
5.15 Access Control

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

Findings (2)
FINDING · OPPORTUNITY FOR IMPROVEMENT
JD, 14:35

OFI on policy maintenance

Consider implementing an automated access review process to reduce manual effort and improve accuracy.

Current manual process covers ~200 accounts quarterly. Automation could improve coverage and reduce review cycle from 2 weeks to 2 days.
FINDING · NONCONFORMITY
JS, 14:36

Minor NC in role recertification

Quarterly privilege recertification exists, but two legacy systems are still excluded from the review population.

Scope gap documented during the walkthrough. Customer promised migration in Q3 2026, but the current review process is still incomplete.
Evidence (2)
EVIDENCE

Access Control Policy v3.2

version: v3.2 · source: Customer provided
EVIDENCE

Access Review Log Q1 2026

Sample of quarterly privileged-access recertifications with confirmed approvals.

period: Q1 2026 · entries: 47 reviews · result: All confirmed
Notes (3)
JD, John Doe (Lead Auditor), 14:23

Started interview with CISO regarding access control implementation. Policy was last reviewed in Q4 2025 and is scheduled for an update in Q2 2026.

JS, Jane Smith (Auditor), 14:32

Access control matrix reviewed – covers all critical systems (ERP, CRM, AD). Legacy systems (2 remaining) not yet migrated.

TK, Tim Klein (Trainee), 14:33

Quarterly review cycle observed for privileged accounts. Last review completed March 2026.
