IAM-004 Access Review and Recertification
Description
Access rights for all users are reviewed and revalidated on a defined periodic schedule (at minimum annually) and upon significant role changes. Reviews confirm that access remains appropriate to current job function and least privilege principles. Results are documented.
Rationale
Access tends to accumulate over time. Periodic reviews catch stale permissions and over-provisioning before they become a security or compliance finding.
Framework Mappings (3)
| Framework Control ID | Control Title | Mapping Coverage |
|---|---|---|
| IAM-08 | Access Review | full |
| 5.18 | Access rights | partial |
| AC-2 | Account Management | partial |
Evidence (2)
Access review report from the most recent recertification cycle documenting the scope, reviewers, decisions made, and remediation actions taken.
Example: Access review report from a tool such as Vanta, Drata, Tugboat Logic, or a manually compiled spreadsheet showing each user, their current access, the reviewer's decision (approve/revoke), and the date of review. The report must be dated within the last 12 months.
Test: Request the latest access review report. Verify: (1) the review was completed within the last 12 months (or more frequently if the policy requires it), (2) all in-scope users and systems are represented, (3) the report records a named reviewer per access entry, (4) revocations identified during the review are reflected as deprovisioning tickets or log entries.
Audit log entries confirming access was revoked for accounts flagged during the access review, within the defined remediation timeframe.
Example: IdP audit log export (Okta, Azure AD) filtered for revocation events with timestamps falling after the access review completion date, cross-referenced with accounts marked for removal in the review report.
Test: From the access review report, extract the list of accounts flagged for revocation. Query the IdP audit log for corresponding disable or delete events. Verify: (1) every flagged account has a matching revocation log entry, (2) revocation occurred within the remediation SLA stated in the policy.
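The two evidence tests above (report recency, scope, a named reviewer per entry, and revocation within the remediation SLA) are a reconciliation that an assessor or an internal control owner can script rather than perform by hand. The following Python script is an added example and is not part of the control catalog or of any named tool. Everything in it is an assumption: the CSV columns of the review report, the JSON-lines audit export and its event names (`user.lifecycle.deactivate`, `user.lifecycle.delete`), the sample report and log rows, the in-scope user list, and the 14-day remediation SLA. Real IdP exports and the policy's own SLA value must be substituted before use.

```python
"""Reconcile an access review report against IdP audit-log revocation events.

Added example, not the control catalog's or any vendor's code. Assumed formats:
- review report: CSV with columns user,access,reviewer,decision,review_date
- IdP audit log: JSON lines with fields event,target,timestamp
Event names and all sample data below are constructed placeholders.
"""
import csv
import io
import json
from datetime import date, datetime, timedelta

REVIEW_MAX_AGE = timedelta(days=365)    # control text: reviews at minimum annually
REMEDIATION_SLA = timedelta(days=14)    # assumed policy SLA; replace with the real value
REVOCATION_EVENTS = {"user.lifecycle.deactivate", "user.lifecycle.delete"}  # assumed names

# Constructed sample access review report (not a real export from any tool)
REVIEW_CSV = """user,access,reviewer,decision,review_date
alice@example.com,prod-db-admin,jsmith,approve,2024-03-01
bob@example.com,prod-db-admin,jsmith,revoke,2024-03-01
carol@example.com,billing-readonly,,approve,2024-03-01
dave@example.com,vpn,mlee,revoke,2024-03-01
"""

# Constructed sample IdP audit log in JSON-lines form (not a real Okta/Azure AD export)
AUDIT_LOG = """
{"event": "user.lifecycle.deactivate", "target": "bob@example.com", "timestamp": "2024-03-05T10:00:00"}
{"event": "user.session.start", "target": "dave@example.com", "timestamp": "2024-03-06T09:00:00"}
{"event": "user.lifecycle.deactivate", "target": "dave@example.com", "timestamp": "2024-04-20T09:00:00"}
"""

# Constructed list of users that the review was required to cover (scope check)
IN_SCOPE_USERS = {"alice@example.com", "bob@example.com", "carol@example.com",
                  "dave@example.com", "erin@example.com"}


def parse_review(text):
    """Parse the CSV review report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_audit_log(text):
    """Parse JSON-lines audit events, converting timestamps to datetime."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["timestamp"] = datetime.fromisoformat(ev["timestamp"])
            events.append(ev)
    return events


def check_report(rows, in_scope, today):
    """First evidence test, checks (1)-(3): recency, scope coverage, named reviewer."""
    findings = []
    latest = max(date.fromisoformat(r["review_date"]) for r in rows)
    if today - latest > REVIEW_MAX_AGE:
        findings.append(f"review is stale: last review date {latest}")
    missing = sorted(in_scope - {r["user"] for r in rows})
    for user in missing:
        findings.append(f"in-scope user not represented in review: {user}")
    for r in rows:
        if not r["reviewer"].strip():
            findings.append(f"no named reviewer for {r['user']} / {r['access']}")
    return findings


def reconcile_revocations(rows, events):
    """Second evidence test: each flagged account needs a revocation event within the SLA."""
    findings = []
    for r in rows:
        if r["decision"] != "revoke":
            continue
        review_date = datetime.fromisoformat(r["review_date"])
        matches = [e for e in events
                   if e["target"] == r["user"]
                   and e["event"] in REVOCATION_EVENTS
                   and e["timestamp"] >= review_date]
        if not matches:
            findings.append(f"{r['user']}: flagged for revocation, no revocation event found")
            continue
        delay = min(e["timestamp"] for e in matches) - review_date
        if delay > REMEDIATION_SLA:
            findings.append(f"{r['user']}: revoked {delay.days} days after review, exceeds SLA")
    return findings


def audit(review_csv, audit_log, in_scope, today_iso):
    """Run both tests; returns a dict of findings keyed by test name."""
    rows = parse_review(review_csv)
    events = parse_audit_log(audit_log)
    return {
        "report": check_report(rows, in_scope, date.fromisoformat(today_iso)),
        "revocations": reconcile_revocations(rows, events),
    }


if __name__ == "__main__":
    for test_name, items in audit(REVIEW_CSV, AUDIT_LOG, IN_SCOPE_USERS, "2024-06-01").items():
        print(test_name, "->", items or ["no findings"])
```

With the constructed data the script reports three findings: erin is in scope but absent from the report, carol's entry has no named reviewer, and dave's access was revoked 50 days after the review, outside the assumed 14-day SLA. Bob's revocation four days after the review passes. Running it with a date more than a year after the review adds a staleness finding, which is the check (1) condition.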
Questions (2)
Are access rights for all users formally reviewed and revalidated on a defined periodic schedule?
Reviews must be documented, include a named reviewer per access entry, and result in revocation of any access no longer required. Ad hoc or informal reviews do not satisfy this control.
How frequently are access reviews (recertification campaigns) conducted?
Annual is the minimum; more frequent reviews are expected for privileged accounts and sensitive systems. Reviews should be triggered in addition to scheduled cycles when users change roles.