
Access Review Checklist

Tags: SOC 2, Access Control

Periodic access reviews ensure that only the right people have access to the right systems, helping reduce risk and support compliance with SOC 2, ISO 27001, and similar frameworks.

This checklist helps you implement a repeatable process to review and validate employee, contractor, and vendor access to systems and data. Regular reviews improve security posture and prepare you for audits.

Checklist

| Category | Item | Description |
|---|---|---|
| Access Inventory | Maintain a system access matrix | List all systems (e.g., Google Workspace, AWS, GitHub, Slack, HR tools, production apps) and the users who have access to each |
| Access Inventory | Record roles and permissions | Document what type of access (e.g., admin, read-only) each user has |
| Access Inventory | Link access to business justification | Ensure each access entry has a recorded reason (e.g., developer access for production monitoring) |
| Quarterly Access Review | Schedule quarterly reviews | Set recurring calendar reminders for access reviews (typically every 90 days) |
| Quarterly Access Review | Review user accounts with managers | Team leads should validate access for their direct reports |
| Quarterly Access Review | Verify access for contractors/vendors | Confirm temporary users still need access and are compliant with NDA/security requirements |
| Quarterly Access Review | Document changes made | Track removed, downgraded, or modified access privileges |
| Joiner-Mover-Leaver (JML) Checks | Confirm onboarding provisioning | New employees should receive access based on role and least privilege |
| Joiner-Mover-Leaver (JML) Checks | Validate access changes for role changes | If someone transfers roles, access should be updated accordingly |
| Joiner-Mover-Leaver (JML) Checks | Revoke access immediately upon departure | The offboarding process should trigger revocation of all credentials, accounts, and devices |
| High-Risk Systems | Review access to production systems | Restrict production or customer data environments to only essential personnel |
| High-Risk Systems | Monitor admin privileges | Ensure admin rights are not overused and are assigned only when required |
| High-Risk Systems | Audit cloud IAM policies | Periodically check AWS IAM or other cloud identity configurations |
| Audit & Documentation | Keep signed reviewer attestations | Managers should confirm access review completion with a signed log or email |
| Audit & Documentation | Store records of each review | Keep time-stamped copies of past access reviews for audit purposes |
| Audit & Documentation | Track KPIs | Example: % of accounts with unnecessary access revoked during review |
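The Access Inventory, Quarterly Access Review, JML and KPI items above can be driven from a single access matrix. The script below is an added example, not part of this checklist or any tool it references: it assumes the matrix is a list of records with the fields shown (user, user type, system, role, justification, last review date, employment status, contract end), runs the checklist's checks over constructed sample rows, and computes the KPI as the share of accounts the review flags for revocation (the reviewer still confirms each one before it counts as "revoked").

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Review cycle from the checklist: "typically every 90 days".
REVIEW_CYCLE_DAYS = 90

# Finding codes whose remediation is a revocation (used for the KPI below).
REVOKE_CODES = {"leaver-not-revoked", "contract-expired"}


@dataclass
class AccessEntry:
    """One row of the access matrix (field names are this example's assumption)."""
    user: str
    user_type: str                  # "employee", "contractor" or "vendor"
    system: str
    role: str                       # e.g. "admin", "read-only"
    justification: str              # business reason; empty if none recorded
    last_reviewed: Optional[date]   # None if the entry has never been reviewed
    employment_status: str          # "active" or "terminated"
    contract_end: Optional[date] = None  # contractors/vendors only


# Constructed sample matrix for the example; not real users or systems.
REVIEW_DATE = date(2024, 4, 1)
SAMPLE_ENTRIES = [
    AccessEntry("alice", "employee", "AWS", "admin",
                "on-call production monitoring", date(2024, 2, 15), "active"),
    AccessEntry("bob", "employee", "GitHub", "read-only",
                "", date(2023, 11, 1), "active"),
    AccessEntry("carol", "contractor", "Slack", "member",
                "support project", date(2024, 3, 1), "active", date(2024, 2, 28)),
    AccessEntry("dave", "employee", "AWS", "admin",
                "legacy deploy scripts", date(2024, 3, 20), "terminated"),
    AccessEntry("eve", "vendor", "HR tools", "read-only",
                "payroll integration", date(2024, 3, 10), "active", date(2024, 12, 31)),
]


def review_access(entries: List[AccessEntry], today: date) -> Dict[str, List[str]]:
    """Apply the checklist's checks; return {"user@system": [finding codes]}
    for entries that need reviewer action (clean entries are omitted)."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        issues: List[str] = []
        # Access Inventory: every entry needs a business justification.
        if not e.justification.strip():
            issues.append("missing-justification")
        # Quarterly review: flag entries not reviewed within the cycle.
        if e.last_reviewed is None or (today - e.last_reviewed).days > REVIEW_CYCLE_DAYS:
            issues.append("review-overdue")
        # JML leaver check: terminated users must have no remaining access.
        if e.employment_status == "terminated":
            issues.append("leaver-not-revoked")
        # Contractor/vendor check: temporary access needs an end date that has not passed.
        if e.user_type in ("contractor", "vendor"):
            if e.contract_end is None:
                issues.append("contract-end-missing")
            elif e.contract_end < today:
                issues.append("contract-expired")
        if issues:
            findings[f"{e.user}@{e.system}"] = issues
    return findings


def revocation_kpi(entries: List[AccessEntry], findings: Dict[str, List[str]]) -> float:
    """KPI from the checklist: % of reviewed accounts whose access should be revoked."""
    to_revoke = [k for k, codes in findings.items() if REVOKE_CODES & set(codes)]
    return round(100.0 * len(to_revoke) / len(entries), 1) if entries else 0.0


if __name__ == "__main__":
    result = review_access(SAMPLE_ENTRIES, REVIEW_DATE)
    for key, codes in sorted(result.items()):
        print(f"{key}: {', '.join(codes)}")
    print(f"KPI: {revocation_kpi(SAMPLE_ENTRIES, result)}% of accounts flagged for revocation")
```

The output of `review_access` is what the manager sign-off (the "signed reviewer attestations" item) should be recorded against, and saving it with the review date gives the time-stamped record the Audit & Documentation items call for.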
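For the "Audit cloud IAM policies" item, a reviewer needs a repeatable way to find the statements in an AWS IAM policy document that deserve attention. The following is an added example, not code from this checklist or from AWS: it assumes the policy is supplied as the standard IAM policy JSON (the document you would retrieve with the AWS CLI or SDK), and the set of IAM actions it treats as sensitive is this example's own choice, not a list from the page. The sample policy is constructed for the example.

```python
import json
from typing import Dict, List

# IAM actions this example treats as sensitive when allowed on Resource "*".
# The selection is this example's assumption, not a list from the checklist.
SENSITIVE_IAM_ACTIONS = {
    "iam:*", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "iam:PassRole",
}

# Constructed sample policy document in the IAM policy JSON format;
# it is not taken from any real account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyLogs", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:GetLogEvents"], "Resource": "*"},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Wildcard", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "IamUnscoped", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:AttachUserPolicy"], "Resource": "*"},
        {"Sid": "EverythingExceptIam", "Effect": "Allow",
         "NotAction": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_read_only(action: str) -> bool:
    """Heuristic: Get*/List*/Describe* operations do not change state."""
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(("Get", "List", "Describe"))


def audit_policy(document: str) -> Dict[str, List[str]]:
    """Return {statement id: [finding codes]} for Allow statements a reviewer
    should look at; statements with no findings are omitted."""
    policy = json.loads(document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    findings: Dict[str, List[str]] = {}
    for index, st in enumerate(statements):
        sid = st.get("Sid", f"statement-{index}")
        if st.get("Effect") != "Allow":
            continue                      # Deny statements narrow access; not flagged here
        issues: List[str] = []
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        # NotAction in an Allow grants everything not listed, which is hard to review.
        if "NotAction" in st:
            issues.append("allow-with-notaction")
        if "*" in actions:
            issues.append("wildcard-action")
        elif any(a.endswith(":*") for a in actions):
            issues.append("service-wildcard-action")
        # Resource "*" is tolerable for read-only actions but not for state-changing ones.
        broad_write = "NotAction" in st or not all(_is_read_only(a) for a in actions)
        if "*" in resources and broad_write:
            issues.append("wildcard-resource-with-write-actions")
        if "*" in resources and any(a in SENSITIVE_IAM_ACTIONS for a in actions):
            issues.append("sensitive-iam-action-unscoped")
        if issues:
            findings[sid] = issues
    return findings


if __name__ == "__main__":
    for sid, codes in audit_policy(SAMPLE_POLICY).items():
        print(f"{sid}: {', '.join(codes)}")
```

Run the function over each customer-managed policy and inline policy in the account during the quarterly review; a statement that is flagged is not automatically wrong, but it needs the same business justification the Access Inventory items require for any other access entry.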