IAM-15 · Asset & Data Management · 8% of OML score

Is identity and access management reviewed at least once a year?

You need to check and update who can access what in your business systems at least once every year. This means reviewing employee login accounts, passwords, and permissions to make sure only the right people have access to important data and systems, and removing access from people who have left or changed roles.

⚡ Why This Matters to Your Business

When you don't review access regularly, former employees keep working login credentials to your systems, people hold permissions they no longer need, and you lose track of who can see sensitive customer or financial data. A typical Indian scenario: a contract employee leaves your accounting team, but their login still works in your GST filing system; six months later they sell customer tax data to a competitor, and you face regulatory penalties plus reputational damage. Without annual reviews you also fail compliance audits from banks or large customer organisations, and cannot prove to insurers that you protected data properly when something goes wrong.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You have no list of who has access to what systems, and access is managed ad-hoc (people ask the IT person and get added whenever needed). Nobody knows if departed employees still have active accounts, and there is no record of when or why access was given.

Level 1: Initial

You have a basic list of employee names and systems they use, but it is not updated regularly and may be months out of date. You remove access only when someone complains or when the IT person remembers during a crisis.

Level 2: Developing

You have a documented list of who has access to each system (a spreadsheet), updated at least once a year, usually after someone leaves or complains about access. The list exists, but is often incomplete and tracks only major systems, not all applications.

Level 3: Defined

You conduct a formal access review meeting once a year with managers and IT, comparing the current list to active employees and checking for any access that should be removed. The review is documented with dates and sign-offs, and you follow up on findings within a month or two.

Level 4: Managed

You perform a documented access review twice per year, with managers certifying access for their teams, and you automatically disable accounts within 2 weeks of employees leaving. You also review role changes and adjust permissions within a week, with documented evidence of each review and action taken.

Level 5: Optimised

You conduct quarterly or event-driven access reviews with manager sign-offs, have a ticketed system tracking every access grant and removal, automatically disable accounts the day an employee leaves, and run monthly reports comparing actual system access to approved lists with zero tolerance for exceptions.

🚀 How to Move Up — Practical Steps

Step 0 → 1
What to do: Create a simple spreadsheet listing all employees, their job roles, and which systems they need (email, accounting software, file server, etc.). Ask your IT person or manager to fill it in. Save it in a locked folder.
Who: Business owner or IT person
Effort: 1 day

Step 1 → 2
What to do: Set a calendar reminder for one specific date each year (e.g., 31 March). On that date, print or review the access list, mark it with today's date, and ask your IT person to confirm which accounts are actually active and which employees are still with the company. Save this marked-up copy as evidence.
Who: Business owner or manager
Effort: Half day

Step 2 → 3
What to do: Schedule a 1-hour meeting each year with department heads (accounts, sales, operations). Provide them with a list of their team's access and ask them to sign off that it is correct. Document who attended, the date, and any changes needed. Follow up within 30 days and disable any unnecessary access. Keep the signed approval.
Who: Manager or business owner
Effort: 2-4 weeks (including follow-up)

Step 3 → 4
What to do: Automate the process: create a repeating task in your IT system or use a simple ticketed tool (Jira, or even Google Forms) to send access certification requests to managers. Set a rule that IT disables accounts within 2 weeks of exit or role change. Document all requests, approvals, and actions. Do this twice per year.
Who: IT person or admin
Effort: 1-2 months

Step 4 → 5
What to do: Integrate access reviews into your change management process: whenever someone is hired, transferred, or leaves, a ticket is automatically created and tracked. Generate monthly compliance reports comparing approved access to actual system logs, flag discrepancies same-day, and archive all evidence. Review quarterly instead of annually.
Who: IT person with process ownership
Effort: Ongoing
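The comparison that the 3 → 4 and 4 → 5 steps call for (approved access versus what the systems actually show), written out as an added Python example. This is not code from the NIRMATA guide or its custodian; the employee list, HR roster, account exports, review date and the 14-day disable target are constructed sample data standing in for your own spreadsheet and system exports. One pass produces four kinds of finding: accounts still live for exited staff or contractors (with days overdue against the two-week rule), active accounts that nobody approved, systems that were never put in scope, and approved entries with no matching account.

```python
"""Reconcile the approved-access list against each system's actual accounts.

Added example for this guide, not the NIRMATA framework's own tooling. All
inputs are constructed: APPROVED_CSV stands in for the spreadsheet from the
0 -> 1 step, HR_CSV for the HR roster, ACTUAL_ACCOUNTS for the user-list
exports an IT person pulls from each system on the review date.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample data; names, ids and systems are hypothetical.
APPROVED_CSV = """employee_id,name,role,system
E001,Asha,Accounts,email
E001,Asha,Accounts,accounting
E002,Ravi,Sales,email
E002,Ravi,Sales,crm
E003,Meena,Contract CA,accounting
"""

HR_CSV = """employee_id,name,status,exit_date
E001,Asha,active,
E002,Ravi,active,
E003,Meena,exited,2024-01-15
"""

# Active accounts as exported from each system on the review date.
ACTUAL_ACCOUNTS = {
    "email": {"E001", "E002", "E004"},  # E004 appears in no approval
    "accounting": {"E001", "E003"},     # E003 left in January, still active
    "crm": {"E002"},
    "banking": {"E001", "E002"},        # never included in the review scope
}

REVIEW_DATE = date(2024, 3, 31)   # constructed review date
EXIT_SLA_DAYS = 14                # the Level 4 target: disable within 2 weeks


@dataclass(frozen=True)
class Finding:
    kind: str         # stale_exit | unapproved | out_of_scope | not_provisioned
    system: str
    employee_id: str
    detail: str


def load_approved(text):
    """Map system -> set of employee ids approved for it."""
    approved = {}
    for row in csv.DictReader(io.StringIO(text)):
        approved.setdefault(row["system"], set()).add(row["employee_id"])
    return approved


def load_hr(text):
    """Map employee id -> (status, exit date or None)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        left = date.fromisoformat(row["exit_date"]) if row["exit_date"] else None
        roster[row["employee_id"]] = (row["status"], left)
    return roster


def reconcile(approved, roster, actual, review_date, exit_sla_days):
    """Return every way actual access differs from approved access."""
    findings = []
    for system, accounts in sorted(actual.items()):
        in_scope = system in approved
        if not in_scope:
            findings.append(Finding("out_of_scope", system, "",
                            "has accounts but no approved list; add it to the review"))
        for emp in sorted(accounts):
            status, left = roster.get(emp, ("unknown", None))
            if status == "exited":
                # Ex-employees and contractors with live logins, measured
                # against the disable-within-SLA rule.
                overdue = (review_date - left).days if left else None
                detail = (f"still active {overdue} days after exit (SLA {exit_sla_days})"
                          if overdue is not None else "still active after exit, exit date missing")
                findings.append(Finding("stale_exit", system, emp, detail))
            elif in_scope and emp not in approved[system]:
                findings.append(Finding("unapproved", system, emp,
                                f"active account with no approval (HR status: {status})"))
    # Reverse direction: approved on paper but no account exists. Not a risk,
    # but it shows the spreadsheet has drifted from reality.
    for system, emps in sorted(approved.items()):
        for emp in sorted(emps - actual.get(system, set())):
            if roster.get(emp, ("unknown", None))[0] == "active":
                findings.append(Finding("not_provisioned", system, emp,
                                "approved but no account found; correct the list"))
    return findings


def summarize(findings):
    """Counts per finding kind, for the review meeting's cover sheet."""
    return dict(Counter(f.kind for f in findings))


def report(findings, review_date):
    """Dated plain-text record to keep as evidence of the review."""
    lines = [f"Access review run on {review_date.isoformat()}: {len(findings)} finding(s)"]
    for f in findings:
        who = f"{f.system} {f.employee_id}".strip()
        lines.append(f"- [{f.kind}] {who}: {f.detail}")
    return "\n".join(lines)


def run_review():
    """Run the whole check on the constructed data."""
    return reconcile(load_approved(APPROVED_CSV), load_hr(HR_CSV),
                     ACTUAL_ACCOUNTS, REVIEW_DATE, EXIT_SLA_DAYS)


if __name__ == "__main__":
    print(report(run_review(), REVIEW_DATE))
```

Run it on the review date and file the printed report next to the signed manager approvals; swapping the constructed CSV strings and account sets for exports from your own spreadsheet, HR system and applications is the only change needed. The exit check runs before the approval check on purpose: a departed contractor who is still on the approved list (the CA in the sample data) must surface as an overdue removal, not be hidden as "approved".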
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed or dated access review certificate or email from managers confirming they reviewed their team's access (dated within last 12 months)
  • Spreadsheet or document showing the list of employees, their roles, and systems they can access, with the review date marked on it
  • Records or tickets showing when access was removed (disabled accounts, revoked logins) for employees who left or changed roles
  • Meeting notes or attendance sheet from an annual access review meeting with managers and IT, including date and any decisions made
  • Before-and-after documentation showing what access was approved and what was removed or changed as a result of the review
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me evidence that you reviewed who has access to your systems in the last 12 months. What is the date of this review and who signed off on it?"
  • "How do you know that former employees no longer have access? Show me a list of accounts you have disabled in the past year and when they were disabled."
  • "Which systems did you include in your access review? Did you review email, file servers, accounting software, and customer databases, or only some of these?"
  • "If an employee changes roles (e.g., from sales to finance), how long does it take to update their access? Can you show me an example where this happened and how you changed their permissions?"
🛠 Tools That Work in India

Purpose: Track and document access reviews, store signed approvals, and maintain an audit trail
Free option: Google Forms + Google Sheets (collect manager responses, tally results, save as evidence)
Paid option: Microsoft Teams + SharePoint (₹500-2000/user/year if already licensed) or Okta Identity Governance (₹3-5 lakhs/year)

Purpose: List and report on who has access to which systems, generate compliance reports
Free option: LibreOffice Calc or Google Sheets (manual but effective for small teams)
Paid option: SailPoint (₹10+ lakhs/year) or Deloitte's identity management tools (custom pricing)

Purpose: Automate the removal of access when employees leave or change roles
Free option: No fully free option; use HR system exit checklists + manual IT follow-up
Paid option: Microsoft Entra ID (Azure AD) with automatic provisioning (₹1500-3000/user/year if Microsoft 365 licensed) or Okta (₹1-3 lakhs/year for SME)
🛡 How This Makes You More Resilient

When you review access annually, you prevent former employees and contractors from stealing data or sabotaging systems after they leave. You also ensure that people in your company only see the data they actually need for their job, reducing the damage if their account is hacked. If a customer or regulator asks whether you protect their data, you can prove it with your review records.
⚠️ Common Pitfalls in India

  • Reviewing access only on paper but not actually removing or updating permissions in the systems—managers sign off but IT never implements the changes, so unauthorised access remains active
  • Reviewing only employees but forgetting contractors, consultants, and vendors who also have system access (e.g., a CA who files GST returns still has access to your accounting software after engagement ends)
  • Delaying the actual disabling of accounts: after a review, someone is identified as needing access removal, but IT gets busy and the account remains active for weeks or months, creating a security gap
  • Including only obvious systems (email, file server) but missing critical applications (GST portal, banking software, customer database, ERP) where access is also growing stale
  • Not documenting the review itself: even if you do review access, you have no signed approval or dated record to show an auditor or customer, so the work is invisible and proves nothing
⚖️ Compliance References

Standard: DPDP Act 2023
Relevant section: Section 8 (data protection principles) and Section 10 (security safeguards); requires organizations to implement reasonable security and review access to personal data

Standard: CERT-In 2022
Relevant section: Direction 4 (access control) and Direction 5 (audit and accountability); requires periodic review of user access and maintenance of audit logs

Standard: ISO 27001:2022
Relevant section: Annex A 5.3 (segregation of duties), Annex A 6.2 (user access provisioning), and Annex A 8.2 (user access review) require documented and periodic access reviews

Standard: NIST CSF 2.0
Relevant section: Govern (GV) and Manage (GM) functions, specifically GV.PO-01 (policies and processes for access control) and GM.AC-01 (access provisioning and deprovisioning)

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security