SOC 2 access control: provisioning, least privilege, and access reviews
Access control is one of the most heavily tested areas in a SOC 2 Type 2 audit. Here is how provisioning, least privilege, deprovisioning, and periodic reviews are evaluated, and where stale accounts quietly turn into audit exceptions.
How access control maps to the Common Criteria
Logical access controls sit in the CC6 family of the Trust Services Criteria, and within it several criteria work together. CC6.1 covers restricting access to authorized users and protecting information assets. CC6.2 addresses registering and authorizing new users before granting access, and removing access when it is no longer appropriate, which is the lifecycle dimension. CC6.3 covers authorizing, modifying, and revoking access based on roles and least privilege, and the periodic review that keeps entitlements honest. None of these prescribes a specific tool; they describe outcomes the auditor will test. For a Type 2 report the central question is not whether you had a good policy on day one, but whether the control operated consistently across the entire audit window, typically six to twelve months.
Least privilege and role-based access
Least privilege means each person, service, and system holds only the access genuinely needed for their function, and nothing more. In practice most organizations operationalize this through role-based access control, where entitlements attach to defined roles rather than being granted ad hoc per individual, which makes access both easier to reason about and easier to evidence. Auditors look for a documented model that ties roles to job functions, plus evidence that privileged access (cloud admin, database superuser, production deploy rights) is genuinely restricted to a small, justified population. A recurring weakness is privilege creep, where employees accumulate access as they change teams but never lose the old grants; the periodic review is the control meant to catch this, so its quality directly affects how much credibility your least-privilege claim carries.
Joiner-mover-leaver: provisioning tied to HR
The strongest access-control programs anchor the user lifecycle to an authoritative source, almost always the HR system, so that joining, changing roles, and leaving each trigger a corresponding access action. For provisioning, auditors want to see that access was requested and approved before it was granted, not retroactively, which means an approval record (a ticket, a signed request, or a workflow log) that predates the grant. For deprovisioning, the high-stakes event, they verify that access was revoked promptly after termination, and they will cross-reference HR termination dates against revocation timestamps in the IdP and key systems. Defining a revocation SLA and meeting it is what gets tested; a common arrangement is same-day or within a defined number of hours. The cleanest evidence is a sampled offboarding showing the HR record, the offboarding ticket, and the access-removal logs lining up.
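The HR-to-IdP cross-reference described above, as an added example that is not part of the original article: it reconciles constructed HR termination records against a constructed IdP audit log, treats a hypothetical "user.deactivate" event as the revocation, and classifies each leaver as within SLA, late, or stale (never revoked). The data, event names, and 24-hour SLA are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_SLA = timedelta(hours=24)  # assumed revocation SLA from policy

# Constructed HR feed (hypothetical): employee id -> termination timestamp (UTC).
HR_TERMINATIONS = {
    "e1001": datetime(2024, 3, 4, 17, 0),
    "e1002": datetime(2024, 3, 11, 9, 30),
    "e1003": datetime(2024, 3, 15, 12, 0),
}

# Constructed IdP audit log (hypothetical): (employee id, event, timestamp).
# Only "user.deactivate" counts as evidence of revocation.
IDP_EVENTS = [
    ("e1001", "user.deactivate", datetime(2024, 3, 4, 18, 15)),
    ("e1002", "user.deactivate", datetime(2024, 3, 14, 8, 0)),   # days after HR date
    ("e1003", "user.login", datetime(2024, 3, 16, 10, 5)),       # never deactivated
]

@dataclass
class OffboardingCheck:
    employee: str
    terminated: datetime
    revoked: Optional[datetime]
    status: str  # "ok", "late", or "stale"

def reconcile(hr, events, sla=DEFAULT_SLA):
    """Pair each HR termination with the earliest revocation and score it against the SLA."""
    first_revocation = {}
    for emp, event, ts in events:
        if event == "user.deactivate" and (emp not in first_revocation or ts < first_revocation[emp]):
            first_revocation[emp] = ts
    results = []
    for emp, terminated in sorted(hr.items()):
        revoked = first_revocation.get(emp)
        if revoked is None:
            status = "stale"          # account outlived the employee: the classic exception
        elif revoked - terminated <= sla:
            status = "ok"             # revocation before the deadline (or pre-scheduled)
        else:
            status = "late"           # revoked, but outside the committed SLA
        results.append(OffboardingCheck(emp, terminated, revoked, status))
    return results

def exceptions(results):
    """Employee ids an auditor would write up from this sample."""
    return [r.employee for r in results if r.status != "ok"]

if __name__ == "__main__":
    for r in reconcile(HR_TERMINATIONS, IDP_EVENTS):
        print(f"{r.employee}: terminated {r.terminated:%Y-%m-%d %H:%M}, revoked {r.revoked} -> {r.status}")
```

Run the same reconciliation over the full audit window, not a single quarter, since Type 2 tests consistency across the whole period.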
Periodic access reviews and what they must show
Periodic user access reviews are where CC6.3 is operationalized, and they are among the most frequently sampled controls in a Type 2 engagement. On a defined cadence (quarterly and semi-annual are both common, with the right interval depending on your risk and what you committed to in your own policy), system owners certify that each user's access remains appropriate and that any access no longer needed is removed. The review must be documented in a way an auditor can test: who reviewed, what they reviewed, when, the decisions made, and the follow-through on any access flagged for removal. An access review that identifies stale accounts but shows no evidence they were actually revoked is weaker than one with fewer findings but clear remediation, because the auditor is testing the loop, not just the inspection. Exports from a compliance platform, signed spreadsheets with dates and reviewer names, and ticketed remediation all qualify.
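A check on the review loop itself, as an added example that is not part of the original article: over constructed review records and remediation evidence it finds "remove" decisions with no revocation inside a grace period, and review intervals that exceed the cadence the policy promised. The records, the 14-day grace period, and the 92-day quarterly ceiling are assumptions.

```python
from datetime import date, timedelta

POLICY_CADENCE_DAYS = 92  # assumed: quarterly, with a few days of slack

# Constructed review records (hypothetical): who reviewed what, when, and each decision.
REVIEWS = [
    {"system": "prod-db", "completed": date(2024, 1, 10), "reviewer": "dba-lead",
     "decisions": {"alice": "keep", "bob": "remove", "svc-report": "remove"}},
    {"system": "prod-db", "completed": date(2024, 4, 8), "reviewer": "dba-lead",
     "decisions": {"alice": "keep", "carol": "keep"}},
    {"system": "prod-db", "completed": date(2024, 9, 30), "reviewer": "dba-lead",
     "decisions": {"alice": "keep", "dave": "remove"}},
]

# Constructed remediation evidence (hypothetical): (system, account, date revoked).
REVOCATIONS = [
    ("prod-db", "bob", date(2024, 1, 12)),
    ("prod-db", "dave", date(2024, 10, 2)),
]

def unremediated_findings(reviews, revocations, grace_days=14):
    """Return 'remove' decisions with no matching revocation within grace_days of the review."""
    gaps = []
    for rv in reviews:
        deadline = rv["completed"] + timedelta(days=grace_days)
        for account, decision in rv["decisions"].items():
            if decision != "remove":
                continue
            done = any(sys_ == rv["system"] and acct == account
                       and rv["completed"] <= when <= deadline
                       for sys_, acct, when in revocations)
            if not done:  # inspection happened, follow-through did not: the loop is open
                gaps.append((rv["system"], account, rv["completed"]))
    return gaps

def cadence_gaps(reviews, max_days=POLICY_CADENCE_DAYS):
    """Return consecutive review pairs per system whose interval exceeds the policy cadence."""
    by_system = {}
    for rv in reviews:
        by_system.setdefault(rv["system"], []).append(rv["completed"])
    gaps = []
    for system, dates in by_system.items():
        dates.sort()
        for prev, nxt in zip(dates, dates[1:]):
            if (nxt - prev).days > max_days:
                gaps.append((system, prev, nxt, (nxt - prev).days))
    return gaps
```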
The pitfalls that become exceptions
The exceptions auditors write up in this area are remarkably consistent. Stale accounts top the list: former employees or contractors whose access survived past their departure, which is both a finding and a genuine security risk. Access granted before approval is another, where the provisioning happened first and the paperwork followed, breaking the authorization control. Reviews performed annually when the policy promised quarterly, or reviews completed but never remediated, both surface as operating-effectiveness gaps. Orphaned and shared accounts, and overly broad service-account permissions, round out the usual list. The unifying lesson is that access control is judged on consistency over time, not on a strong snapshot, so the durable fix is tight integration between HR and identity systems, a realistic and honored review cadence, and dated evidence captured as events happen rather than assembled in the final week before fieldwork.