Quarterly access recertification of admins
Demonstrate that all administrative and privileged accounts are reviewed and re-certified by authorized personnel at least quarterly, with documented approvals and timely remediation of exceptions.
Description
What this control does
This control requires a formal review and re-approval of all administrative and privileged account access rights at least once per calendar quarter. During each review cycle, account owners or business managers confirm that each privileged user still requires their current level of access based on job responsibilities. Any accounts identified as no longer necessary, belonging to terminated employees, or exceeding least-privilege requirements are flagged for immediate remediation. This periodic validation prevents privilege creep, detects orphaned accounts, and ensures accountability for high-risk access.
Control objective
What auditing this proves
Demonstrate that all administrative and privileged accounts are reviewed and re-certified by authorized personnel at least quarterly, with documented approvals and timely remediation of exceptions.
Associated risks
Risks this control addresses
- Terminated or transferred employees retain privileged access, enabling unauthorized system modifications or data exfiltration
- Privilege creep occurs as administrators accumulate unnecessary elevated permissions over time without business justification
- Dormant or orphaned administrative accounts remain active and unmonitored, providing targets for credential compromise
- Insider threats leverage stale privileged access that should have been revoked when job duties changed
- Compromised administrative credentials go undetected because no regular validation confirms account legitimacy
- Compliance violations occur when excessive privileged access contradicts separation-of-duties requirements
- Third-party vendors or contractors retain elevated access after contract expiration or project completion
Testing procedure
How an auditor verifies this control
- Obtain the organization's privileged access recertification policy and procedure documents to confirm quarterly review requirements are formally defined
- Request a complete inventory of all accounts classified as administrative or privileged across in-scope systems, including operating systems, databases, applications, cloud platforms, and network infrastructure
- Collect recertification evidence from the most recent four calendar quarters, including review logs, approval records, attestation forms, and remediation tracking documents
- Verify that all quarterly recertification cycles occurred within the required timeframe by examining review completion dates and comparing to quarter-end deadlines
- Select a sample of at least 25 privileged accounts (or 10% of population, whichever is larger) and trace each account through the most recent recertification cycle to confirm documented manager or owner approval
- Identify any accounts flagged for remediation during recertification reviews and verify that corrective actions (revocation, modification, transfer) were completed within the organization's defined SLA
- Test for completeness by cross-referencing the recertification inventory against Active Directory, IAM platforms, or PAM solution reports to identify any privileged accounts excluded from the review process
- Interview personnel responsible for conducting recertifications to confirm they understand escalation procedures for non-responsive approvers and have authority to disable accounts pending re-approval
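The completeness, timeliness, approval and remediation checks in the testing procedure above can be scripted once the auditor has the privileged-account inventory and the quarter's recertification records in hand. The following is an added example, not part of the control page or any organization's tooling: it uses a constructed inventory (hypothetical account names and systems, as a PAM or IAM export might supply) and constructed recertification records, and reports the accounts excluded from the review, reviews signed off after quarter end, records whose approver is not the owner of record, remediation past a hypothetical SLA, and the sample size the procedure calls for.

```python
"""Audit helper for the quarterly privileged-access recertification tests.

Added example; all account names, systems, dates and the 10-day SLA are
constructed for illustration and are not taken from any real environment.
"""
import math
from datetime import date, timedelta

# Constructed inventory of privileged accounts with their owner of record.
INVENTORY = [
    {"account": "adm-alice", "system": "Active Directory", "owner": "mgr-1"},
    {"account": "adm-bob", "system": "Active Directory", "owner": "mgr-1"},
    {"account": "dba-carol", "system": "PostgreSQL", "owner": "mgr-2"},
    {"account": "svc-backup", "system": "Linux", "owner": "mgr-2"},
    {"account": "cloud-root-ops", "system": "AWS", "owner": "mgr-3"},
]

# Constructed recertification records for one quarter. "decision" is one of
# keep / revoke / modify; remediated_on is None when no action was recorded.
RECERTS = [
    {"account": "adm-alice", "quarter": "2024Q2", "approver": "mgr-1",
     "decision": "keep", "reviewed_on": date(2024, 6, 20), "remediated_on": None},
    {"account": "adm-bob", "quarter": "2024Q2", "approver": "mgr-1",
     "decision": "revoke", "reviewed_on": date(2024, 6, 25),
     "remediated_on": date(2024, 7, 1)},
    {"account": "dba-carol", "quarter": "2024Q2", "approver": "mgr-2",
     "decision": "modify", "reviewed_on": date(2024, 6, 28), "remediated_on": None},
    # Signed off after quarter end, and by someone other than the owner of record.
    {"account": "svc-backup", "quarter": "2024Q2", "approver": "mgr-1",
     "decision": "keep", "reviewed_on": date(2024, 7, 5), "remediated_on": None},
    # cloud-root-ops has no record at all: it was excluded from the review.
]

AUDIT_DATE = date(2024, 8, 1)   # constructed "as of" date for open remediation items
SLA_DAYS = 10                   # hypothetical remediation SLA after the review decision


def quarter_end(label):
    """'2024Q2' -> date(2024, 6, 30): the deadline the review cycle must meet."""
    year, q = int(label[:4]), int(label[5])
    month = 3 * q
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)


def required_sample_size(population, minimum=25, percent=10):
    """At least 25 accounts or 10% of the population, whichever is larger."""
    return max(minimum, math.ceil(population * percent / 100))


def uncertified_accounts(inventory, recerts, label):
    """Completeness test: privileged accounts with no record for the quarter."""
    reviewed = {r["account"] for r in recerts if r["quarter"] == label}
    return sorted(a["account"] for a in inventory if a["account"] not in reviewed)


def late_reviews(recerts, label):
    """Timeliness test: reviews signed off after the quarter ended."""
    deadline = quarter_end(label)
    return sorted(r["account"] for r in recerts
                  if r["quarter"] == label and r["reviewed_on"] > deadline)


def unapproved_reviews(inventory, recerts, label):
    """Approval test: the approver is not the account's owner of record."""
    owners = {a["account"]: a["owner"] for a in inventory}
    return sorted(r["account"] for r in recerts
                  if r["quarter"] == label and r["approver"] != owners.get(r["account"]))


def sla_breaches(recerts, label, sla_days, as_of):
    """Remediation test: revoke/modify decisions not completed within sla_days."""
    out = []
    for r in recerts:
        if r["quarter"] != label or r["decision"] == "keep":
            continue
        due = r["reviewed_on"] + timedelta(days=sla_days)
        done = r["remediated_on"]
        overdue = (done > due) if done is not None else (as_of > due)
        if overdue:
            out.append(r["account"])
    return sorted(out)


def run_audit(inventory, recerts, label, sla_days=SLA_DAYS, as_of=AUDIT_DATE):
    """Bundle the findings for one quarter into a single summary."""
    return {
        "population": len(inventory),
        "sample_size": required_sample_size(len(inventory)),
        "uncertified": uncertified_accounts(inventory, recerts, label),
        "late": late_reviews(recerts, label),
        "unapproved": unapproved_reviews(inventory, recerts, label),
        "sla_breaches": sla_breaches(recerts, label, sla_days, as_of),
    }


if __name__ == "__main__":
    for key, value in run_audit(INVENTORY, RECERTS, "2024Q2").items():
        print(f"{key}: {value}")
```

Each function corresponds to one bullet of the testing procedure, so a finding can be traced back to the step that produced it. Running the same checks over four consecutive quarter labels covers the twelve-month evidence window the procedure asks for, and an account that appears under "uncertified" in any quarter is the kind of gap the cross-reference against the directory or PAM export is meant to surface.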