Recertification
What is Recertification?
Recertification is part of the HelloID governance functionality. Recertification helps you maintain control over self-service products. About 80% of all accounts and authorizations are provisioned automatically. The remaining 20% can be requested by users or their managers through a self-service portal. The risk is that once these licenses and access rights are granted, they are never reviewed or revoked. Someone may no longer need a license, better alternatives may be available, or certain software may no longer fit your corporate policy. With recertification, you can schedule regular reviews of such granted rights. The outcome may be that someone can keep the license; an alternative may be offered; or the software may no longer be used. To keep the workload manageable, our recertification functionality provides tools to review and confirm licenses and application rights in bulk wherever possible.
Why Recertification?
With an IAM platform like HelloID, you manage users in your IT environment, the accounts assigned to them, and related products. Examples include application permissions and licenses, access to project folders, and mailboxes. In organizations with hundreds or thousands of employees and sometimes hundreds of applications, a simple Excel list is insufficient; management must be well organized and highly automated. In HelloID, we address this in two complementary ways:
The bulk of accounts and rights are provisioned automatically based on a person’s role in the organization. With RBAC (Role-Based Access Control), users receive the access they need to perform their assigned roles. For example, a sales employee automatically gets access to the CRM system, while a finance administrator must be able to use the financial applications.
Because not all rights are linked to specific roles, and people sometimes need additional access rights, for example, for a temporary project, HelloID also provides Service Automation. This supports requests and the associated workflows for such individual additional access rights.
Even these two mechanisms are not sufficient on their own, because your IT environment changes continuously. People change roles, move to another department, new employees start, and others leave. An application that was granted earlier may also have become obsolete. In short, you want your accounts and access rights to adapt to changing circumstances.
We mentioned two methods for managing accounts and access rights: provisioning and service automation. The rights managed through the Provisioning module are automatically kept up to date. If someone changes roles, their access rights are adjusted automatically. If an alternative is chosen for the CRM system, that change is applied automatically as well.
Individual products managed through Service Automation are more complex. Products are often granted on an ad hoc basis and often for an unlimited period. These granted products are not managed automatically and effectively fall out of sight. That is why recertification functionality is available to review these rights regularly.
How Does Recertification Work?
To explain how recertification works, we first examine how an individual request is organized in Service Automation. For example, an employee requests access to a project mailbox through a self-service portal. The user must be added to a specific Active Directory or Entra ID group. Within Service Automation, we streamline this request with a workflow that requires approval from both the employee’s manager and the mailbox owner. Once both have approved online, HelloID processes the request and automatically sends an update to AD or Entra ID to apply the relevant settings.
These access rights are often granted for an indefinite period. If no one takes action, the employee retains access as long as the mailbox exists, and the right is terminated only when the person leaves the organization. With recertification, we can introduce a regular check to determine whether someone should still have access to this mailbox. Essentially, this repeats the original request process. Both the manager and the mailbox owner receive a new online request that they can approve or reject. Based on that decision, the employee keeps access, or the right is revoked.
This is the core principle of recertification; there are additional options. We explain these below.
How Do We Approach Recertification in HelloID?
Planned recertification execution is organized through campaigns. For each campaign, you can select a defined set of users or self-service products for recertification. HelloID provides multiple types of recertification campaigns:
System Campaigns check, within a defined scope, for products used improperly based on the current product configuration and policy rules. For example, employees may hold multiple versions of the same product unnecessarily. Or people may have moved to a different department or changed roles and are no longer members of the required AD or Entra ID group. It may also be the case that a user has been granted multiple products that have since been determined to conflict.
Custom Campaigns can be assembled using one or more filters. You can select specific user groups by department or role. You can also select specific self-service products or all products with a particular risk classification or price level.
For example, a security officer can create a campaign targeting users with access to high-risk products. After creating the campaign, you can have HelloID execute it. This is called an iteration, and in the campaign insights, you find an overview of all users who hold such high-risk applications. Based on this, the security officer can assess whether all licenses remain necessary and which should be revoked. Similarly, a department manager can gain insight into license costs, an HR manager can determine who has access to sensitive HR data, and an IT manager can focus on users of expensive licenses.
We can use different perspectives to determine whether our products are being used unnecessarily or even undesirably. At the same time, there is a risk that certain user groups or products may be overlooked. Therefore, there is a separate system campaign that includes all remaining users and products not covered in other recertification campaigns.
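The campaign logic described above can be modelled in a few lines. The following is an added illustration, not HelloID's own code or API: it applies the three system-campaign checks (duplicate versions of one product, a grant whose required AD/Entra ID group the user no longer holds, and products that conflict) to a constructed set of grants, and then replays the re-approval step from the mailbox example, where any rejection revokes the right and the grant is kept only when every original approver approves again. All names, groups and products are made up.

```python
from collections import defaultdict, namedtuple

# A granted self-service product: who holds it, which product family it belongs to,
# the AD/Entra ID group it presumes ("" if none) and who must re-approve it.
Grant = namedtuple("Grant", "user product family required_group approvers")
# Constructed sample data, not taken from any real tenant.
GRANTS = [
    Grant("alice", "Visio 2019", "Visio", "", ("mgr-sales",)),
    Grant("alice", "Visio 2021", "Visio", "", ("mgr-sales",)),
    Grant("carol", "Project X mailbox", "Mailbox", "grp-project-x", ("mgr-hr", "owner-x")),
    Grant("frank", "Payments app", "Payments", "grp-finance", ("mgr-fin",)),
    Grant("frank", "Audit tool", "Audit", "grp-finance", ("mgr-fin",)),
]
MEMBERSHIPS = {"carol": {"grp-hr"}, "frank": {"grp-finance"}}  # carol moved departments
CONFLICTS = {frozenset({"Payments app", "Audit tool"})}        # may not be held together

def system_campaign(grants=GRANTS, memberships=MEMBERSHIPS, conflicts=CONFLICTS):
    """Return {(user, product): [reasons]} for grants that look improper."""
    findings, by_user = defaultdict(list), defaultdict(list)
    for g in grants:
        by_user[g.user].append(g)
    for user, gs in by_user.items():
        families = defaultdict(list)
        for g in gs:
            families[g.family].append(g.product)
            if g.required_group and g.required_group not in memberships.get(user, set()):
                findings[(user, g.product)].append("missing required group")
        for prods in families.values():          # several versions of one product
            if len(prods) > 1:
                for p in prods:
                    findings[(user, p)].append("duplicate version")
        held = {g.product for g in gs}
        for pair in conflicts:                   # products that must not be combined
            if pair <= held:
                for p in pair:
                    findings[(user, p)].append("conflicting product")
    return dict(findings)

def apply_decisions(grants, decisions):
    """decisions maps (user, product) -> {approver: True/False}; returns (kept, revoked, pending)."""
    kept, revoked, pending = [], [], []
    for g in grants:
        votes = decisions.get((g.user, g.product), {})
        if any(v is False for v in votes.values()):          # one rejection is enough
            revoked.append(g)
        elif all(votes.get(a) is True for a in g.approvers):  # every approver re-approved
            kept.append(g)
        else:
            pending.append(g)                                 # still awaiting a decision
    return kept, revoked, pending
```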
Purpose of Recertification
Our recertification functionality supports several objectives:
Stay in Control: Issuing individual products carries the risk of once-granted, always-granted. Someone receives a license or access right, often for an indefinite period. With recertification, you can regularly verify whether granted products remain necessary and comply with current guidelines. This gives us better control over the IT assets used across the organization.
Reduce Administrative Overhead: Recertification itself introduces additional tasks. Individual rights must be reviewed regularly by managers and product owners, who must determine whether a user still needs a given product. To reduce this administrative burden, our recertification functionality includes tools to review in bulk wherever possible, along with helpful notifications for stakeholders to keep the process simple.
Maintain Compliance: Finally, this improves compliance. Laws and regulations, privacy guidelines, and information security standards require that we know which products are used to process our data. We must also regularly verify that these products still comply with those frameworks and standards. If software is no longer compliant, we must quickly identify its use and discontinue it.
Our goal with recertification tools is to achieve full control over all software and access rights. At any moment, we want to be confident that every user has exactly the software and rights required for their work, no more and no less. For about 80% of all granted rights, we ensure this through automated provisioning and business rules. For the remaining 20% of individually issued products, we can now ensure this with our recertification tools.
Want to Learn More About Our IAM Recertification?
Using recertification functionality, we can further professionalize account and access management and prevent unwanted issuance of licenses and access rights. It is an important part of your HelloID governance functionality. Do you want to learn more about governance in general, or specifically about using recertification to enhance your Service Automation module? View our webinar or our governance page.