If you don't review access rights, former employees or people who have moved to other roles keep passwords and system permissions long after they should have lost them. A disgruntled finance assistant who was promoted six months ago might still have access to the accounting system even though they now work in HR: they could steal vendor payment details or alter invoices. A GST-registered trader in Delhi lost ₹8 lakhs when a former accountant still had access to the Tally database and created fake purchase invoices. An IT audit will fail you immediately if you can't show who has access to what. Worse, if customer data leaks and regulators find you never reviewed permissions, you face fines under the DPDP Act and loss of client contracts.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no list of who has access to what systems. When asked, you phone the person who 'knows the passwords' and they guess based on memory. Former employees' accounts are still active in your office network or email.
Initial
You have a rough list of user accounts somewhere (maybe a Word file or old email), but you've never actually checked it against current staff. You remove access only when someone complains or leaves and their manager remembers to tell you.
Developing
You have an up-to-date list of all user accounts and what systems each person can access. You review this list once a year when doing your internal audit, and you remove access within a month of someone leaving or changing roles.
Defined
You review access rights every six months with each department manager signing off that the list is correct. You have a simple form that captures role changes and you remove access within one week. You keep a record of every review and sign-off.
Managed
You review access every quarter with managers; terminations trigger same-day access removal. You have a documented policy on access review frequency by system type. You can prove access changes happened within 48 hours of role changes. You audit against actual system logs to verify the records match reality.
Optimised
Access review runs on an automated schedule with manager approval workflows: high-risk system access is reviewed monthly, standard access quarterly. System logs are compared to your access list automatically to catch 'drift'. You have a documented exception process for when access must stay active outside the normal rules. Orphaned accounts and suspicious access are caught and removed within 24 hours.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Make a list right now: open a spreadsheet with columns for Name, System, Access Level, Start Date, and ask each person verbally what they can access. Save it with today's date. | Owner or IT person | 2–4 hours |
| 1 → 2 | Walk through each business system (email, accounting software, server, cloud apps) and pull the actual user list from each one. Match it against your staff list. Delete any accounts for people who have left. Update your master spreadsheet. | IT person | 1 week |
| 2 → 3 | Set a calendar reminder for every 6 months. Create a one-page form asking each manager: 'Does this person still need this access?' Email the form 2 weeks before review date. Document manager sign-off and save in a folder. | HR or IT person | 2–4 weeks |
| 3 → 4 | Write a simple policy: 'Access review happens Q1 and Q3. When someone leaves, their access is removed within 24 hours. When they change roles, access is updated within 1 week. IT logs every change with date and reason.' Train managers on this. Set up a log spreadsheet or document template. | Owner + IT person | 1–2 months |
| 4 → 5 | Use system admin tools or simple scripts to export active user accounts from each system every month and compare against your current staff list. Flag any mismatches for immediate review. Integrate role-change notifications into your HR process so IT is told automatically when someone moves roles. | IT person with manager input | Ongoing—3–5 hours per month |
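The monthly export-and-compare check from the 4 → 5 step (and the automated drift detection at the Optimised level), written out as an added Python example that is not part of the NIRMATA page. The staff list, the per-system exports, the employee names and the rule that an account's role must match the person's current department are all constructed assumptions; in practice the two CSVs would be the HR export and the user list pulled from each system's admin panel.

```python
import csv
from datetime import date

REVIEW_DAYS = 90  # quarterly review window, as at the Managed level

# Constructed HR export: one row per employee with their current department.
STAFF_CSV = """employee,department,status
Asha Rao,Accounts,active
Rahul Mehta,Sales,active
Priya Nair,HR,active
"""

# Constructed per-system account exports, as pulled from each admin panel. Rahul moved
# from Accounts to Sales but still holds an Accounts role in Tally; Vikram has left.
SYSTEM_CSV = """system,employee,role,date_last_reviewed
Tally,Asha Rao,Accounts,2024-05-01
Tally,Rahul Mehta,Accounts,2024-01-15
Email,Rahul Mehta,Sales,2024-05-01
FileServer,Vikram Singh,Accounts,2023-11-30
Email,Priya Nair,HR,2024-05-10
"""

def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(csv_text.splitlines()))

def reconcile(staff_rows, account_rows, today):
    """Return sorted (finding, system, employee) tuples for every mismatch.
    Assumed model: an account's role must equal the holder's current department."""
    active = {r["employee"]: r["department"] for r in staff_rows if r["status"] == "active"}
    findings = []
    for acct in account_rows:
        who, system = acct["employee"], acct["system"]
        if who not in active:  # orphaned: nobody on the staff list owns this account
            findings.append(("orphaned", system, who))
            continue
        if acct["role"] != active[who]:  # role change never propagated to this system
            findings.append(("stale_role", system, who))
        reviewed = date.fromisoformat(acct["date_last_reviewed"])
        if (today - reviewed).days > REVIEW_DAYS:  # review overdue for this entry
            findings.append(("stale_review", system, who))
    return sorted(findings)

def run_example():
    """Run the check against the constructed data as of 1 June 2024."""
    return reconcile(load(STAFF_CSV), load(SYSTEM_CSV), date(2024, 6, 1))

if __name__ == "__main__":
    print(*run_example(), sep="\n")
```

Each flagged tuple is an item for the manager sign-off form; an "orphaned" finding is the former-accountant case from the introduction and should trigger same-day removal.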
Documents and records that prove your maturity level.
- Master access list spreadsheet with columns: Employee Name, System Name, Access Level/Role, Date Granted, Date Last Reviewed, Manager Approval
- Access review sign-off document or email from department managers confirming access is still appropriate, dated within the last 6 months
- Termination checklist showing access removal date for at least 3 recently departed employees
- Access removal log or record showing who had access removed and when (e.g., exports from email, system admin panels, or a simple dated list)
- Policy document stating the frequency of access reviews and the process for removing access when roles change or staff leave
Prepare for these questions from customers or third-party reviewers.
- "Show me your current list of who has access to what systems. How often is this list reviewed and updated?"
- "Pick a person who left in the last 6 months. Show me when their access was removed from each system."
- "Show me evidence that department managers have signed off on access rights for their team members. How recent is this sign-off?"
- "A person was promoted from Accounts to Sales 3 months ago. Can you prove they no longer have access to the Accounts system?"
- "What is your documented policy on how quickly access must be removed after someone leaves? Can you show me this is being followed?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Spreadsheet to list and track access rights for all staff and systems | Google Sheets or LibreOffice Calc (no cost). Use a template with columns for Name, System, Access Level, Date Granted, Review Date, Manager Approval. | — |
| Automated export of user lists from your business systems to check against staff list | Most systems (Gmail, Windows Server, QuickBooks) allow free export of user accounts. No additional tool needed—just manual monthly exports. | Active Directory / Azure AD User Reporting (if using Microsoft): included in Microsoft 365 Business Basic (₹400–600/user/month); Okta (₹100–200/user/month); JumpCloud (₹150–250/user/month) |
| Simple workflow to notify IT when staff join, leave, or change roles | Google Forms + Google Sheets + email notifications (use IFTTT or Zapier free tier to send alerts). Or a simple email template managers fill in and send to IT. | BambooHR (₹15,000–30,000/year for small team); Workday (Enterprise pricing, not for MSME) |
| Document storage and sign-off tracking for access reviews | Google Drive + shared folder with dated review documents. Use Google Docs for manager sign-off forms. | SharePoint Online (included in Microsoft 365 Business at ₹400–600/user/month); Box (₹400–600/month) |
- Assuming 'no news is good news'—you wait for someone to complain before checking access, but by then damage is already done. In Indian businesses, staff rarely speak up about security until it's too late.
- Reviewing only active staff, forgetting to check if former employees or contractors still have system access. A software developer in Bangalore who left 2 years ago may still have GitHub or server access if no one checked.
- Only removing access from email but forgetting the accounting software, file server, or cloud app. Staff can still log in to critical systems even after 'official' termination.
- Keeping access reviews informal—a mental note or a chat with the IT person—so there's no proof when an auditor asks. Indian regulators and customers now demand documented evidence.
- Not aligning with HR: IT doesn't know when someone left or changed roles because HR didn't tell them. Conversely, HR removes a person from payroll but IT never gets the message.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (Data Protection Principles) and Section 8 (Lawful Purpose): Organizations must limit access to personal data to those who need it. Periodic review ensures data is accessed only by authorized persons. |
| CERT-In 2022 | Direction 5 (Access Control): Organizations must enforce access control mechanisms and periodically review user access rights to prevent unauthorized access. |
| ISO 27001:2022 | Annex A, Control 5.16 (Access Review): Periodic review of access rights at least annually (or more frequently for sensitive systems). Control 5.15 requires removal of unnecessary access rights. |
| NIST CSF 2.0 | Govern (GV) and Protect (PR) functions: GV.RR-02 (Roles, Responsibilities, and Authorities) and PR.AA-02 (Access Rights and Privileges) require review and management of user access rights. |