Term · 5. Audit & Monitoring

Certification (Cert)

IDM/IGA Domain

Definition

Periodic review process in which designated reviewers (typically the user's manager, the application owner or the role owner) attest that each user's access is still appropriate for their current job responsibilities. Every item in scope receives one of three decisions: approve, revoke or modify. Revoke and modify decisions must feed back into provisioning so that the access is actually removed or changed, and each decision is retained with its rationale as audit evidence. Review frequency is driven by the regulations in scope: SOX-driven ITGC programs typically review at least annually, SOC 2 programs typically quarterly, and PCI DSS v4.0 requires review at least once every six months. Modern IGA platforms use risk-based certification, in which high-risk access (privileged, financial-system or cardholder-data access) is certified more frequently than routine access.
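As an added illustration (not code from this glossary, MidPoint or SailPoint), the following Python sketches the two halves of a risk-based certification campaign: scoping entitlements by risk tier and last-certified date, then recording approve/revoke/modify decisions and closing the campaign into a remediation list. The entitlements, reviewer names, risk tiers and review intervals are constructed assumptions; the intervals echo the frequencies cited above (quarterly, six months, annual). One deliberate design choice is that items still undecided when the campaign closes are revoked, not silently approved, so reviewer inaction cannot extend access.

```python
"""Risk-based access certification: campaign scoping and decision handling.

Added example, not code from the glossary page or from MidPoint/SailPoint.
All entitlements, reviewers and intervals below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Assumed review cadence per risk tier: higher risk is certified more often.
REVIEW_INTERVAL_DAYS: Dict[Risk, int] = {
    Risk.HIGH: 90,     # e.g. privileged or financial-system access (quarterly)
    Risk.MEDIUM: 180,  # e.g. cardholder-data scope (PCI DSS: at least every six months)
    Risk.LOW: 365,     # routine application access (annual)
}


class Decision(Enum):
    APPROVE = "approve"
    REVOKE = "revoke"
    MODIFY = "modify"


@dataclass
class Entitlement:
    user: str
    resource: str
    role: str
    risk: Risk
    reviewer: str                    # manager / app owner / role owner
    last_certified: Optional[date]   # None = never certified


@dataclass
class CertItem:
    entitlement: Entitlement
    decision: Optional[Decision] = None
    new_role: Optional[str] = None   # populated for MODIFY
    rationale: str = ""


def is_due(e: Entitlement, today: date) -> bool:
    """In scope if never certified or the tier's review interval has elapsed."""
    if e.last_certified is None:
        return True
    return today - e.last_certified >= timedelta(days=REVIEW_INTERVAL_DAYS[e.risk])


def build_campaign(entitlements: List[Entitlement], today: date) -> Dict[str, List[CertItem]]:
    """Group every due entitlement under its designated reviewer."""
    campaign: Dict[str, List[CertItem]] = {}
    for e in entitlements:
        if is_due(e, today):
            campaign.setdefault(e.reviewer, []).append(CertItem(e))
    return campaign


def record_decision(item: CertItem, decision: Decision, rationale: str,
                    new_role: Optional[str] = None) -> None:
    """Store a reviewer decision; revoke/modify need a rationale for the audit trail."""
    if decision is Decision.MODIFY and not new_role:
        raise ValueError("MODIFY requires the replacement role")
    if decision is not Decision.APPROVE and not rationale:
        raise ValueError("revoke/modify decisions need a rationale")
    item.decision = decision
    item.rationale = rationale
    item.new_role = new_role if decision is Decision.MODIFY else None


def close_campaign(campaign: Dict[str, List[CertItem]], today: date
                   ) -> Tuple[List[tuple], List[CertItem]]:
    """Return (remediation actions, undecided items) and stamp approved access.

    Undecided items are revoked rather than treated as approved, so that a
    reviewer who never responds cannot silently extend someone's access.
    """
    actions: List[tuple] = []
    unreviewed: List[CertItem] = []
    for items in campaign.values():
        for it in items:
            e = it.entitlement
            if it.decision is None:
                unreviewed.append(it)
                actions.append(("revoke", e.user, e.resource, e.role, "no decision at campaign close"))
            elif it.decision is Decision.APPROVE:
                e.last_certified = today
            elif it.decision is Decision.REVOKE:
                actions.append(("revoke", e.user, e.resource, e.role, it.rationale))
            else:  # MODIFY: swap the role, then count it as freshly certified
                actions.append(("modify", e.user, e.resource, f"{e.role}->{it.new_role}", it.rationale))
                e.role = it.new_role
                e.last_certified = today
    return actions, unreviewed


def demo(today: date = date(2024, 7, 1)):
    """Constructed sample campaign: two items due for reviewer 'bob', one left undecided."""
    ents = [
        Entitlement("alice", "erp", "GL_Admin", Risk.HIGH, "bob", date(2024, 1, 15)),    # 168 days: due
        Entitlement("carol", "cde-db", "Reader", Risk.MEDIUM, "dave", date(2024, 3, 1)),  # 122 days: not due
        Entitlement("erin", "wiki", "Editor", Risk.LOW, "bob", None),                     # never certified: due
        Entitlement("frank", "erp", "AP_Clerk", Risk.HIGH, "bob", date(2024, 5, 1)),      # 61 days: not due
    ]
    campaign = build_campaign(ents, today)
    record_decision(campaign["bob"][0], Decision.MODIFY,
                    "moved to read-only after role change", new_role="GL_Reader")
    # campaign["bob"][1] (erin / wiki) is deliberately left without a decision
    actions, unreviewed = close_campaign(campaign, today)
    return campaign, actions, unreviewed


if __name__ == "__main__":
    _, acts, undecided = demo()
    for a in acts:
        print(a)
    print(f"{len(undecided)} item(s) revoked for lack of a decision")
```

In a real IGA deployment the revoke and modify actions would be handed to the provisioning engine and the closed campaign kept as evidence; the conservative default for undecided items is the point auditors most often probe, since an auto-approve-on-expiry setting turns the control into a rubber stamp.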

Application
MidPoint: Access Certification campaigns

SailPoint: Certification — periodic access review campaigns (manager / app owner / role owner)
Standards & regulations
  • ISO/IEC 27001:2022 «The organization shall review users’ access rights at regular intervals using a formal process.»
  • ISO/IEC 27002:2022 «Users’ access rights should be reviewed at regular intervals and after any changes, such as promotion, demotion, transfer or termination, using a formal process that involves the relevant asset owners»
  • ISO/IEC 27014:2020 «Management should ensure that periodic reviews of access rights are conducted to confirm that access remains appropriate for the assigned roles and responsibilities, and that any exceptions or changes»
  • ISO/IEC 29146:2016 «Access control policy should require periodic review of access authorizations by designated authorities to verify that granted access remains appropriate, leading to confirmation, modification or revo»
  • ISO/IEC 20000-1:2018 «The organization shall review access rights at planned intervals and in response to changes, and shall approve, revoke or amend access in accordance with documented procedures.»
  • ISO/IEC 24760-1:2019 «identity management includes processes for the periodic review and revocation of authorizations and privileges associated with identities to ensure that they remain appropriate for current relationshi»
  • NIST SP 800-53 Rev. 5 «The organization reviews accounts for compliance with account management requirements at least [Assignment: organization-defined frequency] and when accounts are no longer required, users are terminat»
  • NIST SP 800-53A Rev. 5 «Assessors determine if the organization reviews information system accounts at an organization-defined frequency to ensure that access is still required and in accordance with organizational policies,»
  • NIST SP 800-63-3 «Periodic reproofing or revalidation of subscriber accounts may be performed by organizations to ensure that access to digital services remains appropriate and that proofing requirements are still sati»
  • PCI DSS v4.0 «Access for users and administrators to system components and cardholder data is reviewed at least once every six months to ensure that access remains appropriate, with access revoked or changed as nee»
  • SOC 2 Trust Services Criteria 2017 (AICPA TSC) «The entity reviews user access rights on a periodic basis and after personnel changes to determine whether they are appropriate based on job responsibilities; access is removed or modified when no lon»
  • SOX Section 404 (as implemented via PCAOB AS 2201) «Management’s assessment of the effectiveness of internal control over financial reporting includes controls over information technology, such as periodic review of user access rights and the timely re»