PolicyForge

How to write an access control policy

What an access control policy must cover to pass an ISO 27001 or SOC 2 audit — least privilege, joiner-mover-leaver, access reviews — with a ready-to-use template.

Why access control is audited so closely

Access control failures are a common root cause of breaches and one of the most frequent sources of audit findings. The policy is how you show that you decide who gets access to what, on what basis, and how and when that access is removed. It is central to the access control controls in ISO 27001 Annex A (5.15 to 5.18) and to the SOC 2 logical access criteria (CC6).

What to include

  1. Principles — least privilege and need-to-know as the default posture.
  2. Access model — role-based access control (RBAC): access follows roles, not individuals.
  3. Joiner-mover-leaver — how access is granted on hire, changed on role change, and revoked on departure (ideally same-day).
  4. Authentication — links to your password and MFA requirements.
  5. Privileged access — stricter controls, separation of duties, and just-in-time elevation where possible.
  6. Access reviews — periodic recertification (e.g. quarterly for privileged, annually for standard), with evidence retained.
  7. Third-party and service accounts — ownership, expiry and review.

Common mistakes

  • No leaver process — orphaned accounts are an auditor magnet.
  • Access reviews with no evidence; if it isn't recorded, it didn't happen.
  • Confusing the policy (the rules) with the procedure (the steps). You usually need both.
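As an added example (not part of the PolicyForge page or its template), the Python script below turns three of the rules above into a repeatable check: leaver revocation and orphaned accounts, RBAC role drift for movers, and review recency (quarterly for privileged, annually for standard), and it emits the evidence record an auditor will ask for. The HR roster, IAM export, names, roles and the role-to-entitlement mapping are all constructed for illustration; the mapping stands in for your own RBAC model.

```python
"""Access-review check. Constructed example data; not a real export."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review cadence from the policy: quarterly for privileged, annual for standard.
REVIEW_PERIOD = {True: timedelta(days=90), False: timedelta(days=365)}

# Assumed RBAC model: the entitlements each role is allowed to carry.
ROLE_ENTITLEMENTS = {
    "engineer": {"repo:write", "ci:run"},
    "sre": {"repo:write", "ci:run", "prod:deploy"},
    "finance": {"erp:read", "erp:post"},
}


@dataclass
class Person:
    emp_id: str
    role: str
    active: bool          # False once HR marks the person as a leaver


@dataclass
class Account:
    name: str
    owner: Optional[str]  # employee id, or None for an unowned account
    entitlements: set[str]
    privileged: bool
    last_review: date
    service: bool = False
    expires: Optional[date] = None


def review(accounts: list[Account], roster: list[Person], today: date) -> list[tuple[str, str]]:
    """Return (account name, finding) pairs for everything that needs action."""
    people = {p.emp_id: p for p in roster}
    findings: list[tuple[str, str]] = []
    for a in accounts:
        owner = people.get(a.owner) if a.owner else None
        # Leaver / orphan check: every account must map to a current owner.
        if owner is None:
            findings.append((a.name, "orphaned: no owner in HR roster"))
        elif not owner.active:
            findings.append((a.name, f"leaver: owner {owner.emp_id} has left, revoke"))
        # Mover check: a user's entitlements must stay within their role.
        elif not a.service:
            extra = a.entitlements - ROLE_ENTITLEMENTS.get(owner.role, set())
            if extra:
                findings.append((a.name, f"role drift: {sorted(extra)} not in role {owner.role}"))
        # Service accounts carry an expiry; expired ones must be removed.
        if a.service and a.expires is not None and a.expires < today:
            findings.append((a.name, f"expired service account ({a.expires})"))
        # Recertification recency, stricter for privileged accounts.
        if today - a.last_review > REVIEW_PERIOD[a.privileged]:
            findings.append((a.name, "review overdue"))
    return findings


def evidence_record(findings, accounts, today: date) -> dict:
    """The retained artefact: what was reviewed, when, and what was found."""
    return {"date": today.isoformat(), "accounts_reviewed": len(accounts), "findings": findings}


# Constructed sample data (2024 is a leap year; 2024-01-15 is 167 days before TODAY).
TODAY = date(2024, 6, 30)
ROSTER = [
    Person("E1", "engineer", True),
    Person("E2", "sre", True),
    Person("E3", "finance", False),  # left the company
]
ACCOUNTS = [
    Account("alice", "E1", {"repo:write", "ci:run"}, False, date(2024, 1, 15)),
    Account("bob", "E2", {"repo:write", "ci:run", "prod:deploy"}, True, date(2024, 1, 15)),
    Account("carol", "E3", {"erp:read", "erp:post"}, False, date(2024, 5, 1)),
    Account("dave", "E1", {"repo:write", "prod:deploy"}, True, date(2024, 6, 1)),
    Account("svc-backup", None, {"storage:write"}, True, date(2024, 6, 1),
            service=True, expires=date(2024, 5, 31)),
    Account("svc-ci", "E2", {"ci:run"}, False, date(2023, 1, 1),
            service=True, expires=date(2025, 1, 1)),
]


def run_sample() -> list[tuple[str, str]]:
    return review(ACCOUNTS, ROSTER, TODAY)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name:12} {finding}")
    print(evidence_record(run_sample(), ACCOUNTS, TODAY))
```

Run on the sample, alice passes cleanly; bob is a privileged account last reviewed 167 days ago, carol belongs to a leaver, dave is an engineer carrying an SRE-only entitlement, svc-backup is both unowned and expired, and svc-ci has gone more than a year without review. Persist the evidence record (and who signed it off) each run; that is the artefact behind "if it isn't recorded, it didn't happen".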

Framework alignment

Maps to ISO 27001:2022 Annex A 5.15 (access control), 5.16 (identity management), 5.17 (authentication information) and 5.18 (access rights), with 8.2 (privileged access rights) and 8.3 (information access restriction) covering the privileged access section; to the SOC 2 logical access criteria (CC6); and to the NIST CSF 2.0 Protect function, category PR.AA (identity management, authentication and access control).

Generate it in minutes

See a sample access control policy or generate yours free.