IS-06 Identity & Access 8% of OML score

Is access to company systems restricted only to people who need it for their job?

Does your company make sure that employees can only access the systems and data they actually need to do their job, and no more? Right now, can your accountant see customer passwords, or can a junior staff member access salary information they shouldn't?

⚡ Why This Matters to Your Business

When too many people have access to sensitive systems, accidents happen—someone deletes the wrong file, or a frustrated employee steals customer data before leaving. A Bangalore IT services firm lost ₹2 crore when a departing employee copied the entire client database because he had access to everything. Banks and insurance companies (your potential customers) now audit vendors on this—if you fail, you lose contracts. If customer data leaks due to poor access controls, you face DPDP fines and lawsuits.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You walk in and find that everyone who has ever joined the company still has login access to email, files, and systems—nobody ever removes anyone. When someone joins, the boss just tells them the password over the phone or writes it on a post-it note.

Level 1
Initial

You see that access is somewhat managed—people get removed when they leave—but there's no written rule about who should have what access. The IT person (or owner) decides access by memory or gut feeling, and nothing is documented.

Level 2
Developing

You find a basic written list of who should have access to what (maybe in Excel), and the IT person refers to it when someone joins or leaves. Access is not reviewed regularly, and some old accounts still exist because nobody checked.

Level 3
Defined

You discover a documented access policy that lists job roles and what systems/data each role needs. Access is provisioned according to this policy, and there's an annual review where someone checks if people still need their access.

Level 4
Managed

You find that access is managed through a system (like Active Directory or a simple tool), access requests are tracked and approved by managers before being granted, and reviews happen every 6 months. Departing employees are automatically removed from all systems within a day.

Level 5
Optimised

You see that access management is fully automated and integrated across all systems. Access is tied to job role and adjusted automatically when roles change. Access reviews happen quarterly, exceptions are logged and justified, and departures trigger instant revocation across all platforms with audit trails kept for 2+ years.

🚀 How to Move Up — Practical Steps

0 → 1
  What to do: Audit all current active accounts on email, file storage, and main business systems; document which people have which access; remove accounts for anyone no longer working at the company
  Who: IT person or Owner
  Effort: 2-3 days

1 → 2
  What to do: Create a simple written document (table in Word or Excel) listing each job role (e.g., Accountant, Sales Rep, Warehouse Staff) and what systems/data each role genuinely needs; use this as a reference when onboarding new people
  Who: Owner or HR Manager with IT person
  Effort: 1 week

2 → 3
  What to do: Convert the written list into a formal Access Control Policy; add a process where the manager must approve access requests in writing before IT grants them; do an annual review where you check and sign off that current access is still needed
  Who: Owner or Compliance Officer with IT person
  Effort: 2-3 weeks

3 → 4
  What to do: Move to a centralized access management tool (like Microsoft Entra ID if using Microsoft, or a simple alternative); create workflows so access requests go to managers for approval; automatically revoke access when an employee leaves
  Who: IT person with external support if needed
  Effort: 4-8 weeks

4 → 5
  What to do: Implement continuous monitoring and quarterly access reviews; ensure all access changes are logged with who approved them; add role-based access controls (RBAC) so that changing a person's job role automatically updates their system access; maintain audit logs for 2+ years
  Who: IT person or dedicated Compliance role
  Effort: Ongoing, 2-4 hours per quarter
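The steps above all come down to one comparison: what each account actually holds versus what its job role is allowed, plus a check that every account belongs to someone who still works here. The script below is an added example, not code from the NIRMATA guide or any tool it names. It takes a role matrix (the written list from step 1 → 2), an HR roster, and an export of current grants, and produces the four findings an access review should yield: excess access, missing access, orphaned accounts of leavers, and accounts with no matching person. It then turns the findings into a revocation plan and audit-log lines recording who reviewed and approved each change. All people, roles and system names are constructed sample data.

```python
"""Role-based access review for a small company (added example).

Compares an export of current grants against the role matrix and the HR
roster, then emits a revocation plan and audit-log lines. The roster, role
matrix and grants below are constructed sample data, not real exports.
"""
from collections import defaultdict
from datetime import date
import json

# Role matrix (Level 2+): job role -> entitlements the role genuinely needs.
# Entitlements are (system, permission) pairs; all names are constructed.
ROLE_MATRIX = {
    "Accountant": {("accounting", "read"), ("accounting", "write"), ("email", "user")},
    "Sales Rep": {("crm", "read"), ("crm", "write"), ("email", "user")},
    "Warehouse": {("inventory", "read"), ("inventory", "write"), ("email", "user")},
    "IT Admin": {("email", "admin"), ("fileserver", "admin")},
}

# HR roster (constructed): account -> job role and whether the person is still employed.
ROSTER = {
    "priya": {"role": "Accountant", "active": True},
    "rahul": {"role": "Sales Rep", "active": True},
    "meena": {"role": "Warehouse", "active": True},
    "arjun": {"role": "IT Admin", "active": True},
    "vikram": {"role": "Sales Rep", "active": False},  # left the company
}

# Export of current grants from the systems (constructed): (account, system, permission).
CURRENT_GRANTS = [
    ("priya", "accounting", "read"), ("priya", "accounting", "write"), ("priya", "email", "user"),
    ("priya", "crm", "admin"),                                   # excess: an accountant does not need CRM admin
    ("rahul", "crm", "read"), ("rahul", "crm", "write"), ("rahul", "email", "user"),
    ("meena", "inventory", "read"), ("meena", "email", "user"),  # inventory write is missing
    ("arjun", "email", "admin"), ("arjun", "fileserver", "admin"),
    ("vikram", "crm", "read"), ("vikram", "email", "user"),      # orphaned: leaver still has access
    ("ghost", "fileserver", "admin"),                            # no matching person in HR
]


def review_access(role_matrix, roster, grants):
    """Return the four finding classes an access review should produce."""
    actual = defaultdict(set)
    for account, system, perm in grants:
        actual[account].add((system, perm))

    findings = {"excess": set(), "missing": set(), "orphaned": set(), "unknown": set()}
    for account, held in actual.items():
        person = roster.get(account)
        if person is None:
            # Account nobody in HR owns: could be a forgotten vendor or test account.
            findings["unknown"].update((account, s, p) for s, p in held)
        elif not person["active"]:
            # Leaver whose access was never revoked.
            findings["orphaned"].update((account, s, p) for s, p in held)
        else:
            # Active staff: anything beyond the role matrix violates least privilege.
            allowed = role_matrix.get(person["role"], set())
            findings["excess"].update((account, s, p) for s, p in held - allowed)

    # Missing grants: active people who lack something their role requires.
    for account, person in roster.items():
        if person["active"]:
            allowed = role_matrix.get(person["role"], set())
            findings["missing"].update((account, s, p) for s, p in allowed - actual[account])
    return findings


def revocation_plan(findings):
    """Everything to remove, most urgent first: leavers, unknown accounts, then excess."""
    reasons = {
        "orphaned": "account holder has left the company",
        "unknown": "no matching person in HR roster",
        "excess": "not required by job role",
    }
    plan = []
    for cls in ("orphaned", "unknown", "excess"):
        for account, system, perm in sorted(findings[cls]):
            plan.append({"account": account, "system": system, "permission": perm,
                         "action": "revoke", "reason": reasons[cls]})
    return plan


def audit_log(plan, reviewer, approver, when=None):
    """One JSON line per change: who reviewed, who approved, when, and why."""
    when = when or date.today().isoformat()
    return [json.dumps({**entry, "reviewer": reviewer, "approved_by": approver, "date": when},
                       sort_keys=True)
            for entry in plan]


if __name__ == "__main__":
    found = review_access(ROLE_MATRIX, ROSTER, CURRENT_GRANTS)
    for cls, items in found.items():
        print(f"{cls}: {sorted(items)}")
    for line in audit_log(revocation_plan(found), reviewer="it-admin", approver="owner"):
        print(line)
```

Run it quarterly against a fresh export and keep the emitted JSON lines with the signed review record; the "missing" findings are not a security problem but tell you the role matrix or the onboarding process has drifted.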
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Written Access Control Policy document that defines roles and what access each role needs
  • Access Approval Form or email trail showing that a manager approved access before the IT person granted it
  • List of current system user accounts with names, roles, and access permissions (updated at least annually)
  • Annual Access Review record signed by owner or manager confirming that all current access is still necessary
  • Offboarding checklist or IT ticket showing that departing employee accounts were disabled and removed from all systems
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your written policy on who is allowed to access which systems and data. How did you decide which roles need which access?"
  • "If I pick three random employees, can you prove that their access was approved by their manager before they got it?"
  • "How often do you review who has access? Show me records of the last review—how did you verify that people still need their access?"
  • "If someone gets promoted or leaves, what is your process to change or remove their access? How long does it typically take?"
  • "Walk me through the access that a new accountant would receive on day one. Who approves it, and how do you document it?"
🛠 Tools That Work in India

Manage user accounts and passwords centrally across company systems
  Free option: Bitwarden (open-source password manager) or Microsoft Entra ID (free tier for basic authentication, if using Microsoft 365)
  Paid option: Microsoft Entra ID Premium (₹2,500–5,000/user/year); Okta (₹5,000–15,000/user/year)

Track and approve access requests with audit trail
  Free option: Google Forms + Sheets to create a simple approval workflow; or Zoho Flow (free tier limited)
  Paid option: Zoho One (includes access management, ₹5,000–10,000/user/year); ServiceNow (₹15,000+/user/year)

Review who has access and generate audit reports
  Free option: Manual spreadsheet review; or export user lists from your systems and compare
  Paid option: Delinea (formerly Thycotic) Privilege Manager (₹3,00,000+/year); Microsoft Defender for Identity (₹5,000–8,000/user/year if already on Azure)
🛡 How This Makes You More Resilient
When access is restricted to only what people need, the damage from a disgruntled employee, a hacked account, or a simple mistake becomes much smaller—they can only hurt the systems they can reach. You also recover faster from incidents because you have clear records of who did what and when. Your customers and auditors will trust you more, which means more business and fewer security questions during vendor reviews.
⚠️ Common Pitfalls in India
  • Giving everyone admin or 'superuser' access 'just in case'—this negates all access controls; instead, give people the minimum access they need for their specific job
  • Forgetting to remove access when someone leaves or changes roles—ex-employees and people in old roles often still have passwords months later; use a departing employee checklist every single time
  • Creating a policy but not actually using it when hiring—the policy sits in a folder while the IT person continues granting access by memory; treat the policy as a checklist, not decoration
  • Not documenting why someone has access—when someone leaves and their access gets blocked, nobody remembers if that production database access was really needed; always document the business reason for each access grant
⚖️ Compliance References

  • DPDP Act 2023: Section 8 (Principles): Data should only be processed by those with a legitimate need; Section 4 (Reasonable Security): Access controls are a key part of reasonable security measures
  • CERT-In Guidelines 2022: Direction 5: Implement role-based access control; implement principle of least privilege; Direction 6: Monitor and log access to critical data
  • ISO 27001:2022: Control A.5.3 (Access Control): Restrict access to information and systems to authorized users only; Control A.9.2 (User Access Management): Implement procedures for granting and revoking access
  • NIST CSF 2.0: Govern (GV): Establish roles and responsibilities for cybersecurity; Protect (PR.AC-1): Manage access permissions and authentication; Detect (DE): Log and monitor access to identify unauthorized activity

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security · trustinbharat.org