Access Control Policy - SME

This Access Control Policy (P04S) provides a comprehensive framework for small and medium-sized enterprises (SMEs) to manage and secure access to organizational systems, data, and physical facilities. As an SME-tailored policy, it notably designates responsibilities to simplified roles such as the General Manager and IT Manager/External IT Provider, reflecting the reality that many SMEs do not have dedicated IT security teams like CISO or SOC. Importantly, this policy remains fully aligned and compliant with internationally recognized standards, most significantly ISO/IEC 27001:2022, while still enabling practical implementation for organizations without complex internal resources. The policy meticulously outlines procedures for granting, modifying, and revoking access, addressing every stage of the user lifecycle. It covers all users, employees, contractors, temporary staff, and external IT service providers, and applies across company-issued or BYOD devices, cloud and on-premises systems, as well as physical premises such as offices and secure server rooms. By embedding the principle of least privilege throughout, access is given only according to business need, thoroughly minimizing the risk of unauthorized or excessive access to sensitive assets. Central to the policy are clear, actionable roles and responsibilities: the General Manager oversees policy approval, resource allocation, and exception handling; the IT Manager (or trusted external provider) implements provisioning and de-provisioning, maintains an auditable Access Control Register, configures RBAC and MFA, and conducts access log reviews. Department Managers authorize access for their teams and prompt updates upon role changes, while employees must adhere to secure access and usage protocols. The policy triggers regular access reviews, with a minimum annual cadence, and mandates both automated and manual documentation of access changes and audits. Robust risk treatment, violation management, and compliance monitoring procedures are embedded. Deviations from standard process, such as temporary access after resignation, are only permitted with top-level approval and comprehensive documentation. Clear disciplinary consequences for non-compliance are provided, ranging from retraining to contract termination or legal escalation. The policy also responds promptly to triggers such as technological changes, organizational shifts, or security incidents, requiring updated reviews and revised controls. Lastly, this policy is designed for seamless integration with related critical SME policies, such as Acceptable Use, Change Management, Onboarding and Termination, Data Protection and Privacy, and Incident Response. Its annual review cycle and mandated staff training ensure that it remains effective and readily applicable to evolving business and compliance needs, empowering SMEs to maintain strong, practical, and audit-ready access control environments.