Access Control Policy

Company Name:

Effective Date:

Policy Owner:

Approved By:

Chief Information Security Officer:

1. Purpose & Scope

1.1 This policy establishes the Organization's comprehensive framework for managing logical and physical access to information systems, applications, data, networks, and facilities. The policy ensures that access rights are granted, modified, and revoked based on the principles of least privilege and need-to-know, minimising the risk of unauthorised access, data breaches, and insider threats. This policy is aligned with ISO 27001 Annex A.9 Access Control requirements, NIST SP 800-53 access control family, and applicable data protection and privacy regulations.

1.2 This policy applies to all logical and physical access to the Organization's information assets, including servers, workstations, network devices, applications, databases, cloud services, and physical facilities, whether by employees, contractors, consultants, temporary workers, third-party service providers, or automated systems and processes. The policy covers access across all environments including on-premise data centres, cloud infrastructure, hybrid environments, remote access, and mobile access. All individuals and systems that require access to Organization resources must comply with this policy, and access shall not be granted until the requirements defined herein have been satisfied.

1.3 The Chief Information Security Officer shall be responsible for establishing access control standards, defining role-based access models, approving access control technologies, and monitoring compliance with this policy across the Organization. Data owners, defined as the business unit leaders or functional heads with accountability for specific systems or data domains, shall be accountable for authorising access to the systems and data within their domain and for certifying the continued appropriateness of granted access on a periodic basis. The Identity and Access Management team within the IT department shall administer the Organization's access control infrastructure, process access requests, and execute access provisioning and de-provisioning activities in accordance with this policy.

2. Access Provisioning & Role-Based Access

2.1 Access to Organization systems, applications, and data shall be provisioned exclusively through a formal request and approval process managed through the Organization's identity governance platform or IT service desk. Access requests shall specify the systems, applications, and data resources required, the level of access needed including read, write, or administrative privileges, the business justification for the access, the anticipated duration of access, and the approving data owner or system owner. Access shall not be provisioned on the basis of verbal requests, informal communications, or self-service registration unless the system has been specifically approved for self-service access by the CISO. The IAM team shall process approved access requests within 2 business days and shall verify that the requested access is consistent with the user's role and the principle of least privilege.

2.2 The Organization shall implement role-based access control as the primary access management model, where access permissions are assigned to defined roles that correspond to job functions, rather than to individual users. Role definitions shall be developed by the IAM team in collaboration with data owners and business unit leaders, and shall specify the minimum set of permissions required for each job function. Each role shall be documented with a clear description of its purpose, the systems and data it grants access to, and the level of access provided. Role assignments shall be reviewed by data owners at least annually to ensure continued alignment with business requirements and the principle of least privilege. Where a user requires access that exceeds their assigned role, a supplementary access request shall be submitted with a specific business justification and shall be subject to approval by the relevant data owner and the IAM team.

2.3 Segregation of duties shall be enforced across all critical business processes and systems to prevent any single individual from having a combination of access rights that could enable them to initiate and approve transactions, create and review their own work, administer systems and audit their own administrative activity, or perform any other combination of conflicting duties that could result in fraud, error, or abuse without independent oversight. The IAM team shall maintain a segregation of duties conflict matrix that identifies prohibited access combinations, and the identity governance platform shall enforce these rules automatically during access provisioning. Where a segregation of duties conflict is identified, the request shall be escalated to the relevant data owner and the CISO for review and, if necessary, the implementation of compensating controls such as enhanced monitoring or dual-approval workflows.

2.4 Temporary access, defined as access required for a limited period to support a specific project, task, or engagement, shall be provisioned with an explicit expiration date and shall be automatically revoked by the identity governance platform upon expiry. Extensions of temporary access shall require a new access request and approval. Emergency access, also known as break-glass access, may be granted outside the standard approval process in situations where immediate access is required to respond to a critical incident or prevent significant business disruption. Emergency access shall be provisioned by the IAM team or designated on-call personnel, logged in detail including the requestor, authoriser, systems accessed, and actions performed, reviewed by the relevant data owner and the CISO within 24 hours of provisioning, and revoked immediately when no longer required or within a maximum of 72 hours, whichever is sooner.

