GRCWatch
Sign inStart free trial

CIS Control 6.1: Establish an Access Granting Process

Manual access provisioning creates compliance gaps and security risks. CIS Control 6.1 requires you to establish a formal, preferably automated process for granting access when users are hired, promoted, or change roles. This control is foundational to preventing unauthorized access and maintaining audit trails.

What this means

You need a documented procedure that automatically or systematically grants appropriate access rights to enterprise assets when a user enters your organization, receives a promotion, or transitions to a new role. The process should define who approves access requests, which systems are involved, and how access is provisioned—with automation reducing manual errors and delays. This ensures users get the right permissions at the right time while maintaining a complete audit record.

How to comply

  1. 1.Document your access granting workflow, including triggers (new hire, promotion, role change) and required approvals
  2. 2.Identify all enterprise assets that require access controls and map them to job roles
  3. 3.Define the approval authority for each asset and access level
  4. 4.Automate the provisioning process where possible to reduce manual errors and turnaround time
  5. 5.Log all access grants with user, asset, date, approver, and justification for audit purposes
  6. 6.Test the process quarterly with sample new hires or role changes to verify it functions end-to-end
  7. 7.Review and update the process annually or when organizational structure changes

Evidence auditors look for

  • Access request form or ticketing system showing new hire access provisioning
  • Automated provisioning logs from IAM or onboarding platform
  • Manager approval emails or sign-offs for access grants
  • Role-to-asset mapping documentation
  • Access review reports showing audit trails of who granted what access and when
  • Process documentation with approval workflows and responsibilities
  • Test results demonstrating end-to-end provisioning process validation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates access request workflows with built-in approval routing and provisioning logs, turning manual access grants into auditable, automated processes that satisfy CIS 6.1 in minutes.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 6.2 — Ensure Access is RevokedCIS Control 5.3 — Configure Data Access ControlCIS Control 2.2 — Address Unauthorized Software