User
What will the certification auditor look for regarding control A.5.18 Access rights?
Experta
During the certification audit, the auditor might look for the following evidence regarding control A.5.18 Access rights: whether user access is granted and revoked according to the defined access control policy.
The auditor might check if access rights are managed as defined by looking for the following evidence:
- Access control policy review: The auditor will review the company's Access Control Policy to ensure it clearly defines the rules for granting, modifying, and revoking access rights.
- Personnel changes: The auditor may ask to see records of the latest hired personnel, personnel who have changed jobs, and the latest dismissed personnel. This is to verify if access rights were granted and revoked according to the policy.
- Access rights management process: The auditor will check if there is a documented process for provisioning, reviewing, modifying, and removing access rights. This includes verifying if these processes are followed consistently.
- Technology and tools: The auditor might look at the technology used to manage access rights, such as user management systems, logging and monitoring tools, and other relevant software or hardware.
- Training and awareness: The auditor may assess whether employees are aware of the importance of managing access rights and whether IT staff are trained on how to manage them effectively.
- Access reviews: The auditor might check if regular reviews of access rights are conducted to ensure they are still appropriate for the user's role and responsibilities.
Examples:
A company has defined in its Access Control Policy the rules for granting and revoking access rights: the auditor may ask to see the latest hired personnel, personnel who have changed jobs, and the latest dismissed personnel, to see whether access was granted and revoked as required.