3. Access Review & Certification

3.1 Access rights for all systems containing Confidential or Restricted data, as defined in the Organization's Data Management Policy, shall be reviewed at least quarterly. Access rights for all other systems shall be reviewed at least semi-annually. Data owners shall be responsible for certifying the continued appropriateness of each user's access during these reviews, confirming that the user still requires the access, the level of access remains consistent with the user's current role, and no segregation of duties conflicts have been introduced. Access reviews shall be conducted through the Organization's identity governance platform, which shall generate review campaigns, track reviewer responses, and automatically flag accounts with incomplete reviews or overdue certifications. Access that is not certified during the review period shall be automatically suspended pending data owner confirmation.

3.2 Access rights shall be modified or revoked promptly in response to changes in an employee's role, responsibilities, or employment status. Specifically, when an employee transfers to a different department or assumes a new role, access rights associated with the previous role shall be reviewed and, where no longer required, revoked within 5 business days of the effective date of the change. When an employee begins extended leave exceeding 30 days, their access shall be suspended for the duration of the leave and reactivated upon their return, subject to re-verification. When an employee is subject to disciplinary proceedings that warrant access restriction, the IT department shall restrict access within 4 hours of receiving a request from Human Resources. The IAM team shall coordinate with Human Resources to receive timely notification of all role changes, transfers, leaves, and disciplinary actions that may affect access requirements.

3.3 The IAM team shall implement automated monitoring to identify dormant user accounts that have not recorded any authentication or activity for 90 consecutive days. Dormant accounts shall be automatically disabled, and the account owner and their line manager shall be notified. If the account owner does not request reactivation with a valid business justification within an additional 90 days, the account shall be permanently deleted from the Organization's directory services and all associated access rights shall be revoked. The IAM team shall generate a monthly dormant account report and shall present the report to the CISO, highlighting any accounts belonging to privileged users or accounts with access to Restricted data. Exceptions to the dormant account policy, such as accounts required for seasonal or cyclical business activities, shall be documented and approved by the relevant data owner and the CISO.

4. Physical Access Control

4.1 Physical access to the Organization's facilities shall be controlled through a combination of electronic access control systems, visitor management procedures, and security personnel, with the level of control proportionate to the sensitivity of each area. General office areas shall be secured by electronic badge access requiring a valid employee or contractor access badge. Restricted areas, including data centres, server rooms, network closets, and executive areas, shall require additional authentication such as PIN entry, biometric verification, or two-person access rules. The Facilities Management team shall administer the physical access control system in coordination with the IT department and the CISO, and shall conduct quarterly reviews of physical access rights to ensure that only authorised individuals have access to restricted areas.

4.2 All visitors to Organization facilities shall be pre-registered by their host employee through the visitor management system, shall present government-issued photo identification upon arrival, and shall be issued a temporary visitor badge that is clearly distinguishable from employee badges. Visitors shall be escorted by their host or an authorised employee at all times while on the premises and shall not be left unattended in work areas. Visitor access shall not extend to restricted areas, including data centres, server rooms, or areas containing Confidential or Restricted data, without explicit prior approval from the area manager and the CISO. The reception or security desk shall maintain a visitor log recording the visitor's name, organization, host employee, arrival time, departure time, and areas visited. Visitor badges shall be collected upon departure, and the Facilities Management team shall reconcile visitor badges daily.

4.3 All physical access events, including badge swipes, biometric authentications, denied access attempts, and door-held-open alerts, shall be logged by the electronic access control system with timestamps, user identification, and location details. Access logs shall be retained for a minimum of 12 months, or for such longer period as may be required by applicable regulations or the Organization's data retention schedule. The security team shall review physical access logs for anomalies, including access attempts outside normal business hours, repeated denied access attempts, tailgating alerts, and access to restricted areas by individuals whose access has not been verified. Anomalous events shall be investigated within 24 hours, and confirmed security incidents shall be reported to the CISO and managed in accordance with the Organization's incident response procedures.

