Background
----------

ISO/IEC 27002:2022 clause 5.15 indicates that "Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements [in order] to ensure authorized access and to prevent unauthorized access to information and other associated assets."

Policy statements
-----------------

1. A simple way to clarify access requirements is to classify information, applying standard access controls for the general classification levels and custom controls for information classified SECRET.

2. Information owners should actively participate in determining information risks and security controls, seeking expert assistance to assess the risks and develop the access policies.

3. Effective access control requires authentication of claimed identities, the strength of which should reflect the risks of inappropriate or unauthorised access.

4. The type of access matters: read-write or administrative access is substantially different from read-only or no access.

Notes
-----

This is a "skeleton" policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.