TL;DR: Quick Takeaways
- Access reviews are required by SOC 2 (CC6.1-CC6.3), ISO 27001 (A.5.15, A.5.18, A.8.2), HIPAA (164.312(a)), and PCI-DSS (Req 7-8). Missing them is a guaranteed audit finding.
- Quarterly access certification campaigns are the industry standard. Annual reviews are increasingly considered insufficient by auditors.
- Automated access reviews pull user lists directly from identity providers and critical systems, eliminating manual spreadsheet reconciliation.
- Excessive access (permissions beyond job requirements) is the number one finding in access reviews. 73% of organizations have users with unnecessary admin privileges.
- MFA enforcement across all critical systems is now a baseline expectation, not a best practice. Auditors flag any gaps immediately.
Why Access Reviews Are the Control Auditors Check First
Access control is the foundation of every compliance framework. It's the first area auditors examine because it touches everything else: if you can't demonstrate that only authorized users have access to sensitive systems and data, the rest of your security program is built on unstable ground.
Access reviews (also called user access certifications or entitlement reviews) verify that every user's access rights are appropriate for their current role. They answer three critical questions: Does this person still need this access? Is the access level appropriate for their job function? Are there any accounts that should have been deprovisioned?
The risk is real. Orphaned accounts (belonging to former employees), excessive privileges (accumulated through role changes without deprovisioning), and shared credentials are among the most common attack vectors. Access reviews are your systematic process for catching and remediating these issues before an attacker or an auditor finds them.
Access Control Requirements by Framework
Every major compliance framework mandates access reviews, but the specific requirements differ in scope and emphasis. Understanding these differences is crucial for building a unified access review program that satisfies all your frameworks simultaneously.
| Framework | Key Controls | Access Review Requirements | MFA Requirement |
|---|---|---|---|
| SOC 2 | CC6.1, CC6.2, CC6.3 | Periodic review of logical access. Must demonstrate provisioning, modification, and removal processes. Evidence of review approvals required. | Required for all systems in scope. CC6.1 specifically addresses authentication mechanisms. |
| ISO 27001 | A.5.15, A.5.18, A.8.2, A.8.5 | Regular review of access rights (A.5.18). Privileged access management (A.8.2). Must align with access control policy (A.5.15). | A.8.5 requires secure authentication. MFA strongly recommended for all privileged and remote access. |
| HIPAA | 164.312(a), 164.312(d), 164.308(a)(4) | Access authorization procedures. Workforce clearance. Unique user identification. Periodic review of information system activity. | Required as addressable safeguard for ePHI access. In practice, auditors expect MFA on all PHI-accessible systems. |
| GDPR | Article 5(1)(f), Article 32 | Appropriate technical measures to ensure data security. Access to personal data must be limited to authorized personnel with documented justification. | Article 32 requires "appropriate" security. MFA is widely considered a minimum technical measure for personal data access. |
| PCI-DSS 4.0 | Req 7.1, 7.2, 8.3, 8.4 | Semi-annual review of all user accounts (Req 7.2.5). Least privilege access to cardholder data environment. Immediate revocation upon termination. | Req 8.4.2: MFA required for all access to CDE. Req 8.4.3: MFA for all remote network access. No exceptions. |
The good news: despite the different control numbers and terminology, the underlying requirements converge. A well-designed access review program that covers provisioning, periodic certification, privileged access, MFA, and deprovisioning will satisfy 90%+ of access control requirements across all five frameworks. LowerPlane's multi-framework mapping ensures a single access review campaign generates evidence for every applicable control.
Running Quarterly Access Certification Campaigns
An access certification campaign is a structured review where managers and system owners verify that each user's access is still appropriate. Here's how to run one efficiently:
Phase 1: Data Collection (Automated)
Pull current user lists from all critical systems via integrations. For each user, capture: name, email, role, permissions granted, last login date, MFA status, and provisioning date. LowerPlane does this automatically across Okta, Google Workspace, Azure AD, AWS IAM, GitHub, and 370+ other tools.
Time required: 0 hours (fully automated)
Phase 2: Review Assignment
Assign each user's access for review to their direct manager or the system owner. For privileged accounts (admin, root, super-admin), route to both the manager and the security team for dual approval. Set a 5-business-day deadline for completion.
Time required: 30 minutes to configure, then automated distribution
Phase 3: Certification Decisions
Reviewers certify each user's access with one of four decisions: Approve (access is appropriate), Modify (reduce permissions), Revoke (remove access entirely), or Flag for Review (needs additional investigation). The platform auto-flags anomalies like dormant accounts, excessive permissions, and MFA gaps.
Time required: 2-5 minutes per reviewer (platform highlights anomalies)
Phase 4: Remediation
Execute all modification and revocation decisions. For integrated identity providers, LowerPlane can trigger deprovisioning workflows automatically. Track remediation to completion and document the full certification cycle as audit evidence.
Time required: Varies; automated remediation completes in minutes
The entire campaign, from data collection to completed remediation, should take 7-10 business days. Without automation, organizations report spending 4-6 weeks on the same process using spreadsheets and email chains, with significantly lower completion rates and audit trail quality.
Critical Systems: Where to Focus Your Access Reviews
Not every system needs the same level of access review scrutiny. Prioritize your efforts based on data sensitivity and regulatory impact. Here's a practical prioritization framework:
Tier 1: Review Quarterly
- Cloud infrastructure (AWS, Azure, GCP): production accounts
- Identity providers (Okta, Azure AD, Google Workspace)
- Production databases with customer data or PHI
- Source code repositories (GitHub, GitLab): production branches
- Payment processing systems (Stripe, payment gateways)
Tier 2: Review Semi-Annually
- CRM systems with customer data (Salesforce, HubSpot)
- HR systems with employee PII (Rippling, Gusto, BambooHR)
- Communication tools with sensitive channels (Slack, Teams)
- CI/CD platforms (Jenkins, CircleCI, GitHub Actions)
- Monitoring and logging tools (Datadog, Splunk, ELK)
For PCI-DSS compliance, any system in the Cardholder Data Environment (CDE) or connected to it must be reviewed at minimum semi-annually per Requirement 7.2.5. HIPAA-regulated organizations should review all systems with access to ePHI at least quarterly. LowerPlane automatically classifies systems by tier based on the data they handle and the frameworks you're pursuing.
Detecting and Remediating Excessive Access
Excessive access is the most common finding in access reviews. It happens gradually: an engineer gets admin access to debug a production issue and never loses it. A marketing manager moves to a new team but keeps access to the old team's resources. A contractor's access outlives their engagement by months.
LowerPlane's access review engine automatically detects these patterns:
1. Dormant accounts: Users who haven't logged in for 30+ days. These represent the highest risk because compromised dormant credentials may go unnoticed indefinitely.
2. Privilege creep: Users whose permissions exceed their role's standard access profile. The platform compares each user's actual permissions against role-based baselines.
3. Separation of duties violations: Users with conflicting permissions (e.g., ability to both approve and execute financial transactions, or both deploy code and approve deployments).
4. MFA non-compliance: Users accessing critical systems without MFA enabled. This is flagged as a high-severity finding across all frameworks.
5. Orphaned accounts: Accounts belonging to users no longer in the HR system or identity provider, indicating incomplete offboarding.
Each detected anomaly is presented with context (when access was granted, who approved it, last login date) and recommended remediation actions. Reviewers can approve, modify, or revoke access with a single click, and the decision is documented as audit evidence automatically.
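The campaign phases above and the five detection rules can be reduced to a small rules engine. The example below is added here and is not LowerPlane's code: it applies the dormant-account, privilege-creep, separation-of-duties, MFA and orphaned-account checks to a constructed Phase 1 export, and routes privileged accounts to both the manager and the security team for dual approval. The role baselines, conflict pairs, field names and sample users are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed baselines: in practice these come from the role catalogue and the SoD matrix.
ROLE_BASELINES = {"engineer": {"read", "deploy"}, "finance": {"approve_payment"}, "contractor": {"read"}}
SOD_CONFLICTS = [{"approve_payment", "execute_payment"},   # approve and execute a payment
                 {"deploy", "approve_deploy"}]             # deploy code and approve the deployment
PRIVILEGED = {"admin", "root"}
DORMANT_DAYS = 30
TODAY = date(2025, 4, 1)  # fixed so the constructed sample is reproducible

@dataclass
class Account:
    user: str
    role: str
    manager: str
    permissions: set
    last_login: date
    mfa_enabled: bool
    in_hr_system: bool      # False: HR / IdP no longer knows this user (offboarding gap)

def find_anomalies(acct: Account, today: date = TODAY) -> list:
    """Apply the five detection rules; return finding codes in a fixed order."""
    findings = []
    if (today - acct.last_login).days >= DORMANT_DAYS:
        findings.append("dormant")
    extra = acct.permissions - ROLE_BASELINES.get(acct.role, set())   # beyond the role baseline
    if extra:
        findings.append("privilege_creep:" + ",".join(sorted(extra)))
    for conflict in SOD_CONFLICTS:
        if conflict <= acct.permissions:                              # holds every side of a conflict
            findings.append("sod_violation:" + "+".join(sorted(conflict)))
    if not acct.mfa_enabled:
        findings.append("mfa_missing")
    if not acct.in_hr_system:
        findings.append("orphaned")
    return findings

def reviewers_for(acct: Account) -> list:
    # Privileged accounts need dual approval: direct manager plus the security team.
    return [acct.manager, "security-team"] if acct.permissions & PRIVILEGED else [acct.manager]

# Constructed Phase 1 export for three accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer", "bob", {"read", "deploy", "admin"}, TODAY - timedelta(days=2), True, True),
    Account("carol", "contractor", "dan", {"read"}, TODAY - timedelta(days=90), False, False),
    Account("erin", "finance", "frank", {"approve_payment", "execute_payment"}, TODAY - timedelta(days=1), True, True),
]

def build_campaign(accounts=SAMPLE_ACCOUNTS, today: date = TODAY) -> dict:
    # One review item per account: who must certify it and what was auto-flagged for them.
    return {a.user: {"reviewers": reviewers_for(a), "flags": find_anomalies(a, today)} for a in accounts}
```

Every certification decision a reviewer makes against these items, plus the finding context, is what the remediation phase records as evidence.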
MFA Enforcement: The Non-Negotiable Baseline
Multi-factor authentication has moved from "recommended best practice" to "absolute minimum requirement" across every compliance framework. If your access review reveals users accessing critical systems without MFA, treat it as a critical finding requiring immediate remediation.
PCI-DSS 4.0 (effective March 2025) is explicit: Requirement 8.4.2 mandates MFA for all access to the cardholder data environment, and 8.4.3 requires MFA for all remote network access. No exceptions or compensating controls are accepted.
For practical implementation, here's what auditors expect to see:
- 100% MFA coverage on identity providers (Okta, Azure AD, Google Workspace)
- MFA on cloud consoles (AWS root and IAM users, Azure portal, GCP console)
- MFA on source code platforms (GitHub, GitLab, Bitbucket), especially for production branches
- MFA on VPN and remote access tools, with no exceptions for "convenience"
- Hardware security keys (FIDO2/WebAuthn) recommended for privileged accounts over SMS or TOTP
LowerPlane's access review dashboard shows MFA enrollment status across all integrated systems in real time. During certification campaigns, users without MFA are automatically flagged as non-compliant, and the platform can trigger enrollment reminder workflows through Slack or email.
Key Takeaways
1. Access reviews are required by every major compliance framework. A unified program satisfies SOC 2, ISO 27001, HIPAA, GDPR, and PCI-DSS simultaneously.
2. Run quarterly certification campaigns for critical systems. Automate data collection and anomaly detection to complete reviews in days, not weeks.
3. Focus on excessive access detection: dormant accounts, privilege creep, separation of duties violations, and orphaned accounts.
4. MFA is non-negotiable. 100% enforcement on all critical systems is the baseline expectation across every framework.
5. Document everything. Every certification decision, remediation action, and exception must be recorded for audit evidence.
Frequently Asked Questions
How often should we run access reviews?
Who should be responsible for approving access in reviews?
What do we do about service accounts and API keys?
How do we handle access review exceptions?
Can access reviews be fully automated without human involvement?
What's the difference between access reviews and access audits?