Periodic access reviews: process, frequency, and audit evidence
An access review is an audit requirement that nearly every SMB struggles with. Once you set it up properly the first time, the second round won't cost you a whole week.
Access reviews — periodically checking who has access to what and why — are not optional under ISO 27001 Annex A.9. Even without audit pressure, they're the only reliable way to keep your access matrix up to date.
Frequency: quarterly or twice a year
The SMB standard: quarterly. Fewer than 20 people and low staff turnover? Every six months is also acceptable. Annual reviews are not sufficient for ISO purposes. See also ISO 27001 Annex A.9.
The six steps
- Snapshot. Freeze a copy of the current matrix.
- Define scope. See defining your scope.
- Decide row by row. Keep, revoke, or change. Involve line managers — see involving managers.
- Bulk decisions for clear-cut cases. 80% will be "keep". See bulk decisions.
- Follow-up actions. Every "revoke" and "change" becomes a concrete task for IT.
- Retain evidence. See audit evidence.
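The six steps above as one runnable cycle, written here as an added example (it is not code from the article or from its AccessGuard tool). The matrix rows, the rule that read-only roles count as clear-cut bulk keeps, and the reviewer names are constructed assumptions.

```python
import hashlib
import json
# Constructed sample access matrix: one row per (user, system, role).
MATRIX = [
    {"user": "alice", "system": "CRM", "role": "admin"},
    {"user": "bob", "system": "CRM", "role": "read"},
    {"user": "carol", "system": "Payroll", "role": "editor"},
    {"user": "dave", "system": "Payroll", "role": "read"},
]

def snapshot(matrix, review_date):
    """Step 1: freeze a copy and fingerprint it, so later edits to the live
    matrix cannot change what the evidence says was reviewed."""
    frozen = json.dumps(matrix, sort_keys=True)
    return {"date": review_date, "rows": json.loads(frozen),
            "sha256": hashlib.sha256(frozen.encode()).hexdigest()}

def bulk_keep(row):
    """Step 4: clear-cut cases can be kept in bulk. Treating read-only roles
    as clear-cut is an assumption; admin/editor rows always go to a manager."""
    return row["role"] == "read"

def run_review(snap, scope, manager_decisions):
    """Steps 2, 3 and 5: review only systems in scope, decide every row,
    and turn each revoke/change into an IT task. manager_decisions maps
    (user, system) -> (decision, note) with decision in keep/revoke/change."""
    decisions, tasks = [], []
    for row in snap["rows"]:
        if row["system"] not in scope:  # step 2: out of scope this cycle
            continue
        key = (row["user"], row["system"])
        if bulk_keep(row):
            verdict, note = "keep", "bulk: read-only"
        elif key in manager_decisions:
            verdict, note = manager_decisions[key]
        else:
            # Never default to "keep": a row nobody decided stays visible.
            verdict, note = "undecided", "no manager decision"
        decisions.append({**row, "decision": verdict, "note": note})
        if verdict in ("revoke", "change"):
            tasks.append(f"{verdict.upper()} {row['user']} on {row['system']}: {note}")
    return decisions, tasks

def evidence_record(snap, decisions, tasks, reviewers):
    """Step 6: what an auditor asks for: which snapshot was reviewed, when,
    by whom, every decision, and the follow-up work still open."""
    return {"snapshot_sha256": snap["sha256"], "date": snap["date"],
            "reviewers": reviewers, "decisions": decisions, "open_tasks": tasks,
            "undecided": [d["user"] for d in decisions if d["decision"] == "undecided"]}
```

Rows with no decision are reported as "undecided" rather than silently kept, and the evidence carries the snapshot hash so the reviewed matrix can be matched to the stored copy.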
Common pitfalls
- "There's never enough time." Block it in Outlook — otherwise it simply won't happen.
- Review done by a single person. The risk: most of their own access gets rubber-stamped without scrutiny.
- Decisions that never get actioned. A revoke on paper is worthless.
Automation
Our AccessGuard tool generates a review snapshot in a single click. The demo walks through a live review cycle.
See also: quarterly cadence, AI in access reviews, sample-based vs. full review.
Full guide: Periodic access reviews: process, frequency, and evidence
This article is part of our comprehensive Access reviews guide. Read the pillar for the complete picture.