Skip to main content
All CollectionsAccess Review
Example Access Review Procedure
Example Access Review Procedure
Updated over 2 years ago

Based on our experience, we recommend the following process for conducting access reviews covering your in-scope systems for your audit:

1. The [RESPONSIBLE DEPARTMENT/TEAM] initiates the review of user access by creating a ticket in the [COMPANY NAME] Ticketing System.

2. The [RESPONSIBLE DEPARTMENT/TEAM] is assigned to review [COMPANY NAME] users with access to in scope systems and services. The access review is conducted based on two key criteria:

  1. Is the user’s access to the system or service appropriate based on their role?

  2. Are the user’s permissions within the system or service appropriate based on their role?

3. If user access is found during review that is not in line with the least privilege principle, the [RESPONSIBLE DEPARTMENT/TEAM] will open a ticket to modify user access and notify the user of access changes.

  1. For repeat or significant access issues, a review should be conducted to determine the root cause to prevent issues in the future.

4. As each system or service is reviewed, the [RESPONSIBLE DEPARTMENT/TEAM] will attach the reviewed user listing or screenshot to the ticket.

5. Once the in scope systems and services have been reviewed, the ticket is closed or marked as done.

Did this answer your question?