Which Laws and Certifications Require User Access Reviews (UAR)

Conducting regular User Access Reviews (UAR) has become a key element of IT and data security in many laws and standards. Below we examine three major frameworks: the EU General Data Protection Regulation (GDPR), ISO 27001, and the Health Insurance Portability and Accountability Act (HIPAA).
Legal requirements for user access reviews

GDPR

 

The GDPR itself does not explicitly use the term “User Access Review”. However, it requires that personal data be protected through “appropriate technical and organizational measures”.

 

Article 32(1) states:

“The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Among the measures it lists, point (d) is the one most directly relevant to a recurring review: “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

And paragraph 4 adds:

“The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller…”

In practice, both paragraphs are read as requiring a controller to check regularly that only authorized persons hold access to personal data, and to be able to show that the check took place. A UAR is therefore a logical, and usually necessary, measure for demonstrating compliance with Article 32.

Conclusion: The GDPR does not explicitly mandate User Access Reviews, but their implementation is effectively required to meet the security obligations.

 

ISO 27001

 

ISO 27001 is much more specific. In the 2013 edition, Annex A control A.9 “Access Control” contains requirement “A.9.2.5 – Review of user access rights”:

“Access rights of users should be reviewed at regular intervals by asset owners.”

(In ISO/IEC 27001:2022 the Annex A controls were renumbered; the corresponding control is A.5.18 “Access rights”, which also covers provisioning, review and removal.)

This makes the periodic review of user access rights an explicit control of the standard. Strictly speaking, Annex A controls are selected through the risk treatment process and documented in the Statement of Applicability, so an organization could only omit this one with a documented justification that auditors would need to accept.

In addition, Control A.9.2.6 covers the “Removal or adjustment of access rights” when roles or employment change.

 

Conclusion: For organizations certified or seeking certification under ISO 27001, User Access Reviews are in practice a required component of the Information Security Management System (ISMS), and auditors will expect evidence that the reviews happen at the stated interval.

 

HIPAA

 

The U.S. HIPAA Security Rule also includes requirements that directly imply UAR. Both of the implementation specifications quoted below are classified as “addressable” rather than “required”.
Under Administrative Safeguards § 164.308(a)(3)(ii)(B), “Workforce clearance procedure”:

“Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”

And § 164.308(a)(4)(ii)(C), “Access establishment and modification”, states:

“Implement policies and procedures … to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.”

This means that HIPAA-covered entities and business associates must have processes to document, review, and adjust access rights. “Addressable” does not mean optional: under § 164.306(d) the entity must implement the specification if it is reasonable and appropriate, and otherwise document why not and implement an equivalent alternative measure. For access to ePHI it is hard to argue that no review is needed.

 

Conclusion: While the term “User Access Review” is not explicitly used, the requirement itself is clearly embedded in the rule.

 

Summary

In short:

  • ISO 27001 (Annex A) and HIPAA (addressable specifications of the Security Rule) state the requirement to review user access directly.
  • GDPR implies it through its general obligation to maintain, and regularly evaluate, appropriate technical and organizational security measures.

Therefore, organizations handling personal or sensitive information should:

  1. Establish a formal, recurring process for reviewing user access rights (e.g., at least annually, more often for privileged access, and whenever a role changes or employment ends).
  2. Define responsibilities (who reviews, approves, and removes access).
  3. Link access reviews to a defined role and privilege model (*least privilege principle*).
  4. Keep documented evidence (audit trails) to demonstrate compliance during audits or inspections.
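The four steps above are, in practice, a reconciliation: compare what people actually hold against who should hold it according to HR and the role model, have a named reviewer decide each discrepancy, and keep a record. The following Python script is an added illustration of that reconciliation and is not part of the original article or of any named product. The HR roster, role model, entitlement export, user names and entitlement names are all constructed sample data; the review date and reviewer name are likewise assumed.

```python
"""Access review as a reconciliation: compare an entitlement export against
the HR roster and a role model, flag every grant that needs a decision, and
emit a tamper-evident evidence record. All inputs here are constructed."""
import hashlib
import json
from datetime import date

# Constructed HR roster: employment status and assigned role per account.
HR_ROSTER = {
    "alice": {"status": "active", "role": "nurse"},
    "bob":   {"status": "active", "role": "billing"},
    "carol": {"status": "terminated", "role": "nurse"},
}

# Constructed role model: entitlements each role is allowed to hold
# (the "defined role and privilege model" the review checks against).
ROLE_MODEL = {
    "nurse":   {"ehr:read", "ehr:write"},
    "billing": {"ehr:read", "claims:submit"},
}

# Constructed export from the target system: who actually holds what today.
ENTITLEMENT_EXPORT = [
    ("alice", "ehr:read"),
    ("alice", "ehr:write"),
    ("bob", "ehr:read"),
    ("bob", "claims:submit"),
    ("bob", "ehr:write"),        # not in the billing role: excess privilege
    ("carol", "ehr:read"),       # HR says terminated: should have been removed
    ("svc_legacy", "ehr:read"),  # no HR record at all: orphan account
]


def review_access(roster, role_model, export):
    """Return one finding per grant that a reviewer must decide on.

    Grants that match the role model for an active user are compliant and
    are not returned. Each finding carries the reason and a default action."""
    findings = []
    for user, entitlement in export:
        person = roster.get(user)
        if person is None:
            reason, action = "orphan_account", "disable pending owner confirmation"
        elif person["status"] != "active":
            reason, action = "terminated_user", "revoke"
        elif entitlement not in role_model.get(person["role"], set()):
            reason, action = "excess_privilege", "revoke unless exception approved"
        else:
            continue
        findings.append({"user": user, "entitlement": entitlement,
                         "reason": reason, "default_action": action})
    return findings


def _digest(body):
    # Canonical JSON so the same content always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def evidence_record(findings, decisions, reviewer, review_date, grants_reviewed):
    """Build the audit-trail record for one review cycle.

    `decisions` maps (user, entitlement) to the reviewer's choice, e.g.
    "revoke" or "approved_exception". Every finding must be decided, so an
    unfinished review cannot produce evidence. `review_date` is an ISO date."""
    date.fromisoformat(review_date)  # reject malformed dates early
    rows = []
    for f in findings:
        key = (f["user"], f["entitlement"])
        if key not in decisions:
            raise ValueError(f"undecided finding: {key}")
        rows.append({**f, "decision": decisions[key]})
    body = {"review_date": review_date, "reviewer": reviewer,
            "grants_reviewed": grants_reviewed, "findings": rows}
    return {**body, "sha256": _digest(body)}


def verify_record(record):
    """Recompute the hash; False if any field was altered after signing off."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return _digest(body) == record.get("sha256")


if __name__ == "__main__":
    found = review_access(HR_ROSTER, ROLE_MODEL, ENTITLEMENT_EXPORT)
    # Reviewer decisions (assumed): everything revoked except one approved exception.
    decisions = {(f["user"], f["entitlement"]): "revoke" for f in found}
    decisions[("bob", "ehr:write")] = "approved_exception"
    record = evidence_record(found, decisions, "security-lead", "2024-06-30",
                             len(ENTITLEMENT_EXPORT))
    print(json.dumps(record, indent=2))
```

Reading the output against the summary list: step 1 is the scheduled run, step 2 is the `reviewer` and `decisions` input, step 3 is `ROLE_MODEL`, and step 4 is the hashed record, which an auditor can re-verify with `verify_record`. In a real deployment the roster and export would come from the HR system and the target application, and the record would be stored in write-once storage together with proof that the revocations were actually carried out.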