1 · Purpose
This policy establishes the requirements for access control policy within the CAO-400 Cybersecurity. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.
2 · Scope
This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.
3 · Policy statements
3.x · CAO-410 Policy Controls
The organisation shall establish, implement and maintain a coherent and effective approach to access control, giving effect to the organisational control objectives set out below.
3.1 · CAO-411 Access Control Governance
The organisation shall establish, implement and maintain effective Access Control Governance, giving effect to the organisational controls set out below.
3.1.x · CAO-411 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.2 · CAO-412 Identity Management
The organisation shall establish, implement and maintain effective Identity Management, giving effect to the organisational controls set out below.
3.2.x · CAO-412 Organisational Controls
3.3 · CAO-413 Authentication
The organisation shall establish, implement and maintain effective Authentication, giving effect to the organisational controls set out below.
3.3.x · CAO-413 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.4 · CAO-414 Authorization and Access Rights
The organisation shall establish, implement and maintain effective Authorization and Access Rights, giving effect to the organisational controls set out below.
3.4.x · CAO-414 Organisational Controls
3.5 · CAO-415 Privileged Access
The organisation shall establish, implement and maintain effective Privileged Access, giving effect to the organisational controls set out below.
3.5.x · CAO-415 Organisational Controls
3.6 · CAO-416 Remote and Mobile Access
The organisation shall establish, implement and maintain effective Remote and Mobile Access, giving effect to the organisational controls set out below.
3.6.x · CAO-416 Organisational Controls
4 · Roles & responsibilities
- Governing body — approves this policy and oversees its effectiveness.
- Executive management — allocates resources and assigns control ownership.
- Control owners — implement, operate and evidence the controls in their area.
- All personnel & third parties — comply with this policy within their role.
5 · Compliance, monitoring & review
Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.
