Skip to content

What are access reviews (recertification), and why do they matter?

Short answer

Access reviews (recertification) are periodic checks where an accountable owner confirms each person's access is still justified, and revokes what isn't. They're the backstop that catches privilege creep, orphaned accounts, and entitlements granted for a project that ended. The control only works if a knowledgeable owner — usually the manager or resource owner — actually scrutinizes access rather than rubber-stamping it, and if revocations are enforced.

Provisioning gets a lot of attention, but access tends to accumulate silently over time. Access reviews — also called recertification or attestation — are the governance control that periodically asks, "should this person still have this?"

What a review actually is

On a schedule (quarterly for sensitive systems, at least annually elsewhere) or triggered by events like a transfer, an accountable owner is presented with a list of who has access to a resource or role and must attest to each: keep it, or revoke it. The revocations are then enforced. It maps directly to NIST 800-53 AC-2 account management and is a recurring audit expectation (SOX, ISO 27001, SOC 2).

Why it matters

  • Privilege creep. As people change roles, they keep old access and gain new — accumulating far more than their current job needs. Provisioning automation handles the clean cases; reviews catch the residue and restore least privilege.
  • Orphaned and dormant accounts. Contractors, service accounts, and movers whose access was never cleaned up surface here.
  • Segregation of duties. Reviews can flag toxic combinations (e.g. someone who can both create and approve a payment).

The failure mode: rubber-stamping

The control is only as good as the scrutiny behind it. The classic failure is the reviewer clicking "approve all" without thinking — which produces compliance evidence but zero security. Mitigations:

  • Route to the right reviewer — the manager or resource owner who actually knows the person's job, not generic IT.
  • Give context — show last-used dates, risky/privileged flags, and what each entitlement grants.
  • Make removal the easy default for unused or unrecognized access, and reconcile against HR for departed staff.

What interviewers look for: you define recertification as owner attestation that drives revocation, you tie it to privilege creep / orphaned accounts / SoD, and you name rubber-stamping as the central weakness with concrete fixes.

Likely follow-ups

  • What is privilege creep and how do reviews surface it?
  • Who is the right person to attest — the manager, the resource owner, or IT?
  • Why is rubber-stamping the main failure mode, and how do you reduce it?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.