Key takeaways
  • A periodic access review confirms that every user, especially privileged ones, has only the access their role requires.
  • ISO 27001 (Annex A access controls) and SOC 2 both expect access reviews on a defined cadence, with a record.
  • Leavers with live accounts and unjustified admin rights are the most common findings - and the easiest to prevent.

A user access review is one of the highest-value, most-audited controls in information security - and one of the easiest to let slide. ISO 27001 and SOC 2 both expect you to confirm, on a schedule, that people only have the access they should. Here is how to do it.

What a user access review is

An access review is a point-in-time check of who has access to what, and whether that access is still appropriate. You pull the current list of users, roles, and privileges for the systems in scope, then confirm each one against the principle of least privilege.

Why ISO 27001 and SOC 2 expect it

ISO 27001's Annex A access-control objectives require access to be granted on a need-to-use basis and reviewed. SOC 2's common criteria expect logical access to be restricted and periodically reviewed. In both cases, the auditor wants to see not just a policy, but evidence that reviews actually happen.

What to check

1. Joiners were provisioned with the right access, no more.

2. Leavers have had access fully revoked.

3. Privileged and admin accounts are justified and minimal.

4. Least privilege holds - flag access beyond what the role needs.

5. Shared and service accounts are controlled and owned.

The free user access review checklist covers each step.
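As an added example (not code from the page or from RakuOps), the five checks above as a script run over a constructed account export, HR roster and role-to-entitlement baseline; every name, role and entitlement below is an assumption made for illustration:

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user: str
    kind: str = "user"            # "user", "shared" or "service"
    enabled: bool = True
    entitlements: set = field(default_factory=set)
    admin: bool = False
    admin_reason: str = ""        # recorded justification; empty means none
    owner: str = ""               # required for shared and service accounts

# Constructed HR roster: (role, employment status) per person.
HR_ROSTER = {"alice": ("developer", "active"),
             "bob": ("finance", "left"),
             "carol": ("sre", "active")}
# Constructed least-privilege baseline: entitlements each role needs.
ROLE_BASELINE = {"developer": {"git", "ci"},
                 "finance": {"erp"},
                 "sre": {"git", "ci", "prod-ssh"}}
# Constructed account export from the system under review.
ACCOUNTS = [
    Account("alice", entitlements={"git", "ci", "erp"}),                  # erp is beyond role
    Account("bob", entitlements={"erp"}),                                 # leaver, still enabled
    Account("carol", entitlements={"git", "ci", "prod-ssh"}, admin=True),  # admin, no reason
    Account("svc-backup", kind="service", entitlements={"prod-ssh"}),     # no owner
]

def review_access(accounts, roster, baseline):
    """Return (account, finding, detail) tuples for each checklist item that fails."""
    findings = []
    for a in accounts:
        if a.kind in ("shared", "service"):
            if not a.owner:
                findings.append((a.user, "unowned_shared_or_service", a.kind))
            continue  # no HR role to compare a shared/service account against
        role, status = roster.get(a.user, (None, "unknown"))
        if a.enabled and status != "active":      # leaver (or unknown person) with a live login
            findings.append((a.user, "leaver_account_active", status))
        if a.admin and not a.admin_reason:        # privileged access without a justification
            findings.append((a.user, "admin_without_justification", ""))
        excess = a.entitlements - baseline.get(role, set())
        if excess:                                # access beyond what the role needs
            findings.append((a.user, "access_beyond_role", ",".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_BASELINE):
        print(finding)
```

The returned tuples are the items to record as revocations or approvals; an account missing from the roster is treated like a leaver, since nobody active vouches for it.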

Cadence and record

Quarterly is a common cadence for in-scope systems; higher-risk systems may warrant more frequent reviews. What matters to an auditor is that the review happened, who did it, what changed, and when. Record the revocations and approvals, and set the date of the next review before you close the current one.

The finding that fails the audit
An active account for someone who left

Nothing undermines an access-control claim faster than a former employee with a live login. A scheduled, recorded access review catches it - and proves you are watching.

Run access reviews on a schedule

Turn the user access review checklist into a recurring, assigned review in RakuOps, with each decision recorded and the next review scheduled automatically.

Where RakuOps fits

RakuOps is a compliance and audit management platform. It runs access reviews as scheduled, assigned checklists, records who reviewed what and when, and keeps the history as audit-ready evidence for ISO 27001 and SOC 2. See how it maps to ISO 27001.