Evidence for access reviews: what to keep and where
A review without evidence is, as far as an auditor is concerned, a review that never happened. Here's what to retain, in what format, and for how long.
During an ISO audit, auditors ask for evidence. "We do reviews" is not enough — they want to see what happened, by whom, and when.
What to retain per review
- Snapshot export: who had access to what at the time of the review.
- Decision per row: keep/revoke/change, plus any justification provided.
- Participants: who made which decisions.
- Timeline: start, close, and execution of actions.
- Execution: confirmation that revoke actions were actually carried out.
- Final report: 2-page PDF with a summary, names, and signature.
Format
PDF is ideal for handing over to auditors. Many tools generate this automatically — see the AccessGuard demo for a sample report.
Retention period
At least 3 years for ISO purposes. In practice: retain for as long as you hold ISO certification plus 1 year.
Storage location
One central location in your wiki or document system, with an ACL restricted to "compliance team and management only". Not scattered across inboxes.
What auditors reject
- Loose screenshots without context.
- Reports with no date or names.
- No traceable link between a decision and its execution.
- A review date in the future ("scheduled for next week").
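As an added example (not code from the original article or from any tool it mentions), the following Python check runs the rejection criteria above against a constructed evidence record: a decision per snapshot row, the deciding participant, and a confirmed execution for every revoke or change. The data model, field names and sample rows are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed evidence model mirroring the "what to retain per review" list:
# snapshot rows, a decision per row, the participant who decided, the timeline,
# and confirmation that revoke/change actions were actually carried out.

@dataclass
class Decision:
    decision: str            # "keep" | "revoke" | "change"
    by: str                  # participant who made the decision
    justification: str = ""

@dataclass
class ReviewEvidence:
    started: date
    closed: date | None
    snapshot: list[tuple[str, str]]              # (user, resource) at review time
    decisions: dict[tuple[str, str], Decision]   # one decision per snapshot row
    executed: set[tuple[str, str]] = field(default_factory=set)  # confirmed actions

def audit_gaps(ev: ReviewEvidence, today: date) -> list[str]:
    """Return the findings an auditor would reject, per the article's list."""
    gaps = []
    if ev.started > today:
        gaps.append("review date is in the future")
    if ev.closed is None:
        gaps.append("review has no close date")
    if not any(d.by for d in ev.decisions.values()):
        gaps.append("no participant names recorded")
    for row in ev.snapshot:
        d = ev.decisions.get(row)
        if d is None:
            gaps.append(f"{row}: no decision recorded")
        elif d.decision in ("revoke", "change") and row not in ev.executed:
            # No traceable link between the decision and its execution.
            gaps.append(f"{row}: {d.decision} decided but execution not confirmed")
    for row in ev.executed - set(ev.snapshot):
        gaps.append(f"{row}: execution recorded for a row not in the snapshot")
    return gaps

def minimum_retention_until(closed: date) -> date:
    """Earliest allowed disposal date: 3 years after close (the ISO minimum above)."""
    try:
        return closed.replace(year=closed.year + 3)
    except ValueError:  # review closed on 29 February
        return closed.replace(year=closed.year + 3, day=28)
```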
See also: pre-audit checklist, review pillar.
Full guide: Periodic access reviews: process, frequency and evidence
This article is part of our comprehensive Access reviews guide. Read the pillar for the complete picture.