Access Control Policy

CIAO ESSENTIAL — POLICY
C-AO/POL/CAO-410:2026 PUBLIC
Access Control Policy
CAO-400 Cybersecurity sub-policy (CAO-410) — auto-drafted, pending panel review
Date Issued  22 June 2026
Review Date  22 June 2027
Cite as: CIAO Standard. (2026). Access Control Policy. v1.1.3.7. C-AO/POL/CAO-410:2026. www.c-ao.com

1 · Purpose

This policy establishes the requirements for access control policy within the CAO-400 Cybersecurity. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.

2 · Scope

This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.

3 · Policy statements

3.x · CAO-410 Policy Controls

outlinesatisfies·solidpartial·greyinforms

The organisation shall establish, implement and maintain a coherent and effective approach to access control, giving effect to the organisational control objectives set out below.

COBIT 2019GDPRHIPAAISAE 3402 Type IIISO/IEC 27001ISO/IEC 27002ISO/IEC 27017NIS2NIST CSF 2.0NIST SP 800-161r1NIST SP 800-53PCI-DSS v4.0.1SOC 2 Type II

3.1 · CAO-411 Access Control Governance

The organisation shall establish, implement and maintain effective Access Control Governance, giving effect to the organisational controls set out below.

COBIT 2019HIPAAISAE 3402 Type IIISO/IEC 27001ISO/IEC 27002NIST CSF 2.0NIST SP 800-161r1NIST SP 800-53PCI-DSS v4.0.1SOC 2 Type II

3.1.x · CAO-411 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.2 · CAO-412 Identity Management

The organisation shall establish, implement and maintain effective Identity Management, giving effect to the organisational controls set out below.

ISO/IEC 27001ISO/IEC 27002NIST CSF 2.0NIST SP 800-161r1NIST SP 800-53PCI-DSS v4.0.1SOC 2 Type II

3.2.x · CAO-412 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.3 · CAO-413 Authentication

The organisation shall establish, implement and maintain effective Authentication, giving effect to the organisational controls set out below.

ISO/IEC 27001ISO/IEC 27002ISO/IEC 27017NIS2NIST CSF 2.0NIST SP 800-53PCI-DSS v4.0.1SOC 2 Type II

3.3.x · CAO-413 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.4 · CAO-414 Authorization and Access Rights

The organisation shall establish, implement and maintain effective Authorization and Access Rights, giving effect to the organisational controls set out below.

GDPRISO/IEC 27001ISO/IEC 27002ISO/IEC 27017NIST CSF 2.0NIST SP 800-53PCI-DSS v4.0.1SOC 2 Type II

3.4.x · CAO-414 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.5 · CAO-415 Privileged Access

The organisation shall establish, implement and maintain effective Privileged Access, giving effect to the organisational controls set out below.

ISO/IEC 27001ISO/IEC 27002ISO/IEC 27017NIST SP 800-53PCI-DSS v4.0.1

3.5.x · CAO-415 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.6 · CAO-416 Remote and Mobile Access

The organisation shall establish, implement and maintain effective Remote and Mobile Access, giving effect to the organisational controls set out below.

ISO/IEC 27001ISO/IEC 27002ISO/IEC 27017NIS2NIST SP 800-53

3.6.x · CAO-416 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

4 · Roles & responsibilities

5 · Compliance, monitoring & review

Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.

● LIVE CONTENT  ·  Verified 11 July 2026 at 17:36 UTC  ·  Version 1.1.3.7  ·  Always current at c-ao.com  ·  © CIAO Standard Secretariat 2026

Cite this page (APA)