If access rules are unclear or granted ad hoc (the owner tells someone to 'give him access'), you will eventually have ex-employees or the wrong people viewing sensitive customer data, financial records, or GST filings. A typical scenario: a data entry person leaves your manufacturing firm, but no one removes their access to the production costing spreadsheet; three months later you discover they have been downloading your pricing data to sell to a competitor. The consequences are loss of customer trust, potential regulatory action under the DPDP Act, and audit failures when compliance teams ask 'who has access to what, and why?'
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You find that access is given out informally—the boss tells someone 'add him to the shared folder,' passwords are shared over WhatsApp, and when someone leaves nobody remembers to remove them. There's no list of who has access to what.
Initial
You have an informal written list (maybe a spreadsheet) of who should have access to which systems, but it's rarely updated and removal happens only when someone complains they still have access. No one owns responsibility for maintaining it.
Developing
You have a written process (3-4 pages) covering how to request access, who approves it, and how to remove it; the IT person or manager follows it most of the time and keeps a quarterly list of active users, but there is no formal review of whether existing access is still appropriate.
Defined
Your access process is documented, communicated to all staff, and followed consistently; you do a quarterly review of all active access and update the list; removed access is logged and spot-checked. New joiners and leavers are processed within 1 week.
Managed
Access requests go through a formal approval system (even if just email with sign-off); every change is logged with date, who approved it, and why; you do quarterly access reviews with department heads signing off that access is still needed; access removal happens same-day or next-day when someone leaves.
Optimised
Access is managed through a system (even a simple one such as Microsoft Entra ID, formerly Azure AD, or Google Workspace built-in controls); all requests, approvals, and removals are automated and logged with timestamps; monthly automated reports show who has what access and flag orphaned accounts (accounts whose holder has left or changed role); access is re-certified every 6 months with manager sign-off.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple one-page process document: 1) How to request access (email to IT/manager with business reason), 2) Who approves (owner or IT lead), 3) How access is removed (notify IT when person leaves). Share it with all staff. | IT person or Operations Manager | 1 day |
| 1 → 2 | Expand the process to 3-4 pages with step-by-step details, approval forms, and timelines (e.g., 'approval must happen within 2 days'). Create and maintain a quarterly updated spreadsheet listing all users and their system access. Assign one person ownership. | IT person | 1 week |
| 2 → 3 | Formalize the process as a company policy; communicate it to all staff in writing and in orientation; start a quarterly access review meeting where department heads confirm access is still needed; log all access additions/removals with dates and approver names. | HR Manager and IT person | 2-4 weeks |
| 3 → 4 | Implement a simple request workflow (email template, approval sign-off requirement, no verbal requests accepted); create an access log (even a spreadsheet with columns: Date, User, System, Action—Add/Remove/Change, Approver, Reason); set removal deadline to same-day when exit notification arrives. | IT person and Operations Manager | 1-2 months |
| 4 → 5 | Move to a centralized identity system (Google Workspace, Microsoft 365, or a lightweight open-source option); automate access logging; set up monthly reports showing active users, access changes, and dormant accounts; implement semi-annual access recertification (every 6 months) where all managers re-approve their team's access. | IT Lead (may need an external consultant for 2-3 days) | Ongoing (monthly reporting and 6-month recertification) |
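As an added example that is not part of the NIRMATA page or any tool it names, the script below takes the access log in exactly the column layout the 3 → 4 step prescribes (Date, User, System, Action, Approver, Reason) and produces the findings the 4 → 5 reports and the quarterly review meeting need: the current access list, accounts still live for people who have left, grants with no approver on record, and dormant access. The log contents, the HR leaver list and the last-login export are constructed sample data; the leaver and last-login files are hypothetical exports that HR and the system in question (Google Workspace, Microsoft 365, or a spreadsheet) would supply.

```python
"""Quarterly access review from a Date/User/System/Action/Approver/Reason access log."""
import csv
import io
from collections import namedtuple
from datetime import date, timedelta

# Constructed sample data (not from any real organisation).
ACCESS_LOG_CSV = """Date,User,System,Action,Approver,Reason
2024-01-08,asha.k,Tally ERP,Add,r.mehta,New accounts executive
2024-01-08,asha.k,Costing Sheet,Add,r.mehta,Needs costing data for quotes
2024-02-14,vikram.s,Costing Sheet,Add,,Requested over WhatsApp
2024-03-01,priya.n,GST Portal,Add,s.iyer,Files monthly GST returns
2024-04-02,vikram.s,Tally ERP,Add,r.mehta,Data entry for production
2024-05-20,asha.k,Tally ERP,Remove,r.mehta,Moved to sales team
"""

# Hypothetical HR export: who has left and when.
LEAVERS_CSV = """User,LastWorkingDay
vikram.s,2024-06-30
"""

# Hypothetical last-login export from the systems themselves.
LAST_LOGIN_CSV = """User,System,LastLogin
asha.k,Costing Sheet,2024-09-10
priya.n,GST Portal,2024-09-12
vikram.s,Costing Sheet,2024-08-15
"""

AS_OF = date(2024, 9, 30)  # review date for the quarter

Grant = namedtuple("Grant", "user system granted approver reason")


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def current_access(log_csv):
    """Replay the log in date order: the latest Add/Change wins, a Remove deletes the entry."""
    active = {}
    for r in sorted(_rows(log_csv), key=lambda r: r["Date"]):  # ISO dates sort as text
        key = (r["User"], r["System"])
        if r["Action"] == "Remove":
            active.pop(key, None)
        else:  # Add or Change
            active[key] = Grant(r["User"], r["System"], date.fromisoformat(r["Date"]),
                                r["Approver"].strip(), r["Reason"])
    return active


def orphaned_accounts(active, leavers_csv, as_of):
    """Access still live for people whose last working day is on or before as_of."""
    left = {r["User"]: date.fromisoformat(r["LastWorkingDay"]) for r in _rows(leavers_csv)}
    return sorted(g for g in active.values() if g.user in left and left[g.user] <= as_of)


def unapproved_grants(active):
    """Live access with no approver recorded, i.e. verbal or WhatsApp requests."""
    return sorted(g for g in active.values() if not g.approver)


def dormant_access(active, last_login_csv, as_of, max_idle_days=90):
    """Live access not used within max_idle_days; an entry with no login at all counts
    from the day it was granted."""
    seen = {(r["User"], r["System"]): date.fromisoformat(r["LastLogin"])
            for r in _rows(last_login_csv)}
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(g for g in active.values()
                  if seen.get((g.user, g.system), g.granted) < cutoff)


def quarterly_review(log_csv, leavers_csv, last_login_csv, as_of):
    """Everything a department head needs to sign off in the quarterly review meeting."""
    active = current_access(log_csv)
    return {
        "active": sorted(active.values()),
        "orphaned": orphaned_accounts(active, leavers_csv, as_of),
        "unapproved": unapproved_grants(active),
        "dormant": dormant_access(active, last_login_csv, as_of),
    }


if __name__ == "__main__":
    report = quarterly_review(ACCESS_LOG_CSV, LEAVERS_CSV, LAST_LOGIN_CSV, AS_OF)
    for section, grants in report.items():
        print(f"== {section} ({len(grants)})")
        for g in grants:
            print(f"  {g.user:10} {g.system:14} granted {g.granted} by {g.approver or '<none>'}")
```

With the sample data the review flags vikram.s twice (he left on 30 June but both his grants are still live), the Costing Sheet grant once more because it has no approver, and his Tally ERP access as dormant because it has never been used. Replaying the log rather than trusting a hand-maintained "current users" sheet is the point: the log is the evidence an auditor asks for, so the list you sign off should be derived from it.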
Documents and records that prove your maturity level.
- Written process document (1+ pages) describing how to request, approve, and remove access
- Access request form or template (email, Google Form, or paper form) with dates and approver signatures
- Current access list or spreadsheet (updated at least quarterly) showing user name, systems they can access, start date, and approver
- Log or record of access changes (additions, removals, modifications) with dates, who made the change, and who approved it
- Evidence of periodic access review (meeting notes, signed-off approval list, or manager emails confirming access is still needed) done at least twice per year
Prepare for these questions from customers or third-party reviewers.
- "Show me your documented process for granting, changing, and revoking access. Is it communicated to staff?"
- "Who is responsible for maintaining the access list, and how often is it reviewed? Show me the current list."
- "When someone leaves the company, what's your process to remove their access? Can you show me examples from the last 6 months?"
- "Do you have approval documentation for each access grant? Show me 3 recent examples with dates and approver names."
- "How do you ensure access is still appropriate over time? When and how do you review whether people still need the access they have?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain access request forms and approval workflows | Google Forms + Google Sheets (no cost if you have Google Workspace); Microsoft Forms + Excel (included in Microsoft 365) | Jira Service Management (starting ₹5,000/month); ManageEngine ServiceDesk Plus Cloud (starting ₹5,000/month) |
| Centralized user and access management system | Google Workspace (includes basic user management; ₹4,000/user/year if buying separately) or Nextcloud (open-source, self-hosted; has its own user and group management) | Microsoft Entra ID, formerly Azure AD (₹2,500-7,000/user/year); Okta (starting ₹15,000/month); JumpCloud (starting ₹10,000/month) |
| Track and log all access changes and create audit reports | Google Sheets or LibreOffice Calc with data validation and filter views | Splunk (starting ₹50,000/month); ELK Stack (free software, self-hosted, hosting cost only); Freshservice (starting ₹5,000/month) |
- Relying on verbal or WhatsApp requests for access instead of documented requests—creates no audit trail and leads to forgotten removals when people leave.
- Using shared login credentials (e.g., an 'office password' used by 5 people) instead of individual accounts: you cannot tell who accessed, changed, or deleted what, which fails the basic audit requirement of attributing actions to a person.
- Not removing access when someone leaves or changes roles because 'we forgot' or 'the IT person was sick': ex-employees keep live access, which is a serious security gap and a standard finding in Indian compliance audits.
- Making the IT person the only approver and not documenting who else can approve: when that person is on leave, access decisions get delayed or skipped entirely.
- Creating a process document but never communicating it to staff—people continue requesting access verbally or via informal channels, so the process isn't actually followed.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (general obligations of a Data Fiduciary, including 8(5): reasonable security safeguards to prevent personal data breach), Section 6 (consent limited to the specified purpose and to the data necessary for it; access should be only what the purpose needs) |
| CERT-In Directions (April 2022) | Direction (iv): logs of all ICT systems must be retained for a rolling period of 180 days within Indian jurisdiction, which covers the access-change log this pillar asks for |
| ISO 27001:2022 | Annex A 5.15 (access control), A.5.16 (identity management: registering and de-registering users), A.5.18 (access rights: provisioning, review and removal), A.5.3 (segregation of duties), A.8.2 (privileged access rights) |
| NIST CSF 2.0 | Govern (GV) function: GV.RR-02 (roles, responsibilities and authorities established and communicated); Protect (PR) function: PR.AA-01 (identities and credentials managed), PR.AA-05 (access permissions and authorizations defined, managed, enforced and reviewed, incorporating least privilege and separation of duties) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →