Standard: Access design is reviewed whenever system boundaries change
Purpose and Strategic Importance
This standard ensures access control is reviewed whenever system boundaries change, maintaining secure-by-design principles as systems evolve. It helps teams proactively manage risk and uphold least-privilege access.
Aligned to our "Zero Trust Architecture" policy, this standard reduces the likelihood of unauthorised access and strengthens system resilience. Without it, access models drift, vulnerabilities grow, and trust is compromised.
Strategic Impact
- Improved consistency and quality across teams
- Reduced operational friction and delivery risks
- Stronger ownership and autonomy in technical decision-making
- More inclusive and sustainable engineering culture
Risks of Not Having This Standard
- Slower time-to-value and increased rework
- Accumulation of inconsistency and process debt
- Reduced trust in engineering data, systems, or ownership
- Loss of agility in the face of change or failure
CMMI Maturity Model
Level 1 – Initial
| Category | Description |
| --- | --- |
| People & Culture | Awareness of access risks is low. Reviews are reactive or absent. |
| Process & Governance | No defined process for reviewing access during changes. |
| Technology & Tools | Permissions evolve organically without structure or oversight. |
| Measurement & Metrics | No tracking of access scope, risk, or review frequency. |
Level 2 – Managed
| Category | Description |
| --- | --- |
| People & Culture | Some teams initiate access reviews during major changes. Behaviour is experience-driven. |
| Process & Governance | Change advisory processes sometimes include access checks. |
| Technology & Tools | Basic checklists or manual reviews are used. |
| Measurement & Metrics | Partial tracking of review activities or incidents. |
Level 3 – Defined
| Category | Description |
| --- | --- |
| People & Culture | Teams understand and apply least-privilege principles. |
| Process & Governance | Access reviews are built into boundary change workflows. |
| Technology & Tools | Tools or templates support structured access management. |
| Measurement & Metrics | Completion of access reviews is monitored and reported. |
Level 4 – Quantitatively Managed
| Category | Description |
| --- | --- |
| People & Culture | Teams proactively flag and resolve access issues. |
| Process & Governance | Access reviews are auditable and enforced by policy. |
| Technology & Tools | Dashboards show permission drift, unused roles, or violations. |
| Measurement & Metrics | Trends in access scope, change frequency, and issue resolution are reported. |
Level 5 – Optimising
| Category | Description |
| --- | --- |
| People & Culture | Access awareness is embedded in system ownership and architecture decisions. |
| Process & Governance | Continuous improvement cycles reduce friction and strengthen compliance. |
| Technology & Tools | Automated tooling enforces and remediates access misconfigurations. |
| Measurement & Metrics | Access quality is benchmarked, with continuous feedback driving Zero Trust maturity. |
Key Measures
- % of system changes accompanied by access review
- % of permissions reviewed or adjusted during boundary changes
- Reduction in over-permissioning or access violations
- Time to detect and remediate access drift