A user access review is a periodic evaluation process to verify that user permissions and access rights remain appropriate for each individual's current role and responsibilities. It typically involves comparing assigned permissions against job requirements, identifying excessive or orphaned accounts, and revoking access that is no longer justified. Access reviews are a key control in frameworks such as ISO 27001, SOC 2 and GDPR, and are often required on a quarterly or annual basis.
Regular access reviews are essential for maintaining the principle of least privilege and preventing privilege creep as employees change roles or leave the organisation. Automating the review process where possible reduces administrative burden and improves accuracy. Documenting review outcomes and remediation actions provides an audit trail that demonstrates ongoing compliance with access control policies.
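The comparison described above can be automated in a few lines. The following is an added example, not part of the original page: it checks assigned permissions against a per-role baseline, flags excess permissions and orphaned accounts, and emits a dated record for the audit trail. All role names, users, permission strings and the review date are constructed sample data.

```python
import json
from datetime import date

# Constructed sample data (hypothetical roles, users and permission names).
ROLE_BASELINE = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:write"},
}
HR_ROSTER = {"alice": "engineer", "bob": "finance"}  # active staff -> current role
ASSIGNED = {  # permissions as exported from the identity system
    "alice": {"repo:read", "repo:write", "ci:run", "ledger:read"},  # kept after a role change
    "bob": {"ledger:read", "ledger:write"},
    "carol": {"repo:read"},  # no longer on the roster, account still active
}


def review_access(assigned, roster, baseline, review_date):
    """Compare each account's permissions with the baseline for its owner's role."""
    findings = []
    for user in sorted(assigned):
        perms = assigned[user]
        role = roster.get(user)
        if role is None:
            # No active employee behind the account: orphaned, revoke everything.
            findings.append({"user": user, "finding": "orphaned_account",
                             "revoke": sorted(perms)})
            continue
        if role not in baseline:
            # No baseline to compare against: escalate instead of passing silently.
            findings.append({"user": user, "finding": "unknown_role",
                             "role": role, "revoke": []})
            continue
        excess = perms - baseline[role]  # privilege creep: held but not required
        if excess:
            findings.append({"user": user, "finding": "excess_permissions",
                             "role": role, "revoke": sorted(excess)})
    # The returned record doubles as the documented review outcome.
    return {"review_date": review_date.isoformat(),
            "accounts_reviewed": len(assigned),
            "findings": findings}


if __name__ == "__main__":
    report = review_access(ASSIGNED, HR_ROSTER, ROLE_BASELINE, date(2024, 1, 15))
    print(json.dumps(report, indent=2))
```

Storing each report alongside the remediation tickets it produced gives the reviewer and the auditor the same record of what was checked and what was revoked.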