Article 1: What is an Access Review?
Overview
An access review (also called a certification) is a structured process where your organisation periodically checks that every employee's app access is still appropriate — and formally records that decision.
The core question an access review answers is: does this person still need this access, and is their level of access still correct?
Why organisations do access reviews
Access creeps. Over time, employees accumulate access to tools they no longer use, inherit permissions from previous roles, or retain access after moving teams or leaving the company entirely.
Left unchecked, this creates real risk — both security risk (unnecessary access is a breach vector) and compliance risk (most security frameworks, including ISO 27001 and SOC 2, require you to prove you review access regularly).
Access reviews give you a defensible, documented answer to the question auditors and security teams ask: how do you know that only the right people have access to your systems?
How Ploy's access review process works
Ploy structures access reviews around five stages:
Campaign — you define what should be reviewed, who should review it, and how often. Think of a campaign as a standing instruction: "every quarter, review all admin access to our finance tools."
Cycle — when a review is due, Ploy generates a cycle from the campaign. A cycle is the live instance of the review: it has a specific start date, due date, and a snapshot of all the access that needs to be certified.
Review — within a cycle, each application being reviewed gets its own review. Reviewers are assigned to specific accounts and work through their list, making a decision on each one.
Outcome — for each account, the reviewer records a decision: the access is appropriate, it should be removed, it needs adjustment, or it's out of scope. Decisions requiring action trigger a remediation step.
Approval & attestation — once reviewer decisions are in, an approver certifies the review. This creates a formal attestation record — capturing who approved, when, and from which IP address — which is what auditors will inspect.
Key terminology
| Term | What it means |
|---|---|
| Campaign | A reusable template that defines scope, schedule, and reviewer assignment for a recurring review |
| Cycle | A single run of a campaign — the live review with a due date and assigned reviewers |
| Review | The per-application or per-resource review within a cycle |
| Account | An individual employee's account in a specific application, being reviewed |
| Account set | A group of accounts assigned to a specific reviewer within a review |
| Attestation | The formal approval step where a certified record is created |
| Remediation | The follow-up action when access is marked as inappropriate — removing or adjusting it |
| Luna | Ploy's AI layer that generates recommendations to help reviewers decide faster |
Who is involved
Admins (your IT or security team) configure campaigns, oversee cycles, and approve completed reviews. They work in the Ploy admin dashboard.
Reviewers (typically managers, team leads, or resource owners) make decisions on the accounts assigned to them. They work in the Ploy employee portal — a separate, dedicated interface.
Approvers (often IT admins or a security lead) formally certify that a completed review is accurate before it's closed. This step creates the audit record.
What Ploy captures for compliance
Every completed access review in Ploy produces:
A full decision record for every account reviewed (who decided, what they decided, when, and any notes)
Immutable snapshots of the employee's department, job title, MFA status, and access details at the time of the review
Evidence files attached by reviewers
An attestation record capturing the approver's identity, timestamp, and IP address
A downloadable compliance certificate (PDF) with a cryptographic hash for tamper verification
A complete audit trail of every change made during the cycle
This is the evidence package you hand to an auditor.
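The five-stage lifecycle described above and the evidence package it produces, modelled as an added example that is not Ploy's own code or data model: a cycle snapshots the in-scope accounts, reviewers record one of the four outcomes per account, attestation is refused while any account is undecided, and a SHA-256 hash over the snapshot and decisions lets an auditor detect tampering after the fact. All campaign, account and approver values are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample campaign and accounts (hypothetical names, not Ploy data).
CAMPAIGN = {"name": "Quarterly finance admin review", "apps": ["finance-app"]}
ACCOUNTS = [
    {"id": "alice@finance-app", "app": "finance-app", "role": "admin", "mfa": True},
    {"id": "carol@finance-app", "app": "finance-app", "role": "admin", "mfa": False},
    {"id": "dave@chat-app", "app": "chat-app", "role": "member", "mfa": True},
]
DECISIONS = {"appropriate", "remove", "adjust", "out_of_scope"}

def generate_cycle(campaign, accounts, start, due):
    """Create a cycle: snapshot in-scope accounts so later directory changes cannot alter it."""
    in_scope = [dict(a) for a in accounts if a["app"] in campaign["apps"]]
    return {"campaign": campaign["name"], "start": start, "due": due,
            "snapshot": in_scope, "decisions": {}}

def record_outcome(cycle, account_id, reviewer, decision, note=""):
    """Store a reviewer's decision; return True when the outcome needs remediation."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    if account_id not in {a["id"] for a in cycle["snapshot"]}:
        raise KeyError(f"{account_id} is not in this cycle's snapshot")
    cycle["decisions"][account_id] = {
        "reviewer": reviewer, "decision": decision, "note": note,
        "at": datetime.now(timezone.utc).isoformat()}
    return decision in {"remove", "adjust"}

def evidence_hash(cycle):
    """SHA-256 over the canonical JSON of the snapshot plus all decisions."""
    evidence = {"snapshot": cycle["snapshot"], "decisions": cycle["decisions"]}
    return hashlib.sha256(json.dumps(evidence, sort_keys=True).encode()).hexdigest()

def attest(cycle, approver, ip):
    """Approver certifies the cycle; refuses while any snapshotted account is undecided."""
    pending = [a["id"] for a in cycle["snapshot"] if a["id"] not in cycle["decisions"]]
    if pending:
        raise RuntimeError(f"cannot certify: undecided accounts {pending}")
    return {"approver": approver, "ip": ip,
            "at": datetime.now(timezone.utc).isoformat(),
            "evidence_hash": evidence_hash(cycle)}

def verify(cycle, attestation):
    """Auditor check: recompute the hash and compare it with the attested one."""
    return evidence_hash(cycle) == attestation["evidence_hash"]
```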