
Case Study: How a Professional Services Firm Fixed Access Review Gaps Before Certification

Access review gaps are one of the most common issues found before ISO 27001 certification. Professional services firms often have strong client delivery teams, but access records may be scattered across Microsoft 365, SharePoint, document systems, finance tools, CRM platforms, project folders, and vendor portals.

Canadian Cyber ISO 27001 Certification Readiness

Fix Access Review Gaps Before They Become Certification Findings

Canadian Cyber helps professional services firms prepare for ISO 27001 certification with access review testing, privileged access review, leaver testing, SharePoint and Microsoft 365 permission reviews, remediation trackers, internal audit support, and SharePoint ISMS evidence workspaces.

Quick Snapshot

Case Study Area | What Improved
Business Context | Professional services firm preparing for ISO 27001 certification.
Main Challenge | Access reviews were informal, inconsistent, and not supported by complete evidence.
Biggest Risk | Former staff, over-permissioned users, privileged accounts, and client workspace access gaps.
Solution | Role-based access review process, evidence tracker, owner sign-off, remediation log, and SharePoint ISMS workspace.
Outcome | Cleaner audit evidence, reduced access risk, stronger control ownership, and improved certification readiness.

Introduction

The professional services firm was close to ISO 27001 certification.

The major pieces were already moving:

Policies drafted
Risk assessment completed
Management review scheduled
Internal audit underway
Security awareness completed
Vendor reviews improving
Incident response documents ready

Then the access review testing started.

The firm discovered several gaps. Some user access lists were outdated. Some former employees still appeared in systems. Some project folders had broad access. Some privileged accounts had not been reviewed recently. Some client workspace owners were unclear. Some access approvals were missing. Some remediation actions were not tracked.

The firm had controls in place, but the evidence was weak. That created certification risk.

This fictional case study shows how a professional services firm fixed access review gaps before ISO 27001 certification and built a stronger access governance process.

Need Help Fixing Access Review Gaps Before ISO 27001 Certification?

Canadian Cyber helps professional services firms prepare for ISO 27001 certification with access review testing, SharePoint ISMS evidence workspaces, internal audit support, corrective action tracking, risk registers, and certification readiness reviews.

Meet the Professional Services Firm

Let’s call the firm Northpoint Advisory Group.

Northpoint provided consulting, accounting, legal support, technology advisory, and project-based services to corporate clients.

The firm handled sensitive information, including:

Client contracts
Financial records
Strategy documents
Project files
Personal information
Audit evidence
Legal correspondence
Business plans
HR records
Vendor records
Confidential reports

Because clients were asking stronger security questions, Northpoint decided to pursue ISO 27001 certification. The firm wanted to prove it could protect client information through a formal information security management system.

The Starting Problem

Northpoint had access controls, but the review process was not mature enough for certification.

What the Internal Audit Found

Gap | Why It Mattered
User access reviews were not consistently scheduled | No proof that access was reviewed regularly.
Review evidence was stored in emails and spreadsheets | Hard to show a complete audit trail.
Some system owners were unclear | Accountability was weak.
Privileged access was not reviewed separately | Admin access risk was higher.
Leaver access removal evidence was incomplete | Offboarding control could not be fully proven.
Client workspace permissions were too broad | Confidential client files could be overexposed.
Remediation actions were not tracked to closure | Findings could repeat during the certification audit.

Practical rule: For ISO 27001, having access controls is not enough. You must prove access is reviewed, approved, corrected, and documented.

Why Access Reviews Matter for ISO 27001

Access reviews help confirm that users only have the access they need. For professional services firms, this is especially important because employees may move between clients, projects, departments, and systems.

Access Review Objective | Why It Matters
Confirm active users | Removes former employees and inactive accounts.
Confirm role-appropriate access | Reduces excessive permissions.
Review privileged users | Controls administrator risk.
Review client workspace access | Protects confidential client information.
Review third-party access | Controls vendor and contractor risk.
Document decisions | Creates certification evidence.
Track remediation | Shows access issues are corrected.

Step 1: Defining the Access Review Scope

The first step was to define what needed review. Northpoint avoided a vague process like “review all access.” Instead, it created a clear scope.

System Area | Why It Was Included
Microsoft 365 | Email, Teams, SharePoint, and OneDrive.
Client SharePoint Sites | Client files and project evidence.
Document Management System | Client deliverables and confidential records.
CRM | Client contacts and commercial data.
Finance System | Billing, invoices, and payment data.
HR System | Employee records.
Project Management Tool | Client project plans and deliverables.
Password Vault | Privileged credentials.
Vendor Portals | Third-party service access.

Review categories included:

Standard user access
Privileged access
Client workspace access
External guest access
Vendor access
Service accounts
Inactive accounts
Leaver samples

Practical rule: A good access review begins with a clear list of systems and access types.

Step 2: Assigning Access Review Owners

The firm assigned owners for each system. This was important because IT could not approve every business access decision alone.

Access Area | Review Owner
Microsoft 365 users | IT Manager
SharePoint client sites | Client Partner / Project Owner
Document management system | Records Manager
CRM | Sales Operations Lead
Finance system | Finance Director
HR system | HR Manager
Password vault | IT Security Lead
External guests | Workspace Owner

Practical rule: Access reviews should be owned by people who understand whether access is still needed.

Need a Clear Access Review Owner Matrix?

Canadian Cyber helps professional services firms define access review ownership across IT, finance, HR, client workspaces, vendors, privileged systems, and Microsoft 365 environments.

Step 3: Creating a Standard Access Review Template

Before the fix, each owner reviewed access differently. Some used screenshots. Some used emails. Some used spreadsheets. Some gave verbal confirmation.

The firm created one standard access review template.

Access Review Template Field | Purpose
System Name | Defines what was reviewed.
Review Period | Shows review timing.
Reviewer Name | Shows accountability.
User Name | Identifies the account.
User Role | Shows business role.
Access Level | Shows permissions.
Active / Inactive | Confirms employment status.
Access Still Required | Confirms business need.
Change Required | Remove, reduce, approve, or investigate.
Remediation Ticket | Tracks changes.
Evidence Link | Links to the export or screenshot.

Step 4: Reviewing Privileged Access Separately

Privileged access needed special attention, so the firm separated admin access from normal user access.

Privileged access reviewed included:

Microsoft 365 global admins
SharePoint admins
DMS administrators
Finance system administrators
HR system administrators
Password vault admins
Backup platform admins
Security tool admins

Privileged Access Question | Yes / No
Is the admin account still required?
Is the admin account assigned to a named person?
Is MFA enforced?
Is the role appropriate?
Is emergency access documented?
Are shared admin accounts avoided?
Are privileged actions logged?

Practical rule: Privileged access should be reviewed more carefully than standard access.

Step 5: Testing Leaver Access Removal

The firm then tested whether former employees were removed from systems promptly.

Leaver Testing Steps

  1. Select recent departed employees.
  2. Confirm termination date from HR.
  3. Confirm access removal request date.
  4. Confirm account disablement date.
  5. Check Microsoft 365 access.
  6. Check client workspace access.
  7. Check DMS access.
  8. Check project management access.
  9. Check privileged access, if applicable.
  10. Document results and exceptions.

Evidence reviewed:

HR termination notice
Offboarding checklist
IT ticket
Account disablement timestamp
Group removal evidence
DMS removal evidence
Vendor portal removal evidence

Gap found: One former contractor had been removed from Microsoft 365 but remained active in a vendor portal.

Action taken: The vendor portal account was removed, and vendor access was added to the offboarding checklist.
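To show how the leaver test above can be run against system exports rather than by hand, here is an added example (not from the case study or Canadian Cyber's own process) that reconciles HR termination dates with per-system account status and turns each discrepancy into a remediation-tracker entry, rating still-active privileged accounts as high risk. The user names, systems, dates and one-day grace period are constructed assumptions.

```python
# Added example: reconcile HR leaver records against per-system account
# exports and emit findings in the remediation-tracker layout (Finding ID,
# System, Issue, Risk Level, Required Action).
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Leaver:
    user: str
    terminated: date  # termination date confirmed by HR


@dataclass(frozen=True)
class Account:
    system: str
    user: str
    active: bool
    disabled_on: Optional[date] = None  # None when never disabled
    privileged: bool = False


# Constructed sample data for a fictional firm; not real identifiers.
LEAVERS = [
    Leaver("a.contractor", date(2024, 3, 15)),
    Leaver("j.smith", date(2024, 4, 2)),
]
ACCOUNTS = [
    Account("Microsoft 365", "a.contractor", False, date(2024, 3, 15)),
    Account("Vendor Portal", "a.contractor", True),  # missed at offboarding
    Account("Microsoft 365", "j.smith", False, date(2024, 4, 2)),
    Account("DMS", "j.smith", False, date(2024, 4, 9)),  # disabled a week late
    Account("Password Vault", "j.smith", True, privileged=True),
]


def reconcile_leavers(leavers, accounts, grace_days=1):
    """Return one finding per leaver account that is still active, or that
    was disabled more than grace_days after the HR termination date."""
    term_by_user = {lv.user: lv.terminated for lv in leavers}
    findings = []
    for acct in (a for a in accounts if a.user in term_by_user):
        lag = None if acct.disabled_on is None else (acct.disabled_on - term_by_user[acct.user]).days
        if acct.active:
            issue, action = "account still active after termination", "disable"
            risk = "high" if acct.privileged else "medium"
        elif lag is not None and lag > grace_days:
            issue, action, risk = f"disabled {lag} days after termination", "document exception", "low"
        else:
            continue  # removed on time: no finding
        findings.append({"finding_id": f"LV-{len(findings) + 1:03d}", "system": acct.system,
                         "user": acct.user, "issue": issue, "risk": risk, "required_action": action})
    return findings


if __name__ == "__main__":
    for f in reconcile_leavers(LEAVERS, ACCOUNTS):
        print(f"{f['finding_id']} {f['system']:<15} {f['user']:<13} {f['risk']:<6} {f['issue']}")
```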

Test Leaver Access Before the Certification Auditor Does

Canadian Cyber helps firms test offboarding evidence across Microsoft 365, SharePoint, DMS platforms, vendor portals, privileged tools, and client workspaces before ISO 27001 certification.

Step 6: Reviewing Client Workspace Access

Client workspace access was a major issue. Professional services firms often create project folders, Teams channels, SharePoint sites, and document libraries quickly. Over time, access can become too broad.

Client Workspace Review Question | Yes / No
Is the workspace owner identified?
Are only assigned project team members included?
Are former project members removed?
Are external guests reviewed?
Are sharing links reviewed?
Are restricted client folders separated?
Is access review sign-off documented?

Evidence reviewed:

SharePoint permission export
Teams membership list
External guest report
Sharing link report
Project team list
Client owner confirmation
Exception register

Gap found: Some project sites had large department groups added by default.

Action taken: The firm replaced broad groups with project-specific access groups.

Step 7: Reviewing External Guest Access

External guest access was another area of focus. The firm worked with clients, contractors, auditors, consultants, and vendors.

Guest Access Question | Yes / No
Is each guest linked to a business purpose?
Is each guest assigned to a workspace owner?
Are guest users reviewed periodically?
Are inactive guests removed?
Are sharing links reviewed?
Are guest exceptions approved?

Practical rule: Guest access should be temporary, justified, and reviewed.

Step 8: Creating a Remediation Tracker

The firm needed to prove that review findings were fixed, so it created a remediation tracker.

Remediation Tracker Field | Purpose
Finding ID | Unique identifier for the issue.
System | Where the issue was found.
Issue Description | What was wrong.
Risk Level | High, medium, or low.
Owner | Person responsible.
Required Action | Remove, reduce, approve, or investigate.
Evidence of Closure | Proof the action was completed.
Verification | Confirms closure was checked.

Example remediation actions included:

  • remove inactive guest users
  • remove old admin role
  • disable former contractor account
  • replace department group with project group
  • remove expired vendor account
  • document access exception
  • create missing access approval record
  • update offboarding checklist

Practical rule: An access review is incomplete until findings are remediated or risk-accepted.

Step 9: Storing Evidence in a SharePoint ISMS Workspace

Before the fix, access review evidence was scattered. The firm centralized evidence in SharePoint.

SharePoint ISMS Section | Evidence Stored
Access Review Evidence | Exports, sign-offs, and review templates.
Privileged Access Reviews | Admin access reviews.
Leaver Testing | Offboarding samples.
Client Workspace Reviews | SharePoint and Teams access evidence.
Guest Access Reviews | External user reports.
Vendor Access Reviews | Vendor portal access evidence.
Remediation Tracker | Findings and closure records.
Management Review | Access review summary and decisions.

Organize Access Review Evidence in SharePoint ISMS

Canadian Cyber’s ISMS SharePoint solution helps professional services firms organize access reviews, ISO 27001 evidence, remediation trackers, audit requests, risk registers, and management review records in one Microsoft 365 workspace.

Step 10: Preparing the Certification Evidence Pack

After remediation, the firm prepared a certification-ready evidence pack.

Evidence pack contents included:

  • access review procedure
  • access review schedule
  • system owner matrix
  • completed access review templates
  • MFA evidence
  • privileged access review
  • leaver test samples
  • client workspace review evidence
  • guest access review evidence
  • vendor access review evidence
  • remediation tracker
  • closure evidence
  • management review summary

A strong evidence pack shows both the review and the response.

Results Before Certification

Northpoint improved its access governance before certification.

Before | After
Access reviews were inconsistent | Standard template created.
Owners were unclear | Owner matrix assigned.
Privileged access was mixed with normal access | Separate admin review completed.
Leaver evidence was incomplete | Leaver testing performed.
Client workspace access was too broad | Project-specific groups created.
External guests were not consistently reviewed | Guest review process added.
Evidence was scattered | SharePoint ISMS workspace created.

Business impact:

  • reduced access risk
  • audit evidence became easier to find
  • control owners understood responsibilities
  • client workspace confidentiality improved
  • management had better visibility
  • certification readiness improved

Lessons for Professional Services Firms

1. Access Reviews Need Owners

IT can export access lists, but business owners must validate business need.

2. Privileged Access Needs Separate Testing

Admin permissions create higher risk and need a focused review.

3. Client Workspaces Are High-Risk

Broad project access can expose confidential client files.

4. Findings Need Closure Evidence

Auditors want to see corrective action, not only identification.

Access Review Readiness Checklist

Use this checklist before ISO 27001 certification.

Planning

Question | Yes / No
Are access review systems defined?
Are review owners assigned?
Is there an access review schedule?
Is there a standard review template?

User Access

Question | Yes / No
Are active users reviewed?
Are inactive users removed?
Are role changes reflected in access?
Are client workspace permissions reviewed?
Are external guests reviewed?

Privileged Access

Question | Yes / No
Are admin accounts reviewed separately?
Is MFA enforced for privileged users?
Are shared admin accounts avoided?
Are excessive admin rights removed?

Remediation

Question | Yes / No
Are findings tracked?
Are owners assigned?
Are due dates set?
Is closure evidence stored?
Are unresolved issues risk-accepted?

If several answers are “no,” access review gaps may create certification risk.

Common Mistakes to Avoid

  • Reviewing only Microsoft 365. Professional services firms often use many client and business systems.
  • Treating access review as an IT-only task. Business owners must validate whether access is appropriate.
  • Ignoring privileged access. Admin access needs special review.
  • Forgetting external guests. Guest users and shared links are common access risks.
  • No leaver testing. Offboarding evidence is a frequent audit focus.
  • No remediation evidence. Finding an issue is not enough. You must show that it was fixed or accepted.
  • Evidence stored in email. Audit evidence should be centralized.

What Good Looks Like

A strong access review program before ISO 27001 certification can show:

  • access review procedure
  • system scope
  • review schedule
  • owner matrix
  • completed access reviews
  • MFA evidence
  • privileged access review
  • client workspace access review
  • guest user review
  • vendor access review
  • leaver testing
  • remediation tracker
  • closure evidence
  • exception register
  • management review summary
  • SharePoint ISMS evidence workspace

This gives auditors confidence. It also helps protect client confidentiality.

Canadian Cyber’s Take

At Canadian Cyber, we often see professional services firms find access review gaps late in ISO 27001 readiness. The firm may have strong security tools, but access governance is often less mature than expected.

The fix is not complicated, but it must be structured:

  • define scope
  • assign owners
  • use a standard template
  • review privileged access separately
  • test leavers
  • review client workspaces
  • track remediation
  • store evidence centrally

Access reviews are not just an audit requirement. They protect client trust.

Takeaway

Professional services firms should test and fix access review gaps before ISO 27001 certification.

Focus on:

  • system scope
  • review ownership
  • privileged access
  • client workspaces
  • external guests
  • leaver testing
  • vendor access
  • remediation tracking
  • evidence storage
  • management review

When access reviews are clear, documented, and complete, certification readiness becomes much stronger.

How Canadian Cyber Can Help

Canadian Cyber helps professional services firms prepare for ISO 27001 certification and fix access review gaps before audit.

  • ISO 27001 readiness assessments
  • access review gap analysis
  • privileged access review testing
  • client workspace permission reviews
  • SharePoint and Microsoft 365 access reviews
  • leaver testing
  • vendor access review
  • remediation tracker setup
  • risk register updates
  • internal audit support
  • management review preparation
  • SharePoint ISMS evidence workspace setup
  • certification readiness support

Stay Connected With Canadian Cyber

Follow Canadian Cyber for practical guidance on ISO 27001, access reviews, professional services cybersecurity, internal audits, client confidentiality, SharePoint ISMS, SOC 2, ISO 42001, and vCISO support.