CIS Control 6.2: Establish an Access Revoking Process
Terminating employee access promptly is critical to security, but manual revocation processes create gaps and compliance risks. CIS Control 6.2 requires you to disable accounts immediately upon termination, role change, or rights revocation—preferably through automation. This control protects your enterprise assets while maintaining audit trails for regulatory proof.
What this means
This control mandates a formal, preferably automated process to revoke access whenever a user leaves, changes roles, or no longer needs specific rights. The key requirement is disabling accounts rather than deleting them, since disabled accounts preserve audit logs for compliance investigations and historical records. The process should trigger immediately upon any access-triggering event to minimize the window of unauthorized access.
How to comply
- 1.Document your access revoking process in a written policy covering all termination and role-change scenarios
- 2.Implement or configure automated account disabling in your identity and access management (IAM) system to trigger on termination events
- 3.Set a timeline for immediate revocation—ideally within hours of notification, not days
- 4.Disable accounts rather than deleting them to preserve audit logs and forensic evidence
- 5.Create checklists for manual reviews covering all systems (email, VPN, applications, cloud services) if full automation isn't available
- 6.Test the revoking process quarterly to ensure accounts are actually disabled and access is removed across all systems
- 7.Document all revocation actions with timestamps and approvers for audit compliance
Evidence auditors look for
- Access revocation policy document with defined timelines and responsible parties
- IAM system configuration showing automated account disabling rules
- Termination checklist completed and signed by HR and IT for recent employee exits
- Access revocation log showing disabled accounts, dates, and systems affected
- Audit trail from identity provider proving accounts were disabled (not deleted)
- Test results from quarterly revocation process validation
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access revocation workflows by integrating with your HR and IAM systems to instantly disable accounts on termination events, generating compliant audit trails for CIS 6.2 verification.
See how GRCWatch handles this control automatically
Start free trial