CIS Control 5.3: Disable Dormant Accounts
Dormant accounts pose a significant security risk—inactive credentials can be compromised without detection. CIS Control 5.3 requires disabling or deleting any account inactive for 45+ days to reduce your attack surface. This control is foundational to account lifecycle management and a key requirement for SOC 2, ISO 27001, and security audits.
What this means
CIS Control 5.3 mandates that organizations establish and enforce a policy to automatically disable or delete user accounts that remain inactive for 45 consecutive days. This prevents unauthorized access through forgotten, abandoned, or compromised credentials that attackers could exploit. The control applies across all systems and applications where supported by platform capabilities.
How to comply
- 1.Define 'inactivity' clearly (login attempts, password changes, or system access events) and document your 45-day threshold in your account management policy
- 2.Audit all active accounts in your systems (identity providers, applications, databases, cloud platforms) to establish baseline dormancy status
- 3.Configure automated monitoring to track user activity and flag accounts approaching the 45-day inactivity threshold
- 4.Implement automated account disabling at the 45-day mark, or establish a manual review process where automation is unsupported
- 5.Document all disabled accounts and maintain records for audit purposes (reason, date, authorized by)
- 6.Communicate the policy to users so they understand account will be disabled due to inactivity
- 7.Test the disabling process on non-critical accounts first to ensure no unintended service disruptions
- 8.Review and adjust the inactivity period based on your risk tolerance and business requirements (e.g., 30 days for high-sensitivity roles)
Evidence auditors look for
- Account lifecycle management policy specifying 45-day inactivity threshold
- Automated reports showing disabled accounts with disable dates and inactivity durations
- Identity provider (Active Directory, Okta, Azure AD) audit logs showing account disablement events
- Application-level access logs showing last login timestamps for all accounts
- Disable/deprovisioning workflow documentation with approval chains
- Screenshots of monitoring tools configured with 45-day inactivity alerts
- User communication (email, policy announcement) about account disablement policy
- Quarterly or annual account cleanup reports showing dormant accounts removed
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the 45-day inactivity detection across all your cloud and on-prem systems, generates disable/notification workflows, and tracks evidence—eliminating manual account audits and accelerating your CIS Control 5.3 audit.
See how GRCWatch handles this control automatically
Start free trial