Access review and certification in most organizations serve as a detective process and control for validating the appropriateness of user access to applications, systems, and information. Important steps in the process are determining the person responsible for reviewing and certifying the access, routing the access certification request to the appropriate person, conducting the review and certifying appropriate entitlements, and revoking any inappropriate access.

This chapter will examine the people, processes, and technology components of the review and certification process, and provide an overview of control objectives and critical success factors.