
Nuxari
Compliance & Readiness

Access reviews

Access review types, the review workflow, how overdue reviews block compliance readiness, and evidence export from completed reviews.

Last updated: June 2026

Why access reviews matter

Access reviews are periodic, documented evaluations of who has access to what — and whether that access remains appropriate. They are required by SOC 2 (CC6.2, CC6.3) and ISO 27001 (A.8.2, A.8.3) and are among the first items external auditors check. An access review is not just a report — it requires a human decision-maker to confirm or revoke each access item and document the outcome.

Access review types

Quarterly user access review

A full review of all user accounts and their assigned roles and permissions. Typically run every 90 days to satisfy SOC 2 CC6.2 and ISO 27001 A.8.2.

Frequency: Quarterly

Privileged access review

A focused review of accounts with elevated permissions — Client Owners, Client Admins, Client Security Admins, and any PIM-eligible roles. Required to demonstrate that privileged access is periodically revalidated.

Frequency: Quarterly or semi-annually

PIM eligible role review

A review of which users have PIM-eligible (Just-in-Time) roles configured, and whether those eligibilities remain appropriate.

Frequency: Quarterly or semi-annually

Service account and connector review

A review of non-human accounts, API tokens, and connector credentials to confirm they are still in use and scoped appropriately.

Frequency: Annually or after significant changes

How to complete an access review

  1. Start the review campaign

     Go to Compliance > Access Reviews > New Review. Select the review type, scope (all users, privileged only, etc.), and review period. Assign a reviewer or accept the default (Client Security Admin).

  2. Review each access item

     For each user and access assignment in scope, the reviewer marks it as Confirmed, Revoked, or Flagged for follow-up. Confirmed items remain unchanged. Revoked items trigger an access removal workflow.

  3. Document findings

     Any access item revoked or flagged during the review should carry a brief note explaining the reason. This note becomes part of the evidence record.

  4. Complete the review

     When every item in scope has a decision, mark the campaign as Complete. Nuxari generates a review completion record with reviewer, date, scope, and outcomes.

  5. Review evidence is accepted

     Completed reviews automatically generate accepted evidence for the linked controls in the access control family. The evidence is valid for the configured period (typically 90 days); once it expires, a new campaign is needed to keep those controls ready.

How overdue reviews block compliance readiness

Controls in the access control family require periodic review evidence. When a review campaign is overdue (past its due date with no completion record) the linked controls enter a blocked state. Start and complete the overdue campaign to unblock them.

Overdue access reviews are among the most common blockers for compliance readiness. Set up scheduled campaigns in advance of your audit observation period to ensure continuous coverage.

Evidence export from completed reviews

Completed access reviews can be exported as part of an audit package. The export includes the review scope, reviewer identity, review date, and a summary of all decisions made. This export is signed with the completion timestamp and included as evidence in the relevant control records.
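The lifecycle above, as an added example that is not Nuxari's code or API: a small Python model of a campaign that enforces the three outcomes, requires a note on every Revoked or Flagged item, refuses to complete while any in-scope item is unreviewed, derives the evidence validity window, reports whether the linked controls are ready, pending or blocked on a given date, and builds an export record. The class and function names (Campaign, decide, complete, control_state, next_campaign_due, export_evidence), the sample campaign data and the SHA-256 integrity digest over the export are all assumptions made for the illustration; the page does not specify how the product signs exports. The ninety-day window, the overdue-means-blocked rule and the outcome set come from the page.

```python
"""Constructed model of an access-review campaign lifecycle.

Added illustration, not Nuxari's code. Class/function names, the sample
campaign and the SHA-256 digest are assumptions for the example; only the
rules (three outcomes, notes on revoked/flagged items, a completion record,
a 90-day evidence window, overdue = blocked) come from the page.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import hashlib
import json

CONFIRMED, REVOKED, FLAGGED = "Confirmed", "Revoked", "Flagged"
OUTCOMES = (CONFIRMED, REVOKED, FLAGGED)


@dataclass
class Decision:
    principal: str
    assignment: str
    outcome: str
    note: str = ""


@dataclass
class Campaign:
    review_type: str
    scope: str
    reviewer: str
    due: date
    items: list                    # (principal, assignment) pairs in scope
    evidence_valid_days: int = 90  # "configured period (typically 90 days)"
    decisions: dict = field(default_factory=dict)
    completed_on: Optional[date] = None

    def decide(self, principal: str, assignment: str, outcome: str, note: str = "") -> None:
        """Record one reviewer decision; revoked/flagged items must carry a reason."""
        key = (principal, assignment)
        if key not in self.items:
            raise KeyError(f"{key} is not in the campaign scope")
        if outcome not in OUTCOMES:
            raise ValueError(f"outcome must be one of {OUTCOMES}")
        if outcome != CONFIRMED and not note.strip():
            raise ValueError("revoked and flagged items need a note for the evidence record")
        self.decisions[key] = Decision(principal, assignment, outcome, note)

    def complete(self, on: date) -> dict:
        """Close the campaign; refuses while any in-scope item is still unreviewed."""
        missing = [k for k in self.items if k not in self.decisions]
        if missing:
            raise RuntimeError(f"cannot complete: {len(missing)} item(s) unreviewed: {missing}")
        self.completed_on = on
        return self.completion_record()

    def completion_record(self) -> dict:
        """Reviewer, date, scope and outcome counts, as in the completion record."""
        counts = {o: 0 for o in OUTCOMES}
        for d in self.decisions.values():
            counts[d.outcome] += 1
        return {
            "review_type": self.review_type,
            "scope": self.scope,
            "reviewer": self.reviewer,
            "completed_on": self.completed_on.isoformat() if self.completed_on else None,
            "outcomes": counts,
        }

    def evidence_valid_until(self) -> Optional[date]:
        if self.completed_on is None:
            return None
        return self.completed_on + timedelta(days=self.evidence_valid_days)


def control_state(c: Campaign, today: date) -> str:
    """Readiness of the linked controls: 'ready', 'pending' or 'blocked'.

    Blocked when the campaign is past due with no completion record, or when
    the evidence from a completed campaign has expired."""
    if c.completed_on is None:
        return "blocked" if today > c.due else "pending"
    return "ready" if today <= c.evidence_valid_until() else "blocked"


def next_campaign_due(c: Campaign, lead_days: int = 14) -> date:
    """Due date for the follow-on campaign so coverage never lapses: finish the
    next review `lead_days` before the current evidence expires (assumed lead)."""
    return c.evidence_valid_until() - timedelta(days=lead_days)


def export_evidence(c: Campaign) -> dict:
    """Audit-package record (scope, reviewer, date, per-item decisions) plus a
    SHA-256 over the canonical JSON as an integrity digest (an assumption; the
    product's own signing mechanism is not specified on the page)."""
    if c.completed_on is None:
        raise RuntimeError("only completed reviews can be exported as evidence")
    body = c.completion_record()
    body["decisions"] = [vars(d) for d in c.decisions.values()]
    body["evidence_valid_until"] = c.evidence_valid_until().isoformat()
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"record": body, "sha256": hashlib.sha256(canonical).hexdigest()}


def demo() -> Campaign:
    """Constructed sample: a privileged-access review with three in-scope items."""
    c = Campaign(
        review_type="Privileged access review",
        scope="privileged only",
        reviewer="Client Security Admin",
        due=date(2026, 6, 30),
        items=[("alice", "Client Owner"), ("bob", "Client Admin"),
               ("svc-ci", "API token: deploy")],
    )
    c.decide("alice", "Client Owner", CONFIRMED)
    c.decide("bob", "Client Admin", REVOKED, "left the platform team on 2026-05-20")
    c.decide("svc-ci", "API token: deploy", FLAGGED, "no named owner; confirm with CI team")
    c.complete(on=date(2026, 6, 15))
    return c


if __name__ == "__main__":
    c = demo()
    print(json.dumps(export_evidence(c), indent=2))
    print(control_state(c, date(2026, 7, 1)), control_state(c, date(2026, 9, 14)))
```

With the sample campaign completed on 2026-06-15, the evidence is valid through 2026-09-13 and `next_campaign_due` points at 2026-08-30, which is the kind of date to put on a scheduled campaign so the linked controls never fall into the blocked state during an audit observation period.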
