
User Access Review

SOC 2 · ISO 27001 · HIPAA · PCI DSS

Periodic review by data owners confirming each user's access remains appropriate; typically quarterly.

User Access Reviews are periodic certifications by system or data owners that each user's access remains aligned with their current job function. SOC 2 CC6.3 requires that access be reviewed periodically; auditors commonly expect at least a quarterly cadence for in-scope systems. ISO 27001:2022 A.5.18 requires access rights to be reviewed at regular intervals. The population reviewed should be every identity on the system, including service accounts and contractors, not only the employees who appear on the HR roster.

Why it matters
'No evidence of access review' is one of the most common SOC 2 Type II exceptions, typically because the review was performed but not signed and dated. For each cycle, retain a dated record that names the reviewer, lists the population reviewed, records each retain/revoke decision, and references the ticket that closed every revocation; without that artifact the auditor cannot test that the control operated.

Related terms

RBAC (Role-Based Access Control)
Access control model granting permissions to roles, and assigning users to roles.
Least Privilege (Principle of)
Users and services receive only the minimum access required to perform their function.
Segregation of Duties (SoD)
Splitting critical tasks across multiple individuals so no single person can execute fraud or untraceable error.
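The review described above, and the evidence problem in "Why it matters", can be reduced to a reconciliation script: join the HR roster against an entitlement export, decide per entitlement whether it stays, flag SoD conflicts, and emit a dated, signed record. The code below is an added example, not code from this page or from ComplianceIQ. The roster, entitlement rows, role baseline, SoD conflict pair and the HMAC key are all constructed for illustration; a real program would pull these from the IdP and HR system, and the HMAC stands in for whatever sign-off mechanism the GRC tool provides.

```python
"""Quarterly user access review reconciliation (added example, constructed data).

Joins an HR roster against an application entitlement export, decides per
entitlement whether it should be retained, revoked or escalated, and builds
a dated, signed evidence record of the kind an auditor asks for.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed HR roster: employee id -> (job function, employment status).
HR_ROSTER = {
    "e100": ("finance_analyst", "active"),
    "e200": ("finance_approver", "active"),
    "e300": ("sre", "active"),
    "e400": ("sre", "terminated"),
}

# Constructed entitlement export. Each row: (employee id, system, role held).
ENTITLEMENTS = [
    ("e100", "erp", "ap_create_invoice"),
    ("e100", "erp", "ap_approve_payment"),   # conflicts with ap_create_invoice
    ("e200", "erp", "ap_approve_payment"),
    ("e300", "cloud", "prod_admin"),
    ("e300", "erp", "ap_create_invoice"),    # not in the SRE baseline
    ("e400", "cloud", "prod_admin"),         # leaver still provisioned
    ("e999", "cloud", "prod_admin"),         # no HR record at all (orphan)
]

# Constructed RBAC baseline: the roles each job function may hold.
ROLE_BASELINE = {
    "finance_analyst": {("erp", "ap_create_invoice")},
    "finance_approver": {("erp", "ap_approve_payment")},
    "sre": {("cloud", "prod_admin")},
}

# Constructed SoD rule: nobody may both create and approve payments.
SOD_CONFLICTS = [
    {("erp", "ap_create_invoice"), ("erp", "ap_approve_payment")},
]

# Constructed demo key; a real deployment would use the GRC tool's sign-off.
EVIDENCE_KEY = b"constructed-demo-key-do-not-reuse"


def review_access(roster, entitlements, baseline, sod_conflicts):
    """Return one finding per entitlement: (uid, system, role, decision, reason)."""
    held = {}
    for uid, system, role in entitlements:
        held.setdefault(uid, set()).add((system, role))

    findings = []
    for uid, system, role in entitlements:
        if uid not in roster:
            findings.append((uid, system, role, "revoke", "no HR record (orphan account)"))
            continue
        function, status = roster[uid]
        if status != "active":
            findings.append((uid, system, role, "revoke", "employment status: %s" % status))
            continue
        if (system, role) not in baseline.get(function, set()):
            findings.append((uid, system, role, "revoke", "not in baseline for %s" % function))
            continue
        # Role is legitimate on its own; still escalate if the user's full set
        # of roles completes a segregation-of-duties conflict.
        conflict = next((c for c in sod_conflicts if c <= held[uid]), None)
        if conflict:
            findings.append((uid, system, role, "escalate", "SoD conflict: %s" % sorted(conflict)))
            continue
        findings.append((uid, system, role, "retain", "matches %s baseline" % function))
    return findings


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evidence_record(findings, reviewer, reviewed_at, key):
    """Build the dated, signed artifact: who reviewed what, when, and every decision.
    The HMAC over the canonical JSON makes post-sign-off edits detectable."""
    body = {
        "control": "user_access_review",
        "reviewer": reviewer,
        "reviewed_at": reviewed_at,
        "findings": [dict(zip(("uid", "system", "role", "decision", "reason"), f)) for f in findings],
        "open_revocations": sum(1 for f in findings if f[3] == "revoke"),
    }
    body["signature"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_evidence(record, key):
    """Recompute the HMAC over the record minus its signature field."""
    body = {k: v for k, v in record.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ENTITLEMENTS, ROLE_BASELINE, SOD_CONFLICTS)
    record = evidence_record(results, "data.owner@example.com",
                             datetime.now(timezone.utc).isoformat(), EVIDENCE_KEY)
    for row in results:
        print(row)
    print("open revocations:", record["open_revocations"])
    print("evidence signature valid:", verify_evidence(record, EVIDENCE_KEY))
```

Each "revoke" finding is the input to a ticket; the record keeps the reviewer, timestamp and decisions together so the next audit can sample any quarter and trace a revocation from the review to the closed ticket. The SoD check runs over the user's whole role set, so e100's legitimate invoice-creation role is escalated rather than silently retained while the conflicting approval role is still provisioned.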

Does your program actually cover User Access Review?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
