Free Access Control Policy Template (ISO 27001 & SOC 2)
Access control is one of the most heavily tested areas in any audit. This free Access Control Policy template covers least privilege, MFA, the joiner-mover-leaver lifecycle and access reviews — aligned to ISO 27001 (A.5.15–5.18) and SOC 2 (CC6.1–CC6.3).
Any organization pursuing ISO 27001 or SOC 2, or answering customer security questionnaires. Access control is where many audit findings originate, so getting this right pays off.
Template
Access Control Policy
ISO 27001 A.5.15–5.18 · SOC 2 CC6.1–CC6.3
1. Purpose & Principles
This policy governs access to ✎ Company Name's systems and data. Access is granted on a least-privilege, need-to-know basis, is role-based, and is traceable to a named individual. It applies to all employees, contractors and third parties.
2. User Access Management (Joiner–Mover–Leaver)
- Joiners: access is provisioned from a role-based template after manager approval.
- Movers: access is adjusted when roles change; old access is removed.
- Leavers: all access is revoked within ✎ e.g. 24 hours of departure.
Access requests and approvals are recorded.
3. Authentication & MFA
Multi-factor authentication is required for ✎ remote access, administrative access, and all SaaS holding company data, enforced via ✎ identity provider, e.g. Microsoft Entra ID. Password requirements follow ✎ your standard, e.g. 12+ characters, screened against breach lists.
4. Privileged Access
Privileged (admin) accounts are restricted to those who need them, are individually attributable, and their use is logged and reviewed. Where possible, privileged access is just-in-time and separated from day-to-day accounts.
5. Access Reviews
User access rights are reviewed at least ✎ quarterly and recertified by system owners. Privileged access is reviewed more frequently. Findings are remediated and recorded.
✎ Highlighted items are placeholders — replace them with your organization's details.
Generate a tailored Access Control Policy instantly with CompliWiseAI
Skip the placeholders — get a version written for your company's industry, size, country and risk level, ready to review and export.
How to customize this template
- Name your identity provider and which systems enforce MFA — auditors will ask for the specifics.
- Set a concrete deprovisioning SLA (e.g. 24 hours) and be able to evidence you meet it.
- Run and document access reviews on schedule; a missed review is a classic finding.
- Separate privileged accounts from normal user accounts wherever you can.
- Tie the joiner-mover-leaver steps to your actual HR/IT process so it reflects reality.
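As an added example (not part of the template or of any vendor tooling), the following Python script produces the kind of evidence the deprovisioning-SLA and access-review bullets call for: it reconciles a constructed HR leaver feed against a constructed identity-provider export to flag accounts that outlived the SLA, and lists enabled privileged accounts with no MFA enrolment. The CSV field names are assumptions; a real HR or IdP export will differ.

```python
# Added evidence check (not part of the template): flags leavers whose account
# outlived the deprovisioning SLA, and privileged accounts without MFA.
# Inputs are constructed CSV exports; real HR/IdP field names are assumptions.
import csv
import io
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # the policy's placeholder value, e.g. 24 hours

# Constructed HR feed: who left and when (hypothetical users).
HR_LEAVERS = """user,left_at
alice,2024-05-01T09:00:00Z
bob,2024-05-02T17:30:00Z
"""
# Constructed IdP export: account state, disable time, MFA, privileged flag.
IDP_ACCOUNTS = """user,enabled,disabled_at,mfa_enrolled,privileged
alice,false,2024-05-01T15:00:00Z,true,false
bob,true,,true,true
carol,true,,false,true
dave,true,,true,false
"""

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None

def load(text):
    return {row["user"]: row for row in csv.DictReader(io.StringIO(text))}

def leaver_sla_findings(hr_csv, idp_csv, now, sla=SLA):
    """Leavers still enabled past the SLA, or disabled later than the SLA."""
    accounts, findings = load(idp_csv), []
    for user, row in load(hr_csv).items():
        acct = accounts.get(user)
        if acct is None:
            continue  # no account in this IdP, nothing to revoke here
        deadline = parse_ts(row["left_at"]) + sla
        if acct["enabled"] == "true":
            if now > deadline:
                findings.append((user, "still enabled past SLA"))
        elif parse_ts(acct["disabled_at"]) > deadline:
            findings.append((user, "disabled late"))
    return findings

def privileged_without_mfa(idp_csv):
    """Enabled privileged accounts with no MFA enrolment (sections 3 and 4)."""
    return sorted(u for u, a in load(idp_csv).items()
                  if a["privileged"] == "true" and a["enabled"] == "true"
                  and a["mfa_enrolled"] != "true")
```

Run it on each review cycle and keep the output with the review record; an empty result for both functions is the evidence an auditor asks for, and a non-empty one is the finding to remediate.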
What an auditor looks for
- Is access role-based and least-privilege, with approvals recorded?
- Is MFA enforced on remote and administrative access?
- Is leaver access revoked promptly, with evidence?
- Are periodic access reviews performed and remediated?
Frequently asked questions
Is an access control policy mandatory for ISO 27001?
Access control is addressed by Annex A controls 5.15–5.18, and a documented access control policy is the standard way to demonstrate them. It's also central to SOC 2's CC6 criteria.
How often should access reviews happen?
Quarterly is common for general access and monthly for privileged access, but set a frequency proportionate to your risk and — crucially — actually keep to it.
Does MFA need to be on everything?
Prioritise remote access, administrative access and any system holding sensitive data. Document where it's enforced and your roadmap for anything not yet covered.