When to use this
Use this checklist during periodic reviews of privileged users, privileged roles, emergency access, and stale access.
Related controls
Review checklist
- Privileged users still need access.
- Privilege scope is limited to business need.
- Separate privileged identities are used where feasible.
- Shared admin accounts are identified and risk-treated.
- Emergency access is reviewed.
- Privileges for leavers/movers are removed.
- Excess privilege is revoked or reduced.
Review record
| User/role | System | Keep/reduce/remove | Reason | Reviewer | Action owner | Due date |
|---|---|---|---|---|---|---|
| TBD | TBD | Keep/reduce/remove | TBD | TBD | TBD | TBD |
- Template
- Iso27001
- Technological controls
- Privileged access
Note Metadata
Aliases: Admin Access Review Checklist
Source: 90 Templates/Privileged Access Review Checklist.md
Related Notes
- A.8.2 Audit Evidence Pack
- ISO 27001 A.8.2 - Privileged Access Rights
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- A.8.2 Audit Checklist
- Privileged Access Register
- Templates MOC