When former employees, or people who have changed roles, still have access to customer data, financial records, or trade secrets, you face data theft, fraud, and compliance violations. A real example: a Delhi IT services company had an accounts staff member resign; six months later, that person logged in from outside and stole customer payment information, leading to a ₹45 lakh fraud case and the loss of three major clients who discovered the breach during their own audit. Regulatory bodies such as CERT-In and the Data Protection Board now expect you to prove that you regularly review access; failure means fines and lost customer contracts.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no list of who has access to what systems or data. When someone leaves or changes roles, IT just removes their login when asked, with no formal check of what they actually had access to.
Initial
You have a basic list of user accounts and systems, but it is rarely updated. When people complain they cannot access something, you add access, but no one checks if old access is still active or if the person still needs it.
Developing
You have a list of user accounts and their access rights that you check once a year. You remove obvious access for people who left, but you do not check whether people who changed roles still have access they no longer need.
Defined
You formally review access rights every quarter. You check each person's access against their current job role, document who reviewed it, and remove access that does not match their role, keeping records of what was removed.
Managed
You review access rights every quarter with documented evidence. Your IT system automatically flags access that has not been used in 90 days, you investigate why, and you have a formal process where the employee's manager signs off that the access is still needed.
Optimised
You review access rights continuously through automated monitoring. Your system alerts you when access is added, checks it against job roles automatically each month, and generates reports that managers review and sign off on. You track exactly who reviewed each access decision and when.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple spreadsheet listing all user accounts, systems they can access, and the date they were added. Have your IT person or admin spend one afternoon documenting current access. | IT person or system admin | 1 day |
| 1 → 2 | Set a calendar reminder to review the access list every 12 months. Compare it against current employees and their roles from HR. Remove access for people who left or moved teams. Keep a signed record of who reviewed it and when. | IT person with HR manager confirmation | 1 week per year |
| 2 → 3 | Move to quarterly reviews (every 3 months). Create a formal template where each department manager confirms whether their team members still need their access. Document what was reviewed, what was removed, and who signed off. Keep these records for 2 years. | IT person coordinating with department managers | 2-4 weeks to set up, then 3-4 hours per quarter |
| 3 → 4 | Set up basic monitoring in your systems (or use a tool like Freshservice or even a Google Sheet with formulas) to flag access that has not been used in 90 days. When flagged, investigate why it exists and document the decision to keep or remove it. Track this in your quarterly review. | IT person with approvals from data owner or manager | 1-2 months to configure and test |
| 4 → 5 | Move to monthly automated checks using your IT system or a lightweight tool. Automatically scan access rights against job roles in HR records. Generate monthly reports that managers review and sign. Set up alerts for high-risk access (financial systems, customer databases). Archive and audit all historical decisions. | IT person maintaining automation; managers reviewing monthly | Ongoing - approximately 1-2 hours per month after setup |
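The checks in steps 3 → 4 and 4 → 5 (flag access unused for 90 days, cross-check each access right against the person's current HR role, catch leavers and shared logins with no owner) can be run as a script over the same three records the steps ask you to keep: the access inventory, the HR roster, and last-login data. The example below is added here and is not part of the original page or any tool it names; the CSV column names, the sample records, and the review date are constructed assumptions. It produces the finding list that goes into the quarterly review template for a manager to sign off.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original page). In practice these come
# from your access spreadsheet, an HR export, and application or AD login reports.
ACCESS_CSV = """user,system,role_required,granted_on
asha,accounts_erp,Accounts,2022-03-01
asha,crm,Sales,2021-06-15
ravi,crm,Sales,2023-01-10
meena,accounts_erp,Accounts,2020-09-01
shared_admin,fileserver,IT,2019-01-01
"""

HR_CSV = """user,role,status
asha,Accounts,active
ravi,Sales,active
meena,Accounts,resigned
"""

LAST_LOGIN_CSV = """user,system,last_login
asha,accounts_erp,2024-06-20
asha,crm,2023-11-02
ravi,crm,2024-06-25
meena,accounts_erp,2024-01-05
"""

REVIEW_DATE = date(2024, 7, 1)   # assumed date of the quarterly review


def load(csv_text):
    """Parse a CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(access_rows, hr_rows, login_rows, today, unused_days=90):
    """Return one finding per problem found in the access inventory.

    Finding kinds:
      leaver        - HR lists the person as not active
      no_hr_record  - no person in HR owns this account (shared/orphan login)
      role_mismatch - access was granted for a role the person no longer holds
      unused        - no login for >= unused_days, or never logged in
    """
    hr = {r["user"]: r for r in hr_rows}
    last_login = {(r["user"], r["system"]): date.fromisoformat(r["last_login"])
                  for r in login_rows}
    findings = []
    for a in access_rows:
        person = hr.get(a["user"])
        if person is None:
            findings.append({**a, "finding": "no_hr_record"})
        elif person["status"] != "active":
            findings.append({**a, "finding": "leaver"})
        elif person["role"] != a["role_required"]:
            findings.append({**a, "finding": "role_mismatch"})
        seen = last_login.get((a["user"], a["system"]))
        if seen is None or (today - seen).days >= unused_days:
            findings.append({**a, "finding": "unused",
                             "last_login": seen.isoformat() if seen else "never"})
    return findings


def review_log(findings, reviewer):
    """Render findings as the CSV review record: one line per finding, with an
    empty 'decision' column for the manager to fill in (keep/remove) and sign."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["user", "system", "finding", "last_login", "reviewed_by", "decision"])
    for f in findings:
        w.writerow([f["user"], f["system"], f["finding"],
                    f.get("last_login", ""), reviewer, ""])
    return out.getvalue()


def run_sample_review():
    """Run the review over the constructed sample data."""
    return review_access(load(ACCESS_CSV), load(HR_CSV), load(LAST_LOGIN_CSV), REVIEW_DATE)


if __name__ == "__main__":
    print(review_log(run_sample_review(), reviewer="it-admin"))
```

On the sample data this flags asha's leftover Sales CRM access (role mismatch, and unused since she moved to Accounts), meena's ERP account after her resignation, and the shared fileserver admin login that no person in HR owns. Removing a row from the access inventory only after the manager's decision is recorded gives you the "what was removed, when, and by whom" evidence auditors ask for.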
Documents and records that prove your maturity level.
- A documented list or spreadsheet showing all user accounts, systems they can access, and the date access was granted
- Records of at least one formal access review (email, signed document, or meeting note) dated within the last 12 months
- A log or record showing which access rights were removed in the past year, with dates and reasons
- A document or email from a manager or data owner confirming that access is still needed (even if just for renewal)
- An HR record cross-reference showing that access matches current job roles (or a note explaining any differences)
Prepare for these questions from customers or third-party reviewers.
- "Show me your process for reviewing who has access to your systems. How often do you do this review?"
- "Can you provide evidence that access reviews happened in the past 12 months? Who performed them and who approved the findings?"
- "I see user X is no longer listed in your HR system. When was their system access removed and what was the last date they logged in?"
- "How do you ensure that when someone moves from Sales to Accounts, their old Sales system access is removed? Show me an example from the past year."
- "Do you have a formal process where someone confirms that access is still needed? Who is responsible for that decision?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain a simple access review log | Google Sheets or LibreOffice Calc with a template (no cost, but requires manual upkeep) | Microsoft Excel with OneDrive (₹0 if you have Microsoft 365 subscription already, otherwise ₹6,000/year per user) |
| Track user access across multiple systems and flag unused access | Manual audit using built-in system reports from Windows Active Directory or your applications (for example, last-logon attributes and group membership exports) | Freshservice (₹8,000–15,000/month depending on users); Saviynt (₹25,000+/month); Microsoft Entra ID access reviews, formerly Azure AD (₹0–5,000/month if already on Microsoft cloud, but needs an Entra ID P2 or Governance licence) |
| Monitor and log when access is added, modified, or removed | Windows Event Viewer or native system logs (if you have IT expertise to review them; in the Windows Security log, event IDs 4720/4726 record account creation/deletion and 4728/4732/4756 record additions to security groups) | Splunk (₹50,000+/year); Datadog (₹30,000–100,000/year); Rapid7 InsightIDR (₹15,000–40,000/year) |
- Assuming that if someone leaves the company, IT automatically removes all their access. In reality, some systems are forgotten (email forwards, VPN, old project management tools), and without a checklist, old access remains active for years.
- Reviewing access only when an audit happens or a security incident occurs. Many Indian SMEs skip regular reviews to save time, then face surprise audit findings or discover unauthorized data access retroactively.
- Not coordinating between HR and IT. HR knows someone resigned, but IT does not find out for weeks because HR forgets to notify them or there is no formal handoff process, leaving access active during the gap.
- Keeping access removal requests in email threads instead of a formal log. When auditors ask to see what access was removed and when, you cannot find the evidence, so you cannot prove you did the review.
- Giving access to group accounts or shared logins instead of individual accounts. This makes it impossible to track who accessed what, so you cannot audit individual access rights.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(5) (reasonable security safeguards to prevent a personal data breach) and Section 8(7) (erase personal data once its purpose is served) - access that is no longer needed is neither a reasonable safeguard nor consistent with limiting data to its purpose |
| CERT-In Directions 2022 | Direction (iv) - logs of all ICT systems must be enabled and retained for a rolling 180 days within India; these logs are the evidence of when access was granted, last used, and removed |
| ISO 27001:2022 | Annex A 5.15 (Access control), A 5.18 (Access rights) and A 8.2 (Privileged access rights) - access rights must be provisioned, reviewed at regular intervals, modified and removed in line with the access control policy, with privileged rights controlled more tightly |
| NIST CSF 2.0 | Protect (PR.AA-01, PR.AA-05) - identities and credentials are managed, and access permissions are defined, managed, enforced and reviewed on least-privilege and separation-of-duties principles |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →