
    Access Control Policy

    Logical and physical access management (Annex A 5.15).


    About this Access Control Policy

    The Access Control Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It directly supports Annex A 5.15 of the ISO 27001 Annex A control set.

    Annex A 5.15 covers logical and physical access management. Use the template as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to Annex A 5.15
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Annex A 5.15 - Access control
    • Annex A 5.16 - Identity management
    • Annex A 5.17 - Authentication information
    • Annex A 5.18 - Access rights
    • Annex A 8.2 - Privileged access rights
    • Annex A 8.3 - Information access restriction

    How to customise

    • Insert your organisation name, scope, and policy owner.
    • Reference the systems and data classifications in your environment.
    • Align approval roles with your joiner/mover/leaver procedure.
    • Set review frequency (typically quarterly for privileged access).
    • Approve, version, and publish through your document control process.

    Evidence auditors may expect

    • Signed and dated policy approved by management
    • User access review records with reviewer and date
    • Joiner / mover / leaver tickets or HR records
    • Privileged access list with named owners and justification
    • Authentication standard (MFA, password rules) referenced from the policy

    Auditor may ask

    Q. How are users approved before access is granted?
    Q. How often is access reviewed, and who signs it off?
    Q. How are leavers removed from systems, and within what timeframe?
    Q. How is privileged access controlled, monitored, and reviewed?
    Q. What evidence shows this process happens consistently?

    These are realistic questions an external auditor may use to test the control. Each answer must be supported by the evidence listed above.

    Frequently asked questions

    What ISO 27001:2022 controls does an access control policy cover?

    Primarily Annex A 5.15 (Access control), 5.16 (Identity management), 5.17 (Authentication information), 5.18 (Access rights), 8.2 (Privileged access) and 8.3 (Information access restriction).

    Does an access control policy need to cover MFA?

    Yes. Multi-factor authentication should be specified for privileged accounts and remote access at minimum, with the password and authentication standard referenced from the policy.

    How often should user access be reviewed?

    Standard practice is quarterly for privileged access and at least annually for standard user access, with sign-off recorded and retained as evidence.

    What evidence will an auditor ask to see?

    An approved policy, joiner / mover / leaver tickets, periodic access review records with reviewer and date, and a privileged access list with named owners and justification.

    Get the editable Access Control Policy

    Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).