PROCEDURE TEMPLATE

Access Review Procedure

Create a documented access review procedure meeting cyber insurance carrier requirements for Coalition, Hartford, Beazley, and Travelers.

📋 What this cyber insurance requirement is

Cyber carriers expect documented proof that you regularly audit who has access to what. Compromised credentials are involved in nearly 80% of breaches. Access reviews prevent privilege creep and enforce least-privilege principles. This template guides you through creating a procedure that defines review frequency, deprovisioning timelines, role-based access control implementation, and approval workflows that satisfy the major carriers.

What you'll get
  • A customized access review procedure document (4-6 pages)
  • Review frequency & schedule aligned with your identity provider
  • Account disable SLA & deprovisioning checklists
  • RBAC implementation guidelines & least-privilege principles
  • Approver workflow & sign-off requirements
  • Systems in scope & exception handling procedures

What carriers are looking for

Each carrier asks slightly different questions. The artifacts each carrier names are listed below.

Coalition

  • Review frequency, inactive account identification, least-privilege principles, role-based access control (RBAC) implementation
  • Access review procedure documentation
  • RBAC implementation status

Hartford

  • Provisioning documentation, employee deprovisioning procedures, account disable SLAs, approver sign-offs
  • Provisioning policy and deprovisioning checklist

Beazley

  • RBAC implementation status, access review frequency, privileged account management, exception documentation
  • Privileged account management controls

Travelers

  • Documented and signed access reviews, deprovisioning timelines, system owner certification of access necessity
  • Signed reviews and deprovisioning timeline evidence

What to collect

Evidence artifacts your broker will need during the renewal process.

Access Review Reports

Identity provider reports (Entra ID, Okta, Google Workspace, JumpCloud) showing access lists and approval dates

Audit Logs

Terminated user audit logs showing disable timestamps and enforcement within your stated SLA

RBAC Configuration

Screenshots or documentation showing role definitions, group membership, and permission assignments

Offboarding Checklists

Completed offboarding templates for 2-3 recent employee terminations showing account disable steps

Exception Documentation

Logs of access exceptions with compensating controls and approver authorization

Signed Reviews

Evidence of approver sign-off on quarterly or semi-annual access reviews with dates and names

Important: What this doesn't prove

Be upfront about these gaps. Carriers appreciate honesty over overstatement.

  • Reviews actually happen: A documented procedure doesn't prove that reviews occur on schedule or are thorough.
  • Accounts actually get disabled: Even with an SLA, accounts may not be consistently disabled within the stated timeframe.
  • RBAC is correct: Role definitions may not actually enforce least privilege or prevent privilege escalation.
  • Access is still necessary: Reviews validate against policy, not whether every approved access was truly required for the job.
  • Exceptions have controls: Documentation of exceptions doesn't verify that the compensating controls are actually working.
  • Technical enforcement: Carriers increasingly ask for technical evidence alongside policy documents.

Who owns what

🏢 Insured

Owns the policy governance and approval workflow. Responsible for ensuring business owners/managers sign off on quarterly access reviews and certify access necessity. Approves exceptions and compensating controls.

🔧 MSP / IT Department

Configures and maintains identity provider (Entra ID, Okta, etc.). Executes quarterly access reviews, maintains deprovisioning checklists, disables accounts within SLA, and provides evidence reports for carriers.

🤝 Broker

Gathers review evidence from IT/MSP, submits reports to carriers, explains technical implementation details, and addresses carrier questions about access controls and deprovisioning timelines.

Frequently Asked Questions

How often should we conduct access reviews?

Industry standard: Quarterly (every 3 months). Acceptable for smaller orgs: Semi-annual (twice yearly). Annual reviews are increasingly difficult to justify to carriers. More frequent reviews reduce undetected privilege creep.

What's a reasonable account disable SLA?

Recommended: 4 hours from termination notification. Acceptable: Within business hours same day (8 hours). Concerning: Longer than 24 hours. Carriers want to see rapid deprovisioning to prevent ex-employee access abuse.

Should we use RBAC or individual access assignments?

RBAC is strongly preferred. Role-based access simplifies reviews, prevents privilege creep, and scales better than individual assignments. Carriers expect RBAC as a baseline control. Individual exceptions should be documented.

Who should approve access reviews?

Best practice: System owners certify that access is appropriate, IT conducts the review, and leadership (manager, department head) approves. This distributes accountability and prevents single-person approval bias.

What do we do with access exceptions?

Document the business reason, approver, and compensating controls (monitoring, time limits, etc.). Review exceptions each quarter and remove them when no longer needed. Carriers expect to see that exceptions are temporary and controlled, not permanent backdoors.

How do we document proof of reviews for carriers?

Export access review reports from your identity provider showing dates, users, and approvals. Include sign-off emails or attestations from managers. Create a simple tracking sheet showing completion dates for each review cycle. Carriers want to see consistency over time.
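The "Audit Logs" evidence artifact and the disable-SLA FAQ above both come down to one check: how many hours passed between the termination notification and the identity provider's account-disable event, and whether that fits the stated SLA. The script below is an added example, not part of this template or any carrier's material; the HR notification times, the audit-log line format, the action name `account.disable`, and all users are constructed assumptions, and the 8-24 hour band, which the FAQ does not name, is labelled "over acceptable" here.

```python
from datetime import datetime, timezone
# Constructed sample input (not a real IdP export): user -> time IT was
# notified of the termination, ISO 8601 UTC. clee is never disabled.
TERMINATIONS = {
    "asmith@example.com": "2026-03-03T16:40:00Z",
    "bwong@example.com": "2026-03-05T11:00:00Z",
    "clee@example.com": "2026-03-06T08:30:00Z",
}
# Constructed audit log; assumed line format: timestamp actor action target.
AUDIT_LOG = """\
2026-03-04T13:10:00Z admin@example.com account.disable asmith@example.com
2026-03-05T12:30:00Z admin@example.com password.reset bwong@example.com
2026-03-05T14:45:00Z admin@example.com account.disable bwong@example.com
"""

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def first_disable_times(log_text):
    # Earliest account.disable per user; other actions (password.reset etc.) don't count.
    disabled = {}
    for line in log_text.splitlines():
        ts, _actor, action, target = line.split()
        if action == "account.disable":
            t = parse_ts(ts)
            if target not in disabled or t < disabled[target]:
                disabled[target] = t
    return disabled

def tier(hours):
    # FAQ tiers: <=4h recommended, <=8h acceptable, >24h concerning; the FAQ
    # names no tier for 8-24h, so "over acceptable" is this example's own label.
    if hours is None:
        return "not disabled"
    for limit, label in ((4, "recommended"), (8, "acceptable"), (24, "over acceptable")):
        if hours <= limit:
            return label
    return "concerning"

def check_sla(terminations, log_text, sla_hours=4):
    # Hours from notification to disable per user; a missing disable is a breach.
    disabled = first_disable_times(log_text)
    rows = []
    for user, notified in terminations.items():
        t1 = disabled.get(user)
        hours = None if t1 is None else round((t1 - parse_ts(notified)).total_seconds() / 3600, 2)
        rows.append({"user": user, "hours": hours, "tier": tier(hours),
                     "within_sla": hours is not None and hours <= sla_hours})
    met = sum(r["within_sla"] for r in rows)  # counts a broker can quote as evidence
    return {"rows": rows, "total": len(rows), "within_sla": met, "breaches": len(rows) - met}
```

A user with no disable event at all is reported as a breach rather than silently skipped, which is the case a carrier reviewer will look for first.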

Sources (March 2026)

  • Coalition Underwriting Standards — Access review frequency and RBAC implementation requirements
  • Hartford Cyber Security Questionnaire — Provisioning, deprovisioning, and SLA documentation
  • Beazley Security Assessment — Privileged account management and exception controls
  • Travelers Cyber Risk Assessment — Access review sign-off and deprovisioning timelines
  • NIST Cybersecurity Framework (SC-7) — Access control and least-privilege principles
  • CIS Controls v8 — Access control and user provisioning/deprovisioning procedures