BG Beter Geregeld ICT
Access reviews · 2 min leestijd · 12 December 2025

Getting managers involved in access reviews without pushback

A security officer can't assess who should have access to sales tools — that's the sales manager's call. Here's how to make it a natural part of their workflow instead of a yearly headache.

Access reviews don't work without managers. They know who actually uses what. You can only see whether access is switched on or off. So how do you keep it from becoming a drama?

Keep it short

A manager should be done in under 20 minutes per quarter. Show only the rows for their team. Pre-filter with "keep" suggestions so managers only need to look at the exceptions.

Make it business-relevant

Not "IT says you have to do this" — but rather "we've identified 8 accounts in your team that are generating more SaaS costs than necessary. Can you quickly check which ones we can cancel?" Budget is a better motivator than compliance.

Make it easy to do

  • 1 link in an email, no login hoops to jump through.
  • Keyboard-friendly (k for keep, r for revoke, c for change).
  • Bulk actions for similar rows.
  • Mobile-first — many managers do this between meetings.

Onboarding

First time: a 15-minute walkthrough per manager. Second time: a short refresher email. Third time: they do it without any help.

Accountability

A post-review report shows which managers completed their part on time — and which didn't. Transparency without naming and shaming works.

See also: review pillar, quarterly cadence.

Onderwerpen

#governance #access-review #managers

Volledige gids: Revisiones de acceso periódicas: proceso, frecuencia y evidencia

Dit artikel is onderdeel van onze uitgebreide Access reviews-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Access reviews

Periodic access reviews: process, frequency, and audit evidence

An access review is an audit requirement that nearly every SMB struggles with. Once you set it up properly the first time, the second round won't cost you a whole week.

2 min
Access reviews

Reviewing service accounts — the invisible majority

Alongside real employees, you have service accounts: API integrations, scheduled jobs, automation. Often there are more of these than human users. Who owns them, and how do you review them?

2 min
Access reviews

Reviewing the Global Admin role: the highest-risk category

If there is one category where review discipline is absolutely critical, it's Global Admin and equivalent roles. Here is the dedicated procedure that sits on top of your standard access review.

2 min
Access reviews

Dealing with "former employees" in your review — the cleanup round

Your first review turns up 8 accounts belonging to people who left years ago. That's not a problem — that's progress. Here's how to handle it without it turning into a blame session.

2 min
Access reviews

Access review scope: what's in, what's out?

Not every user, not every system needs to be included in every review. Here's how to define your scope so it stays manageable — and defensible in an audit.

2 min
Access reviews

Bulk decisions in access reviews: faster without being careless

80% of the rows in a review are routine. You want to handle those in a single click. How do you do that without accidentally missing a critical row?

2 min
← Alle artikelen in "Access reviews"