Access certification

What access certification means, how it relates to access reviews and attestation, the campaign model, and what continuous certification changes.

3 min read · Last updated July 2026

Access certification is the formal process of confirming that each user's access is still appropriate, with a reviewer signing off per entitlement and revocations executed for anything rejected. It is the compliance term for a user access review, usually run as scheduled campaigns and required by frameworks like SOC 2 and ISO 27001.

Also known as: Access certification, Certification campaign, Recertification, Entitlement certification

Access certification is the formal act of confirming that the access people hold is still the access they should hold. A reviewer signs off, entitlement by entitlement, and anything they reject gets removed. It is the same control as a user access review, seen from the compliance side, where the emphasis lands on the sign-off and the paper trail.

If there is any distinction between the two terms, it is one of emphasis. Certification stresses the attestation, the formal statement that the access is correct. Review stresses the examination, the act of looking. Auditors and legacy IGA vendors say certification. Practitioners say review. They are talking about the same thing.

The campaign model

Certification has traditionally been run as campaigns. A campaign is a scheduled batch: pick a scope (a set of apps, a department, a class of entitlements), pull all the access in it, push it to reviewers, and give them a deadline to clear it.

This is how legacy IGA works, and the model has a built-in flaw. Batching a quarter's worth of access into a single deadline creates a wall of work that arrives all at once. Reviewers facing hundreds of unfamiliar entitlements with a Friday deadline do the rational thing and approve in bulk. The campaign completes, the evidence is generated, and the actual access barely changes. It is efficient to administer and hollow in effect.

Continuous certification

The alternative is to stop batching. Continuous certification evaluates access as it changes: a new grant, an unusual entitlement, a role change that adds permissions, each reviewed close to when it happens. The heavy quarterly campaign shrinks, because most access has already been confirmed in the flow of work. What is left for the scheduled run is exceptions, not the entire population.

The benefit is not only lighter campaigns. Access stays current in between, rather than drifting for three months and getting corrected in a rush.

What certification has to prove

The evidence bar is the same as any review, and it has five parts. Scope: what was covered. Reviewers: who signed off, and whether they had the standing to. Decisions: keep or remove, recorded per item. Timing: when the certification opened and closed. Enforcement: proof that rejected access was actually revoked.

The fifth is where certifications most often fall short. A campaign can produce a complete set of decisions and still leave the rejected access in place because nobody wired the removal to the sign-off. The certification then says one thing and the system says another. Real certification closes that loop: the sign-off drives the revocation, and the evidence reflects actions taken, not intentions logged.

Related terms

  • User access review. The everyday term for the same control.
  • Attestation. The reviewer's formal statement that access is correct.
  • Certification campaign. A scheduled, scoped certification run.
  • Identity Governance and Administration (IGA). The discipline certification is part of.

Frequently asked questions

Is access certification different from a user access review?

They describe the same control. Access certification is the formal term, common in compliance language and legacy IGA products, and it emphasizes the sign-off. User access review is the everyday term and emphasizes the reviewing. If there is a shade of difference, certification points at the attestation step; review points at the examination step. Most teams treat them as one thing.

What is a certification campaign?

A campaign is a scheduled certification run scoped to a set of users, apps, or entitlements, with a deadline. Legacy IGA is built around campaigns: quarterly, a large batch of access is pushed to reviewers who must clear it by a date. The batch model is efficient to schedule and brutal to complete, which is why campaigns get rubber-stamped.

What is continuous certification?

Instead of batching everything into a quarterly campaign, continuous certification evaluates access changes as they occur. New or unusual access is reviewed close to when it happens, so the quarterly run shrinks to exceptions rather than the entire population. It spreads the work out and keeps access current between campaigns.

What does a certification need to satisfy an auditor?

Scope (what was covered), reviewers (who signed off), decisions (keep or remove per item), timing (when it ran and closed), and enforcement (proof rejected access was removed). A certification that records decisions without proving the removals is incomplete evidence.

Which frameworks require access certification?

SOC 2 references it under CC6 access controls. ISO 27001:2022 covers it under A.5.18 (access rights). It also appears in HIPAA, PCI DSS, NIST 800-53, NERC CIP, and ITAR expectations. The specifics vary, but the shared requirement is periodic review of access with evidence.