Overview

Access reviews are periodic campaigns that verify employees have appropriate access to your organization’s critical systems. LowerPlane’s access review module helps you define critical systems, launch review campaigns, and track the certification of individual access grants — a core requirement across ISO 27001, SOC 2, HIPAA, and PCI-DSS.

Key Concepts

Critical Systems

The applications, databases, and infrastructure components that require formal access certification. You define which systems are critical and track their users.

Review Campaigns

Time-bound campaigns where designated reviewers certify or revoke access for employees across one or more critical systems.

Review Items

Individual access grants within a campaign. Each item represents one employee’s access to one system, requiring an approve or revoke decision.

Reviewers

The people responsible for certifying access. Typically system owners, managers, or security team members assigned by role.

Critical Systems

Before launching access reviews, you must define the critical systems in your organization.

Adding a Critical System

Step 1: Navigate to Critical Systems

Go to Personnel > Access Reviews and select the Critical Systems tab.

Step 2: Click Add System

Click Add Critical System and fill in the details.

Step 3: Define System Properties

Provide the following information:
  • Name: Name of the system (e.g., “AWS Production”, “Salesforce”)
  • Description: Brief description of the system’s purpose
  • Category: Type of system: database, cloud-service, application, infrastructure, network, security-tool, or other
  • Risk Level: Critical or High (determines review priority)
  • Owner: The person responsible for this system

Step 4: Add Users

Add employees who have access to the system. For each user, specify their access level and grant date.

System Categories

  • Database: PostgreSQL production, MongoDB Atlas, Redis
  • Cloud Service: AWS, Azure, GCP console access
  • Application: Salesforce, Jira, GitHub, Slack admin
  • Infrastructure: Kubernetes, Docker registry, CI/CD pipelines
  • Network: VPN, firewall management, DNS
  • Security Tool: SIEM, vulnerability scanner, EDR console
  • Other: Custom or specialized systems

Access Review Campaigns

Creating a Campaign

Step 1: Navigate to Campaigns

Go to Personnel > Access Reviews and select the Campaigns tab.

Step 2: Create New Campaign

Click Create Campaign and configure:
  • Name: Descriptive name for the campaign
  • Description: Purpose and scope of the review
  • Type: Periodic, on-demand, termination, role-change, or emergency
  • Start Date: When the review period begins
  • Due Date: Deadline for completing all reviews
  • Reviewer: Person or security role responsible for certifying access
  • Frequency: For recurring campaigns: weekly, monthly, quarterly, semi-annually, or annually
  • Scope Systems: Which critical systems to include
  • Scope Departments: Which departments to include

Step 3: Launch Campaign

Save the campaign to generate review items for all in-scope employees and systems. The campaign enters Active status.

Campaign Types

  • Periodic: Regularly scheduled reviews (quarterly, annually)
  • On-Demand: Ad-hoc reviews triggered by audit findings or policy changes
  • Termination: Verify access revocation when an employee leaves
  • Role Change: Review access when an employee changes roles or departments
  • Emergency: Urgent reviews after a security incident

Campaign Statuses

  • Draft: Campaign created but not yet launched
  • Active: Campaign is in progress, reviewers are certifying access
  • Completed: All review items have been decided
  • Cancelled: Campaign was cancelled before completion

Review Items

Each review item represents one employee’s access to one system within a campaign.

Review Item Fields

  • Employee: Name and department of the employee
  • System: The critical system being reviewed
  • Access Level: Current access level (admin, read-write, read-only, etc.)
  • Granted Date: When access was originally granted
  • Last Used: Most recent activity timestamp
  • Status: Pending, Approved, Revoked, or Escalated

Making Decisions

For each review item, the reviewer has three options:
  • Approve — confirm that the access is appropriate and should continue
  • Revoke — flag the access for removal (triggers the access revocation process)
  • Escalate — flag for further investigation by a senior reviewer
Pay special attention to access that has not been used recently. If an employee has not accessed a system in over 90 days, consider whether they still need that access.

Campaign Metrics

Each campaign tracks completion metrics:
  • Total Reviews: Number of access grants to be certified
  • Completed: Number of decisions made (approved + revoked)
  • Approved: Access grants confirmed as appropriate
  • Revoked: Access grants flagged for removal
  • Pending: Access grants still awaiting a decision

MFA and SSO Status

Access reviews track multi-factor authentication (MFA) and single sign-on (SSO) status for employees:
  • MFA Enabled — whether the employee has MFA configured for the system
  • SSO Enrolled — whether the employee accesses the system through SSO
Employees with access to critical systems who do not have MFA enabled should be flagged for immediate remediation. MFA is a baseline control required by all major compliance frameworks.
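The following added example (not LowerPlane code; field names and sample data are constructed) shows how the rules in the Making Decisions, Campaign Metrics and MFA and SSO Status sections combine: it computes a campaign's metrics as defined above and flags review items a reviewer should look at first, namely access unused for more than 90 days and access without MFA.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90  # "not accessed in over 90 days" threshold from Making Decisions


@dataclass
class ReviewItem:
    # Mirrors the Review Item Fields table; names are assumed, not the product's schema
    employee: str
    system: str
    access_level: str
    granted: date
    last_used: Optional[date]  # None: no recorded activity since the grant
    mfa_enabled: bool
    status: str = "Pending"  # Pending, Approved, Revoked or Escalated


def campaign_metrics(items):
    """Completion metrics as the Campaign Metrics table defines them: completed = approved + revoked."""
    m = {"total": len(items), "approved": 0, "revoked": 0, "pending": 0, "escalated": 0}
    for it in items:
        key = it.status.lower()
        m[key] = m.get(key, 0) + 1
    m["completed"] = m["approved"] + m["revoked"]  # escalated items are not yet decided
    return m


def attention_flags(item, today):
    """Flags to surface before a decision: 'stale' (unused > 90 days or never) and 'no-mfa'."""
    flags = []
    if item.last_used is None or (today - item.last_used).days > STALE_DAYS:
        flags.append("stale")
    if not item.mfa_enabled:
        flags.append("no-mfa")
    return flags


def triage(items, today):
    """Map each employee's item to its flags so reviewers can work the risky grants first."""
    return {it.employee: attention_flags(it, today) for it in items}


# Constructed sample review items for one campaign, evaluated on a fixed review day
REVIEW_DAY = date(2024, 5, 15)
SAMPLE = [
    ReviewItem("alice", "AWS Production", "admin", date(2023, 1, 10), date(2024, 5, 1), True, "Approved"),
    ReviewItem("bob", "Salesforce", "read-only", date(2022, 6, 1), date(2023, 11, 15), True),
    ReviewItem("carol", "PostgreSQL production", "read-write", date(2024, 3, 1), None, False, "Revoked"),
    ReviewItem("dave", "Kubernetes", "admin", date(2023, 9, 1), date(2024, 5, 10), False, "Escalated"),
]

if __name__ == "__main__":
    print(campaign_metrics(SAMPLE))
    for emp, flags in triage(SAMPLE, REVIEW_DAY).items():
        print(emp, flags or ["ok"])
```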

Compliance Mapping

Access reviews satisfy controls across multiple frameworks:
  • ISO 27001 A.9.2.5: Review of user access rights
  • SOC 2 CC6.2: Logical access controls
  • SOC 2 CC6.3: Access removal and modification
  • HIPAA 164.312(a)(1): Access control
  • PCI-DSS 7.1: Limit access by business need
  • PCI-DSS 8.1.4: Review user accounts quarterly

Best Practices

  • Run access reviews at least quarterly for critical systems and annually for all systems
  • Assign system owners as reviewers — they have the best understanding of who needs access
  • Track revocation follow-through — a revoke decision in the review must be followed by actual access removal in the system
  • Use termination campaigns immediately when an employee departs to verify access is fully revoked
  • Document review decisions with notes explaining the rationale, especially for unusual access patterns
  • Automate recurring campaigns by setting a frequency on the campaign to auto-generate the next review cycle