
Access Control Policy Free Template

Here is a comprehensive Access Control Policy aligned with SOC 2 (CC6.1, CC6.2) and ISO/IEC 27001 (A.5.15–A.5.18):

1. Document Control

  • Document Title: Access Control Policy

  • Document Identifier: POL-ALL-003

  • Version Number: v1.0

  • Approval Date: <23 June 2025>

  • Effective Date: <23 June 2025>

  • Review Date: <23 June 2026>

  • Document Owner: <Chief Information Security Officer>

  • Approved By: <Information Security Governance Committee>

2. Purpose

The purpose of this Access Control Policy is to define the principles, rules, and procedures that govern access to <Organization Name>'s information systems, data, applications, and physical environments. Effective access control ensures that only authorized individuals are granted access to systems and data based on business need, least privilege, and segregation of duties.

This policy is essential for reducing the risk of data breaches, insider threats, and regulatory non-compliance. It also enables consistent implementation of logical access controls that protect against unauthorized use, alteration, or disclosure of company information. The policy supports compliance with ISO/IEC 27001:2022 controls A.5.15 through A.5.18 and SOC 2 Trust Criteria CC6.1 and CC6.2, which require organizations to enforce identity and access management aligned to risk and business function.

3. Scope

This policy applies to all users who access <Organization Name>'s information systems and facilities, including:

  • Full-time and part-time employees

  • Contractors, consultants, and third-party service providers

  • Remote workers and users accessing resources via VPN or cloud platforms

  • Automated systems and service accounts

It covers logical access to applications, operating systems, databases, networks, cloud services, as well as physical access to secure office areas and data centers. This policy also governs access provisioning, modification, and deprovisioning processes across the user lifecycle.

4. Policy Statement

<Organization Name> shall enforce strict access control measures to ensure that:

  1. Access is based on the principle of least privilege and granted on a need-to-know basis.

  2. All users are uniquely identified and authenticated before accessing any system.

  3. Access to systems and data is assigned according to documented roles and approved access levels.

  4. Elevated and administrative access is granted only to authorized personnel with appropriate business justification and oversight.

  5. All access permissions are reviewed on a periodic basis (at least quarterly for privileged accounts).

  6. Access rights are revoked immediately upon termination, role change, or contract conclusion.

  7. Default accounts (e.g., admin, root) are renamed or disabled when possible and strongly secured if active.

5. Safeguards

<Organization Name> implements the following technical and administrative controls to support access management:

Control ID   Control Description
AC-01        Centralized Identity and Access Management (IAM) platform integrated with all critical systems
AC-02        Multi-Factor Authentication (MFA) required for all remote and privileged access
AC-03        Role-Based Access Control (RBAC) models implemented and reviewed quarterly
AC-04        Access requests require documented approval from both the system owner and the line manager
AC-05        User access rights reviewed at least quarterly by application owners and the compliance team
AC-06        Termination checklists and automated workflows ensure deprovisioning of accounts within 24 hours of exit
AC-07        Login activity, access anomalies, and privilege escalations are monitored and logged continuously
AC-08        Shared accounts are prohibited, except in tightly controlled automation scenarios with auditing enabled

Access review logs and provisioning records must be retained for a minimum of one year for audit purposes.

6. Roles and Responsibilities

  • CISO: Accountable for policy enforcement, exception management, and alignment with compliance frameworks.

  • IT Operations: Responsible for implementing and maintaining access control tools and systems.

  • Application Owners: Approve access to systems they manage and review access entitlements quarterly.

  • HR: Coordinate with IT to initiate access changes during onboarding, role changes, and terminations.

  • All Users: Must protect their credentials and report any unauthorized access or suspicious activity immediately.

7. Compliance and Exceptions

Internal audits, automated access logs, and periodic entitlement reviews are used to validate policy compliance. Exceptions to this policy require formal documentation, risk assessment, and approval by the CISO. Temporary exceptions (e.g., vendor access) must include expiration dates and be monitored.

Failure to comply with access control requirements may be flagged during regulatory, customer, or third-party audits.

8. Enforcement

Non-compliance with this policy may result in:

  • Revocation of access privileges

  • Mandatory security re-training

  • Disciplinary action up to and including termination (for employees)

  • Contract suspension or termination (for vendors/contractors)

Where applicable, violations may also lead to legal action or regulatory reporting obligations. All violations will be logged and reviewed by the compliance team.

9. Related Policies/Documents

  • POL-ALL-001: Information Security Policy

  • POL-ALL-002: Acceptable Use Policy

  • POL-SEC-004: Password Policy

  • PRC-ALL-005: Access Request and Revocation Procedure

  • ISO 27001:2022 Controls: A.5.15–A.5.18

  • SOC 2 Criteria: CC6.1, CC6.2

10. Review and Maintenance

This policy shall be reviewed annually by the Information Security team or when significant changes occur in infrastructure, regulatory environment, or business operations. All changes must follow the company’s formal change control process and be approved by the Information Security Governance Committee.


Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
