
ISO 27001 Access Control Policy Beginner’s Guide

Last updated Aug 18, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

Introduction

In this article I will show you what the access control policy is, how to write it and give you a template you can download and use right away.

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit and this is everything you need to know about the ISO27001:2022 Access Control Policy.

ISO 27001 Access Control Policy

The ISO 27001 access control policy outlines how to manage and control access to organisational resources including data and systems. The policy covers the entire user access lifecycle and it ensures the correct access to the correct information and resources by the correct people. The objective is to limit access to information and systems based on need, the principle of least privilege and need to know.

In ISO 27001 this is a requirement of ISO 27001:2022 Annex A 5.15 Access Control, which is one of the 93 ISO 27001 Annex A controls.

Key Takeaways

  • Access control is the most important control you will implement to protect the confidentiality of information
  • Access control is based on legal, regulatory and contractual requirements as well as the information classification policy
  • Access control is a combination of technical controls and user education

Access Control Principles

Access control is based on 4 simple principles:

1. Need to Know

Users are only provided access to the information and systems they require to perform their tasks and role.

2. Least Privilege

The level of access provided to users is the minimum they need to be able to perform their tasks and role. This minimises the potential impact of a compromised account.

3. Segregation of Duty

Processes and functions should be separated to prevent any one person from having unchecked access and control. Segregation of duties involves dividing critical tasks among different individuals to prevent a single person from having too much control or the ability to compromise a process without detection. For example, the person who approves payments should not be the one who executes them.

4. Role Based Access (RBAC)

RBAC is a method of restricting system access based on the roles of individual users within an organisation. It’s important because it simplifies access management, improves security, and helps enforce the principle of least privilege.

Access Control Methods

There are 3 primary methods to control access. They are:

1. Authentication

Allowing access based on something a person is, something a person knows or something a person has. A combination of these is called multi-factor authentication (MFA). Examples include biometrics, passwords and security tokens.

2. Authorisation

The process of granting access based on a person's identity and role by the system or information owner.

3. Physical Access Control

The physical security controls, measures and barriers that restrict or prevent access to locations and systems. Examples include locks, gates, fences, walls.

Access Control Considerations

When defining the policy and processes of access control the following considerations should be taken into account:

Business Requirements

Ensure that access control is in line with the requirements of the organisation and the information security objectives.

Compliance

Ensure that access control fully meets the requirements of the law, regulation and customer contractual requirements.

Information Classification

Access control should be implemented based on the Information Classification Policy.

Remote Access

The policy should define secure methods for remote access, including the use of Virtual Private Networks (VPNs), strong authentication, and secure remote desktop protocols as well as specifying approved devices.

Cloud and Third Party Services

The policy should extend to cover access controls for third-party services, cloud platforms, and outsourced systems, ensuring that contractual agreements reflect the organisation’s security requirements.

Access Management Lifecycle

The lifecycle of user access is:

1. Requesting Access

Someone requires access to systems or data and requests that access either for themselves or a member of their team.

2. Approving Access Requests

Access requests cannot be approved by the person requesting the access. This is known as segregation of duty. The person responsible for approving the access request is usually the system or data owner.

3. Implementing Access

Once approved, the access will be granted and technically implemented. This is usually the responsibility of a trained IT professional. Great care should be taken if using the technique of copying or cloning access rights from an existing user. This can introduce unintended consequences and result in unexpected unauthorised access. A better method is role based access: the access rights are defined by role, and the role is applied to the individual requiring access.

4. Managing Changes to Access

As a person changes role over time their access will be revisited and revised. To do this the process starts again at step 1 – requesting access.

5. Review Access

Access is reviewed on a regular basis. The main requirement is to conduct and evidence access reviews. Access reviews are usually performed by the system or data owner to ensure that the people with access are still required and relevant. Common practice is to conduct this on a monthly basis. It is a great way to catch when a person has left and their access has not been removed or to catch when a person has changed role and their access needs to be modified.

6. Access is Logged

Logging and monitoring access attempts (both successful and failed) are vital for detecting unauthorised activity, investigating security incidents, and providing an audit trail. Logs should be kept and reviewed at least monthly with incidents passed to the incident management team and managed via the incident management process.

7. Revoking Access

Revoking access can take place during a change in role or when a person leaves the organisation. It is best practice to revoke that access at the earliest opportunity. For the audit trail, the process of requesting that the access be revoked, the request being approved and then actioned is followed.
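The review and revocation steps above are where leavers and movers that the normal process missed get caught. The following is an added example, not code from the article or the toolkit template, of what a periodic access review looks like when automated: it takes an HR roster, a role-based access list and a snapshot of accounts (all constructed here, with made-up names, roles and dates) and produces findings for the system or data owner, plus the list of accounts that should go through the revoke request, approval and action steps.

```python
"""
Periodic access review for the starter/mover/leaver lifecycle above.
Added example, not from the article or its template. Every name, role and
date here is constructed; the role-based access list, HR roster and account
snapshot stand in for exports from the real HR system and the systems
under review.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2025, 8, 18)    # constructed date of this review
DORMANT_AFTER_DAYS = 90            # constructed threshold for dormant accounts

# Constructed role-based access list: what each role is entitled to, nothing more.
ROLE_ACCESS = {
    "finance-analyst": {"erp:read", "reports:read"},
    "finance-approver": {"erp:read", "erp:approve-payment", "reports:read"},
    "engineer": {"git:read", "git:write", "ci:run"},
}


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    leave_date: Optional[date] = None   # recorded by HR when someone leaves


@dataclass
class Account:
    account_id: str
    owner: str                          # person_id: one user, one ID
    entitlements: set
    last_login: Optional[date] = None


# Constructed HR roster
PEOPLE = {p.person_id: p for p in [
    Person("p1", "finance-analyst"),
    Person("p2", "finance-approver"),
    Person("p3", "engineer", leave_date=date(2025, 7, 31)),   # has left the organisation
    Person("p4", "finance-analyst"),                          # moved here from engineering
]}

# Constructed snapshot of accounts exported from the systems under review
ACCOUNTS = [
    Account("alice", "p1", {"erp:read", "reports:read"}, date(2025, 8, 15)),
    Account("bob", "p2", {"erp:read", "erp:approve-payment", "reports:read"}, date(2025, 8, 17)),
    Account("carol", "p3", {"git:read", "git:write", "ci:run"}, date(2025, 7, 30)),
    Account("dave", "p4", {"erp:read", "reports:read", "git:write"}, date(2025, 8, 10)),
    Account("svc-legacy", "p9", {"erp:read"}, date(2025, 3, 1)),
]


def review_access(people, accounts, role_access=ROLE_ACCESS,
                  review_date=REVIEW_DATE, dormant_after_days=DORMANT_AFTER_DAYS):
    """Return (account_id, finding, detail) tuples for the system or data owner to action."""
    findings = []
    dormant_cutoff = review_date - timedelta(days=dormant_after_days)
    for acct in accounts:
        person = people.get(acct.owner)
        if person is None:
            # Nobody on the roster owns this ID, so actions cannot be traced to an individual.
            findings.append((acct.account_id, "unknown-owner", acct.owner))
        elif person.leave_date is not None and person.leave_date <= review_date:
            # Leaver whose access the normal leaver process did not remove.
            findings.append((acct.account_id, "leaver-not-revoked", person.leave_date.isoformat()))
        else:
            # Mover check: anything beyond the current role's entitlements is excess.
            excess = sorted(acct.entitlements - role_access.get(person.role, set()))
            if excess:
                findings.append((acct.account_id, "excess-entitlement", ",".join(excess)))
        if acct.last_login is None or acct.last_login < dormant_cutoff:
            last = acct.last_login.isoformat() if acct.last_login else "never"
            findings.append((acct.account_id, "dormant", last))
    return findings


def revocation_requests(findings):
    """Accounts to put through the revoke request, approve and action steps."""
    return sorted({acct for acct, finding, _ in findings
                   if finding in ("leaver-not-revoked", "unknown-owner")})


FINDINGS = review_access(PEOPLE, ACCOUNTS)

if __name__ == "__main__":
    for finding in FINDINGS:
        print("%-12s %-22s %s" % finding)
    print("revoke:", revocation_requests(FINDINGS))
```

On the constructed data the review flags carol (a leaver whose account survived), dave (a mover who kept an engineering entitlement), and svc-legacy (no owner on the roster and dormant), while alice and bob are clean. The "excess-entitlement" finding is the argument for role based access over cloning an existing user: the role list is the reference the review compares against.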

ISO 27001 Access Control Policy Template

The ISO 27001 Access Control Policy template is pre-written and ready to go. It is one of the required ISO 27001 policies and sets out the organisation's approach to access control.


ISO 27001 Access Control Policy Example

This is an example ISO 27001 Access Control Policy:

(Images: ISO 27001 Access Control Policy Template, example pages 1 to 6)

How to write an ISO 27001 Access Control Policy

The ISO 27001 Access Control Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document markup is just a fancy way of saying that certain information appears on the policy. It will need version control, a version number, an owner and an information security classification.

Time needed: 1 hour and 30 minutes

How to write an ISO 27001 Access Control Policy with example content

  1. Write the ISO 27001 Access Control Policy contents

    An example ISO 27001 Access Control Policy table of contents would look something like this:
    Document Version Control
    Document Contents Page
    Purpose
    Scope
    People
    Systems
    Physical Access
    Access Control Policy
    Principle
    Confidentiality Agreements
    Role Based Access
    Unique Identifier
    Access Authentication
    Access Rights Review
    Privilege Accounts / Administrator Accounts
    Passwords
    User Account Provisioning
    Leavers
    Authentication
    Remote Access
    Third Party Remote Access
    Monitoring and Reporting
    Policy Compliance
    Compliance Measurement
    Exceptions
    Non-Compliance
    Continual Improvement

  2. Write the ISO 27001 Access Control Policy purpose

    The purpose of the policy is to ensure the correct access to the correct information and resources by the correct people.

  3. Write the ISO 27001 Access Control Policy principle

    Access control is granted on the principle of least privilege. Users are only provided access to the information they require to perform their tasks and role.

  4. Write the ISO 27001 Access Control Policy scope

    All employees and third-party users.
    All systems and applications deemed in scope by the ISO 27001 scope statement.
    Physical access is defined in the Physical and Environmental Policy.

  5. Describe your use of confidentiality agreements

    All employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities

  6. Explain role based access

    Access to systems is based on role. Access is granted by the business owner, system owner or data owner and formally approved.

  7. Define the use of unique identifiers

    Users are assigned a unique username or identifier on the principle of one user one ID to ensure individual accountability. Usernames and identifiers are not shared between users.

  8. Define the use of access authentication

    Users are positively identified and authenticated before gaining access to systems, services, or information.

  9. Explain the approach to access rights reviews

    User access to systems is reviewed at least annually to ensure it is still appropriate and relevant.
    Inactive and dormant accounts are investigated, and appropriate action taken including the updating of required documentation.
    The main user access system is reviewed every 90 days to ensure it is still appropriate and relevant.

  10. Describe the use of privilege accounts and administrator accounts

    Administrator accounts are not provided to users on devices including, but not limited to, laptops and mobile technology.
    Where feasible privilege and administrator users are assigned specific privilege and administrator accounts in addition to their normal account for the specific use on the completion of privilege and administrator tasks.
    Privilege and administrator accounts are not shared accounts, not generic accounts and do not share passwords.
    Privilege and administrator accounts are clearly identifiable.
    A register of privilege and administrator accounts is maintained.
    Privilege and administrator accounts are logged and monitored.
    Privilege and administrator accounts are provided for a set period of time.

  11. Define the policy for passwords

    Access to systems and information is authenticated by passwords.
    Initial passwords provided to users must be changed on first use.
    Vendor supplied and default passwords are changed immediately upon installation.
    Passwords are not generic, shared or set at a group level.
    Passwords are to be kept confidential and not written down.
    Passwords are not displayed when entered.
    Passwords are not coded or included in any scripts or code or macros.
    Passwords are encrypted when transmitted over networks.
    Systems lock out users after 6 failed access attempts.
    Passwords have a minimum length and format of 8 characters and a mix of alphanumeric characters.
    System sessions that are idle for 15 minutes require passwords to be entered to regain access.
    A password history file is maintained to prevent the reuse of passwords for at least four cycles.
    Passwords are changed every 90 days.

  12. Explain user account provisioning

    Account creation, modification and deletion is performed by authorised personnel and is fully documented.
    Individual line managers approve account creation, modification, and deletion.
    Business, system, or information owners approve access to systems and information. A form is used to clearly indicate the required access and an authorisation email or signature is provided.
    All users requesting password resets or changes to authentication credentials have their identity verified.

  13. Document how you treat leavers

    Line managers and HR inform the account provisioning team a user’s leave date.
    When a user leaves the company, all access is revoked, as a minimum to the main authentication technology, and to all systems and data recorded in the role-based access list.
    User IDs, passwords and authentication credentials of leavers are not reused.

  14. Set the rules for the authentication system

    The main access authentication system:
    Does not display system or application identifiers until the log-on process has been successfully completed
    Displays a general notice warning that the computer should only be accessed by authorised users
    Does not provide help messages during the log-on procedure that would aid an unauthorised user
    Validates the log-on information only on completion of all input data. If an error condition arises, the system does not indicate which part of the data is correct or incorrect
    Protects against brute force log-on attempts
    Logs unsuccessful and successful attempts
    Raises a security event if a potential attempted or successful breach of log-on controls is detected
    Does not display a password being entered
    Does not transmit passwords in clear text over a network
    Terminates inactive sessions after a defined period of inactivity, especially in high-risk locations such as public or external areas outside the organisation's security management or on mobile devices
    Restricts connection times to provide additional security for high-risk applications
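Steps 11 and 14 read as policy statements, but most of them are rules a log-on service has to implement. The following is an added example, not code from the article or the toolkit template, of a minimal authentication service that enforces the password rules from step 11 (initial password changed on first use, minimum 8 characters with letters and digits, no reuse across the last four passwords, 90-day expiry, lockout after 6 failed attempts, 15-minute idle timeout) and the log-on rules from step 14 (validate only after all input is received, one generic failure message that never says which part was wrong, log every attempt, raise a security event on lockout). The class name, the in-memory user store, the PBKDF2 parameters and the reading of "a mix of alphanumeric characters" as at least one letter and one digit are all assumptions.

```python
"""
Log-on service enforcing the password and authentication rules in steps 11 and 14.
Added example, not from the article or its template. The user store, sessions,
log and security events are all in memory; the thresholds mirror the policy text.
"""
import hashlib
import hmac
import os
import re
import secrets
from datetime import timedelta

MIN_LENGTH = 8                        # "minimum length ... of 8 characters"
LOCKOUT_THRESHOLD = 6                 # "lock out users after 6 failed access attempts"
HISTORY_DEPTH = 4                     # "prevent the reuse of passwords for at least four cycles"
MAX_AGE = timedelta(days=90)          # "passwords are changed every 90 days"
IDLE_TIMEOUT = timedelta(minutes=15)  # "idle for 15 minutes require passwords to be entered"
GENERIC_FAILURE = "Invalid username or password"  # never reveals which part failed


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-password salt (assumed parameters)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def meets_policy(password):
    """Assumed reading of 'a mix of alphanumeric characters': a letter and a digit."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


class AuthService:
    def __init__(self):
        self.users = {}              # username -> record (one user, one ID)
        self.sessions = {}           # session token -> (username, last activity)
        self.log = []                # every attempt, successful and failed
        self.security_events = []    # raised when log-on controls are tripped

    def create_user(self, username, initial_password, now):
        """Provision an account; the initial password must be changed on first use."""
        self.users[username] = {"history": [hash_password(initial_password)], "failed": 0,
                                "locked": False, "set_at": now, "must_change": True}

    def change_password(self, username, new_password, now):
        """Enforce length/format and refuse any of the last HISTORY_DEPTH passwords."""
        user = self.users[username]
        if not meets_policy(new_password):
            return False, "password does not meet length/format policy"
        for salt, old in user["history"][-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(new_password, salt)[1], old):
                return False, "password reused within the last %d cycles" % HISTORY_DEPTH
        user["history"].append(hash_password(new_password))
        user["set_at"], user["must_change"], user["failed"] = now, False, 0
        return True, "password changed"

    def login(self, username, password, now):
        """Validate only once all input is present; one generic message for any failure."""
        user = self.users.get(username)
        if user is None or user["locked"]:
            hash_password(password)  # same work as a real check, so timing does not reveal the ID
        else:
            salt, current = user["history"][-1]
            if hmac.compare_digest(hash_password(password, salt)[1], current):
                user["failed"] = 0
                self.log.append((now, username, "success"))
                if user["must_change"] or now - user["set_at"] > MAX_AGE:
                    return None, "password change required"
                token = secrets.token_hex(16)
                self.sessions[token] = (username, now)
                return token, "ok"
            user["failed"] += 1
            if user["failed"] >= LOCKOUT_THRESHOLD:
                user["locked"] = True
                self.security_events.append((now, username, "locked after %d failures" % user["failed"]))
        # Unknown ID, locked account and wrong password all look the same to the caller.
        self.log.append((now, username, "failure"))
        return None, GENERIC_FAILURE

    def touch_session(self, token, now):
        """True if the session is live; terminate it after IDLE_TIMEOUT of inactivity."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        username, last_activity = entry
        if now - last_activity > IDLE_TIMEOUT:
            del self.sessions[token]
            return False
        self.sessions[token] = (username, now)
        return True
```

The single `GENERIC_FAILURE` return path is the step 14 rule in code: an unknown username, a locked account and a wrong password are indistinguishable to whoever is typing, while the log and the security event list keep the detail the incident management process needs.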

  15. Explain your approach to remote access

    Remote access to company networks and cloud-based services follows the same rules previously covered by this policy, with the additional requirement of two-factor authentication where available.
    Remote connections are set to disconnect after a set period of time.
    A list of users with remote access to internal network systems is maintained.

  16. Explain your approach to third party remote access

    Access is only granted to third parties under current contract with an applicable non-disclosure agreement in place.
    Access is granted for a specific time, to a specific system, to a specific individual and provided on receipt of a formal, valid, authorised access request.
    Access is removed immediately on completion of the requirement.
    A list of third parties and individuals with access is maintained.

  17. Describe monitoring and reporting

    Access to systems is monitored and reported and actions that directly or indirectly affect or could affect the confidentiality, integrity or availability of data are managed via the Incident Management process.

  18. Document data masking

    We mask data in line with our legal and regulatory obligations.


Why is the ISO 27001 Access Control Policy Important?

A cornerstone of information security is confidentiality and providing the right access to the right people at the right time. We want to ensure that people have access to do their job but no more. We want to protect the information and data that we have.

People will talk about preventing unauthorised access which is a fancy way of saying getting access to data they should not have. By protecting the access to the data we can reduce the risk of information security incidents and data breaches.

The ISO 27001 Access Control Policy is important as it sets out clearly and in written form what you expect to happen. If you don’t tell people what you expect of them then how can you expect them to do it? Communicating what is expected is a key step in any HR disciplinary process with many not being enforceable or actionable if you have not told people what to do and got them to accept that they understand what is being asked.

The ISO 27001 standard wants you to have the access control policy in place, communicated, and accepted by staff as part of your ISO 27001 certification. It actually forms part of a wider set of required information security policies that are all included in the ISO 27001 toolkit.

Access Control in Practice

The ISO 27001 Access Control Policy is all about access to systems and data. When looking at access we are looking at the different types of access. We differentiate between normal users and administrators.

First things first, we want to ensure that we have confidentiality agreements in place and that they are required before access to systems is granted. This may form part of employment contracts. It makes sense to grant access to systems based on roles, where the role defines the level of access that is allowed. We want to ensure that we can track actions back to individuals, so the concept of one user, one ID is introduced. If we have shared accounts it can be nearly impossible to track back who exactly did what. This becomes critical if incidents occur and we need to conduct investigations. Users of systems are responsible for their actions.

System access is not a one-time deal. We will have a starter, mover, leaver process that covers the provision of access, the changes to access as roles change and the removal of access when someone leaves. To ensure that all is working as planned we are going to conduct regular access reviews. An access review is as simple as seeing who has access to systems, what level of access they have and confirming that they still need it. If they don't, or they have changed role, or they have left and the normal process hasn't caught it, then we handle it at that point.

Our most powerful users are administrators. They hold the keys to the kingdom. There are special considerations when it comes to these administrative accounts. How they are allocated, when they are allocated, how they are used and how they are monitored are all addressed.

We all use passwords, and the rules for passwords are set: how passwords are created, how complex they need to be, how often (if at all) they are changed, and how they are communicated to users. Passwords are the keys to the doors of our systems and data, so we are clear on their management and use.

Often we rely on third parties or suppliers to help support and run our systems. We want to grant them the access that they need, when they need it, to help us. We set out the policy and rules for their access. We also address remote access for all users.

Benefits of implementing an ISO 27001 Access Control Policy

The main benefit is that it allows you to mitigate the risk of access to systems and data. Access poses unique challenges as it is the primary way people gain entry to systems and data to perform their role so the risks need to be assessed and appropriate controls implemented. The benefits of implementing an ISO 27001 Access Control Policy include:

  • Access to data will be granted only to those that require it and have been approved reducing the risk of unauthorised access and data breaches.
  • Improved compliance with laws and regulations that require access controls to be in place
  • Protection of confidential information
  • Building trust with employees and third parties
  • Reputation protection: in the event of a breach, having effective remote working controls in place will reduce the potential for fines and reduce the PR impact of an event.

ISO 27001 Access Control Policy FAQ

Where can I get an ISO 27001 Access Control Policy?

The ISO 27001 Access Control Policy can be downloaded at High Table: The ISO 27001 Company.

What is the Purpose of the ISO 27001 Access Control Policy?

The purpose of the ISO 27001 Access Control Policy is to ensure the correct access to the correct information and resources by the correct people.

What is the ISO 27001 Access Control Policy Principle?

Access control is granted on the principle of least privilege. Users are only provided access to the information they require to perform their tasks and role.

What are the access control steps?

1. Requesting Access
2. Approving Access Requests
3. Implementing Access
4. Managing Changes to Access
5. Monitoring Access
6. Revoking Access

Who is responsible for the ISO 27001 Access Control Policy?

Access is the responsibility of the data and system owners. The ISO 27001 Access Control Policy is the responsibility of the senior leadership team. This can also be the senior operational leadership team.

What clauses of ISO 27001 apply to the access control policy?

ISO 27001 Clause 5 Leadership
ISO 27001 Clause 5.1 Leadership and commitment
ISO 27001 Clause 5.2 Policy
ISO 27001 Clause 6.2 Information security objectives and planning to achieve them
ISO 27001 Clause 7.5.3 Control of documented information
ISO 27001 Clause 7.3 Awareness

What clauses of ISO 27001 Annex A apply to the access control policy?

ISO 27001 Annex A 5.15 Access Control
ISO 27001 Annex A 5.16 Identity Management
ISO 27001 Annex A 5.17 Authentication Information
ISO 27001 Annex A 5.18 Access Rights

What are examples of a violation of the ISO 27001 Access Control Policy?

Unauthorised access: accessing data without authorisation or approval.
Unauthorised disclosure of data: sharing data or information with people that are not authorised to access it.
Sharing passwords: allowing others to use your password to access data to which they are not authorised.
Unauthorised destruction or modification of data: changing or modifying data you have access to but are not granted permission to delete or modify.

What are the consequences of violating the ISO 27001 Access Control Policy?

Not managing access to systems can have severe consequences. This is a simple, effective protection against cyber attack and data breach. Like giving a key to your door to everyone and anyone that asks, you are inviting attackers into your systems. The consequences could be legal and regulatory fines and / or enforcement, loss of data, loss of revenue and in the most extreme cases risk to life and closure of your organisation.

How do you monitor the effectiveness of the ISO 27001 Access Control Policy?

The approaches to monitoring the effectiveness of access control include:
Monthly access reviews by the system and data owners
Internal audit of the access control process
External audit of the access control process
Review of system logs and alerts for anomalies in operation

Where does Access Control fit within the ISO 27001 framework?

Access control is primarily addressed in Annex A.9 (Access Control) of ISO 27001. This section contains a set of specific controls related to managing access to information and information processing facilities.

Is an Access Control Policy mandatory for ISO 27001 certification?

Yes, it is essential. ISO 27001 requires organisations to establish and implement an Access Control Policy as part of their Information Security Management System (ISMS) to meet the requirements of ISO 27001:2022 Annex A 5.15 Access Control.

What key elements should an ISO 27001 Access Control Policy include?

It should include principles for access control, user access management, system and application access control, mobile device access, remote access, privileged access management, and segregation of duties.

What role do strong authentication mechanisms play?

Strong authentication, such as multi-factor authentication (MFA), is crucial for verifying user identities and is often a key requirement of an ISO 27001 Access Control Policy.

What is the importance of logging and monitoring access attempts?

Logging and monitoring access attempts (both successful and failed) are vital for detecting unauthorised activity, investigating security incidents, and providing an audit trail.

How does the Access Control Policy support incident response?

A robust Access Control Policy contributes to effective incident response by ensuring that unauthorised access is minimised, and in the event of a breach, access logs provide crucial information for investigation and containment.

The ISO 27001 Access Control Policy satisfies the following clauses in ISO 27001:2022

ISO 27001 Annex A 5.15 Access Control

ISO 27001 Annex A 5.16 Identity Management

ISO 27001 Annex A 5.17 Authentication Information

ISO 27001 Annex A 5.18 Access Rights

ISO 27001 Annex A 8.4 Access to source code 

ISO 27001 Annex A 8.5 Secure authentication

ISO 27001 Annex A 8.11 Data Masking

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start-up and early stage business.