ISO27001 Access Control Policy Ultimate Guide

In this article we lay bare the ISO27001 Access Control Policy. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is the ISO27001 Access Control Policy

What is the Access Control Policy?

The access control policy ensures the correct access to the correct information and resources by the correct people. The objective is to limit access to information and systems based on need rather than have a Wild West free for all. The policy sets out what you do for Access Control.

ISO27001 Access Control Policy-Black

Access Control Policy Template

The access control policy template is a simple yet effective policy that covers access to information and systems including the management and lifecycle.

What should the Access Control Policy cover?

The access control policy is all about access to systems and data. When looking at access we are looking at the different types of access. We differentiate between normal users and administrators. First things first we want to ensure that we have confidentiality agreements in place and being required to access systems. This may form part of employment contracts. It makes sense to grant access to systems based on roles where the role defines the level of access that is allowed. We want to ensure that we can track actions back to individuals so the concept of one user and one ID is introduced. If we have shared accounts it can be nearly impossible to track back who exactly did what. This can become critical if incidents occur and we need to conduct investigations. Users of systems are responsible for their actions.

System access is not a one time deal. We will have a start, leaver, mover process that covers the provision of access, the changes to access as roles change and the removal of access when someone leaves. To ensure that all is working as planned we are going to conduct regular access reviews. An access review is as simple as seeing who has access to systems, what level of access they have and confirming that they still need it. If they don’t, or they have changed role, or they have left and the normal processes hasn’t caught it then we handle it at that point.

Our most powerful users are administrators. They hold the keys to the kingdom. There are special considerations when it comes these administrative accounts. How they are allocated, when they are allocated, how they are used, how they are monitored is addressed.

We all use passwords and the rules for passwords are set. How passwords are created, how complex do they need to be, how often if at all are they changed, how are they communicated to users. Passwords are the keys to the doors of our systems and data so we are clear on their management and use.

Often times we rely on third parties or suppliers to help support and run our systems. We want to grant them the access that they need, when they need it to help us. We set out the policy and rules for their access. We also address remote access of all users.

You can write the policy yourself or you can download this trusted Access Control Policy Template to fast track. Packed with what good looks like it should save many hours of research and writing. Doing the research, knowing where to look, working out what to include will take you in excess of 4 hours as a good estimate. Why not fast track?

The policy is part of a suite of required ISO 27001 policies and forms part of the ISO 27001 Templates toolkit.

How to write an Access Control Policy

If you are writing your own access control policy be sure to include the following to content:

  • Document Version Control
  • Document Contents Page
  • Purpose
  • Scope
  • People
  • Systems
  • Physical Access
  • Access Control Policy
  • Principle
  • Confidentiality Agreements
  • Role Based Access
  • Unique Identifier
  • Access Authentication
  • Access Rights Review
  • Privilege Accounts / Administrator Accounts
  • Passwords
  • User Account Provisioning
  • Leavers
  • Authentication
  • Remote Access 1
  • Third Party Remote Access
  • Monitoring and Reporting
  • Policy Compliance
  • Compliance Measurement
  • Exceptions
  • Non-Compliance
  • Continual Improvement
ISO 27001 Templates Toolkit Business Edition Black
ISO27001 Policy Templates Pack Green
Free ISO27001 Strategy Call
Shopping Cart