Permissions review ( a.k.a. recertification )

Permissions review ( a.k.a. recertification )

What is recertification?

Access recertification is an IT control that involves auditing user access privileges to determine if they are correct and adhere to the organization’s internal policies and compliance regulations.

Access recertification is typically the responsibility of the organization’s Chief Information Security Officer (CISO) or Chief Compliance Officer (CCO) and may also be known as access attestation or entitlements review.

Below are the two most relevant standards related to the information security with worldwide recognition that will help your business to be stronger and more secure. Both have recertification in its specification.

Take your business up to date

Whether your business already have Soffid IAM or implemented the ISO 27001 and PCI-DSS, or you are yet analysing a solution for these potential risks, Soffid IAM with our Recertification process will help you and go along you in this process to ensure the right access of all your users.

Soffid IAM with the Recertification Addon is the best choice to take your business up to date related to the data information security.

Benefits of recertification in Soffid IAM

Soffid IAM manages the complete access Recertification workflow to generate new certificates for certain applications and certain users, all completely integrated in the Soffid IAM core and workflow engines. Therefore, a complicated process has been made simple and fully transparent to the end user.

Definitely, the advantages of applying Recertification to your company gives you multiple advantages, as we can see below:

  • Allow to the CISO to manage together with the manager of the resources and the users that every person has the correct permissions during the correct period of time.
  • Comply with legal requirements and to certificate the ISO 27000 and PCI-DSS. Every time there are more laws, regulations and contractual requirements that must be met.
  • Improving the organization. Defining processes, procedures and policies improves the organization’s base and helps you to achieve sustainable and controlled growth.
  • Get lower costs due to avoiding security incidents. The costs of prevention are lower than the cost of the problems and their solutions once they have been produced.
  • Provides a competitive advantage. Customers are confident that their data will be secure and therefore will rely more on your company.


Simple install and configure

With our Recertification Addon you could make possible that your organization to be reviewed and validated easily, and make sure that all users have the correct permissions.

Once you have Soffid IAM in your company, you could add the recertification process functionality in a easy way. You only have to do the next steps:

Step 1. Upload the addon

In order to install it is needed to upload the Recertification Addon.

You can download it from hour Download Page.

Step 2. Upload the workflows

Now you have to upload the following workflows:

Recertification process (The starter workflow)

Recertification group process (Authorized users review)

Recertification user process (Users permissions review)

You can download them from your Download Page.

Step 3. Configure the managers

Configure correctly the user managers and the role owners and finally the users with the authority to start a Recertification process.

Step 4. Enjoy

And that’s all! Now you could execute or schedule Recertification processes in your company.

How it works in Soffid IAM

Access recertification can be carried out manually or programmatically.

The first step in a recertification process is to extract and collate the information from the organization’s IT and business systems and distribute it in a format that will allow each manager to easily see what privileges each of his or her employees has been granted.

Managers are then given a deadline for reviewing the information to flag inappropriate access and verify appropriate access.

In large organizations, access governance software (Soffid IAM) can be used to automate the recertification process (Recertification Addon) and ensure that audits occur on a regular basis.

Once the information has been extracted and normalized, the software uses a message template to issue recertification requests.

If the recipient of the recertification request fails to respond within a specified time period, the software can handle the situation in different ways: it could delegate the review to another manager or to his boss or it could freeze all the entitlements not reviewed for a long time.

During all this process, authorized users can look up the recertification process status and its information in Soffid IAM.

About ISO 27000

ISO 27001 is an international standard that describes how to manage information security in a company. Its main mission is to protect the confidentiality, integrity and availability of information in a company.

Recertification is described in the ISO 27002 (annex of the ISO 27001) in the Activity 11.2.4: «Review of user access rights. Management should review users’ access rights at regular intervals using a formal process.».


PCI-DSS is a standard of data security for the credit card industry, and applies only to companies that process, store, or transmit credit card data. For these companies, compliance with the standard is obligatory, though depending on the volume of cards processed, different requirements or obligations may apply.

Recertification is described in Requirement 7.2: «Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.».