Quarterly cadence for access reviews: planning and rhythm
Four reviews a year sounds like a lot. In practice, a well-structured approach takes just 3–4 hours per quarter. Here's the cadence that works for a 40-person SMB.
A quarterly cadence is the natural rhythm for access reviews at an SMB of up to around 100 employees. Reviewing less often falls short of ISO compliance; reviewing more often creates unnecessary work.

The 3-week cycle per quarter

- Week 1: snapshot + scope (30 min). Usually on the first working day of the quarter.
- Week 2: managers make decisions for their teams (30 min per manager).
- Week 3: IT carries out revokes/changes. The report is signed off and archived.

Annual calendar

- Q1 review: 2nd week of January, report finalised by end of January.
- Q2: 2nd week of April.
- Q3: 2nd week of July.
- Q4: 2nd week of October — also feeds into the management review.

Who handles coordination?

One person acts as "review owner" — typically the security officer or operations lead. Not the CEO; that doesn't scale.

Escalation

If a manager hasn't responded within 5 working days, escalate to management. Consistency here matters more than the content itself — once managers sense that deadlines aren't taken seriously, the entire process starts to slip.

See also: review pillar, involving managers.