Once the Information Security And Compliance Framework is established, it is essential that the access controls are verified. System and application access must be restricted to appropriate individuals, based on their job functions. The Information Security And Compliance Lead must verify that access to privileged IT functions is limited to the appropriate individuals.

Also, a process must be established, at a set frequency (usually monthly) , to verify if all the accesses provided in the system are current. The Information Security And Compliance Lead must ensure that accesses of personnels are revoked in case of a resignation or any changes to the privileges. A periodic report of access status must be circulated to all relevant stakeholders as a part of the access management process.