← Back to Access Control Policy Template
Free preview: Access Control Policy
These are the genuine opening sections of one document from the Access Control Policy Template (1 documents total). The amber [placeholders] are what you customize — everything else is ready to use.
Access Control Policy
Purpose. This policy defines how [Company Name] grants, manages, reviews, and revokes access to information systems and data so that only authorized people have the access they need, for only as long as they need it. It establishes the account lifecycle for joiners, movers, and leavers, authentication standards including multi-factor authentication, rules for privileged access, and a recurring access review process that produces evidence an external auditor can verify.
Policy Statement and Principles
Access to [Company Name] systems and data must be controlled according to the following principles. These principles apply to every access decision and take precedence over convenience or speed of provisioning.
- Deny by default: no access exists until it is explicitly requested, approved, and provisioned.
- Least privilege: each account receives the minimum permissions required for the holder's current job duties, as informed by the Risk Assessment and Treatment Procedure.
- Need to know: access to information classified as Confidential or Restricted under the Asset Management and Information Classification Policy requires a documented business need.
- Individual accountability: every account must be attributable to a single named person or a documented service purpose; credential sharing is prohibited.
- Segregation of duties: where practical, the person who requests access must not be the same person who approves it, and approvers must not approve their own access.
- Auditability: all grants, changes, and revocations must be recorded in [System name, e.g. IT ticketing system] and retained for at least [3] years.
Roles and Responsibilities
Broader security duties are defined in Information Security Roles and Responsibilities. The access-specific duties are summarized below.
Account Lifecycle Management
Every account follows a defined lifecycle: request, approval, provisioning, periodic review, modification on role change, and revocation on departure. The [Role, e.g. IT Administrator] must maintain a current inventory of all systems holding company data and the accounts on each, reconciled against the asset inventory in the Asset Management and Information Classification Policy at least quarterly. The joiner, mover, and leaver workflows below are mandatory and must be evidenced by tickets or checklists in [System name].
Joiners: Granting Access
— Preview ends. The full document continues with 0 more documents in the toolkit. —
More free previews
See real opening sections from our other compliance toolkits before you buy:
- AI Governance Policy Pack — free preview
- ISO 27001 + SOC 2 Dual Toolkit — free preview
- GDPR Compliance Pack for Small Business — free preview
- HIPAA Compliance Toolkit — Dental Practices — free preview
- HIPAA Compliance Toolkit — Medical Practices — free preview
- HIPAA Compliance Toolkit — Mental Health Practices — free preview
- ISO 27001 Policy Pack — Core — free preview
- ISO 27001 Toolkit for E-commerce — free preview
- ISO 27001 Complete Toolkit — free preview
- ISO 27001 Toolkit for Law Firms — free preview
- ISO 27001 Toolkit for MSPs — free preview
- ISO 27001 Toolkit for SaaS Companies — free preview
- ISO 42001 AI Management System Toolkit — free preview
- NIST CSF 2.0 Complete Toolkit — free preview
- SOC 2 Policy Pack — Core — free preview
- SOC 2 Complete Toolkit — free preview
- Startup Trust Pack — SOC 2 Core + AI Governance — free preview
- WISP Toolkit for Tax Professionals — free preview
- AI Acceptable Use Policy Template — free preview
- Acceptable Use Policy Template — free preview
- GDPR Privacy Notice Template — free preview
- HIPAA Privacy Policy Template — free preview
- Incident Response Plan Template — free preview
- Information Security Policy Template — free preview
