Access Control Policy
Logical and physical access management (Annex A 5.15).
About this Access Control Policy
The Access Control Policy is a ready-to-use ISO 27001:2022 template for documenting and operating the logical and physical access controls that certification auditors expect to see. It directly supports Annex A 5.15 (Access control) and draws on the related identity, authentication and access-rights controls listed under "ISO 27001:2022 relevance" below. Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.
What's inside
- Pre-written purpose, scope and policy statements
- Roles and responsibilities aligned with ISO 27001:2022
- Control requirements mapped to Annex A 5.15
- Review, approval and version-control sections
- Editable Word (.docx) version in the Document Pack
Who is this for
- Companies pursuing ISO 27001:2022 certification
- ISMS managers and information security leads
- Consultants delivering ISO 27001 implementations
- Auditors preparing evidence packs for Stage 1 / Stage 2
- SaaS and tech teams formalizing security policies
ISO 27001:2022 relevance
- Annex A 5.15 - Access control
- Annex A 5.16 - Identity management
- Annex A 5.17 - Authentication information
- Annex A 5.18 - Access rights
- Annex A 8.2 - Privileged access rights
- Annex A 8.3 - Information access restriction
How to customise
- Insert your organisation name, scope, and policy owner.
- Reference the systems and data classifications in your environment.
- Align approval roles with your joiner / mover / leaver procedure.
- Set review frequency (typically quarterly for privileged access).
- Approve, version, and publish through your document control process.
Evidence auditors may expect
- Signed and dated policy approved by management
- User access review records with reviewer and date
- Joiner / mover / leaver tickets or HR records
- Privileged access list with named owners and justification
- Authentication standard (MFA, password rules) referenced from the policy
Auditor may ask
These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.
Frequently asked questions
What ISO 27001:2022 controls does an access control policy cover?
Primarily Annex A 5.15 (Access control), 5.16 (Identity management), 5.17 (Authentication information), 5.18 (Access rights), 8.2 (Privileged access rights) and 8.3 (Information access restriction).
Does an access control policy need to cover MFA?
In practice, yes. ISO 27001:2022 does not name MFA as a requirement, but Annex A 8.5 (Secure authentication) expects the strength of authentication to match the sensitivity of the access, and auditors routinely look for multi-factor authentication on privileged accounts and remote access at a minimum. The policy should state where MFA is required and reference the password and authentication standard that defines the detail.
How often should user access be reviewed?
ISO 27001:2022 does not fix an interval; Annex A 5.18 requires access rights to be reviewed at regular intervals and whenever a role changes or ends. Common practice is quarterly for privileged access and at least annually for standard user access, with the reviewer, date and outcome recorded and retained as evidence.
What evidence will an auditor ask to see?
An approved policy, joiner / mover / leaver tickets, periodic access review records with reviewer and date, and a privileged access list with named owners and justification.
Related ISO 27001 documents
Password Policy
Authentication credential rules (Annex A 5.17).
Human Resources Security Policy
Pre-employment, during, and post-employment security (Annex A 6.1-6.6).
Remote Access Policy
VPN and remote access requirements (Annex A 6.7).
Statement of Applicability (SoA)
Lists all Annex A controls with applicability and justification. Mandatory under clause 6.1.3 d).
Risk Assessment & Treatment Policy
Defines the risk methodology, scoring and treatment approach. Mandatory under clauses 6.1.2/6.1.3.
Acceptable Use Policy
Rules for acceptable use of information and assets (Annex A 5.10).
Get the editable Access Control Policy
Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).
