Xcavate Access Recertification Checklist

Export user access list from IAM system

Identify all in-scope systems (critical/sensitive applications)

Define recertification scope (e.g., departments, access level)

Notify managers of upcoming access review

Include deadline for response

Confirm review responsibilities (line manager, data/system owner)

Review if access aligns with current job role

Verify if access follows the principle of least privilege

Identify and remove stale/inactive accounts

Confirm all privileged/admin accounts are still required

Cross-check against recent org chart or HR data

Log approvals from line managers and/or system owners

Submit list of access revocations to IAM administrators

Confirm removal of unapproved access rights

Include timestamp/log ID

Update IAM register or audit logs

Notify affected users of any access changes

Record business-justified exceptions

With approval from risk owner

Document timeframe for exception access

Include review/expiry date

Add flagged exceptions to quarterly risk log

For internal/external audit

Archive completed recertification checklist

Store in secure location

Generate summary report for audit/regulatory purposes

Include percentage of removals

Submit report to Risk/Compliance lead and DPO