SOC 2 CC6.2: Logical and Physical Access - User Registration and Authorization
What This Control Requires
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
In Plain Language
Stale accounts belonging to former employees are one of the most common SOC 2 findings - and one of the easiest to prevent. CC6.2 covers the entire lifecycle of user access: from initial registration and authorisation, through modifications, to removal when access is no longer appropriate.

You need formal processes for requesting, approving, provisioning, modifying, and revoking access. Every step should be documented with clear accountability. This covers internal users (employees, contractors) and external users (customers, partners, vendors) whose access your organisation manages.

This is one of the most frequently tested control areas in any SOC 2 audit. Assessors will check whether your onboarding process is complete and consistent, whether access grants have proper approvals, whether role changes trigger access modifications, and - critically - whether access is revoked promptly when people leave or move roles.
How to Implement
Set up a formal access request and approval process. Every request should go through a documented channel (ticketing system, access management platform, or formal request form), specify what access is needed and why, get approved by both the requester's manager and the system/data owner, and be retained as evidence.

Integrate identity lifecycle management with your HR system. New hires trigger account creation and role-appropriate access provisioning. Role changes trigger access reviews and modifications. Terminations trigger immediate account disablement and full access revocation. Automate as much of this as possible - manual handoffs between HR and IT are where things fall through the cracks.

Define standard access profiles for common job functions using role-based access control (RBAC). Document what access each role receives and review role definitions regularly. This makes provisioning consistent and simplifies both management and auditing.

Set clear SLAs for offboarding. Disable accounts on the same day for voluntary departures, and immediately for involuntary terminations. Revoke remote access, retrieve physical assets, and disable all application-level access. Use a checklist and run a post-termination audit to confirm completeness.

Keep records of every access provisioning and deprovisioning action: date, requester, approver, what access was granted or revoked, and when the change was implemented. These records are essential audit evidence and auditors will sample them extensively.

Manage external user access with extra rigour. Vendor and partner accounts need defined access scopes, expiration dates, and review schedules. Customer accounts should have self-service registration with appropriate verification and terms acceptance.
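The post-termination audit and the external-account review described above can be run as a reconciliation between the HR roster and the identity provider's account list. The script below is an added example, not AuditFront's code or any vendor's API; the roster, account records and the same-day SLA are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from any real system): HR roster and IdP account export.
HR_ROSTER = [
    {"employee_id": "E100", "status": "active", "termination_date": None},
    {"employee_id": "E101", "status": "terminated", "termination_date": date(2024, 3, 1)},
    {"employee_id": "E102", "status": "terminated", "termination_date": date(2024, 3, 14)},
]
IDP_ACCOUNTS = [
    {"username": "ana", "employee_id": "E100", "enabled": True, "type": "internal", "expires": None},
    {"username": "ben", "employee_id": "E101", "enabled": True, "type": "internal", "expires": None},
    {"username": "cy", "employee_id": "E102", "enabled": False, "type": "internal", "expires": None},
    {"username": "vendor-acme", "employee_id": None, "enabled": True, "type": "external", "expires": None},
    {"username": "svc-backup", "employee_id": None, "enabled": True, "type": "internal", "expires": None},
]
AS_OF = date(2024, 3, 15)  # date the reconciliation is run (constructed)


def find_offboarding_gaps(hr_roster, accounts, as_of, sla_days=0):
    """Return CC6.2 findings as (username, reason) tuples.

    Flags: enabled accounts of terminated staff older than the SLA (0 days = same-day
    disablement), external accounts with no expiration date, and internal accounts
    with no owner in HR (orphaned or shared accounts that defeat accountability).
    """
    hr_by_id = {r["employee_id"]: r for r in hr_roster}
    findings = []
    for acct in accounts:
        if acct["type"] == "external":
            if acct["expires"] is None:
                findings.append((acct["username"], "external account has no expiration date"))
            continue
        owner = hr_by_id.get(acct["employee_id"])
        if owner is None:
            findings.append((acct["username"], "no HR owner on record (orphan or shared account)"))
            continue
        if owner["status"] == "terminated" and acct["enabled"]:
            overdue = (as_of - owner["termination_date"]).days
            if overdue > sla_days:
                findings.append((acct["username"], f"still enabled {overdue} days after termination"))
    return findings


if __name__ == "__main__":
    for username, reason in find_offboarding_gaps(HR_ROSTER, IDP_ACCOUNTS, AS_OF):
        print(f"{username}: {reason}")
```

Each finding maps directly to an evidence item the auditor will sample: the termination checklist, the external-account review schedule, or the record of who owns an account.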
Evidence Your Auditor Will Request
- Access request and approval records showing authorization for granted access
- User onboarding procedures with evidence of HR-triggered provisioning workflow
- Termination checklist and evidence of timely access revocation for departed employees
- Role definitions (RBAC) documenting standard access profiles for each job function
- Access provisioning and deprovisioning audit trail for the review period
Common Mistakes
- Access is granted informally without documented requests or approvals
- Terminated employee accounts remain active for days or weeks after departure
- No integration between HR systems and access management, requiring manual coordination
- Generic or shared accounts are used instead of individual user accounts, preventing accountability
- External user accounts (vendors, partners) have no expiration dates and are not regularly reviewed