CIS Control 6.1: Establish an Access Granting Process
Manual access provisioning creates compliance gaps and security risks. CIS Control 6.1 requires you to establish a formal, preferably automated process for granting access when users are hired, promoted, or change roles. This control is foundational to preventing unauthorized access and maintaining audit trails.
What this means
You need a documented procedure that automatically or systematically grants appropriate access rights to enterprise assets when a user enters your organization, receives a promotion, or transitions to a new role. The process should define who approves access requests, which systems are involved, and how access is provisioned—with automation reducing manual errors and delays. This ensures users get the right permissions at the right time while maintaining a complete audit record.
How to comply
- 1.Document your access granting workflow, including triggers (new hire, promotion, role change) and required approvals
- 2.Identify all enterprise assets that require access controls and map them to job roles
- 3.Define the approval authority for each asset and access level
- 4.Automate the provisioning process where possible to reduce manual errors and turnaround time
- 5.Log all access grants with user, asset, date, approver, and justification for audit purposes
- 6.Test the process quarterly with sample new hires or role changes to verify it functions end-to-end
- 7.Review and update the process annually or when organizational structure changes
Evidence auditors look for
- Access request form or ticketing system showing new hire access provisioning
- Automated provisioning logs from IAM or onboarding platform
- Manager approval emails or sign-offs for access grants
- Role-to-asset mapping documentation
- Access review reports showing audit trails of who granted what access and when
- Process documentation with approval workflows and responsibilities
- Test results demonstrating end-to-end provisioning process validation
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access request workflows with built-in approval routing and provisioning logs, turning manual access grants into auditable, automated processes that satisfy CIS 6.1 in minutes.
See how GRCWatch handles this control automatically
Start free trial