B.2 Access Management Procedures

Version: April 2025
Aligned with: ISO/IEC 27001:2022 (Annex A: A.5.15, A.5.16, A.5.17, A.5.18)
Applies to: All employees, contractors, HR, and IT administrators

Purpose
To define procedures for provisioning, managing, and deprovisioning user access to organizational systems and data.

1. User Account Provisioning
(Aligned with A.5.16 – Identity management)

1.1 Access Request Process

  • Submit formal access request with business justification
  • Obtain manager approval for access request
  • Security team reviews and approves access level
  • IT team provisions account with minimum required privileges

1.2 Account Activation

  • Verify identity of new user before account activation
  • Provide security awareness training before access
  • Document account creation and access granted
  • Schedule first access review within 30 days

2. Account Deprovisioning
(Aligned with A.5.18 – Access rights)

  1. HR notifies IT of employment termination
  2. Disable all accounts immediately upon notification
  3. Transfer data ownership to manager or designated successor
  4. Remove physical access cards and return company equipment