
SOC 2 Access Control Policy — Free Template

The SOC 2 Common Criteria CC6 series is the most-tested area of every Type II audit and the most common qualification finding. This policy template gives you the language auditors expect to see and the operational sections (provisioning, MFA, JML, privileged access, quarterly reviews) you will be required to evidence.

Who needs it
  • Any company pursuing SOC 2 Type I or Type II attestation
  • Companies whose enterprise prospects request a SOC 2 report under NDA
  • ISO 27001 candidates (maps directly to A.5.15, A.5.16, A.5.18)
  • Anyone consolidating ad-hoc IT access procedures into a single audit-ready document

What's included
  • Purpose and scope statement
  • Roles and responsibilities (Owner, Approvers, IT, HR)
  • Provisioning and de-provisioning (JML) procedure with SLAs
  • Authentication standards (MFA, password length, SSO)
  • Privileged access management
  • Quarterly access review procedure
  • Remote access requirements
  • Service / non-human account governance
  • Exception handling
  • Policy review and approval cadence

Template — full text

1. Purpose

[Company Legal Name] ("Company") restricts logical and physical access to information assets to authorised personnel only, in support of the SOC 2 Common Criteria CC6.1, CC6.2, and CC6.3 and the confidentiality, integrity, and availability of customer data.

2. Scope

This policy applies to all employees, contractors, interns, and third parties accessing any Company system, application, source code repository, cloud account, or production data — including SaaS services, infrastructure (AWS, GCP, Azure), corporate IT, and on-premises systems. It covers human users and non-human / service accounts.

3. Roles and Responsibilities

  • Policy Owner: [Document Owner / Role] — owns this policy and the annual review
  • System / Data Owner: approves access requests for the systems and data they own
  • Identity & Access Management (IAM) Team: implements provisioning, MFA, and reviews
  • People Operations: triggers joiner / mover / leaver workflows in the HRIS
  • Internal Audit / Security: validates quarterly access reviews are completed

4. Provisioning (Joiner)

All access is granted on a least-privilege basis through an approved access-request workflow:
  • HRIS event triggers an automated provisioning ticket within one (1) business day of hire date
  • Default access bundle by role is granted automatically; any system outside the bundle requires System Owner approval
  • MFA is enrolled before any production access is issued
  • All access grants are logged with requester, approver, justification, and timestamp; logs are retained for at least one (1) year

5. Modification (Mover)

On a role change, IAM revokes access associated with the prior role and provisions the new role's bundle within five (5) business days. The user's manager confirms the new access profile is appropriate.

6. De-provisioning (Leaver)

Termination access removal SLA:
  • Federated SSO (Okta / Azure AD / Google Workspace) sessions revoked within one (1) hour of termination effective time
  • Production system access, cloud console, source code repositories revoked within twenty-four (24) hours
  • Mailbox archived and shared resources reassigned within seven (7) days
  • Quarterly reconciliation of HRIS terminations vs IAM directory to catch missed revocations
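The reconciliation in the last bullet is the control that catches a leaver whose access was never revoked or was revoked late. The following script is an added example, not part of the template and not a product of the template's author: it takes a constructed HRIS leaver export and a constructed IAM entitlement export (both embedded inline), applies the section 6 SLAs (one hour for SSO sessions, twenty-four hours for production, cloud console and source code), and reports every leaver entitlement that is still active or was revoked after its SLA. The mapping of system names onto SLA classes, the field names, and the 24-hour default for unlisted systems are assumptions of this example.

```python
from datetime import datetime, timedelta

# Revocation SLA per system class, taken from section 6 of the policy.
# The mapping of a named system onto a class is an assumption of this example.
REVOCATION_SLA = {
    "sso": timedelta(hours=1),
    "production": timedelta(hours=24),
    "cloud_console": timedelta(hours=24),
    "source_code": timedelta(hours=24),
}
DEFAULT_SLA = timedelta(hours=24)  # assumed for any system not listed above

# Constructed HRIS export: one row per leaver with the termination effective time (UTC).
HRIS_LEAVERS = [
    {"employee_id": "E100", "termination_effective": "2024-03-01T17:00:00+00:00"},
    {"employee_id": "E200", "termination_effective": "2024-03-05T12:00:00+00:00"},
]

# Constructed IAM directory export: one row per (employee, system) entitlement.
# revoked_at is None while the entitlement is still active.
IAM_ACCOUNTS = [
    {"employee_id": "E100", "system": "sso",         "status": "revoked", "revoked_at": "2024-03-01T17:30:00+00:00"},
    {"employee_id": "E100", "system": "production",  "status": "revoked", "revoked_at": "2024-03-03T09:00:00+00:00"},
    {"employee_id": "E100", "system": "source_code", "status": "active",  "revoked_at": None},
    {"employee_id": "E200", "system": "sso",         "status": "revoked", "revoked_at": "2024-03-05T12:20:00+00:00"},
    {"employee_id": "E200", "system": "production",  "status": "revoked", "revoked_at": "2024-03-05T20:00:00+00:00"},
    {"employee_id": "E300", "system": "production",  "status": "active",  "revoked_at": None},  # current employee
]


def reconcile(leavers, accounts):
    """Return one finding per leaver entitlement that is still active or was revoked late.

    Each finding is a dict with employee_id, system, issue ("still_active" or
    "sla_missed") and delay_hours (None for still-active entitlements).
    """
    terminated = {
        row["employee_id"]: datetime.fromisoformat(row["termination_effective"])
        for row in leavers
    }
    findings = []
    for acct in accounts:
        term_time = terminated.get(acct["employee_id"])
        if term_time is None:
            continue  # not a leaver; the quarterly review (section 10) covers these
        sla = REVOCATION_SLA.get(acct["system"], DEFAULT_SLA)
        if acct["status"] != "revoked" or acct["revoked_at"] is None:
            # Any entitlement a leaver still holds is a finding regardless of elapsed time.
            findings.append({"employee_id": acct["employee_id"], "system": acct["system"],
                             "issue": "still_active", "delay_hours": None})
            continue
        delay = datetime.fromisoformat(acct["revoked_at"]) - term_time
        if delay > sla:
            findings.append({"employee_id": acct["employee_id"], "system": acct["system"],
                             "issue": "sla_missed",
                             "delay_hours": round(delay.total_seconds() / 3600, 1)})
    return findings


if __name__ == "__main__":
    for f in reconcile(HRIS_LEAVERS, IAM_ACCOUNTS):
        print(f"{f['employee_id']:<6} {f['system']:<12} {f['issue']:<13} "
              f"{'' if f['delay_hours'] is None else str(f['delay_hours']) + 'h'}")
```

Run against the constructed data, the script reports two findings for E100 (production access revoked 40 hours after termination, and a source code entitlement still active) and nothing for E200, whose revocations landed inside the SLA. The output list, or a ticket per finding, is the evidence an auditor will ask for when sampling terminations against the IAM directory.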

7. Authentication Standards

  • All workforce identities authenticate via Company SSO (SAML or OIDC) wherever the service supports it
  • Multi-factor authentication is required on SSO and on any system holding production data, source code, or admin access. Phishing-resistant MFA (FIDO2 / WebAuthn / hardware token) is required for administrators
  • Password minimum length: 14 characters; complexity per NIST SP 800-63B; password reuse blocked
  • Sessions time out after eight (8) hours of inactivity for production systems; thirty (30) minutes for administrative consoles

8. Privileged Access Management

  • Privileged accounts (root, admin, super-user, break-glass) are inventoried and reviewed monthly
  • Standing administrative access is prohibited; just-in-time (JIT) elevation is required for routine work, time-boxed to four (4) hours
  • Break-glass accounts are stored in a sealed vault, MFA-protected, monitored, and tested annually
  • All privileged actions are logged to an immutable store and alerted on

9. Service / Non-Human Accounts

Service accounts and machine identities use short-lived, scoped credentials (e.g. AWS IAM roles, GCP service-account workload identity federation). Long-lived access keys are prohibited except where technically unavoidable, in which case they are rotated at least every ninety (90) days and stored in an approved secrets manager.
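Where a long-lived key is permitted under the exception in section 9, the three things to evidence are that an exception exists, that the key lives in the approved secrets manager, and that it has been rotated within ninety days. The following script is an added example, not part of the template and not a product of the template's author: it audits a constructed inventory of long-lived credentials and reports every key that fails one of those three checks. The inventory fields (`exception_id`, `stored_in_vault`, `last_rotated`) are hypothetical, and the example reads "rotated at least every ninety (90) days" as "an age of more than 90 days is overdue", so a key rotated exactly 90 days ago still passes.

```python
from datetime import date, timedelta

MAX_KEY_AGE = timedelta(days=90)  # rotation interval from section 9 of the policy

# Constructed inventory of long-lived access keys granted under the section 9 exception.
# The field names are hypothetical; a real inventory would come from the secrets
# manager and the cloud provider's credential reports.
LONG_LIVED_KEYS = [
    {"key_id": "KEY-A", "owner": "billing-batch", "last_rotated": "2023-11-01", "exception_id": "EXC-1", "stored_in_vault": True},
    {"key_id": "KEY-B", "owner": "etl-loader",    "last_rotated": "2024-01-31", "exception_id": "EXC-2", "stored_in_vault": True},
    {"key_id": "KEY-C", "owner": "legacy-sftp",   "last_rotated": "2023-12-02", "exception_id": "EXC-3", "stored_in_vault": True},
    {"key_id": "KEY-D", "owner": "ci-runner",     "last_rotated": "2024-02-15", "exception_id": None,    "stored_in_vault": False},
]


def audit_keys(keys, today):
    """Return (key_id, issue, detail) tuples for every section 9 violation found.

    Issues: "rotation_overdue" (detail = age in days), "no_exception",
    "not_in_secrets_manager" (detail = None for the last two).
    """
    findings = []
    for key in keys:
        age = today - date.fromisoformat(key["last_rotated"])
        if age > MAX_KEY_AGE:
            findings.append((key["key_id"], "rotation_overdue", age.days))
        if key["exception_id"] is None:
            # A long-lived key with no documented exception is itself a policy violation.
            findings.append((key["key_id"], "no_exception", None))
        if not key["stored_in_vault"]:
            findings.append((key["key_id"], "not_in_secrets_manager", None))
    return findings


def days_until_rotation(key, today):
    """Days remaining before the key breaches the 90-day limit (negative when overdue)."""
    deadline = date.fromisoformat(key["last_rotated"]) + MAX_KEY_AGE
    return (deadline - today).days


if __name__ == "__main__":
    audit_date = date(2024, 3, 1)  # constructed run date
    for key_id, issue, detail in audit_keys(LONG_LIVED_KEYS, audit_date):
        print(f"{key_id:<6} {issue:<24} {'' if detail is None else detail}")
    for key in LONG_LIVED_KEYS:
        print(f"{key['key_id']}: {days_until_rotation(key, audit_date)} days until rotation due")
```

With the constructed run date of 2024-03-01, KEY-A is 121 days old and overdue, KEY-C sits exactly at 90 days and passes, and KEY-D is young enough but has neither an exception record nor a secrets-manager location, so it produces two findings. Scheduling this check to run daily, and feeding `days_until_rotation` into a reminder ahead of the deadline, turns the ninety-day clause into something you can show an auditor rather than assert.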

10. Quarterly Access Reviews

System Owners review the user list of each in-scope system every calendar quarter:
  • Reviewer confirms each user still requires the access, or marks for revocation
  • Reviews must be completed within thirty (30) days of quarter-end
  • Evidence (signed reviewer attestation and any revocation tickets) is retained for the SOC 2 audit period
  • Security Team aggregates exceptions and reports to leadership

11. Remote Access

Remote access to production environments is permitted only via Company-managed devices and MFA-protected channels (SSO + VPN or Zero-Trust gateway). Personal devices are not authorised to access production data.

12. Exceptions

Any deviation from this policy requires a documented exception approved by the Policy Owner, with a defined expiry date (maximum 12 months) and compensating controls. The exception register is reviewed quarterly.

13. Enforcement and Review

Violations may result in disciplinary action up to and including termination, plus contractual or legal action against third parties. This policy is reviewed at least annually and after any material change in environment, by the Policy Owner. Next review: [Annual Review Date].

Disclaimer: This template is provided for general informational purposes only and does not constitute legal advice. Customise to your specific facts and have counsel review before execution.

Fields you customise

  • Company name and document owner role
  • Effective date and annual review date
  • Specific SSO and MFA platforms in use
  • Production system inventory referenced in the quarterly review
  • HRIS platform name for joiner / leaver triggers
Want a branded, multi-framework, board-ready version?

The ComplianceIQ generator produces this document in your company name and brand, mapped across every framework you need (HIPAA + GDPR + SOC 2 + ISO simultaneously), exported as DOCX + PDF, and scored against the audit checklist. Pre-populated with your tenant-specific values so nothing is left in brackets.


FAQ

Which SOC 2 criteria does this policy satisfy?
This policy directly addresses CC6.1 (logical access), CC6.2 (registration and authorisation), and CC6.3 (modification and removal). It also supports CC6.6 (external access), CC6.7 (transmission of data), and CC7.2 (system monitoring) when paired with the related procedures.
What's the most common SOC 2 access-control finding?
Quarterly access reviews not completed or evidence not retained. Auditors will sample 1-3 quarters per system in scope. Build a recurring calendar reminder with a structured spreadsheet or use an automated review tool to keep the evidence trail intact.
Do I need privileged access management (PAM) for SOC 2?
The TSC does not mandate a specific PAM product, but it requires that privileged access is restricted, monitored, and reviewed. Just-in-time elevation, monthly review of admin accounts, and immutable logging of privileged actions satisfy the criteria.
