GRCWatch
Sign inStart free trial

CIS Control 6.7: Centralize Access Control

Fragmented access control across enterprise assets creates security blind spots and compliance gaps. CIS Control 6.7 requires organizations to consolidate access management through a centralized directory service or single sign-on (SSO) provider. This foundation eliminates redundant credentials, enforces consistent policies, and provides auditable access trails—critical for SOC 2, ISO 27001, and regulatory compliance.

What this means

Centralized access control consolidates user authentication and authorization management into a single system—typically a directory service (Active Directory, LDAP) or SSO provider (Okta, Azure AD, Google Workspace). Instead of managing credentials separately across applications and assets, users authenticate once and gain role-based access across approved systems. This approach reduces password sprawl, enforces uniform access policies, enables rapid offboarding, and creates comprehensive audit logs for compliance reviews.

How to comply

  1. 1.Select and deploy a directory service or SSO solution compatible with your enterprise assets and applications
  2. 2.Integrate all critical systems, applications, and cloud services into the centralized access control platform
  3. 3.Define role-based access control (RBAC) policies that align with job functions and least-privilege principles
  4. 4.Configure multi-factor authentication (MFA) at the centralized authentication point for enhanced security
  5. 5.Establish automated user provisioning and deprovisioning workflows to ensure access reflects current organizational structure
  6. 6.Document access control policies, including approval workflows and periodic access reviews
  7. 7.Audit and monitor authentication logs to detect unauthorized access attempts and policy violations
  8. 8.Conduct quarterly access reviews to validate that users retain only necessary permissions

Evidence auditors look for

  • Active Directory or LDAP directory service deployment documentation with user population and group policies
  • SSO platform configuration (Okta, Azure AD, Ping Identity) showing integrated applications and authentication rules
  • Role-based access control (RBAC) matrix defining job titles, roles, and associated permissions
  • Multi-factor authentication (MFA) enablement report showing percentage of users with MFA active
  • User provisioning and deprovisioning logs demonstrating automated onboarding/offboarding workflows
  • Access approval workflow documentation including manager sign-offs and approval timelines
  • Authentication audit logs with timestamps, user IDs, success/failure status, and accessed resources
  • Quarterly access review reports signed by department managers confirming permission appropriateness

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates user access reviews and generates audit-ready access control reports by pulling authentication logs directly from your directory service or SSO provider, eliminating manual spreadsheet tracking and ensuring quarterly compliance reviews stay on schedule.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 5.3: Configure Data Access Control ListsCIS Control 6.1: Establish an Access Control ProcessCIS Control 6.2: Account ManagementCIS Control 6.6: Promptly Deactivate User AccessNIST 800-53 AC-2: Account ManagementNIST 800-53 AC-3: Access EnforcementISO 27001 A.9.2: User Access Management