Leavers and Joiners: The IT Checklist That Prevents Security Gaps

Organisations often treat onboarding and offboarding as administrative processes, but in practice they are closely tied to security. Every new account, permission and device introduces risk, and every access point that remains active after someone leaves can create a gap that may go unnoticed until it is exploited.

In the UK, this risk is well established. The Cyber Security Breaches Survey 2025 reported that 43% of businesses experienced a cyber breach or attack in the previous year, with phishing remaining the most common entry point. In many cases, the root cause is not a sophisticated technical failure but a weakness in user access management: accounts, permissions and access rights that were never reviewed or were not removed in a timely manner, leaving a phished or guessed credential with far more reach than it should have had.

This is particularly relevant across sectors such as the NHS, schools, and local authorities, where staff regularly move between roles, systems are shared across departments and access to sensitive data must be controlled carefully. Within these environments, a consistent user access review process becomes essential to maintaining control.

At ICTn, managing user access forms part of a wider approach to Cloud Managed Services. Rather than treating joiners, movers and leavers as isolated events, the focus is on embedding regular user access reviews into day-to-day operations so that access remains aligned with actual responsibilities over time.

Why Leavers and Joiners Create Security Gaps

Security issues linked to user access rarely begin with deliberate misuse. More often, they arise from routine activity. A new employee may be granted broader access permissions than required to avoid delays. Someone changing roles may retain access rights from their previous position. Third-party vendors may continue to have access long after a project ends. Former employees may still have active user accounts, or residual access through connected systems, shared mailboxes, API keys or devices that were never reclaimed.

Guidance from both the NCSC and the ICO makes it clear that organisations should define and enforce an access management policy, regularly review user access rights and remove access when it is no longer needed. The principle of least privilege remains central, ensuring that users are given only the access required for their job responsibilities and nothing more.

Where regular user access reviews are not carried out, access tends to accumulate. Over time this leads to privilege creep, where individuals gradually gain access to more systems and data than necessary. In complex environments with multiple systems and cloud applications, this becomes difficult to track and increases exposure to insider threats and unauthorised access.

A structured user access review checklist provides a way to bring consistency to this process, helping organisations review access systematically rather than relying on ad hoc checks.

Building an Effective User Access Review Checklist

An effective user access review checklist should reflect how the organisation actually operates rather than existing as a theoretical document. The purpose of the checklist is to support a repeatable review process that can be applied consistently across departments, systems and user types.

At its core, the user access review process involves identifying who has access to which systems and data, assessing whether that access is still appropriate, and taking action where it is not. This includes reviewing user permissions, identifying inactive accounts, validating access privileges against current roles and ensuring that privileged accounts are properly controlled.

A well-structured user access review template supports this by standardising how information is collected and reviewed. It also ensures that decisions are documented, creating an audit trail that can be used for compliance and internal accountability. Maintaining this level of visibility is particularly important in environments where access is distributed across multiple systems and applications.

Managing Access Before the First Day

The user access review process begins before a new account is created. At this stage, decisions made about access permissions can have a long-term impact on security.

Organisations should define the individual’s role, the systems they need to access and whether any elevated access is required. Applying role-based access control at this point helps ensure that access privileges are assigned consistently based on predefined roles rather than informal requests. This approach simplifies managing user access and makes it easier to review access later.

Where possible, access should also be centralised through single sign-on. This improves visibility and allows access to be revoked more effectively when the user leaves or changes roles. Without this, user credentials may be spread across multiple systems, increasing the likelihood of incomplete access removal. Two caveats apply even with single sign-on in place: disabling the identity provider account stops new sign-ins but does not by itself end sessions or tokens that downstream applications have already issued, so these must be revoked separately, and any application that still keeps its own local accounts outside the single sign-on boundary must be tracked and offboarded on its own.

Ensuring Appropriate Access on the First Day

On the first day, the focus should be on confirming that access is appropriate rather than extensive. This involves verifying identity, enabling multi-factor authentication and ensuring that access permissions match the individual’s role.

Granting excessive access at this stage introduces unnecessary risk. Temporary access, if required, should be time-limited and subject to review, with the expiry enforced by the system that grants it rather than recorded only in a ticket or spreadsheet. Without an enforced expiry date, temporary permissions often become permanent, contributing to unnecessary access and weakening overall access control.

At the same time, users should understand their responsibilities in relation to data protection and security. While training alone cannot prevent all security incidents, it supports a broader approach where user behaviour, technical controls and processes work together.

Reviewing Access When Roles Change

Changes in role are one of the most common points at which user access becomes misaligned. New access rights are often added without removing previous permissions, leading to privilege creep and, in some cases, conflicting access privileges that should never be held by one person, such as the ability to both raise and approve a payment.

A structured review process should be triggered whenever an individual’s responsibilities change. This involves reviewing user access rights across all systems, including indirect access through groups or applications, and ensuring that permissions align with current job responsibilities.
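The review described in this section and in the checklist section above (confirming who holds which entitlements, validating them against the current role, finding inactive accounts and expired temporary grants, and checking that privileged accounts are controlled) is straightforward to express as a script run over exported access data. The following Python is an added example written for this article, not ICTn's tooling or any vendor's product. The role baseline, group grants, entitlement names and sample users are all constructed; a real review would load these from the identity provider and application exports, and the naming of entitlements would follow those systems.

```python
"""Point-in-time user access review over constructed access data (added example).

For each user, effective entitlements are computed as direct grants plus grants
inherited through group membership, then compared with the baseline for the
user's current role. The review flags privilege creep (entitlements the role
does not justify), temporary grants that have passed their expiry, accounts
with no recent sign-in, and privileged holders without MFA.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2025, 6, 30)  # fixed review date so the example is deterministic

# Assumed RBAC baseline: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "m365:mail", "sharepoint:finance"},
    "hr-officer": {"hris:edit", "m365:mail", "sharepoint:hr"},
    "it-admin": {"m365:mail", "entra:global-admin", "azure:subscription-owner"},
}
# Assumed group-to-entitlement mapping: membership confers access indirectly.
GROUP_GRANTS = {
    "GG-Finance": {"erp:read", "sharepoint:finance"},
    "GG-HR": {"hris:edit", "sharepoint:hr"},
    "GG-AllStaff": {"m365:mail"},
}
# Entitlements treated as privileged for the MFA check.
PRIVILEGED = {"entra:global-admin", "azure:subscription-owner", "hris:edit"}


@dataclass
class User:
    upn: str
    role: str
    groups: set[str]
    direct: set[str]            # direct grants, often left over from an old role
    temporary: dict[str, date]  # entitlement -> expiry date
    last_sign_in: date
    mfa_enrolled: bool


def effective_entitlements(user: User) -> set[str]:
    """Direct grants, temporary grants and everything inherited via groups."""
    ents = set(user.direct) | set(user.temporary)
    for group in user.groups:
        ents |= GROUP_GRANTS.get(group, set())
    return ents


def review_user(user: User, today: date, inactive_days: int = 90) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for one user; an empty list means no action."""
    findings = []
    ents = effective_entitlements(user)
    baseline = ROLE_BASELINE.get(user.role, set())

    # Privilege creep: anything outside the role baseline that is not a
    # temporary grant (temporary grants are judged by their expiry below).
    for ent in sorted(ents - baseline):
        if ent in user.temporary:
            continue
        findings.append(("PRIVILEGE_CREEP", ent))

    for ent, expiry in sorted(user.temporary.items()):
        if expiry < today:
            findings.append(("EXPIRED_TEMPORARY", ent))

    idle = (today - user.last_sign_in).days
    if idle > inactive_days:
        findings.append(("INACTIVE_ACCOUNT", f"{idle} days"))

    held_privileged = ents & PRIVILEGED
    if held_privileged and not user.mfa_enrolled:
        findings.append(("PRIVILEGED_NO_MFA", ",".join(sorted(held_privileged))))
    return findings


def run_review(users: list[User], today: date) -> dict[str, list[tuple[str, str]]]:
    return {u.upn: review_user(u, today) for u in users}


# Constructed sample population: a mover who kept her old HR group, an admin
# who has gone quiet and never enrolled MFA, and an analyst whose temporary
# Azure ownership expired ten days ago.
SAMPLE_USERS = [
    User("alice@example.org", "finance-analyst", {"GG-Finance", "GG-AllStaff", "GG-HR"},
         set(), {}, TODAY - timedelta(days=3), True),
    User("bob@example.org", "it-admin", {"GG-AllStaff"},
         {"entra:global-admin", "azure:subscription-owner"}, {},
         TODAY - timedelta(days=120), False),
    User("carol@example.org", "finance-analyst", {"GG-Finance", "GG-AllStaff"},
         set(), {"azure:subscription-owner": TODAY - timedelta(days=10)},
         TODAY - timedelta(days=1), True),
]

if __name__ == "__main__":
    for upn, findings in run_review(SAMPLE_USERS, TODAY).items():
        print(upn, findings or "OK")
```

The review deliberately computes effective rather than direct access: Alice has no direct grants at all, yet she still holds HR entitlements through a group nobody removed when she moved, which is exactly the case a spreadsheet of direct assignments misses. A temporary grant that is still within its expiry is not reported as creep, so reviewers see only the items that need a decision.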

This stage is often overlooked, but it is critical for maintaining appropriate access levels over time. Without it, organisations risk creating complex and inconsistent access structures that are difficult to manage and audit.

Managing Access for Leavers

Effective offboarding begins before the final day of employment. Organisations should identify all user accounts, systems, devices and third-party access linked to the individual. This includes application and system accounts, shared access and any credentials stored across platforms.

On the final day, access should be removed in a coordinated and timely manner. This includes disabling accounts (rather than deleting them immediately, so that data and audit history are preserved), revoking access across systems, revoking active sessions and refresh tokens so that already signed-in clients are cut off, rotating any shared passwords or API keys the individual knew, and securing or retrieving devices. The aim is to ensure that access is fully removed without delay.

However, the process should not end there. In the following 24 to 72 hours, organisations should confirm that every account linked to the individual is disabled across all systems and review sign-in and audit logs for any successful authentication or resource access attributed to the leaver's identities after the time the accounts were disabled. This helps identify any remaining access, such as a system missed during offboarding or a token that survived the account being disabled, and provides evidence that the offboarding process was completed successfully.
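The follow-up check described above can be automated against exported account state and log data. The Python below is an added example for this article, not ICTn's or any vendor's code. The leaver's identities, the system names, the account-state export and the log lines are all constructed; in practice the state would come from each system's API or admin export and the events from the identity provider's sign-in log, VPN logs and application audit logs.

```python
"""Post-offboarding verification for a leaver (added example).

Given the leaver's identity in each system, the time offboarding was executed,
the current account state per system and a set of log events, report every
account that is still enabled or still has live sessions, and every successful
authentication or access attributed to the leaver after the disable time.
"""
from datetime import datetime, timezone

# Constructed: the same person as known to each system.
LEAVER = {
    "entra": "jsmith@example.org",
    "erp": "jsmith",
    "vpn": "j.smith",
    "github": "jsmith-example",
}
OFFBOARDED_AT = datetime(2025, 6, 30, 17, 0, tzinfo=timezone.utc)

# Constructed export of account state after the offboarding run. The VPN
# account was missed entirely; the GitHub account was disabled but its
# tokens were not revoked.
ACCOUNT_STATE = {
    ("entra", "jsmith@example.org"): {"enabled": False, "sessions_revoked": True},
    ("erp", "jsmith"): {"enabled": False, "sessions_revoked": True},
    ("vpn", "j.smith"): {"enabled": True, "sessions_revoked": False},
    ("github", "jsmith-example"): {"enabled": False, "sessions_revoked": False},
}

# Constructed log lines: "<iso-timestamp> <system> <identity> <event> <result>"
LOG_LINES = """\
2025-06-30T16:55:00Z entra jsmith@example.org sign_in success
2025-06-30T17:30:00Z entra jsmith@example.org sign_in failure
2025-07-01T08:02:00Z vpn j.smith connect success
2025-07-01T09:10:00Z github jsmith-example token_use success
2025-07-01T09:11:00Z erp alice sign_in success
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, identity, event, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "system": system,
            "identity": identity,
            "event": event,
            "result": result,
        })
    return events


def verify_offboarding(leaver: dict, state: dict, events: list[dict],
                       offboarded_at: datetime) -> list[tuple[str, str, str]]:
    """Return (finding, system, detail) triples; empty means offboarding is complete."""
    findings = []
    for system, identity in leaver.items():
        st = state.get((system, identity))
        if st is None:
            # No export for this identity: cannot prove it was disabled.
            findings.append(("NO_STATE", system, identity))
            continue
        if st["enabled"]:
            findings.append(("STILL_ENABLED", system, identity))
        if not st["sessions_revoked"]:
            findings.append(("SESSIONS_NOT_REVOKED", system, identity))

    leaver_ids = set(leaver.items())
    for ev in events:
        if ((ev["system"], ev["identity"]) in leaver_ids
                and ev["ts"] > offboarded_at
                and ev["result"] == "success"):
            findings.append(("POST_OFFBOARDING_ACCESS", ev["system"],
                             f"{ev['event']} at {ev['ts'].isoformat()}"))
    return findings


def offboarding_complete(findings: list) -> bool:
    return not findings


if __name__ == "__main__":
    result = verify_offboarding(LEAVER, ACCOUNT_STATE, parse_log(LOG_LINES), OFFBOARDED_AT)
    for finding in result:
        print(*finding)
    print("complete" if offboarding_complete(result) else "INCOMPLETE")
```

Only successful events after the disable time are reported; the failed sign-in at 17:30 is the expected result of a disabled account and would only add noise. The GitHub case is the one worth noticing: the account is disabled, yet a token is still being accepted, which is why the checklist treats revoking sessions and tokens as a separate step from disabling the account.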

Where User Access Reviews Often Fall Short

Many organisations rely on manual access reviews carried out through spreadsheets or email requests. While this may work in smaller environments, it becomes increasingly unreliable as systems and user numbers grow.

Common issues include a lack of visibility across multiple systems, inconsistent ownership of access management tasks and failure to remove temporary access. In practice, these gaps are a recurring factor in data breaches, where a dormant or orphaned account that should have been removed remains active and is eventually used.

Regular user access reviews are important not only for reducing security risks but also for maintaining an accurate understanding of who has access to what. Without this visibility, it becomes difficult to manage access effectively or respond to potential security incidents.

The Role of Automation and Ongoing Reviews

Automating parts of the user access review process can help streamline user access reviews and reduce manual workload. Automation tools can assist in collecting access data, identifying anomalies and supporting consistent execution of the review process.

At the same time, user access reviews should not be treated as a one-off activity. Periodic access reviews, supported by continuous monitoring, help organisations detect unusual access patterns and respond to potential issues more quickly.

Involving key stakeholders, including IT and security teams as well as department managers, improves the accuracy of reviews and ensures that access decisions reflect real operational needs.

Compliance and Security Requirements

User access reviews are closely linked to compliance requirements, including the UK GDPR's requirement for appropriate technical and organisational measures, and to the security standards and frameworks that expect access control to be evidenced. Organisations are expected to demonstrate that they have appropriate access control measures in place, that access rights are reviewed regularly and that decisions are documented.

Failing to conduct regular user access reviews can result in audit findings, compliance issues and increased exposure to data breaches. More importantly, it weakens the organisation’s overall security posture by allowing unnecessary access to persist.

How ICTn Supports User Access Management

ICTn supports organisations across education, healthcare and the public sector in managing user access as part of a structured cloud and security service.

This includes implementing access management policies, applying role-based access control, enforcing multi-factor authentication and supporting ongoing user access reviews across Microsoft 365 and Azure environments. By integrating these controls into day-to-day operations, ICTn helps organisations maintain visibility, reduce reliance on manual processes and ensure that access is managed consistently across systems.

The focus is on maintaining control throughout the user lifecycle, from onboarding through to offboarding, so that access remains aligned with operational requirements and security risks are reduced over time.

Summary

Joiners, movers and leavers represent key points of risk within any organisation. Without a structured user access review process, access can quickly become misaligned with job responsibilities, leading to unnecessary access, privilege creep and increased exposure to security risks.

A clear user access review checklist, supported by regular user access reviews and strong access control, helps organisations ensure that access remains appropriate and that only authorised individuals can access systems and data. This approach aligns with guidance from the NCSC and ICO and provides a practical foundation for reducing risk in modern cloud environments.

FAQ