Home Compliance & Certification Access Request Process Guide

Access Request Process Guide

Last updated on Sep 23, 2025

1. Purpose of this Guide

This artefact shows that your company has a clear and controlled way to grant, change, and revoke access to systems. Cyber Essentials (and most other standards) want proof that you don’t just hand out accounts like free samples at a mall — every access change is requested, approved, recorded, and revoked properly. This reduces the risk of ex-staff or unauthorised users slipping through the gates.

2. What You Will Submit

You will need:

  • Your Access Request Process document (usually a short policy or procedure doc).

  • It should outline the steps for:

    • Requesting new access or role changes

    • Getting approval

    • Recording the change

    • Revoking access when no longer needed

  • (Optional) A short description, e.g. “This is our company’s official access request procedure, last updated 1 Jul 2025.”

3. How to Collect / Obtain / Generate This Evidence

  • Use StrongKeep's provided template, which can be found in the document library.

  • If you don’t have one yet or want to create your own template:

    1. Draft a simple 1–2 page document.

    2. Include the four key stages: Request → Approval → Recording → Revocation.

    3. Make sure to state who is responsible at each stage (manager, approving authority, IT).

4. Evidence Format

  • Accepted file types: PDF, DOCX, or JPG/PNG screenshot (if your process is in a tool).

  • Suggested naming format:
    YourCompanyName_AccessRequestProcess_YYYY-MM-DD.pdf

5. What “Good” Looks Like

A strong submission will show:

  • Clear steps for requesting, approving, recording, and revoking access.

  • Defined roles (e.g. “Manager requests, HR approves, IT updates inventory”).

  • Specific details captured (staff name, department, system, role, dates).

  • Revocation process (important! shows that accounts don’t stay open forever).

Why this matters: Auditors want to see that your process isn’t just “ask IT nicely.” It proves you’ve thought about who should have access — and who shouldn’t.

6. Tips

  • Keep it short and readable — one or two pages is plenty.

  • Redact personal details if you use a real example (e.g. don’t show actual staff names).