IAM-001 Access Control Policy
Description
A documented access control policy exists that defines the rules and criteria for granting, reviewing, and revoking access to systems, applications, and data, based on business need and the principle of least privilege.
Rationale
Ensures access decisions are consistent, auditable, and driven by defined criteria rather than made ad hoc. Forms the governance foundation for all other IAM controls.
Framework Mappings (5)
| Framework control | Title | Coverage |
| --- | --- | --- |
| IAM-01 | Identity and Access Management Policy and Procedures | full |
| 5.15 | Access control | full |
| AC-1 | Policy and Procedures | full |
| IA-1 | Policy and Procedures | partial |
| CC6.1 | Logical Access Security Software, Infrastructure, and Architectures | partial |
Evidence (2)
Approved access control policy document covering rules for granting, reviewing, and revoking access based on least privilege and business need.
Example: Access Control Policy (PDF or Confluence page), version-controlled, with a named approver, effective date, and review date. Must explicitly state least-privilege and need-to-know requirements.
Test: Request the current access control policy document. Verify: (1) document has an owner and approval signature or workflow record, (2) effective date is within the last 12 months or a next-review date is set, (3) policy explicitly references least privilege and defines criteria for granting and revoking access.
Annual review record confirming the access control policy was reviewed and re-approved by an authorised owner.
Example: Jira ticket, Confluence approval workflow record, or document revision history showing the policy was reviewed and approved by an authorised owner within the last 12 months.
Test: Request the policy's version history or associated review ticket. Verify: (1) a review was completed within the last 12 months, (2) a named individual with the appropriate role approved the review outcome.
Questions (2)
Does your organisation have a documented access control policy that defines rules for granting, reviewing, and revoking access?
The policy should be version-controlled, have a named owner, and include explicit least-privilege and need-to-know requirements. An undocumented or informal approach does not satisfy this control.
How frequently is the access control policy reviewed and re-approved?
Annual review is the minimum acceptable cadence. The policy must be re-approved by a named owner after each review.