This standard ensures access control is reviewed whenever system boundaries change, maintaining secure-by-design principles as systems evolve. It helps teams proactively manage risk and uphold least-privilege access.
Aligned with our "Zero Trust Architecture" policy, this standard reduces the likelihood of unauthorised access and strengthens system resilience. Without it, access models drift, vulnerabilities accumulate, and trust is compromised.
Level 1 – Initial: Access controls are rarely reviewed during system changes. Boundary shifts often result in overly broad or outdated permissions, introducing significant risk.
Level 2 – Managed: Some teams review access controls during major system changes, but it’s inconsistent and not part of formal change management or governance.
Level 3 – Defined: Access reviews are triggered as part of a defined process whenever system boundaries change. Teams apply least-privilege principles and document access decisions.
Level 4 – Quantitatively Managed: Reviews are audited and tracked for completion and coverage. Metrics on access scope, orphaned accounts, or permission drift inform remediation efforts.
Level 5 – Optimising: Access reviews are integrated into continuous compliance and architectural workflows. Automated tools surface violations, and feedback loops strengthen Zero Trust maturity across environments.