5. Compliance & Policy Review

5.1 The IAM team shall produce monthly access management metrics and present them to the CISO and the IT Department Head. Metrics shall include access request provisioning turnaround times and adherence to the 2-business-day service level, access review campaign completion rates by data owner and system, dormant account identification and remediation statistics, segregation of duties violations detected and resolved, emergency and temporary access events and their post-event review status, and physical access anomaly investigation outcomes. Trends and patterns identified through these metrics shall inform risk assessments, resource allocation decisions, and continuous improvement initiatives for the Organization's access control program.

5.2 Any violation of this policy, including but not limited to gaining or attempting to gain unauthorised access to systems or facilities, sharing access credentials, failing to complete assigned access review certifications, circumventing access controls or segregation of duties requirements, or failing to report suspected unauthorised access, shall be subject to disciplinary action proportionate to the nature, severity, and impact of the violation. Disciplinary measures may include mandatory security retraining, temporary suspension of access privileges, formal written warning, suspension from employment, or termination of employment. All violations shall be documented and investigated in coordination with the Information Security team, Human Resources, and, where appropriate, Legal Counsel.

5.3 This policy shall be reviewed comprehensively at least once every 12 months by the CISO, in consultation with the IAM team, data owners, the Facilities Management team, and Legal Counsel. Reviews shall assess the policy's effectiveness in the context of changes to the Organization's access control infrastructure, identity governance platform capabilities, threat landscape, organizational structure, and regulatory requirements including ISO 27001 certification audit findings. Interim reviews shall be triggered by significant access-related security incidents, deployment of new access control technologies, organizational restructuring, or material regulatory changes. Approved amendments shall be communicated to all employees and stakeholders at least 14 calendar days before the effective date, and all access provisioning and review processes shall be updated to reflect the amended policy requirements.

What Is an Access Control Policy?

An access control policy is a formal document that defines how an organization manages who can access its information systems, applications, data, and physical facilities, and under what conditions. It establishes the principles, procedures, and technical controls that govern the provisioning, modification, review, and revocation of access rights.

Access control is one of the most critical domains in information security. ISO 27001 dedicates an entire Annex A section (A.9) to access control, covering business requirements for access, user access management, user responsibilities, and system and application access control. NIST SP 800-53 defines a comprehensive access control family with dozens of individual controls.

The policy is built on two foundational principles: least privilege, which ensures that users are granted only the minimum access necessary to perform their duties, and need-to-know, which restricts access to information based on a legitimate business requirement. Together, these principles minimise the attack surface and limit the potential impact of compromised accounts or insider threats.

Why Your Organization Needs an Access Control Policy

A formal access control policy is essential for preventing unauthorised access to sensitive systems and data, which is the objective of the majority of cyber attacks. Without standardised access management procedures, organizations accumulate excessive access rights, dormant accounts, and uncontrolled privileged access that create easily exploitable vulnerabilities.

Access control failures are a leading cause of data breaches. The OWASP Top 10 consistently ranks broken access control as one of the most common and severe web application security risks. Verizon's Data Breach Investigations Report finds that privilege misuse and access abuse are significant factors in insider-driven breaches. A formal policy that enforces least privilege, segregation of duties, and regular access reviews directly addresses these risks.

Regulatory compliance is another compelling driver. SOX requires segregation of duties in financial systems. HIPAA mandates that access to protected health information be limited to the minimum necessary. PCI DSS requires restriction of access to cardholder data on a need-to-know basis. GDPR requires appropriate technical measures including access controls proportionate to the data being protected. A documented access control policy is the foundation for demonstrating compliance with all of these requirements.

Physical access control is equally important. Unauthorised physical access to data centres, server rooms, and sensitive work areas can bypass logical security controls entirely. A comprehensive policy addresses both logical and physical access management.

Key Components of an Access Control Policy

A comprehensive access control policy addresses four key domains that together provide end-to-end access governance.

