Sample-based or full access review: what does the auditor accept?
At larger scale, a full review becomes unworkable. Risk-based sampling is the answer, provided you can explain clearly how you sampled.
For a 200-person SMB with 40 systems, a full review means 8,000 rows per cycle. That simply doesn't work. A risk-based sample is the answer, but only if you can defend it.
When to do a full review?
- Fewer than 500 cells in total (roughly 15 people × 10 systems).
- The annual "big" review: even if the quarterly reviews are sample-based, go through everything at least once a year.
- After a major incident.
When to use sampling?
- More than 1,000 cells.
- Quarterly reviews at larger organisations.
How do you sample on a risk-based basis?
- Privileged access: 100%.
- Inactive or recently activated users: 100%.
- High-risk systems (accounting, HR, customer data): 100% of access rows.
- Everything else: a 20% sample per role, prioritising rows whose role changed in the past quarter and rows with the oldest last-verified date.
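The full-versus-sample decision and the risk-based selection above, as an added worked example in Python (it is not code from the article or from any product). The 100% buckets, the 20%-per-role sample and the cell-count thresholds follow the article; the 90-day inactivity and recent-activation windows, the "at least one row per role" floor, the system and role names, and the access rows are constructed assumptions. Each selected row carries the reason it was picked, which is the per-row record you hand the auditor alongside the written policy.

```python
"""Risk-based selection of rows for a periodic access review.

Added example, not from the article or any product. The 100% buckets and the
20%-per-role sample follow the article; the 90-day windows, the one-row-per-role
floor, the system and role names, and the rows below are constructed assumptions.
"""
import math
import random
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

HIGH_RISK_SYSTEMS = {"accounting", "hr", "crm"}  # assumed names: accounting, HR, customer data
SAMPLE_RATE = 0.20                               # everything else: 20% per role
INACTIVE_AFTER = timedelta(days=90)              # assumption; the article sets no threshold
RECENTLY_ACTIVATED = timedelta(days=90)          # assumption; the article sets no threshold
PAST_QUARTER = timedelta(days=91)

@dataclass(frozen=True)
class AccessRow:
    user: str
    system: str
    role: str
    privileged: bool
    activated: date
    last_login: Optional[date]     # None: never logged in
    role_changed: Optional[date]   # None: no role change on record
    last_verified: Optional[date]  # None: never attested in an earlier review

def choose_mode(people: int, systems: int, annual: bool = False,
                after_incident: bool = False) -> str:
    """Full review or sample, by user x system cell count. The article does not
    cover 500-1000 cells; treating that band as a full review is an assumption."""
    cells = people * systems
    if annual or after_incident or cells < 500:
        return "full"
    return "sample" if cells > 1000 else "full"

def mandatory_reason(row: AccessRow, today: date) -> Optional[str]:
    """Name the 100% bucket a row belongs to, or None if it may be sampled."""
    if row.privileged:
        return "privileged access"
    if row.last_login is None or today - row.last_login > INACTIVE_AFTER:
        return "inactive user"
    if today - row.activated <= RECENTLY_ACTIVATED:
        return "recently activated user"
    if row.system in HIGH_RISK_SYSTEMS:
        return "high-risk system"
    return None

def select_rows(rows: List[AccessRow], today: date, seed: int = 0) -> List[Tuple[AccessRow, str]]:
    """Return (row, reason) pairs: every mandatory row, plus a 20% sample per role of
    the rest that ranks a role change in the past quarter first, then the oldest
    last-verified date. The seed makes tie-breaking reproducible for the auditor."""
    selected: List[Tuple[AccessRow, str]] = []
    remainder: Dict[str, List[AccessRow]] = {}
    for row in rows:
        reason = mandatory_reason(row, today)
        if reason:
            selected.append((row, f"{reason} (100%)"))
        else:
            remainder.setdefault(row.role, []).append(row)

    def rank(row: AccessRow) -> Tuple[int, int]:
        changed = row.role_changed is not None and today - row.role_changed <= PAST_QUARTER
        stale_days = (today - row.last_verified).days if row.last_verified else 10**6
        return (0 if changed else 1, -stale_days)   # lower sorts first

    rng = random.Random(seed)
    for role in sorted(remainder):
        group = list(remainder[role])
        rng.shuffle(group)      # random order among equals ...
        group.sort(key=rank)    # ... kept by the stable sort for ties
        take = max(1, math.ceil(SAMPLE_RATE * len(group)))  # floor of one row per role (assumption)
        selected.extend((row, f"{role}: {round(SAMPLE_RATE * 100)}% role sample") for row in group[:take])
    return selected

# Constructed sample data: 11 access rows for a small organisation.
TODAY = date(2024, 6, 30)
_D = date

def _eng(user, system, role_changed=None, last_verified=_D(2024, 3, 31)):
    return AccessRow(user, system, "engineer", False, _D(2022, 1, 1), _D(2024, 6, 28),
                     role_changed, last_verified)

ROWS = [
    AccessRow("alice", "accounting", "finance", True, _D(2020, 1, 1), _D(2024, 6, 29), None, _D(2024, 3, 31)),
    AccessRow("bob", "wiki", "engineer", False, _D(2023, 1, 1), None, None, _D(2024, 3, 31)),
    AccessRow("carol", "wiki", "engineer", False, _D(2024, 6, 15), _D(2024, 6, 20), None, None),
    AccessRow("dave", "hr", "hr-admin", False, _D(2020, 1, 1), _D(2024, 6, 25), None, _D(2024, 3, 31)),
    _eng("erin", "wiki", role_changed=_D(2024, 5, 10), last_verified=_D(2024, 3, 1)),
    _eng("frank", "jira", last_verified=None),
    _eng("grace", "wiki"), _eng("heidi", "jira"), _eng("ivan", "wiki"), _eng("judy", "jira"),
    AccessRow("kate", "reporting", "analyst", False, _D(2022, 1, 1), _D(2024, 6, 28), None, _D(2024, 3, 31)),
]

if __name__ == "__main__":
    for row, reason in select_rows(ROWS, TODAY, seed=42):
        print(f"{row.user:6} {row.system:11} {reason}")
```

On the constructed data the mandatory buckets take alice, bob, carol and dave; of the six remaining engineers the 20% sample picks erin (role changed this quarter) and frank (never verified), and the single analyst row is picked by the one-per-role floor. Because the ranking, not the random draw, decides those picks, the same rows come out for any seed, which is the property that makes the sample explainable.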
Documentation
The auditor will want to see your sampling strategy: a written policy, not something you improvise differently with each review. See evidence requirements.

See also: review pillar.
Full guide: Revisiones de acceso periódicas: proceso, frecuencia y evidencia
This article is part of our comprehensive access reviews guide. Read the pillar for the complete picture.