Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) – Control 2-2-4 – The implementation of the cybersecurity requirements for identity and access management must be reviewed periodically.
Understanding the Requirement
This control from Essential Cybersecurity Controls (ECC – 2 : 2024) requires organizations to perform scheduled, documented reviews of their identity and access management (IAM) requirements and their implementation. The purpose is to ensure IAM policies, processes, and configurations remain effective and aligned with business needs, changes in technology, and legal or regulatory updates. Reviews must follow an approved plan, involve the cybersecurity function working with relevant departments such as IT, and produce documented, leadership-approved outcomes.
Technical Implementation
- Establish a documented review plan and schedule. Define the review frequency (for most SMBs quarterly or biannually is appropriate), scope (policies, role definitions, provisioning/deprovisioning processes, MFA enforcement, privileged accounts), required participants, and success criteria. Record the plan in your governance documentation and obtain written sign-off from the CEO or their deputy.
- Perform access recertification and role reviews. Quarterly, generate lists of user accounts, group memberships, and privileged roles. Task managers to attest to whether users still require access. Remove or downgrade access immediately when attestations are negative or missing after a follow-up period.
- Automate checks where possible with IAM tooling. Use your directory (Azure AD, Google Workspace, LDAP) or an identity provider (IdP) to create reports, set automated deprovisioning workflows tied to HR events, and enforce conditional access/MFA. Automation reduces manual error and produces auditable logs for each review.
- Include legal and business triggers for ad-hoc reviews. Define triggers that require an out-of-cycle review — for example, changes to data protection laws, mergers/acquisitions, major system deployments, or a compromise incident. Update the review plan and record the rationale for the ad-hoc activity.
- Document findings, corrective actions, and approvals. For each review, produce a short report that lists issues discovered, remediations assigned, target completion dates, and verification steps. Require approval of the updated requirements and significant changes by the head of the organization or a designated deputy, and store the signed record in a compliance repository.
- Measure and improve. Track metrics such as time to revoke access, percentage of stale accounts, completion rate of manager attestations, and open remediation items. Use these metrics to refine the review cadence and focus areas each cycle.
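The recertification and metrics steps above, as an added worked example (not part of the ECC text or of any directory product): a Python pass over a constructed directory export and a set of manager attestations that decides an action per account, flags findings for the review report, and computes the completion, stale-account and open-remediation metrics. The account records, the attestation answers, the 90-day stale threshold and the set of privileged roles are all assumptions chosen for the illustration.

```python
from datetime import date

# Constructed sample export, shaped like a quarterly account/role report from an IdP.
ACCOUNTS = [
    {"user": "a.lee",     "manager": "eng-lead", "last_login": "2024-06-28", "roles": ["dev"]},
    {"user": "b.osman",   "manager": "eng-lead", "last_login": "2024-02-11", "roles": ["dev"]},
    {"user": "c.haddad",  "manager": "ops-lead", "last_login": "2024-06-30", "roles": ["global-admin"]},
    {"user": "svc-build", "manager": "ops-lead", "last_login": "2024-06-30", "roles": ["dev", "deploy"]},
    {"user": "d.sato",    "manager": "fin-lead", "last_login": "2024-05-02", "roles": ["finance"]},
]
# Constructed attestations collected in the five-day window: "keep" or "revoke".
# A user missing from this dict never received an answer from their manager.
ATTESTATIONS = {"a.lee": "keep", "b.osman": "revoke", "c.haddad": "keep"}

PRIVILEGED_ROLES = {"global-admin", "deploy"}  # assumption: roles treated as privileged
STALE_DAYS = 90                                # assumption: no sign-in for 90 days = stale


def recertify(accounts, attestations, review_date, follow_up_expired=False):
    """Return (decisions, findings, metrics) for one review cycle.

    decisions: user -> "retain" | "disable" | "escalate"
    follow_up_expired: True once the escalation period for missing attestations
    has passed, at which point unresolved accounts are disabled (per the control).
    """
    today = date.fromisoformat(review_date)
    decisions, findings, stale = {}, [], 0
    for acct in accounts:
        user, roles = acct["user"], set(acct["roles"])
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > STALE_DAYS:
            stale += 1
        answer = attestations.get(user)
        if answer == "revoke" or (answer is None and follow_up_expired):
            decisions[user] = "disable"
        elif answer is None:
            decisions[user] = "escalate"          # chase the manager, then disable
        else:
            decisions[user] = "retain"
            if idle_days > STALE_DAYS:            # kept, but nobody is using it
                findings.append(f"{user}: retained by {acct['manager']} but idle {idle_days} days")
            if roles & PRIVILEGED_ROLES:          # privileged access needs explicit justification
                findings.append(f"{user}: privileged roles retained {sorted(roles & PRIVILEGED_ROLES)}")
    n = len(accounts)
    metrics = {
        "attestation_completion_pct": round(100 * sum(a["user"] in attestations for a in accounts) / n, 1),
        "stale_pct": round(100 * stale / n, 1),
        "open_remediations": sum(d != "retain" for d in decisions.values()),
    }
    return decisions, findings, metrics
```

Running it first with the escalation window still open and again after it has expired gives the two states the quarterly report needs: what is pending with managers, and what IT disables automatically.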
Example in a Small or Medium Business
A local software development firm with 45 employees implements this control by adding an IAM review to its quarterly compliance calendar. The IT manager generates reports from Azure AD listing active accounts, group memberships, and administrative roles and shares them with department heads. Each manager has five business days to confirm whether listed personnel still require their assigned accesses; IT automatically disables accounts for unresolved items after escalation. The cybersecurity lead reviews conditional access policies and MFA enforcement logs during the same quarter and identifies one legacy service account using password-only authentication. They update the documented IAM requirements to retire the account and mandate service principals with certificates for automation. All changes and the quarterly report are packaged and signed off by the COO. The firm stores the signed review and remediation evidence in its compliance folder to satisfy auditors and to inform the next review cycle.
Summary
Periodic reviews of IAM requirements combine clear policy, a documented review plan, cross-functional participation, automation, and formal approvals to keep access safe and aligned with business and regulatory needs. For SMBs, a practical approach is to schedule regular recertification, automate wherever possible, define triggers for ad-hoc reviews, and document all findings and approvals. This delivers measurable control over who has access, reduces risk from stale or excessive privileges, and creates an auditable trail that proves the organization meets the control.