BG Beter Geregeld ICT
Access reviews · 2 min leestijd · 04 January 2026

Access review scope: what's in, what's out?

Not every user, not every system needs to be included in every review. Here's how to define your scope so it stays manageable — and defensible in an audit.

Defining review scope is the first step of the review process. Get it wrong here and you'll either drown in unnecessary work — or miss something critical.

\n \n

People within scope

\n
    \n
  • Active employees: always.
    • \n
  • Scheduled to start: not yet active, not in scope yet.
    • \n
  • Scheduled to leave: in scope — final check before departure.
    • \n
  • Inactive since the previous review: in scope one more time to verify that access has genuinely been revoked.
    • \n
  • Contractors and external parties: a separate review track with its own cadence (typically monthly).
    • \n
\n \n

Systems within scope

\n
    \n
  • All tier-1 (critical) systems: always.
    • \n
  • Tier-2: included in every standard review.
    • \n
  • Tier-3 (nice-to-have SaaS): every six months, unless there is a specific reason to review sooner.
    • \n
\n \n

Document your scope decisions

\n

Record your scope policy in your ISMS. For each review, keep a scope snapshot that captures exactly what was included. This allows an auditor to compare across reviews and confirm that you are applying your scope consistently.

\n \n

See also: sample-based or full review, SaaS inventory.

Onderwerpen

#governance #access-review #scope

Volledige gids: Revisiones de acceso periódicas: proceso, frecuencia y evidencia

Dit artikel is onderdeel van onze uitgebreide Access reviews-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Access reviews

Periodic access reviews: process, frequency, and audit evidence

An access review is an audit requirement that nearly every SMB struggles with. Once you set it up properly the first time, the second round won't cost you a whole week.

2 min
Access reviews

Reviewing service accounts — the invisible majority

Alongside real employees, you have service accounts: API integrations, scheduled jobs, automation. Often there are more of these than human users. Who owns them, and how do you review them?

2 min
Access reviews

Reviewing the Global Admin role: the highest-risk category

If there is one category where review discipline is absolutely critical, it's Global Admin and equivalent roles. Here is the dedicated procedure that sits on top of your standard access review.

2 min
Access reviews

Dealing with "former employees" in your review — the cleanup round

Your first review turns up 8 accounts belonging to people who left years ago. That's not a problem — that's progress. Here's how to handle it without it turning into a blame session.

2 min
Access reviews

Bulk decisions in access reviews: faster without being careless

80% of the rows in a review are routine. You want to handle those in a single click. How do you do that without accidentally missing a critical row?

2 min
Access reviews

Evidence for access reviews: what to keep and where

A review without evidence is, as far as an auditor is concerned, a review that never happened. Here's what to retain, in what format, and for how long.

2 min
← Alle artikelen in "Access reviews"