• i-confidential

Our Access Recert Capability Model

By Chris Harragan, Security Analyst at i-confidential


Recertifying access is foundational to managing risk.

Though it may seem like a simple process to implement, many organisations get it wrong.

At i-confidential, we have developed an Access Recert Capability Model that focuses on all aspects of recertification. This has helped our industry-leading clients achieve their goals.

Its four core components can be used to help organisations at any stage of their recertification journey.

Below, we’ll provide a few insights into their importance and how they can help you.


Without these essential building blocks, the recertification process stalls before it even starts:

Available Resource – access recertification is a potentially costly and time-consuming, periodic activity that can pull key people away from their normal roles. This makes it difficult to assign to staff as a BAU activity.

Business Buy-In – this is fundamental to recertification’s success. The process requires application owners to provide the required data, and managers to be on board for reviewing access.


What goes into your recertification process determines the level of risk reduction:

Coverage & Prioritisation - determining which applications are recertified and when that happens is important for reducing risk. Recertifying your highest-risk applications first ensures you are best protected.

Clean Data - garbage in, garbage out. The quality of your data underpins the success of your recertification activity. Most organisations struggle with this due to the inherent complexity of large numbers of systems and types of access.


Effective access recertification grows to meet increasing demands:

Integrated Process - recertification needs to be consistent and repeatable so that the activity can scale to increase your coverage.

Automation - recertification deals with a large amount of data. Managing this manually is labour intensive and introduces too much potential for human error. That’s why automation is the key.


How well you manage recertification impacts how much it improves your security position:

Risk Reduction - inappropriate access to critical systems is a risk to your organisation. Recertification helps identify such instances so the risk can be rectified.

Performance Reporting - understanding the performance of your recertification process can also give insights into other organisational processes, such as joiners, movers, and leavers (JML).


Doing all of this is challenging, but we have helped a number of industry-leading clients implement an effective access recertification process.

Some organisations opt for software alone to take care of it. We strongly believe this approach has some fundamental limitations, so make any strategic decisions carefully before committing.

However you choose to implement your recertification process, keep in mind what we’ve outlined above. That way, you can avoid the biggest potential pitfalls and stay focused on what matters.

And please feel free to contact us if you would like to find out more about how we can help you.