This procedure defines the controls and operational steps for managing user access to information systems and resources. It covers provisioning, modification, and de-provisioning of access rights in alignment with the principle of least privilege.
1. Purpose
To establish a formal process for granting, modifying, and revoking access rights to information systems and data assets across the organisation.
2. Scope
This procedure applies to all employees, contractors, and third parties who require access to company systems, applications, and data.
3. Access Provisioning
All access requests must be initiated via the IT service desk portal and approved by the line manager and the system owner. Privileged access requires additional CISO sign-off.
4. Quarterly Review
A mandatory quarterly review of all privileged accounts must be performed by the IT Operations team. Any accounts with no activity in 60 days are suspended pending review...

| Period | Due Date | Submitted | Reviewer | Status | Notes |
|---|---|---|---|---|---|
| Annual 2025 | 12 Nov 2025 | 10 Nov 2025 | Thomas Richards | Reviewed | Version updated to v3.0 |
| Annual 2024 | 12 Nov 2024 | 11 Nov 2024 | Thomas Richards | Reviewed | Minor wording changes |
| Annual 2023 | 12 Nov 2023 | 19 Nov 2023 | Sarah Lin | Late | Added cloud access section |
| Annual 2022 | 12 Nov 2022 | 8 Nov 2022 | Sarah Lin | Reviewed | Initial published version |

Next review due: 12 November 2026

| Name | Role | Department | Assignment | Notified |
|---|---|---|---|---|
| Thomas Richards | IT Manager | IT Operations | Responsible | |
| Jane Cooper | CISO | Information Security | Accountable | |
| Mike Patel | Risk Manager | GRC | Consulted | |
| Sarah Lin | Compliance Officer | Legal & Compliance | Informed | |
| Laura McCarthy | HR Manager | Human Resources | Informed | |