IAM-12 · Asset & Data Management · 8% of OML score

Is there a simple process to request, approve, and revoke access?

Do you have a clear, documented way for employees to ask for access to systems or data, get permission from a manager, and have that access removed when they leave or change roles? Right now, if someone just calls IT and asks for a password, or the boss tells IT to 'give them access,' you have no record of who approved it or why.

⚡ Why This Matters to Your Business

Without a formal process, you cannot prove who should have access to what—making it impossible to investigate if data goes missing, impossible to comply with audits (GST audits, bank audits, customer security checks), and impossible to quickly lock out a disgruntled employee or detect if someone has access they shouldn't. For example, a mid-sized textile exporter in Tiruppur lost customer payment data because an employee who had been fired still had access to the accounting software—no one knew to revoke it because there was no formal handoff process. Banks and large customers now ask for proof of an access control process before they do business with you.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no written process at all. When someone needs access, they ask IT or a manager verbally, and IT gives it without any documentation or approval record.

Level 1
Initial

You have started writing down who has access to what (a basic access list in Excel), but there is no formal request or approval step—access happens informally and approvals are not tracked.

Level 2
Developing

You have a simple one-page form that people fill out to request access, a manager signs it, and IT processes it; revocation is done on a case-by-case basis when someone leaves, with no consistent checklist.

Level 3
Defined

You have a documented request-approve-grant-revoke process in writing; it is followed most of the time; there is a spreadsheet or simple tool tracking who has what access and when it was approved; offboarding includes an access revocation checklist.

Level 4
Managed

Your access request process is fully documented, integrated into your onboarding/offboarding workflow, tracked in a simple database or IT ticketing tool, regularly reviewed (quarterly), and managers sign off on access reviews to confirm employees still need it.

Level 5
Optimised

You have an automated or semi-automated access management system; all requests, approvals, and revocations are logged with timestamps; access reviews happen automatically every quarter; the system alerts you if someone has duplicate or conflicting access; audit trails are kept for at least 2 years.

🚀 How to Move Up — Practical Steps

Step 0 → 1
What to do: Create a one-page Access Request & Approval Form in Word or Google Docs (include: employee name, system/data needed, business reason, manager approval, IT sign-off date). Start using it immediately for all new access requests and keep copies in a folder.
Who: IT Person or Office Manager
Effort: 1 day

Step 1 → 2
What to do: Expand the form to include an Approval Step (manager must sign or email approval before IT acts); create a simple Excel spreadsheet listing all employees and their system access (username, which systems, approval date, approver name); establish a basic offboarding checklist requiring IT to revoke access when someone leaves.
Who: IT Person with input from HR/Admin
Effort: 3-5 days

Step 2 → 3
What to do: Document the complete process (request → approval → grant → quarterly review → revocation) in a 2-3 page Policy document; assign responsibility (e.g., IT for processing, HR for initiating offboarding, manager for approvals); train all staff; conduct a one-time audit of all existing access and remove any that cannot be justified.
Who: IT Person with Management approval
Effort: 2-3 weeks

Step 3 → 4
What to do: Migrate access tracking from Excel to a lightweight ticketing system (Jira, Freshservice, or ServiceNow Free tier) or shared drive with versioning; automate reminders for quarterly access reviews; link access requests to your onboarding/offboarding checklists so revocation is not forgotten.
Who: IT Person
Effort: 4-6 weeks

Step 4 → 5
What to do: Implement role-based access control (RBAC) so access is granted based on job title, not individual requests; set up automated access reviews with manager approval workflows; establish audit logging that captures who approved what, when, and why; create monthly or quarterly management reports showing access changes and anomalies.
Who: IT Person with consultant support if needed
Effort: Ongoing (quarterly reviews and continuous monitoring)
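The register, audit trail and quarterly-review checks that the Level 5 description and the 3 → 4 and 4 → 5 steps call for, as an added example that is not part of the NIRMATA guide: a small Python access register that refuses grants without a named approver and reason, logs every event with a timestamp, and flags orphaned, outside-role and stale access. The role matrix, staff names and dates are constructed for illustration.

```python
from datetime import date, timedelta

# Hypothetical role matrix (constructed): the systems each job role is entitled to.
ROLE_ACCESS = {"accountant": {"tally", "email"}, "sales": {"crm", "email"}}
REVIEW_PERIOD = timedelta(days=92)  # roughly one quarter

class AccessRegister:
    def __init__(self):
        self.grants = {}    # (user, system) -> {"approver": name, "reviewed": date}
        self.audit = []     # every grant/review/revoke with who, when and why
        self.leavers = set()
    def _log(self, event, user, system, actor, on, reason):
        self.audit.append({"event": event, "user": user, "system": system,
                           "by": actor, "on": on.isoformat(), "reason": reason})
    def grant(self, user, system, approver, on, reason):
        # IT acts only on a recorded approver and business reason (no verbal OKs).
        if not approver or not reason:
            raise ValueError("access needs a named approver and a business reason")
        self.grants[(user, system)] = {"approver": approver, "reviewed": on}
        self._log("granted", user, system, approver, on, reason)
    def review(self, user, system, manager, on):
        # Manager re-confirms the person still needs this access.
        self.grants[(user, system)]["reviewed"] = on
        self._log("reviewed", user, system, manager, on, "quarterly review")
    def revoke(self, user, system, actor, on, reason):
        self.grants.pop((user, system), None)
        self._log("revoked", user, system, actor, on, reason)
    def mark_leaver(self, user):
        self.leavers.add(user)  # HR step; IT must still revoke each system
    def anomalies(self, roles, today):
        """Findings a quarterly access review should surface."""
        found = []
        for (user, system), rec in self.grants.items():
            if user in self.leavers:  # left the company but never revoked
                found.append(("orphaned", user, system))
            if system not in ROLE_ACCESS.get(roles.get(user), set()):
                found.append(("outside-role", user, system))  # not justified by job
            if today - rec["reviewed"] > REVIEW_PERIOD:
                found.append(("stale", user, system))  # missed the quarterly review
        return sorted(found)

def demo():
    # Constructed sample: two staff; one has left but IT never revoked anything.
    reg, roles = AccessRegister(), {"priya": "accountant", "rajesh": "sales"}
    reg.grant("priya", "tally", "finance_mgr", date(2024, 1, 10), "month-end accounts")
    reg.grant("rajesh", "crm", "sales_mgr", date(2024, 1, 12), "lead follow-up")
    reg.grant("rajesh", "tally", "sales_mgr", date(2024, 1, 15), "old project")
    reg.review("priya", "tally", "finance_mgr", date(2024, 4, 5))
    reg.mark_leaver("rajesh")
    return reg.anomalies(roles, date(2024, 5, 1))
```

Running `demo()` reproduces the "no offboarding" and "orphaned or duplicate access" pitfalls from the page as findings; the same loop over a real spreadsheet export is the quarterly report the 4 → 5 step asks for.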
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • A written Access Request & Approval Form or template (digital or paper) showing the steps required before access is granted
  • A current spreadsheet, database, or tool output listing all active employees, their user accounts, systems/data they can access, approval date, and approver name
  • At least 3-5 completed and signed access request forms from the last 3 months showing that the process is being followed
  • An Offboarding Checklist or Exit Form that includes 'Revoke IT Access' as a mandatory step, and records showing it was completed for the last 2-3 employees who left
  • A documented policy or procedure document (1-3 pages) describing the request, approval, grant, and revocation steps
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through the process: if a new employee joins your finance team today, how do they get access to the accounting system? Show me a completed example from someone hired in the last 6 months."
  • "Who approves access requests and how do you document their approval? Can you show me the approval records for at least 5 active user accounts?"
  • "When an employee leaves, how do you ensure their access is revoked from all systems? Show me the process and evidence for the last 2-3 people who left."
  • "Do you review access periodically to ensure people still need what they have? How often and what evidence do you keep?"
🛠 Tools That Work in India

Purpose: Create and manage access request forms and track approvals
Free option: Google Forms + Google Sheets (collect requests via form, responses auto-populate a sheet for tracking)
Paid option: Jira Service Management (INR 50,000–100,000/year) or Freshservice (INR 40,000–80,000/year)

Purpose: Maintain a central, searchable record of who has access to what
Free option: Google Sheets or LibreOffice Calc (with conditional formatting to flag expiring or stale access)
Paid option: Microsoft Excel with OneDrive (included in Microsoft 365, INR 6,000–15,000/year per user) or specialist IAM tools like Okta (starts INR 300,000+/year for small businesses)

Purpose: Automate reminders and approval workflows so nothing falls through the cracks
Free option: Google Workspace (Gmail with shared calendars and Drive for workflow documents)
Paid option: Zapier (INR 15,000–40,000/year to automate form submissions to your tracking sheet) or ServiceNow (custom-priced, typically INR 100,000+/year for SMEs)
🛡 How This Makes You More Resilient

When you have a clear access process, you know exactly who should have access to sensitive systems, making it much easier to revoke access quickly if an employee leaves on bad terms or is suspected of misuse—reducing the risk of data theft or sabotage. You can also respond to security audits and customer security questionnaires with confidence, protecting your reputation and winning big contracts. In the event of a data breach or audit investigation, you have a complete paper trail showing who approved what access and when, which protects you legally and speeds up incident response.
⚠️ Common Pitfalls in India

  • Verbal access approval: A manager tells IT 'give Rajesh access to the CRM' without any written request or signature—later, no one remembers who approved it or why, and it becomes hard to audit or remove the access. Always require written (email, form, or document) approval before granting access.
  • No offboarding: When someone resigns, HR tells IT 'he's leaving' but there is no formal checklist; IT forgets to revoke their database password, and the person still has access for months after they leave—risking data leaks if they use it maliciously. Link offboarding directly to IT access revocation and require IT to sign off.
  • Orphaned or duplicate access: Over time, employees accumulate access from old projects or role changes, but no one ever reviews or removes the old access. A quarterly review (even a simple one) where managers confirm 'yes, this person still needs this' prevents stale access from piling up and becoming a security risk.
⚖️ Compliance References

DPDP Act 2023: Section 8 (principles of processing, including necessity and proportionality—access must be justified and documented) and Section 6 (data fiduciary accountability)
CERT-In 2022: Direction 4: User access control and management; requires documented access control policies and periodic reviews
ISO 27001:2022: Annex A 6.2 (User access management), specifically A.6.2.1 (user registration and de-registration) and A.6.2.2 (user access provisioning)
NIST CSF 2.0: Govern: Organizational Context (GV.OC-04 – organizational roles, responsibilities and authorities are managed); Protect: Access Control (PR.AC-01 – identities and credentials are managed and protected)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
