What is Access Control?

Access Control is the set of policies and technical mechanisms that determine who can access which systems, data, and resources, and what they are permitted to do with them. It enforces authentication (verifying identity) and authorization (granting appropriate permissions), and is a foundational control in ISO 27001, SOC 2, HIPAA, and NIST CSF.

Access control matters because most data breaches involve someone — an attacker or an insider — reaching information they should not have. Limiting and monitoring access is one of the highest-impact ways to reduce that risk, which is why every major framework requires it and auditors scrutinize it closely.

For example, a healthcare practice grants clinical staff access to patient records but blocks billing staff from clinical notes, requires MFA for remote logins, and reviews access quarterly to remove leavers — a layered access-control program rather than a single switch.

The administrative half of access control is documentation: an access-control policy, a joiner/mover/leaver procedure, and access-review records. A template gives you that policy set and the review logs auditors ask for, so your effort goes into configuring systems and running the reviews. The documents speed audit-readiness; provisioning, reviewing, and revoking access correctly is what protects the data.

Related terms: Principle of Least Privilege · Multi-Factor Authentication (MFA) · Security Control · Data Classification

Frequently asked questions

What is the difference between authentication and authorization?
Authentication verifies who a user is (for example, a password plus an MFA code). Authorization determines what an authenticated user is allowed to do (which files or systems they may access). Both are core parts of access control.

How does access control relate to least privilege?
Least privilege is a principle that guides access control: it says each user should receive only the minimum access needed for their role. Access control is the broader set of mechanisms that enforce that principle and other access rules.
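The healthcare scenario above and the authentication/authorization split in the FAQ, as an added Python example that is not code from this page or from ComplianceDocs: the roles, users, passwords, MFA codes and the leaver list are constructed for the illustration, and the fixed MFA code stands in for a real one-time code.

```python
import hashlib
import hmac

# Constructed least-privilege matrix: role -> allowed (resource, action) pairs.
# Billing staff can see the patient record but not clinical notes.
ROLE_PERMISSIONS = {
    "clinician": {("patient_record", "read"), ("clinical_note", "read"),
                  ("clinical_note", "write")},
    "billing": {("patient_record", "read"), ("invoice", "read"),
                ("invoice", "write")},
}


def _hash(password: str, salt: str) -> str:
    """Salted PBKDF2 so plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


# Constructed user store: password hash, MFA code, role, employment status.
USERS = {
    "dr.lee": {"salt": "s1", "pw": _hash("correct horse", "s1"), "mfa": "123456",
               "role": "clinician", "active": True},
    "b.jones": {"salt": "s2", "pw": _hash("battery staple", "s2"), "mfa": "654321",
                "role": "billing", "active": True},
}


def authenticate(username, password, mfa_code, remote=False):
    """Authentication: prove identity. Remote logins also require the MFA code."""
    user = USERS.get(username)
    if user is None or not user["active"]:
        return None  # unknown or deprovisioned account: no session
    if not hmac.compare_digest(_hash(password, user["salt"]), user["pw"]):
        return None
    if remote and not hmac.compare_digest(mfa_code or "", user["mfa"]):
        return None
    return {"user": username, "role": user["role"]}


def authorize(session, resource_type, action):
    """Authorization: what the authenticated identity may do; deny by default."""
    if session is None:
        return False
    return (resource_type, action) in ROLE_PERMISSIONS.get(session["role"], set())


def quarterly_review(leavers):
    """Leaver step of the access review: deactivate accounts of departed staff."""
    removed = []
    for name in leavers:
        if name in USERS and USERS[name]["active"]:
            USERS[name]["active"] = False
            removed.append(name)
    return removed
```

After `quarterly_review` runs, a leaver's correct password no longer yields a session, which is the control an auditor is checking when they ask for review records.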

Toolkits that cover Access Control

ISO/IEC 27001:2022

ISO 27001 Complete Toolkit

All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.

$99, 30% off with code

SOC 2 Trust Services Criteria

SOC 2 Complete Toolkit

22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.

$99, 30% off with code

NIST CSF 2.0

NIST CSF 2.0 Complete Toolkit

15 editable policies and plans covering all six CSF 2.0 functions, plus a Profile & Assessment workbook with every one of the 106 subcategories, a risk register, and an audit evidence checklist.

$79, 30% off with code

Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.