The first domain is Access Provisioning and Role-Based Access. This defines the formal request and approval process for granting access, the role-based access control model that assigns permissions to roles rather than individuals, segregation of duties requirements, and procedures for temporary and emergency access.

The second domain is Access Review and Certification. This establishes the periodic review cycle in which data owners certify that each user's access remains appropriate. It also defines the triggers for access modification, such as role changes and departures, and the procedures for identifying and disabling dormant accounts.

The third domain is Physical Access Control. This covers facility security measures including electronic badge access, restricted area protections, visitor management procedures, and physical access event logging.

The fourth domain is Compliance and Metrics. This defines the access management metrics that are tracked and reported, the consequences of policy violations, and the policy review cycle.

How to Implement This Access Control Policy

Implementing this access control policy requires investment in identity governance technology, clear role definitions, and commitment to periodic access reviews.

Step one: define your role model. Work with business unit leaders to define the roles that correspond to job functions across the organization. For each role, specify the systems, applications, and data that the role requires access to, and the level of access needed. This role model becomes the foundation for automated provisioning.

Step two: deploy identity governance. Implement an identity governance platform that automates access request workflows, enforces approval chains, manages role assignments, and runs access review campaigns. The platform should integrate with your directory services, HR system, and critical applications.

Step three: build the segregation of duties matrix. Identify the access combinations that create conflict-of-interest or fraud risks, and configure your identity governance platform to enforce these rules automatically during provisioning.

Step four: launch access reviews. Configure and execute your first access review campaign, with data owners certifying the access rights of all users within their domain. Target quarterly reviews for systems containing Confidential or Restricted data and semi-annual reviews for all other systems.

Step five: address physical access. Ensure that electronic access control systems, visitor management procedures, and restricted area protections are aligned with the policy requirements. Integrate physical access provisioning and de-provisioning with the HR offboarding workflow.

Frequently Asked Questions

What is the principle of least privilege?

The principle of least privilege requires that users are granted only the minimum access rights necessary to perform their assigned job duties. This minimises the potential damage from compromised accounts, reduces insider threat risk, and ensures compliance with data protection regulations that require proportionate access controls.

How are access rights provisioned?

Access is provisioned through a formal request and approval process managed through the organization's identity governance platform. Requests must specify the systems, access level, business justification, and duration needed. Approval is required from the user's manager and, for sensitive systems, the relevant data owner. Requests are processed within 2 business days.

What is role-based access control?

Role-based access control assigns permissions to defined roles that correspond to job functions, rather than to individual users. Each role specifies the minimum set of system and data permissions required for that function. Users are assigned to roles, and their access is automatically configured. This approach simplifies management and ensures consistency.

How often are access rights reviewed?

Access rights for systems containing Confidential or Restricted data are reviewed quarterly. Access rights for all other systems are reviewed semi-annually. Data owners certify the continued appropriateness of each user's access during these reviews. Access that is not certified is automatically suspended.

What happens to my access when I change roles?

When you change roles or transfer departments, access rights associated with your previous role are reviewed and, where no longer required, revoked within 5 business days. New access aligned with your new role is provisioned through the standard request and approval process. This prevents the accumulation of excessive access over time.

What is segregation of duties?

Segregation of duties prevents any single individual from having access rights that could enable them to perform conflicting activities, such as initiating and approving transactions, without independent oversight. The identity governance platform enforces a conflict matrix automatically during provisioning and flags violations for review.

What are the rules for visitor access to facilities?

All visitors must be pre-registered, present photo identification, and receive a temporary visitor badge. Visitors must be escorted at all times and cannot access restricted areas without explicit approval from the area manager and the CISO. Visitor badges are collected upon departure and reconciled daily.

How often is the access control policy reviewed?

The policy is reviewed at least annually by the CISO in consultation with the IAM team, data owners, the Facilities Management team, and Legal Counsel. Reviews assess the policy's effectiveness in the context of infrastructure changes, threat landscape evolution, and regulatory requirements.

Written by Adithyan RK
Fact checked by Surya N
Published on: 3 Mar 2026