Access reviews
Most access reviews approve everything and change nothing. What a review that produces real revocations looks like, and what auditors actually accept.
machine identities per human one, nearly half privileged (CyberArk, 2025)
of leaders saw harm from a former employee's access (Beyond Identity, 2022)
of employees still have access to a previous employer's account (Beyond Identity, 2022)
A review where every line gets approved in bulk leaves the same wrong access in place for another year.
what it is
An access review is a structured, time-bound process where the people responsible for a system or resource confirm that each account with access to it still belongs there. The output is a decision for every account: confirmed, modified, or revoked.
The review cycle is typically quarterly or half-yearly. Some regulated environments run monthly reviews for high-privilege or sensitive systems. The right frequency depends on how quickly your environment changes and which frameworks you're aligning with.
Access reviews address the fundamental drift that happens in any environment. Permissions go in. They don't automatically come out when the reason for them stops being valid. The review is the mechanism that closes that loop.
why it accumulates
Access is typically granted in response to a request or a need. Someone asks for access to a system; they get it. That event is logged. What doesn't happen as consistently is the removal when the need ends.
Role changes are a primary source of accumulated permissions. Someone moves between teams, receives the access their new role requires, and retains the access their old role had. Without a review, neither set ever gets re-evaluated.
Project-based access is another. A temporary grant for a specific project rarely has an automatic expiry. It stays until someone notices or a review catches it.
The structural issue is that removing access requires someone to know it should be removed. In most environments, no single person has a complete view. The review process creates a structured moment for resource owners, who do have that knowledge, to apply it.
what it costs you
Without access reviews, your environment holds permissions that haven't been validated in months or years. When an account is compromised, those unreviewed permissions define the blast radius. Broader permissions mean broader exposure.
The second cost is compliance. SOC 2 requires evidence of access control reviews as part of the logical access controls criteria. ISO 27001 addresses user access rights review under access control. NIS2 expects member states and covered entities to implement access management policies including periodic review. DORA, which applies to financial entities in the EU, includes requirements for ICT access control that extend to review cadence. Each framework approaches it differently, but all of them expect you to be able to show that access is reviewed.
The access review is also the mechanism that catches everything the joiner-mover-leaver (JML) process missed: former employees still in SaaS apps, contractors whose project-end dates have passed, and admin rights accumulated from old temporary grants.
what works
A review that produces real revocations starts with deliberate scope. The organizations that get value from the exercise begin with their highest-risk systems (admin consoles, data repositories, customer systems, and financial tools) and maintain a standing list of every system in scope, who owns it, and how often it gets reviewed. Coverage of the long tail can grow from that base.
The raw material is an export of the current access state: a user list with roles and permission levels for each system in scope. That export is what reviewers work from, and a system that can't easily produce one has surfaced a visibility gap worth as much attention as the review itself.
Reviewer selection decides whether the review means anything. The person confirming each account has to know whether it still belongs, and that knowledge usually sits with the system owner or team lead rather than with IT. IT maintains the directory; business stakeholders know the team. Reviews routed to people without that context turn into bulk approval, which satisfies nobody, least of all an auditor.
The output that counts is a clear decision per account: confirmed, modified, or revoked. A review producing zero revocations is usually evidence that the process rubber-stamped, because some drift is close to universal in any environment that has been running for a while. Decisions then need a deadline attached. Most frameworks expect revocations to be executed within roughly 30 days of a review finding, and the documented record of decision plus action is exactly the evidence those frameworks ask organizations to show.
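As an added illustration of the record described above (example code written for this page, not a tool from the page's author), the following script takes a constructed access export and a constructed decision log and flags the three failure modes the section describes: accounts with no decision, systems whose review confirmed everything, and revocations still open past an assumed 30-day window.

```python
import csv
from datetime import date, timedelta
# Constructed sample export of current access state for the in-scope systems.
ACCESS_EXPORT = """system,account,role
billing,alice,admin
billing,bob,viewer
billing,carol,admin
crm,dave,editor
crm,erin,admin
hr,frank,admin
"""
# Constructed reviewer decisions; completed_on stays blank while the action is pending.
DECISIONS = """system,account,decision,decided_on,completed_on
billing,alice,confirmed,2025-01-10,
billing,bob,revoked,2025-01-10,2025-01-20
billing,carol,modified,2025-01-10,
crm,erin,revoked,2025-01-12,
hr,frank,confirmed,2025-01-15,
"""
VALID_DECISIONS = {"confirmed", "modified", "revoked"}
SLA_DAYS = 30  # assumed remediation window, per the "roughly 30 days" in the text
def load(text):
    return list(csv.DictReader(text.splitlines()))

def missing_decisions(export, decisions):
    """Accounts in the export with no recorded decision: the review is incomplete."""
    decided = {(d["system"], d["account"]) for d in decisions}
    return [(r["system"], r["account"]) for r in export
            if (r["system"], r["account"]) not in decided]

def rubber_stamp_systems(decisions):
    """Systems whose review produced only 'confirmed' outcomes, worth a second look."""
    outcomes = {}
    for d in decisions:
        if d["decision"] not in VALID_DECISIONS:
            raise ValueError(f"bad decision {d['decision']!r} for {d['account']}")
        outcomes.setdefault(d["system"], set()).add(d["decision"])
    return sorted(s for s, seen in outcomes.items() if seen == {"confirmed"})

def overdue_actions(decisions, today_iso):
    """Revoke/modify decisions still open past decided_on + SLA_DAYS (ISO dates compare as strings)."""
    overdue = []
    for d in decisions:
        if d["decision"] == "confirmed" or d["completed_on"]:
            continue
        deadline = (date.fromisoformat(d["decided_on"]) + timedelta(days=SLA_DAYS)).isoformat()
        if today_iso > deadline:
            overdue.append((d["system"], d["account"], deadline))
    return overdue
```

The three lists together are the evidence an auditor asks for: every account decided, no system waved through wholesale, and every revocation either completed or visibly late.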
let's start with a conversation
Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.
Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.
We'll take it from there

+48 783 762 997
julian@unshadowit.com