Periodically, a list of all users in the system is generated, together with their assigned permissions, and reviewed. Where an authorisation matrix is available, all access rights must be in accordance with it. A documented procedure describes how the review is performed. Actions taken as a result of the review are recorded and stored for 2 years. If authorisations are granted on the basis of roles, the authorisations contained in those roles are part of the review as well.
Specification
The frequency of user reviews depends on the classification of the process involved and on the number of changes (mutations) to user accounts and permissions. The frequency must be determined and documented by the process owner. A general guideline for review frequency is as follows:
- Low: annually
- Medium: every quarter
- High: monthly
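The review described above (generate the user/permission list, compare it with the authorisation matrix, include the role definitions in the review, record the actions taken) and the frequency guideline in the list above can both be made concrete in a small reconciliation script. The code below is an added example, not part of this control text or of any product; the authorisation matrix, the user export, the finding names and the reviewer decisions are all constructed sample data, and the flat "role -> permissions / user -> roles + direct grants" format is an assumption about how such an export might look.

```python
"""Added example: reconcile a user/permission export against an authorisation matrix
and build the review record that has to be retained. All data is constructed."""
import calendar
from datetime import date

# Constructed authorisation matrix: role -> permissions that role may carry.
AUTH_MATRIX = {
    "hr_clerk":   {"hr.read"},
    "hr_manager": {"hr.read", "hr.write", "payroll.read"},
    "finance":    {"payroll.read", "payroll.write"},
    "legacy_ops": {"server.admin"},  # defined in the matrix but assigned to nobody
}

# Constructed export, as the periodic "list of all users with permissions" would produce it.
USER_EXPORT = [
    {"user": "alice", "roles": ["hr_manager"],          "direct": set()},
    {"user": "bob",   "roles": ["hr_clerk"],            "direct": {"payroll.write"}},  # not covered by any role
    {"user": "carol", "roles": ["finance", "auditor"],  "direct": set()},              # 'auditor' is not in the matrix
    {"user": "dave",  "roles": [],                      "direct": set()},              # account with no access at all
]

# Review frequency guideline from the control text (classification -> months between reviews).
REVIEW_INTERVAL_MONTHS = {"low": 12, "medium": 3, "high": 1}
RETENTION_YEARS = 2  # actions taken are stored for 2 years


def review_users(export, matrix):
    """Return one (user, finding, detail) tuple per deviation between export and matrix."""
    findings = []
    for entry in export:
        role_perms = set()
        for role in entry["roles"]:
            if role in matrix:
                role_perms |= matrix[role]
            else:
                findings.append((entry["user"], "unknown_role", role))
        # Direct grants are only acceptable when a role in the matrix already explains them.
        for perm in sorted(entry["direct"] - role_perms):
            findings.append((entry["user"], "direct_grant_outside_matrix", perm))
        if not entry["roles"] and not entry["direct"]:
            findings.append((entry["user"], "no_access", ""))
    return findings


def review_roles(export, matrix):
    """Role-level part of the review: roles in the matrix that no user currently holds."""
    assigned = {role for entry in export for role in entry["roles"]}
    return sorted(set(matrix) - assigned)


def add_months(d, months):
    """Shift a date by whole months, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_review_due(classification, last_review):
    """Apply the frequency guideline to the date of the last review."""
    return add_months(last_review, REVIEW_INTERVAL_MONTHS[classification.lower()])


def review_record(findings, reviewer, review_date, decisions):
    """Build the record of actions taken; 'decisions' maps a finding to the action chosen."""
    return {
        "review_date": review_date.isoformat(),
        "reviewer": reviewer,
        "retain_until": add_months(review_date, 12 * RETENTION_YEARS).isoformat(),
        "actions": [
            {"user": u, "finding": f, "detail": d,
             "decision": decisions.get((u, f, d), "pending")}
            for (u, f, d) in findings
        ],
    }


if __name__ == "__main__":
    found = review_users(USER_EXPORT, AUTH_MATRIX)
    for item in found:
        print("user finding:", item)
    print("roles held by nobody:", review_roles(USER_EXPORT, AUTH_MATRIX))
    print("next 'high' review after 2024-01-31:", next_review_due("high", date(2024, 1, 31)))
    print(review_record(found, "reviewer-1", date(2024, 3, 1),
                        {("bob", "direct_grant_outside_matrix", "payroll.write"): "revoke"}))
```

Findings whose decision is still "pending" after the review stand out in the record, which makes it straightforward to check that every deviation actually led to a documented action before the record is filed.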
ISO 27001 & 27002:2022: A5.1, A5.18, A8.2
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel): ID.05 Periodic review of access rights