Access · Policy template

Access Control Policy

Access control is among the most heavily tested areas in any audit. This template covers provisioning, least privilege, periodic access review and de-provisioning.


[Organisation] · Access Control Policy
Version 1.0 · Owner: [Role] · Approved: [Date] · Classification: Internal

Purpose

To ensure access to [Organisation] systems and data is granted only to authorised individuals, limited to what their role requires, and removed promptly when no longer needed.

Scope

Applies to all user, administrator, service and third-party accounts across all systems and applications.

Policy statements

  • Access is granted on the basis of defined roles (RBAC) and the principle of least privilege: each role carries only the rights its duties require.
  • Every user has a unique, individually attributable account; shared accounts are prohibited except where explicitly approved, and any approved shared account is monitored.
  • Multi-factor authentication is required for all remote access and for all privileged accounts.
  • Access rights are reviewed at least quarterly and re-certified by the resource owner; rights that are no longer required are removed as a result of the review.
  • Access is revoked within [X hours] of an employee's exit. On role change, rights that the new role does not require are removed within the same period, so that privileges do not accumulate.
  • All use of privileged access is logged, and the logs are monitored for misuse.

Roles & responsibilities

  • System owners: approve and periodically certify access to their systems.
  • IT/IAM: provision, modify and revoke access per approved requests.
  • Managers: initiate access changes for their team members.

Review

Reviewed annually and after any material change to systems or organisational structure.

Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.

Want this tailored and audit-ready?

Our CERT-In empanelled auditors can build your full policy set and align it to PCI DSS, ISO 27001, SOC 2 or DPDP.
