AC-2(3) / A.8.9 / CIS-5.3 NIST SP 800-53 Rev 5 SOC 2

Are user access reviews performed at least quarterly for in-scope systems, with evidence of approval and remediation?

Demonstrate that user access reviews are conducted at least quarterly for all in-scope systems, that reviews are formally approved by appropriate personnel, and that identified access issues are remediated in a timely manner.

Description

What this control does

This control requires organizations to conduct formal reviews of user access rights for all in-scope systems on a quarterly basis, with no more than 90 days between consecutive reviews. Note that completing one review in each calendar quarter does not by itself satisfy the 90-day limit: a review in early January followed by one in late June is "quarterly" on paper but leaves a gap well over 90 days. An access review examines current accounts, permissions, and privilege assignments against their business justification, verifies appropriateness with the system owner or manager, documents the approval decision, and remediates inappropriate or excessive access within a defined timeframe. The population reviewed should include privileged, service, and shared accounts, not only named human users. This practice keeps access aligned with the principle of least privilege and with current job responsibilities, particularly as employees change roles, leave the organization, or no longer need access to a given system.

Control objective

What auditing this proves

Demonstrate that user access reviews are conducted at least quarterly for all in-scope systems, that reviews are formally approved by appropriate personnel, and that identified access issues are remediated in a timely manner.

Associated risks

Risks this control addresses

  • Former employees or contractors retain active accounts after termination, enabling unauthorized system access
  • Users accumulate excessive permissions over time through role changes without corresponding access removal (privilege creep)
  • Unauthorized privilege escalation goes undetected, allowing users to perform actions beyond their authorized responsibilities
  • Shared or dormant accounts remain active without business justification, creating unattributed access vectors
  • Segregation of duties violations persist undetected when users hold conflicting combinations of permissions
  • Orphaned accounts from system migrations or mergers provide untraceable entry points for threat actors
  • Non-compliance with contractual, regulatory, or certification requirements triggers audit findings or loss of attestation

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all systems within the SOC 2 scope boundary from management or the system owner matrix
  2. Request user access review documentation for each in-scope system covering the most recent four quarters (twelve-month period)
  3. Verify that each review was completed within the required quarterly frequency (maximum 90-day intervals between completion dates)
  4. Examine each access review report to confirm it includes a comprehensive listing of users, associated permissions or roles, and review dates
  5. Validate that each review includes documented approval by an appropriate authority (system owner, business unit manager, or designated approver)
  6. Identify any access issues, exceptions, or inappropriate permissions flagged during the reviews and obtain corresponding remediation evidence
  7. Confirm that remediation actions (account disablement, permission removal, role adjustment) were completed within the organization's defined timeframe
  8. Select a sample of users from the most recent review and verify their current access in the target systems matches approved permissions through direct system interrogation or access logs
Evidence required

Access review reports or spreadsheets showing user listings, assigned permissions, review dates, and approver signatures or email confirmations for each in-scope system across four consecutive quarters. Remediation tracking records such as ticketing system exports, change requests, or annotated review documents demonstrating closure of identified access issues. Screenshots or system-generated reports showing current user permissions for sampled accounts matching approved states.

Pass criteria

All in-scope systems have documented user access reviews completed at least quarterly with no gaps exceeding 90 days, each review is approved by appropriate personnel, and all identified access issues have documented remediation completed within the organization's established timeframe.
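The testing procedure above (steps 3 through 8) and the pass criteria reduce to four mechanical checks that an auditor, or a continuous-compliance job, can run over the collected evidence: the interval between review completion dates, the presence of an approver, the time-to-close of every flagged issue, and a reconciliation of live access against the latest approved state. The following is an added example that is not part of the original page; every system, user, date and approver in it is constructed evidence, and the 14-day remediation window is a hypothetical organization-defined timeframe. The audit-period start and end are treated as interval endpoints so that a late first review or a stale last review also fails the 90-day test.

```python
"""Access-review evidence checker (added example, not from the original page).
All evidence below is constructed; the 14-day SLA is a hypothetical org setting."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MAX_GAP = timedelta(days=90)           # quarterly: at most 90 days between completions
REMEDIATION_SLA = timedelta(days=14)   # hypothetical org-defined remediation timeframe


@dataclass
class Issue:
    user: str
    action: str                        # e.g. "disable", "remove_role"
    opened: date
    closed: Optional[date] = None      # None = still open


@dataclass
class Review:
    system: str
    completed: date
    approver: Optional[str]            # None = no documented approval
    approved_access: dict = field(default_factory=dict)   # user -> set of approved roles
    issues: list = field(default_factory=list)


def check_frequency(reviews, period_start, period_end):
    """Step 3: flag any interval over MAX_GAP, using the audit period as endpoints."""
    findings, prev = [], period_start
    for d in sorted(r.completed for r in reviews) + [period_end]:
        if d - prev > MAX_GAP:
            findings.append(f"{(d - prev).days}-day gap between {prev} and {d}")
        prev = d
    return findings


def check_approval(review):
    """Step 5: every review needs a named approver."""
    return [] if review.approver else [f"review completed {review.completed} has no documented approver"]


def check_remediation(review):
    """Steps 6-7: every flagged issue must be closed within REMEDIATION_SLA."""
    findings = []
    for i in review.issues:
        if i.closed is None:
            findings.append(f"{i.action} for {i.user} (opened {i.opened}) still open")
        elif i.closed - i.opened > REMEDIATION_SLA:
            findings.append(f"{i.action} for {i.user} closed after {(i.closed - i.opened).days} days")
    return findings


def reconcile(review, current_access):
    """Step 8: live access must not exceed what the latest review approved.
    Excess access is a finding; approved access that no longer exists is not."""
    findings = []
    for user, roles in current_access.items():
        approved = review.approved_access.get(user)
        if approved is None:
            findings.append(f"account {user} is active but absent from the approved list")
        elif roles - approved:
            findings.append(f"{user} holds unapproved roles {sorted(roles - approved)}")
    return findings


def evaluate(reviews_by_system, current_by_system, period_start, period_end):
    """Apply the pass criteria to every in-scope system; an empty list means pass."""
    findings = []
    for system, reviews in reviews_by_system.items():
        per_system = check_frequency(reviews, period_start, period_end)
        for r in reviews:
            per_system += check_approval(r) + check_remediation(r)
        latest = max(reviews, key=lambda r: r.completed)
        per_system += reconcile(latest, current_by_system.get(system, {}))
        findings += [f"{system}: {f}" for f in per_system]
    return findings


# Constructed evidence for two hypothetical in-scope systems over one audit year.
PERIOD = (date(2024, 1, 1), date(2024, 12, 31))
REVIEWS = {
    "crm": [
        Review("crm", date(2024, 3, 15), "Carol"),
        Review("crm", date(2024, 6, 10), "Carol"),
        Review("crm", date(2024, 9, 5), "Carol"),
        Review("crm", date(2024, 11, 28), "Carol",
               approved_access={"alice": {"sales_rep"}, "bob": {"sales_manager", "reports"}},
               issues=[Issue("bob", "remove_role", date(2024, 11, 28), date(2024, 12, 5))]),
    ],
    "hr-db": [
        Review("hr-db", date(2024, 2, 20), "Grace"),
        Review("hr-db", date(2024, 5, 25), "Grace"),    # 95 days after the previous review
        Review("hr-db", date(2024, 8, 15), "Grace"),
        Review("hr-db", date(2024, 11, 10), None,       # no approval recorded
               approved_access={"dave": {"hr_analyst"}, "erin": {"hr_admin"}},
               issues=[Issue("frank", "disable", date(2024, 11, 10)),                      # never closed
                       Issue("dave", "remove_role", date(2024, 11, 10), date(2024, 12, 10))]),  # 30 days
    ],
}
CURRENT_ACCESS = {
    "crm": {"alice": {"sales_rep"}, "bob": {"sales_manager", "reports"}},
    "hr-db": {"dave": {"hr_analyst", "payroll_approver"},   # ticket closed, role still present
              "erin": {"hr_admin"},
              "frank": {"hr_analyst"}},                     # orphaned account still active
}

if __name__ == "__main__":
    for f in evaluate(REVIEWS, CURRENT_ACCESS, *PERIOD):
        print("FAIL", f)
```

The reconciliation step is the one that catches paper-only remediation: in the constructed data the ticket to strip dave's extra role was closed, yet the live snapshot still shows it, so the closed ticket alone would not have satisfied step 8. Feed the functions real exports (IdP group membership, database role grants, ticketing CSVs) and the same four checks apply unchanged.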