
09) How many access audits does your organisation conduct each year, for regular employee accounts?

August 30, 2022
IT Operations
Access Review

Please state the number of times access audits are completed for users each year.

Your company’s Security Policy should determine the frequency of access audits based on your company’s capacity to administer them and on the inherent risk of the systems being audited; higher risk systems should be audited more often than lower risk systems.

Depending on the nature and size of your business, you may choose to perform the audits monthly, quarterly or bi-annually. As a minimum, it is recommended that audits are performed twice a year.

How to implement the control

Your IT team can complete an access audit either using access lists (typically spreadsheets that show a user’s access to each IT system) or by using a tool.

Access lists should be sent to line managers or system owners for them to review and approve the access to the systems.

Access reviews should be completed regularly and consistently. Risk Ledger would recommend completing 2 access reviews a year for all employees with regular user accounts, and quarterly access reviews for all employees with privileged user accounts.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.
