psjenkins/ISMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
draft
ISMS/03-procedures/access-review-procedure.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

2.8 KiB
Raw Permalink Blame History

Title: Access Review Procedure Document ID: [PROC-ACCESS-REVIEW-001] Version: 0.1 Draft Status: Draft Owner: CISO (Paul Jenkins) Approver: CISO (Paul Jenkins) Classification: Internal Effective date: [DD Month YYYY] Review date: [DD Month YYYY]

Access Review Procedure

Purpose

This procedure defines how BlackDice should review user, privileged, and service access to ensure it remains appropriate.

Scope

This procedure applies to in-scope systems, services, cloud platforms, repositories, administrative functions, and other controlled access points.

Trigger / When Used

Use this procedure:

  • at planned review intervals
  • after significant role or organisational changes
  • after incidents, audit findings, or suspected misuse
  • when required for high-risk or privileged environments

Procedure Steps

  1. Define the scope of the review, including the systems, accounts, and review period.
  2. Extract or compile the current access listing from the relevant systems or authoritative source.
  3. Identify account types requiring review, including user accounts, privileged accounts, service accounts, temporary accounts, and shared accounts where they exist.
  4. Send the review to the appropriate manager, asset owner, or system owner for validation.
  5. Confirm whether each access right remains required, appropriate, and proportionate to the current role or system purpose.
  6. Record required changes, including removals, privilege reductions, account disablement, or further investigation.
  7. Complete the approved changes and confirm closure of review actions.
  8. Retain review evidence and track overdue or incomplete reviews to resolution.

Inputs

  • current access listing
  • system ownership information
  • personnel role information
  • previous review results where relevant

Outputs / Records

  • completed access review record
  • required remediation actions
  • evidence of changed or removed access
  • escalation record for unresolved items

Roles and Responsibilities

  • [Role] must coordinate the access review process.
  • Managers and system owners must validate access under their responsibility.
  • Administrators must implement approved changes.
  • Internal reviewers may sample evidence for assurance purposes.

Escalation / Exceptions

Escalate when:

  • reviewers do not complete reviews within the required timeframe
  • privileged access cannot be validated
  • unexplained accounts or excessive permissions are identified
  • technical limitations prevent evidence collection

Exceptions must be documented and approved through the defined process.

Related Documents

  • Access Control Policy
  • Identity and Authentication Standard
  • Joiner Mover Leaver Procedure
  • Corrective Action Procedure

Version Control

Version Date Description of Change Author
0.1 Draft [DD Month YYYY] Initial draft. [Name or Role]
Reference in New Issue View Git Blame Copy Permalink