A.5.15 / A.5.16 / A.5.17 / A.5.18 · AC-2 / AC-6 · ISO/IEC 27001:2022 Annex A · ISO 27001

A.5.15 / A.5.16 / A.5.17 / A.5.18 — Are access rights granted on a need-to-know basis, periodically reviewed, and revoked when a user leaves?

Demonstrate that access rights are granted according to documented need-to-know requirements, undergo periodic management review with remediation of exceptions, and are consistently revoked or modified within defined timeframes upon employee termination or role change.

Description

What this control does

This control ensures access rights are provisioned based on the principle of least privilege and need-to-know, formally reviewed at defined intervals (typically quarterly or semi-annually), and promptly revoked when users change roles or leave the organization. It combines lifecycle access management with periodic recertification campaigns to prevent privilege creep and orphaned accounts. Effective implementation requires integration between HR systems, identity management platforms, and access review workflows.

Associated risks

Risks this control addresses

  • Former employees retain access to systems and data after termination, enabling malicious exfiltration or sabotage
  • Users accumulate excessive permissions over time (privilege creep) as roles change without corresponding access reduction
  • Unauthorized users gain access to confidential information due to overly permissive default provisioning without business justification
  • Dormant or orphaned accounts provide low-visibility attack vectors for lateral movement or persistence
  • Lack of periodic review allows inappropriate access grants to persist undetected, violating segregation of duties or regulatory requirements
  • Insider threats exploit excessive privileges granted beyond job function requirements to commit fraud or data theft
  • Compliance violations occur when access does not align with documented authorization records during regulatory examination

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's access provisioning policy and procedures documenting need-to-know criteria, approval workflows, review frequency, and revocation timelines
  2. Request identity and access management (IAM) system reports showing all active user accounts, assigned roles, permissions, and last activity dates for a sample period
  3. Select a random sample of 20-25 users across different departments and risk levels, ensuring inclusion of recent joiners, role changers, and at least 3 terminated employees
  4. For each sampled active user, trace access requests back to formal authorization records (ticketing system, email approvals, or access request forms) and verify documented business justification aligned with job function
  5. Review access recertification or periodic review reports from the past 12 months, identifying review scope, approver participation rates, exceptions identified, and remediation evidence for revoked or modified access
  6. For sampled terminated employees, compare HR termination dates against account deactivation timestamps in Active Directory, IAM, and critical business applications to validate revocation SLA compliance (typically same-day or within 24 hours)
  7. Examine audit logs or workflow records for at least two role change events, verifying that permissions were adjusted to reflect new responsibilities and prior excessive access was removed
  8. Test a sample of privileged accounts (administrators, database admins, financial system users) to confirm elevated privileges have documented approvals and recent recertification evidence from account owners' managers

Evidence required

Collect access provisioning policy documents, IAM system exports showing user-to-permission mappings with timestamps, access request tickets or approval emails with business justifications, access recertification campaign reports with approver attestations and exception remediation records, HR termination notifications correlated with account deactivation logs from Active Directory and application audit trails, and role change documentation linked to permission modification evidence.

Pass criteria

All sampled access grants have documented need-to-know justification approved by authorized personnel, periodic access reviews occurred within policy-defined intervals with management attestations and remediation of identified exceptions, and all sampled terminations resulted in access revocation within the organization's defined SLA timeframe.