Ask any auditor for the control startups most often fumble, and access reviews are near the top. They’re conceptually simple, easy to neglect, and heavily tested. Here’s how to do them well.

What is an access review?

A user access review (also called access recertification) is a periodic check that answers one question: does everyone who has access to a system still need it? You take the current list of people with access, and for each one decide to keep, revoke, or modify their access — then act on the revocations.

It catches the things that quietly accumulate risk: the contractor who left but still has a login, the engineer who changed teams but kept production access, the shared account nobody owns.

Why frameworks care so much

Both SOC 2 (under the common criteria for logical access) and ISO 27001 (Annex A access-control expectations) require that access is granted on a least-privilege basis and reviewed periodically. It’s a direct test of whether your access controls actually work over time, not just on the day you set them up.

How often should you run one?

  • Quarterly for critical production systems and your identity provider is a common, defensible cadence.
  • At least annually for lower-risk systems.
  • Event-driven reviews after major reorganizations or offboarding waves.

The right answer is “often enough that access never drifts far from need.” Quarterly is a safe default for a growing company.

What auditors look for

  • A complete population — the review covered everyone with access, not a convenient subset.
  • A decision per person — keep/revoke/modify, not a blanket “looks fine.”
  • Evidence the revocations happened, not just that they were flagged.
  • A date and a reviewer — who certified it and when.
  • A cadence — that this happens on a schedule, not once before an audit.

Common mistakes

  • Reviewing only the easy systems and skipping the messy ones.
  • Deciding “keep” for everyone to save time — auditors notice a review with zero changes across a growing company.
  • Flagging revocations but never completing them.
  • Running one heroic review right before fieldwork and never again.

Turn it into evidence automatically

The best access review is one that produces its own audit trail. When you complete a review, you should end up with a dated, signed record of the population, the decisions, and the follow-up — ready to hand to an auditor without extra work.

How Keel helps

Keel syncs your staff directory from Microsoft Entra, Google Workspace, or a CSV, then lets you run an access review over that live population. You record keep/revoke/modify (with notes) per person, and completing the review automatically files it as attestation evidence and generates remediation tasks for every revoke/modify decision. A cadence indicator flags when it’s time for the next one.

Start free and run your first access review in minutes.