Frameworks & standards
Access reviews are the floor.
Whocan evidences what they can't see.
Every major framework expects you to review who has access. Whocan answers that — then keeps going: privilege-escalation paths, cross-account trust, data-perimeter breaches, and separation-of-duties conflicts the periodic review never surfaces.
What each framework expects — and where Whocan goes further
The access-review requirement is the common floor. The right-hand column is what Whocan adds on top of it.
| Framework / standard | What the text requires on access review | Typical cadence | How Whocan goes further |
|---|---|---|---|
| ISO/IEC 27001:2022 & 27002:2022 | Annex A 5.18 (access rights) and 27002 8.2 (privileged access rights): provision and regularly review access; review privileged rights more often. | Quarterly to annual; privileged more frequent | Access-review inventory + privileged-role escalation paths |
| SOC 2 (Trust Services Criteria) | CC6.2/CC6.3: access is authorized, modified or removed as roles change, and periodically reviewed for appropriateness. | At least annual; quarterly for key systems | Who-can inventory + change ledger as audit evidence |
| NIST SP 800-53 Rev. 5 | AC-2(j): review accounts at an organization-defined frequency. AC-2(7): manage and monitor privileged roles. | Org-defined; quarterly common | Account & entitlement review + privileged-role monitoring |
| NIST CSF 2.0 | PR.AA-05: permissions, entitlements, and authorizations are defined, enforced, and reviewed — including least privilege and separation of duties. | Org-defined; routine evidence expected | Least-privilege & SoD analysis across the full chain |
| CIS Controls v8 | Control 6.8: define, maintain, and review role-based access to validate privileges, at minimum annually. | Annual minimum; more for high risk | Recurring access reviews saved as monitors |
| GDPR | Articles 5 and 32: data minimization and appropriate security. Periodic access review is a recognized means to meet them. | Risk-based; document the rationale | Who can reach personal-data stores, end to end |
| HIPAA Security Rule | 164.308(a)(4): authorize access by role; 164.308(a)(8): periodically evaluate it. | Org-defined; at least annual commonly seen | Access-to-ePHI inventory + periodic evidence |
| NIS2 | Article 21(2)(i): access-control policies; 21(2)(j): multi-factor authentication. Frequency is risk-based per national guidance. | Risk-based, aligned to sectoral guidance | Access-control inventory + MFA-condition gaps |
| DORA (EU) 2022/2554 | Article 9(4)(c): limit access to ICT assets to what legitimate functions require. Article 28: manage ICT third-party risk across the arrangement lifecycle, with a register of information. | Risk-based; in application since Jan 2025 | Article-mapped evidence — critical-data access, third-party reach, SoD, backup tampering |
| PCI DSS v4.0 | 7.2.4: review all user accounts and access every 6 months. 7.2.5.1: review system/service accounts at a risk-defined frequency. | 6 months (users); risk-based (system) | User & service-account review, scoped to the CDE |
Beyond the access review
What the periodic review can't see
A quarterly export tells you who has access today. It can't tell you who can get access — across accounts, through a chain nobody designed. That's the gap Whocan closes, and it closes it continuously.
Privilege-escalation chains
Multi-hop paths — user to role to role to admin — that no single-policy review reveals.
Cross-account & third-party trust
Every role assumable from another account or a vendor, with the trust statement that allows it.
Data-perimeter validation
Identity, resource, and network at once — only trusted identities, from expected networks, reach sensitive data.
Separation of duties & least privilege
Toxic-combination and over-privilege detection expressed as your own rules, not a fixed vendor list.
Continuous evidence
Saved queries re-run on every refresh; a snapshot diff becomes an auditor-grade change ledger — point-in-time or continuous.
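To make the "multi-hop path" and "cross-account trust" points concrete, here is an added example (not Whocan's code) that walks a constructed snapshot of role trust policies, enumerates every AssumeRole chain from a principal to an admin role, and flags hops that cross an account boundary. The ARNs, account IDs and the `TRUST` map are invented sample data for illustration.

```python
from collections import deque

# Constructed sample snapshot (not real account data): role ARN -> principals its
# trust policy lets assume it. Account 111111111111 is "ours", 222222222222 a vendor.
TRUST = {
    "arn:aws:iam::111111111111:role/Deployer": ["arn:aws:iam::111111111111:user/alice"],
    "arn:aws:iam::111111111111:role/Ops": ["arn:aws:iam::111111111111:role/Deployer"],
    "arn:aws:iam::111111111111:role/Admin": ["arn:aws:iam::111111111111:role/Ops",
                                              "arn:aws:iam::222222222222:role/VendorSupport"],
    "arn:aws:iam::222222222222:role/VendorSupport": ["arn:aws:iam::222222222222:user/vendor-bob"],
}
ADMIN_ROLES = {"arn:aws:iam::111111111111:role/Admin"}

def account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]

def assumable_from(trust):
    """Invert role->principals into principal->roles it can assume in one hop."""
    edges = {}
    for role, principals in trust.items():
        for p in principals:
            edges.setdefault(p, set()).add(role)
    return edges

def escalation_paths(start, trust, targets):
    """Every simple AssumeRole chain from `start` that ends on a target role."""
    edges, paths, queue = assumable_from(trust), [], deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt in path:          # skip cycles; only simple paths are reported
                continue
            if nxt in targets:       # stop at the target: privilege already reached
                paths.append(path + [nxt])
            else:
                queue.append(path + [nxt])
    return paths

def describe(path):
    """Render hops, flagging any that cross an account boundary (third-party trust)."""
    return [f"{a} -> {b}" + (" [CROSS-ACCOUNT]" if account_of(a) != account_of(b) else "")
            for a, b in zip(path, path[1:])]

if __name__ == "__main__":
    for who in ("arn:aws:iam::111111111111:user/alice", "arn:aws:iam::222222222222:user/vendor-bob"):
        for path in escalation_paths(who, TRUST, ADMIN_ROLES):
            print(f"{len(path) - 1}-hop path to admin:", *describe(path), sep="\n  ")
```

A single-policy review of `Admin` shows only `Ops` and `VendorSupport` as trusted; the chain from `alice` and the vendor user's reach only appear once the trust edges are joined into a graph.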
Scope of this mapping
Whocan provides analysis and evidence to support your compliance program. It is not a certification, attestation, or legal advice, and using it does not by itself make an organization compliant. Control selection, review cadence, and scope remain yours to define with your auditor or assessor. Framework and standard names are the property of their respective owners; references here are for interoperability and do not imply endorsement.
Know your real posture.
Not what your policies say on paper.
15 minutes to deploy. No agents. Read-only access. See your real IAM posture immediately.