Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Periodic re-validation that users' access rights remain justified, a core access-review control in least privilege, SOX, and ISO 27001 audits.
Recertification Process Definition: Periodic re-validation that users' access rights remain justified, a core access-review control in least privilege, SOX, and ISO 27001 audits.
A recertification process is the periodic, formal review that confirms users, systems, or access rights still meet security requirements and remain justified. Most commonly applied to access reviews, it requires owners to re-attest that each person's permissions are still appropriate for their current role, removing entitlements that are no longer needed and preventing the silent accumulation of privilege.
The process runs on a defined cadence, often quarterly, semi-annual, or annual, driven by identity governance and administration (IGA) tooling. The system generates a list of users and their entitlements, routes it to managers or resource owners (the reviewers), and asks them to approve, revoke, or modify each grant. Revocations feed back into provisioning systems to actually remove access, and the full review is logged with timestamps and approver identities to produce auditable evidence. High-risk access such as privileged and administrative accounts is typically recertified more frequently.
Recertification matters because access rights drift over time. As people change roles, join projects, and leave teams, permissions tend to persist, creating privilege creep that violates least privilege and expands the attack surface. Orphaned and excessive accounts are prime targets for attackers and insider misuse. Recertification directly counters this, enforcing least privilege, catching dormant accounts, and demonstrating control to auditors under frameworks like SOX, PCI DSS, ISO 27001, and SOC 2. Without it, an organization cannot credibly assert who should have access to what.
For example, an employee moves from finance to marketing but keeps access to the financial reporting system. During the quarterly access recertification, the marketing manager reviews the employee's entitlements, sees the finance application has no business justification, and revokes it. The IGA platform removes the access automatically and records the decision, closing a segregation-of-duties gap before it can be exploited or flagged in an audit.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →