When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this for periodic reviews of logical or physical access to systems, repositories, applications, networks, cloud platforms, and sensitive locations.
Review record
| System/asset | Reviewer | Review date | Scope | Exceptions found | Removals/corrections | Completion evidence |
|---|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | TBD | TBD | TBD |
Checklist
- User still has a business need.
- Access level matches current role.
- Access aligns with classification and handling requirements.
- Privileged access is justified.
- Shared/group access is appropriate.
- Leavers are removed.
- Movers have old access removed.
- Contractors and third-party users still require access.
- Exceptions are documented and approved.
- Required removals are completed and evidenced.
Related notes
- Template
- Iso27001
- A5 15
- Access review
Note Metadata
Aliases: User Access Review Checklist
Source: 90 Templates/Access Review Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Access Control
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- A.5.15 Audit Evidence Pack
- A.5.18 Audit Evidence Pack
- ISO 27001 A.8.3 - Information Access Restriction
- A.5.15 Audit Checklist
- A.5.16 Audit Checklist
- A.5.18 Audit Checklist
- Access Rights Request and Review Register
- Information Access Restriction Review Checklist
- Templates MOC