
Access Control Policy Template

Introduction

Purpose and Use

Access control is the practice of ensuring that only authorised individuals can access the systems, data and resources required for their role. This policy template sets out the objectives, responsibilities and rules for managing access rights within an organisation. It is designed to help UK organisations maintain confidentiality, integrity and availability of their information assets, meet the requirements of frameworks like Cyber Essentials, ISO/IEC 27001 and the UK GDPR, and reduce the risk of unauthorised access or data breaches.

Use this template to develop an Access Control Policy that is proportionate to the size and complexity of your organisation. It should be tailored to reflect your business context, system architecture and regulatory obligations.

Who This Template Is For

This template is intended for:

  • SMEs and larger organisations in the UK seeking to implement or update an access control policy.
  • IT and security managers responsible for information security and compliance.
  • Organisations preparing for Cyber Essentials / Cyber Essentials Plus certification or seeking to align with ISO/IEC 27001 and UK GDPR requirements.

Alternative Names You Might See

  • Identity and Access Management (IAM) Policy
  • User Access Policy
  • System Access Policy
  • Authorisation Policy

Access Control Policy Template

1. Document Management

  • Organisation Name: [Insert organisation name]
  • Document Owner: [Role/title responsible for the policy]
  • Version: [e.g. 1.0]
  • Classification: [e.g. Internal / Public / Confidential]
  • Issue Date: [Date of current issue]
  • Next Review Date: [Date for next review]
  • Supersedes: [If applicable, previous versions]
  • Approval: [Senior management approval]
  • Change History: Include a table recording version, date, author and summary of changes.

2. Purpose

The purpose of this policy is to:

  1. Define how access to organisational systems and data is granted, reviewed, amended and revoked.
  2. Protect against unauthorised access and misuse of information assets.
  3. Support compliance with relevant legislation and standards, including the UK GDPR, Data Protection Act 2018, Cyber Essentials, ISO/IEC 27001 and other regulatory requirements.
  4. Provide a framework for maintaining accountability and traceability in the management of user accounts and access rights.

3. Scope

This policy applies to:

  • All employees, contractors, consultants, partners and third parties who access organisational systems and data.
  • All IT systems, applications, databases, cloud services and physical areas that store or process sensitive or proprietary information.
  • Any device used to access organisational resources, including company‑owned and personal devices (BYOD).

4. Roles and Responsibilities

4.1 Senior Management / Board

  • Approve the Access Control Policy and ensure it aligns with organisational objectives and legal obligations.
  • Provide necessary resources to implement and maintain the policy.
  • Support enforcement of access control measures and disciplinary actions where required.

4.2 Information Security / IT Function

  • Develop, implement and maintain procedures for user account provisioning, privilege management and periodic access reviews.
  • Maintain an inventory of systems and associated access rights.
  • Monitor compliance with access control procedures and report any issues to management.
  • Provide training to users on secure access practices and policy requirements.

4.3 Human Resources (HR)

  • Ensure prompt communication of joiners, leavers and role changes to the IT function.
  • Support enforcement of disciplinary procedures for non‑compliance with the policy.

4.4 Line Managers / System Owners

  • Approve access requests and changes within their area of responsibility.
  • Ensure that users have the minimum access necessary to perform their duties.
  • Review access rights for their team at least annually or when roles change.

4.5 All Users

  • Use their access rights responsibly and only for legitimate business purposes.
  • Do not share passwords or allow anyone else to use their accounts.
  • Report lost devices, unauthorised access or suspected compromise immediately.
  • Comply with the terms of this policy and any supporting standards or procedures.

5. Access Provisioning

5.1 New Accounts and Authorisation

  • All access requests must be formally documented, including justification, and approved by the relevant line manager or system owner before provisioning.
  • The IT function must verify the requester’s identity and ensure the requested access level is appropriate for their role.
  • Default access rights should be based on job roles (role‑based access control), but adjusted for individual requirements as necessary.

5.2 User Account Creation

  • User accounts are to be created using unique identifiers so that every action can be traced to an individual; generic or shared accounts should be avoided and, where one is unavoidable, must be documented with a named owner and a justification.
  • Accounts must be configured to enforce the authentication requirements in Section 7 and the organisation’s password policy.
  • Initial passwords must be delivered securely (for example out of band, not in the same message as the username), be valid for a limited time, and be changed by the user at first login.

5.3 Changes and Transfers

  • Changes in job role or responsibilities must trigger a review of access rights.
  • The user’s line manager must submit an access change request detailing required changes, which the IT function will process following the same approval steps as new access.

5.4 Termination of Employment / Contract

  • HR must promptly notify IT when an employee or contractor’s employment terminates or when a contract ends.
  • All access rights must be revoked by the termination date (or as soon as feasible) and accounts deactivated or deleted; this covers remote access, cloud services and physical access tokens as well as the primary directory account.
  • Access to critical systems should be monitored up to the termination date so that any data exfiltration can be detected and investigated.

6. Privilege Management

6.1 Principle of Least Privilege

  • Users must be granted the minimum level of access necessary to perform their job duties and no more.
  • Administrative or privileged access should be limited to authorised personnel and documented in an access register.

6.2 Privileged Accounts

  • Privileged accounts must be separately managed from standard user accounts (e.g. separate admin accounts).
  • Use multi‑factor authentication (MFA) for privileged and remote access; where a system cannot support MFA, record this as an exception under Section 13.
  • Privileged actions should be logged and monitored, with audit trails maintained and reviewed regularly.

6.3 Temporary Access and Emergency Access

  • Temporary or emergency access must be strictly controlled, recorded and revoked immediately after the purpose is fulfilled.
  • Emergency accounts should have strong, unique credentials and be monitored closely.

7. Password and Authentication Requirements

  • Passwords must meet the requirements defined in the organisation’s password policy (e.g. minimum length and screening against known‑breached passwords). Note that current NCSC guidance and the Cyber Essentials requirements do not recommend routine password expiry; passwords should be changed when compromise is known or suspected.
  • MFA should be implemented where feasible, particularly for remote access, privileged accounts and sensitive systems.
  • Passwords must never be shared or reused across multiple systems.
  • Users should consider using password managers to store and generate complex passwords securely.

8. Access Reviews and Audit

  • System owners or designated managers must perform periodic reviews (at least annually) of user access rights to ensure they remain appropriate.
  • Access logs should be retained for a period defined by regulatory requirements and internal policy (e.g. 6–12 months) and reviewed to detect suspicious activity.
  • Any discrepancies or signs of unauthorised access must be investigated promptly.
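The leaver check in Section 5.4 and the periodic review in Section 8 are usually carried out by reconciling an HR roster against an export of directory accounts. The following is an added example written for this page, not part of the policy template or any product: all records are constructed inline, and the field names, the review date and the 90‑day dormancy threshold are assumptions that a real review would replace with its own exports and policy values.

```python
"""Joiner/mover/leaver reconciliation for a periodic access review.

Added example, not part of the policy template. It compares an HR roster
with a directory account export and flags accounts the policy says should
not be active. All records are constructed inline; the field names and the
90-day dormancy threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HRRecord:
    user_id: str
    role: str
    status: str                   # "active" or "left"
    leaving_date: Optional[date]  # set when status == "left"


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    privileged: bool
    last_login: Optional[date]


# Constructed sample exports (assumed shapes).
HR_ROSTER = [
    HRRecord("asmith", "finance", "active", None),
    HRRecord("bjones", "engineering", "left", date(2024, 3, 31)),
    HRRecord("cwong", "engineering", "active", None),
    HRRecord("dpatel", "contractor", "left", date(2024, 5, 15)),
    HRRecord("efox", "sales", "left", date(2024, 6, 30)),  # working notice
]
ACCOUNTS = [
    Account("asmith", True, False, date(2024, 6, 3)),
    Account("bjones", True, True, date(2024, 4, 2)),      # leaver still enabled, and an admin
    Account("cwong", True, False, date(2024, 1, 10)),     # enabled but unused for months
    Account("dpatel", False, False, date(2024, 5, 14)),   # leaver, correctly disabled
    Account("efox", True, False, date(2024, 6, 4)),       # leaving soon: monitor, revoke on date
    Account("svc-backup", True, True, date(2024, 6, 4)),  # no HR record at all
]

TODAY = date(2024, 6, 5)            # review date, fixed so the run is reproducible
DORMANT_AFTER = timedelta(days=90)  # assumed policy value


def review_access(roster: List[HRRecord], accounts: List[Account],
                  today: date) -> List[Tuple[str, str]]:
    """Return (user_id, issue) pairs. Issues, in policy terms:
    leaver_active  - 5.4: termination date has passed but the account is enabled
    pending_leaver - 5.4: leaving date set but not yet reached; monitor, revoke on the date
    orphan         - 8: account with no HR owner (often a service account); needs a named owner
    dormant        - 8: enabled account with no login for longer than DORMANT_AFTER
    """
    hr = {r.user_id: r for r in roster}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        rec = hr.get(acct.user_id)
        if rec is None:
            findings.append((acct.user_id, "orphan"))
            continue
        if rec.status == "left" and acct.enabled:
            if rec.leaving_date is None or rec.leaving_date <= today:
                findings.append((acct.user_id, "leaver_active"))
            else:
                findings.append((acct.user_id, "pending_leaver"))
            continue  # a leaver's account is dealt with by revocation, not dormancy
        if acct.enabled and (acct.last_login is None
                             or today - acct.last_login > DORMANT_AFTER):
            findings.append((acct.user_id, "dormant"))
    # Privileged accounts surface first so the reviewer handles the highest-impact items first.
    priv = {a.user_id for a in accounts if a.privileged}
    findings.sort(key=lambda f: (f[0] not in priv, f[0]))
    return findings


def run_review() -> List[Tuple[str, str]]:
    return review_access(HR_ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user_id, issue in run_review():
        print(f"{issue:15} {user_id}")
```

The output is a worklist for the system owner, not an automatic change: the policy requires the revocation or the ownership decision to be approved and recorded. The account with no HR record is the case reviews most often miss, since it never appears in a leavers report.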

9. Monitoring and Logging

  • All systems should implement appropriate logging to record access attempts (successful and failed), changes to permissions, and privileged activities.
  • Logs must be protected from tampering (for example by forwarding them promptly to a separate, write‑restricted log store) and accessible only to authorised personnel.
  • Monitoring should be in place to detect patterns of attempted unauthorised access or unusual behaviour, with alerts escalated to the security team.
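The monitoring requirement above is only as good as the detection rules behind it. The following is an added example written for this page, not code from the policy or from any product: it runs two simple rules over constructed authentication events (the line format is an assumption, not a specific system's log format) and raises the alerts a security team would want escalated: a burst of failed logins from one source, and a successful login from a source that was failing just before.

```python
"""Detection logic over authentication log lines.

Added example, not part of the policy template. The line format and the
thresholds are assumptions; the log itself is constructed, with addresses
from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed line shape: ISO-8601 UTC timestamp, source address, user, result.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log.
SAMPLE_LOG = """\
2024-06-05T09:00:01Z src=203.0.113.5 user=asmith result=FAIL
2024-06-05T09:00:07Z src=203.0.113.5 user=asmith result=FAIL
2024-06-05T09:00:12Z src=203.0.113.5 user=bjones result=FAIL
2024-06-05T09:00:19Z src=203.0.113.5 user=cwong result=FAIL
2024-06-05T09:00:25Z src=203.0.113.5 user=dpatel result=FAIL
2024-06-05T09:00:31Z src=203.0.113.5 user=asmith result=OK
2024-06-05T09:05:00Z src=198.51.100.9 user=cwong result=FAIL
2024-06-05T09:30:00Z src=198.51.100.9 user=cwong result=OK
2024-06-05T10:00:00Z src=192.0.2.44 user=admin result=FAIL
2024-06-05T10:04:00Z src=192.0.2.44 user=admin result=FAIL
2024-06-05T10:08:00Z src=192.0.2.44 user=admin result=FAIL
2024-06-05T10:12:00Z src=192.0.2.44 user=admin result=FAIL
2024-06-05T10:16:00Z src=192.0.2.44 user=admin result=FAIL
garbage line that the collector mangled
""".splitlines()

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5        # failures from one source inside WINDOW -> brute_force
PRE_SUCCESS_FAILURES = 3  # recent failures before an OK -> success_after_failures

Alert = Tuple[str, str, str, str]  # (kind, src, user, timestamp)


def detect(lines: List[str]) -> Dict[str, list]:
    recent: Dict[str, deque] = defaultdict(deque)  # src -> failure timestamps inside WINDOW
    fired = set()  # (src, kind) already alerted, so one burst raises one alert, not many
    alerts: List[Alert] = []
    unparsed: List[str] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # never drop silently: a parse gap is itself a finding
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        src, user, result = m["src"], m["user"], m["result"]
        window = recent[src]
        while window and ts - window[0] > WINDOW:  # slide the window forward
            window.popleft()
        if result == "FAIL":
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD and (src, "brute_force") not in fired:
                fired.add((src, "brute_force"))
                alerts.append(("brute_force", src, user, ts.isoformat()))
        elif len(window) >= PRE_SUCCESS_FAILURES:
            # An OK right after a run of failures is the event to escalate first:
            # the attempts may have worked.
            alerts.append(("success_after_failures", src, user, ts.isoformat()))
    return {"alerts": alerts, "unparsed": unparsed}


def run_detection() -> Dict[str, list]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    result = run_detection()
    for kind, src, user, ts in result["alerts"]:
        print(f"{ts} {kind:24} src={src} user={user}")
    print(f"{len(result['unparsed'])} unparsed line(s)")
```

Two details are deliberate. The source 192.0.2.44 fails five times but never trips the rule, because its attempts are four minutes apart and the 10‑minute window never holds five of them; a slow attack needs a longer window or a per‑user failure count in addition to the per‑source one. And the unparsed line is returned rather than discarded: if the collector starts mangling lines, the monitoring has silently stopped working, which is a finding in its own right.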

10. Remote and Third‑Party Access

  • Remote access to organisational systems must be via approved secure channels (e.g. VPN, remote desktop gateways) using strong authentication.
  • Third parties (e.g. vendors, partners) granted access must adhere to this policy and sign appropriate agreements including confidentiality clauses.
  • Third‑party access should be limited to the scope of their contract and reviewed regularly.

11. Physical Access Control

  • Access to physical locations housing critical systems (server rooms, data centres) must be restricted to authorised personnel only.
  • Physical access lists should be maintained and reviewed regularly, with entry/exit logged.
  • Visitors must be escorted and may require temporary access badges; their details should be recorded.

12. Violations and Disciplinary Actions

  • Any breach of this policy may result in disciplinary action up to and including termination of employment or contract.
  • Violations may also result in civil or criminal liabilities under UK law.

13. Exceptions and Deviations

  • Any exceptions to this policy must be approved by senior management and documented with a clear justification.
  • Exceptions should be reviewed periodically to ensure they remain valid.

14. Policy Communication and Awareness

  • This policy must be communicated to all employees and relevant third parties. It should be included in induction training and made available on the corporate intranet.
  • Managers should ensure that staff understand their responsibilities under this policy and are trained on secure access practices.

15. Supporting Policies and Standards

  • Information Security Policy – overarching framework for protecting information assets.
  • Acceptable Use Policy – guidelines for appropriate use of organisational resources, particularly IT systems.
  • Password Policy – detailed requirements for password complexity, management and storage.
  • Remote Working Policy – rules for secure remote work and BYOD use.
  • Data Protection Policy – compliance with UK GDPR and Data Protection Act 2018.

16. Policy Add‑ons

The policy may be supplemented with additional sections or procedures based on the organisation’s risk profile. For example:

  • Secure Coding Standards for developers to manage access controls within applications.
  • Identity Federation and Single Sign‑On for managing access across multiple systems.
  • Privileged Access Management (PAM) solutions and procedures.

Use this template as a foundation and adapt it to your organisation’s needs. Review and update the policy regularly to reflect changes in business processes, technology and regulations.
