate access controls
- PCI DSS: Requires quarterly access reviews
### The business benefit
Effective access reviews:
- Reduce the blast radius of potential breaches
- Demonstrate due diligence to auditors
- Ensure least privilege is maintained
- Identify accumulated permissions
## Planning your access review programme

### Define scope
What systems are in scope?
High priority:
- Identity providers (Active Directory, Okta, Azure AD)
- Cloud platforms (AWS, Azure, GCP)
- Financial systems
- HR systems
- Customer data systems
Medium priority:
- Productivity tools
- Communication platforms
- Project management tools
Lower priority:
- Low-risk utilities
- Read-only tools
### Define frequency
How often should you review?
Quarterly: Critical systems, privileged access
- Identity systems
- Financial systems
- Admin consoles
Semi-annually: Important business systems
- CRM platforms
- HR systems
- Document management
Annually: Standard business applications
- Productivity tools
- Collaboration platforms
- Low-risk utilities
### Define roles and responsibilities

Access review owner: Typically security or IT leadership
- Sets review schedule
- Defines scope and criteria
- Ensures remediation
Managers/reviewers: Business leadership
- Attest to direct reports' access
- Approve exceptions
- Escalate concerns
System owners: Application owners
- Provide access reports
- Define appropriate access
- Review privileged access
Employees: End users
- Attest to their own access needs
- Request access changes
- Confirm access is appropriate
## Conducting effective access reviews

### Pre-review preparation
1-2 weeks before:
- Generate access reports from each system
- Categorise users by role/department
- Identify privileged accounts
- Flag accounts requiring special attention:
  - Dormant accounts
  - Shared accounts
  - Service accounts
  - Contractors
1 month before:
- Notify reviewers of upcoming reviews
- Provide training on review process
- Set deadlines for completion
- Clarify escalation procedures
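The preparation steps above (extract access, identify privileged accounts, flag dormant, shared, service and contractor accounts, and categorise by risk) are the part of the cycle most worth scripting. The following is an added example, not code from the original article: it turns a constructed access export and HR roster into a prioritised reviewer worklist. The export columns, the 90-day dormancy threshold, the privileged-role list and the "sensitive system" set are all assumptions chosen for illustration.

```python
"""Pre-review preparation: turn a raw access export into a reviewer worklist.

Added example, not code from the original article. The export columns, the
HR roster, the 90-day dormancy threshold and the privileged-role list are
assumptions chosen for illustration; every record below is constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date

DORMANT_AFTER_DAYS = 90          # assumed policy threshold
REVIEW_DATE = date(2024, 6, 1)   # constructed "today" for this review cycle

# Constructed sample of what an identity-provider or cloud export might look like.
ACCESS_EXPORT = """\
username,system,role,account_type,last_login
alice,aws,AdministratorAccess,user,2024-05-28
bob,aws,ReadOnly,user,2024-01-03
svc-backup,aws,BackupOperator,service,2024-05-30
shared-helpdesk,okta,HelpdeskAdmin,shared,2024-05-29
carol,okta,User,contractor,2024-05-20
dave,finance-app,Approver,user,2024-05-31
"""

# Constructed HR roster. A person missing from it, or not 'active', should not hold access.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "active"}

PRIVILEGED_ROLES = {"AdministratorAccess", "HelpdeskAdmin", "Approver", "BackupOperator"}
SENSITIVE_SYSTEMS = {"finance-app"}  # assumed: systems holding financial or customer data
SPECIAL_TYPES = {"shared", "service", "contractor"}  # the "special attention" categories


@dataclass
class AccountFinding:
    username: str
    system: str
    role: str
    flags: list[str] = field(default_factory=list)
    priority: int = 3  # 1 = privileged, 2 = sensitive-data system, 3 = general access


def flag_account(row: dict[str, str], today: date) -> AccountFinding:
    """Apply the pre-review checks to one export row."""
    finding = AccountFinding(row["username"], row["system"], row["role"])
    if (today - date.fromisoformat(row["last_login"])).days > DORMANT_AFTER_DAYS:
        finding.flags.append("dormant")
    if row["account_type"] in SPECIAL_TYPES:
        finding.flags.append(row["account_type"])
    # Shared and service accounts have no single person to look up in HR;
    # every other account must belong to an active person on the roster.
    if row["account_type"] not in {"shared", "service"} and HR_ROSTER.get(row["username"]) != "active":
        finding.flags.append("not-active-in-hr")
    if row["role"] in PRIVILEGED_ROLES:
        finding.flags.append("privileged")
        finding.priority = 1
    elif row["system"] in SENSITIVE_SYSTEMS:
        finding.priority = 2
    return finding


def build_worklist(export_csv: str, today: date) -> list[AccountFinding]:
    """Flag every account and order the list the way reviewers should work it:
    privileged first, then sensitive data, then general access; within a tier,
    accounts carrying more flags come first."""
    findings = [flag_account(row, today) for row in csv.DictReader(io.StringIO(export_csv))]
    findings.sort(key=lambda f: (f.priority, -len(f.flags), f.username))
    return findings


if __name__ == "__main__":
    for f in build_worklist(ACCESS_EXPORT, REVIEW_DATE):
        print(f"P{f.priority} {f.username:16} {f.system:12} {f.role:20} {', '.join(f.flags) or '-'}")
```

The HR cross-check is the part that catches the "former employees retain access" case: in the constructed data, `bob` is terminated in HR but still holds an AWS role and has not logged in for months, so he surfaces with both `dormant` and `not-active-in-hr`. Shared and service accounts are deliberately exempted from that check and flagged by type instead, because they need an owner rather than an HR record.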
### During the review

For each user, reviewers should verify:
- Does this person still work here?
- Is this person's role correct?
- Does the person still need access to each system?
- Does the person have an appropriate access level?
- Are there any unusual permissions?
Questions to ask:
- Is this access required for current job function?
- When was this access last used?
- Are there alternative ways to provide needed access?
- Can we reduce access while maintaining productivity?
### Post-review actions
Immediate:
- Remove access that's been flagged for removal
- Document any exceptions with approvals
- Update access as requested
Follow-up:
- Investigate any concerns raised
- Report summary to leadership
- Track metrics for continuous improvement
## Access review best practices

### Make it systematic
Standardised process:
- Use consistent templates
- Follow defined workflows
- Document every decision
Automated where possible:
- Automate data collection
- Automate notifications
- Automate access removal where safe
Regular cadence:
- Schedule reviews in advance
- Protect time for reviews
- Don't skip reviews
### Focus on the right things
Prioritise by risk:
- Privileged accounts first
- Access to sensitive data second
- General access third
Look for anomalies:
- Dormant accounts
- Excessive permissions
- Unusual access patterns
- Accounts that shouldn't exist
### Get good participation
Clear communication:
- Explain why reviews matter
- Make it easy to participate
- Set realistic deadlines
- Provide support
Management buy-in:
- Get leadership commitment
- Make reviewers accountable
- Report on completion rates
### Document everything
Maintain records:
- Who was reviewed
- What access was verified
- What decisions were made
- When access was removed
Evidence for auditors:
- Review reports
- Approval documentation
- Exception justifications
- Remediation evidence
## Common access review challenges

### Challenge 1: Too many systems to review
Solution: Prioritise and phase
- Review high-risk systems quarterly
- Review lower-risk systems annually
- Automate where possible
### Challenge 2: Unresponsive reviewers
Solution: Escalation and consequences
- Set clear deadlines
- Escalate to management
- Track completion metrics
- Report to leadership
### Challenge 3: Legacy access with no owner
Solution: Conservative removal
- If you can't determine need, remove access
- Document the removal
- Enable easy restoration if needed
### Challenge 4: Business disruption concerns
Solution: Careful communication
- Allow time for access requests
- Provide alternative access
- Test before removing critical access
- Have rollback plan
### Challenge 5: Evidence management
Solution: Automated systems
- Use access review tooling
- Store evidence systematically
- Make evidence searchable
- Retain per requirements
## Automating access reviews

### Benefits of automation
- Consistent execution
- Reduced manual effort
- Better tracking
- Improved evidence
### Automation options
Identity governance platforms:
- Automated campaign creation
- Workflow-based reviews
- Automated remediation
- Evidence generation
Native tools:
- Azure AD access reviews
- AWS IAM Access Analyzer
- Google Workspace Access Transparency
Custom solutions:
- Scripts to extract access data
- Workflow automation tools
- Custom reporting
### What to automate
Review scheduling:
- Campaign creation
- Notification sending
- Deadline reminders
Data collection:
- Access extraction
- User attribution
- Privilege identification
Remediation:
- Automated deprovisioning
- Access modification
- Exception workflows
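Automated remediation is only sound if it follows the rules set out earlier: remove access "where safe", document every exception, remove legacy access that nobody will attest to, and keep a rollback path so restoration is easy. The following is an added example, not the article's own code, that models those rules for the "Remediation" items above and for Challenges 3 and 4. The in-memory grant store, the rule that privileged-role and service-account removals are never automated, and the sample reviewer decisions are constructed assumptions for illustration.

```python
"""Remediation with a safety gate and a restoration record.

Added example, not code from the original article. The grant store, the
decisions and the "never automate privileged or service-account removal"
rule are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

REVIEW_TIME = datetime(2024, 6, 15, tzinfo=timezone.utc)  # constructed timestamp

# Constructed current grants: (username, system) -> role.
GRANTS: dict[tuple[str, str], str] = {
    ("alice", "aws"): "AdministratorAccess",
    ("bob", "aws"): "ReadOnly",
    ("carol", "okta"): "User",
    ("svc-backup", "aws"): "BackupOperator",
    ("erin", "finance-app"): "Viewer",
}

# Constructed reviewer decisions. 'no_owner' models legacy access that nobody
# would attest to; the conservative rule is to remove it and keep a record.
DECISIONS = [
    {"user": "alice", "system": "aws", "decision": "keep", "reviewer": "cto"},
    {"user": "bob", "system": "aws", "decision": "remove", "reviewer": "fin-mgr"},
    {"user": "carol", "system": "okta", "decision": "exception", "reviewer": "mkt-mgr",
     "justification": "contract extended to Q3"},
    {"user": "svc-backup", "system": "aws", "decision": "remove", "reviewer": "plat-lead"},
    {"user": "erin", "system": "finance-app", "decision": "no_owner", "reviewer": None},
]

PRIVILEGED_ROLES = {"AdministratorAccess", "BackupOperator"}  # assumed
SERVICE_ACCOUNT_PREFIX = "svc-"                                # assumed naming convention


@dataclass
class RemediationResult:
    removed: list[dict]       # grants actually revoked, with the state needed to restore them
    manual_queue: list[dict]  # removals routed to a person because automation is unsafe
    exceptions: list[dict]    # access kept, with the documented justification


def is_safe_to_automate(user: str, role: str) -> bool:
    """Automate only low-blast-radius removals; anything privileged or
    machine-facing goes to a human who can test before removing."""
    return role not in PRIVILEGED_ROLES and not user.startswith(SERVICE_ACCOUNT_PREFIX)


def remediate(grants: dict[tuple[str, str], str], decisions: list[dict],
              now: datetime) -> RemediationResult:
    result = RemediationResult([], [], [])
    for d in decisions:
        key = (d["user"], d["system"])
        role = grants.get(key)
        if role is None or d["decision"] == "keep":
            continue  # nothing to change
        if d["decision"] == "exception":
            if not d.get("justification"):
                raise ValueError(f"exception for {key} lacks a justification")
            result.exceptions.append({**d, "role": role})
            continue
        # 'remove' and 'no_owner' both end in removal. The record keeps the
        # previous role so the grant can be reinstated quickly if it was needed.
        record = {
            "user": d["user"], "system": d["system"], "previous_role": role,
            "reason": d["decision"], "reviewer": d["reviewer"],
            "removed_at": now.isoformat(),
        }
        if is_safe_to_automate(d["user"], role):
            del grants[key]
            result.removed.append(record)
        else:
            result.manual_queue.append(record)
    return result


def restore(grants: dict[tuple[str, str], str], record: dict) -> None:
    """Rollback path: reinstate a grant from its removal record."""
    grants[(record["user"], record["system"])] = record["previous_role"]


if __name__ == "__main__":
    store = dict(GRANTS)
    outcome = remediate(store, DECISIONS, REVIEW_TIME)
    print("removed:", [r["user"] for r in outcome.removed])
    print("manual queue:", [r["user"] for r in outcome.manual_queue])
    print("exceptions:", [e["user"] for e in outcome.exceptions])
```

In the constructed run, `bob` (read-only, explicitly marked for removal) and `erin` (legacy access with no owner) are deprovisioned automatically, while the service account `svc-backup` is queued for a person even though a reviewer asked for removal: that is the "test before removing critical access" step from Challenge 4. Each removal record carries the previous role, which is what makes the "enable easy restoration" advice practical.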
## Measuring access review effectiveness

### Completion metrics
- Percentage of planned reviews completed
- Time to complete reviews
- Number of access changes made
- Exceptions granted and approved
### Security metrics
- Dormant accounts identified
- Excessive access removed
- Privileged accounts reviewed
- Risk findings addressed
### Compliance metrics
- Evidence availability
- Audit finding trends
- Policy exception rates
- Remediation timeliness
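The completion, security and compliance metrics above fall out of the same campaign record that serves as audit evidence, so it is worth computing them from that record rather than by hand. The following is an added example, not the article's own code: it takes a constructed campaign of review items and produces the completion and security metrics listed above plus one JSON evidence line per reviewed item (who was reviewed, by whom, what was decided, when). The campaign format and the exact metric definitions are assumptions made for illustration.

```python
"""Campaign metrics and evidence records for one access review cycle.

Added example, not code from the original article. The campaign record
format and the metric definitions are assumptions; the data is constructed.
"""
from __future__ import annotations

import json
from datetime import date
from statistics import median

# Constructed campaign: one item per (user, system) that a reviewer had to attest to.
CAMPAIGN = {
    "name": "2024-Q2-privileged",
    "opened": "2024-06-01",
    "deadline": "2024-06-15",
    "items": [
        {"user": "alice", "system": "aws", "privileged": True, "reviewer": "cto",
         "decision": "keep", "decided": "2024-06-03", "flags": []},
        {"user": "bob", "system": "aws", "privileged": False, "reviewer": "fin-mgr",
         "decision": "remove", "decided": "2024-06-10", "flags": ["dormant"]},
        {"user": "carol", "system": "okta", "privileged": False, "reviewer": "mkt-mgr",
         "decision": "exception", "decided": "2024-06-05", "flags": ["contractor"]},
        {"user": "dave", "system": "finance-app", "privileged": True, "reviewer": "cfo",
         "decision": "reduce", "decided": "2024-06-14", "flags": ["excessive"]},
        {"user": "erin", "system": "finance-app", "privileged": False, "reviewer": "cfo",
         "decision": None, "decided": None, "flags": []},
    ],
}

CHANGE_DECISIONS = {"remove", "reduce"}


def completion_metrics(campaign: dict) -> dict:
    """How much of the campaign got done, how fast, and what changed."""
    items = campaign["items"]
    opened = date.fromisoformat(campaign["opened"])
    done = [i for i in items if i["decision"] is not None]
    days = [(date.fromisoformat(i["decided"]) - opened).days for i in done]
    return {
        "completed_pct": round(100 * len(done) / len(items), 1),
        "median_days_to_decide": median(days) if days else None,
        "access_changes": sum(1 for i in done if i["decision"] in CHANGE_DECISIONS),
        "exceptions": sum(1 for i in done if i["decision"] == "exception"),
        "outstanding": [i["user"] for i in items if i["decision"] is None],
    }


def security_metrics(campaign: dict) -> dict:
    """Did the review find and fix the things it exists to find?"""
    items = campaign["items"]
    privileged = [i for i in items if i["privileged"]]
    return {
        "dormant_identified": sum(1 for i in items if "dormant" in i["flags"]),
        "excessive_removed": sum(1 for i in items
                                 if "excessive" in i["flags"] and i["decision"] in CHANGE_DECISIONS),
        "privileged_reviewed_pct": (round(100 * sum(1 for i in privileged if i["decision"]) / len(privileged), 1)
                                    if privileged else None),
    }


def evidence_records(campaign: dict) -> list[str]:
    """One JSON line per item: who was reviewed, by whom, what was decided and when.
    Outstanding items are recorded too, so the evidence shows gaps as well as decisions."""
    return [
        json.dumps({"campaign": campaign["name"], "user": i["user"], "system": i["system"],
                    "reviewer": i["reviewer"], "decision": i["decision"] or "outstanding",
                    "decided": i["decided"], "flags": i["flags"]}, sort_keys=True)
        for i in campaign["items"]
    ]


if __name__ == "__main__":
    print(completion_metrics(CAMPAIGN))
    print(security_metrics(CAMPAIGN))
    print("\n".join(evidence_records(CAMPAIGN)))
```

Recording outstanding items in the evidence, not just completed ones, is deliberate: an auditor wants to see that the review covered everyone in scope, and the "outstanding" list is exactly what the escalation step in Challenge 2 acts on.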
### Continuous improvement
- Track year-over-year trends
- Identify recurring issues
- Refine scope and frequency
- Improve processes
## Quick reference: Access review checklist

### Planning
- [ ] Define scope of reviews
- [ ] Determine frequency by system
- [ ] Assign reviewers and owners
- [ ] Set timeline and deadlines
### Preparation
- [ ] Generate access reports
- [ ] Categorise by risk
- [ ] Identify privileged accounts
- [ ] Flag anomalies
### Execution
- [ ] Notify reviewers
- [ ] Provide training/support
- [ ] Monitor completion
- [ ] Escalate as needed
### Remediation
- [ ] Remove unnecessary access
- [ ] Document exceptions
- [ ] Update access as needed
- [ ] Verify changes
### Documentation
- [ ] Maintain review records
- [ ] Store evidence
- [ ] Report to leadership
- [ ] Track metrics
## Making access reviews sustainable

### Build it into operations
- Include in IT operations cadence
- Link to performance objectives
- Make part of manager responsibilities
### Continuous improvement
- Learn from each review cycle
- Refine processes
- Address gaps
- Expand automation
### Balance security and productivity
- Don't block legitimate access
- Enable easy access restoration
- Communicate changes clearly
- Minimise business impact
## Conclusion
Access reviews are essential for maintaining a secure identity landscape. The key is making them systematic, thorough, and sustainable.
Start where you are, build the programme progressively, and continuously improve. Every access review reduces your attack surface and demonstrates compliance.
The alternative—accumulated permissions and unchecked access—is a risk no organisation should accept.