Access Control Policy
(Annex A.9)

Public version

Effective Date: 01 July 2025

Owner: Chief Information Security Officer (CISO)

Applies To: All employees, contractors, and systems of Advntg.AI

ISO 27001 & SOC 2 Mapping

This Policy supports compliance with the following standards and controls:

ISO 27001 Annex A Controls

  • A.6 – Organization of Information Security: Assigning defined access control responsibilities to specific roles (CISO, Cybersecurity Team, HR, Department Heads).
  • A.9 – Access Control: Implementing least privilege, access workflows, authentication standards, and segregation of environments.
  • A.12 – Operations Security: Enforcing endpoint protection, logging, and security monitoring requirements.
  • A.13 – Communications Security: Protecting data in transit through secure access and environment segregation.
  • A.18 – Compliance: Enforcing policy adherence and consequences for violations.

SOC 2 Trust Services Criteria

  • Security (CC6.x) – Logical and physical access controls for users and administrators.
  • Security (CC7.x) – System monitoring, logging, and detection of unauthorized access attempts.
  • Confidentiality (C1.x) – Segregation of client/vendor data and protection of credentials.
  • Availability (A1.x) – Ensuring that access controls support system availability while preventing misuse.

Table of Contents

Access Control Policy (Annex A.9)

ISO 27001 & SOC 2 Mapping

1. Purpose

2. Scope (Annex A.9.1)

3. Roles and Responsibilities (Annex A.6.1)

4. Access Levels and Workflow (Annex A.9.2)

5. Authentication and Password Standards (Annex A.9.3)

6. Segregation of Data and Environments (Annex A.9.4)

7. Access to Third-Party, Client and Partner Data and Infrastructure: Limitation and Duration

8. Approved Data and Asset Transfer Methods

9. Endpoint Security Requirements (Annex A.12.6)

10. Physical Security Requirements

11. Monitoring, Logging, and Audit (Annex A.12.4)

12. Enforcement and Violations (Annex A.18.1)

13. Annex – Technical Controls Checklist

Version | Date         | Made By | Approved By | Comments
1.0     | 01 July 2025 | CISO    | CEO         | n/a

1. Purpose

This Policy establishes the framework for managing user, administrator, and system access to Company systems, networks, and data, ensuring compliance with ISO 27001 Annex A.9 and SOC 2 requirements.

The Company may, based on its individual business needs and specific legal requirements, exceed the security requirements put forth in this document, but must, at a minimum, achieve the security levels required by this Policy.

2. Scope

This Policy applies to all the Company’s computer systems and facilities, including those managed on the Company’s behalf by third parties. In particular, this Policy applies to:

  • All employees, contractors, and third-party vendors
  • All information systems, devices, and applications managed by the Company
  • All data handled by the Company, including personal data, client data, and proprietary information.

The information systems, devices, and applications and the data handled by the Company shall be referred to collectively as the Technology Assets. More specifically, the Technology Assets may include, but are not limited to:

  • Bluetooth
  • Cameras
  • Data
  • Email
  • External drives
  • Freeware/Shareware
  • Cloud Infrastructure, including Websites
  • Cloud storage
  • Internal Network
  • Mobile devices
  • Message boards and blogs
  • Passwords
  • Password cracking software
  • Personal Information
  • Phones
  • Physical security elements
  • Printers
  • Remote access fixtures
  • Scanners
  • Social network instances
  • USB drives
  • Wireless devices.

Violations of this Policy may be subject to disciplinary action up to and including termination of employment. Where circumstances warrant, security breaches and failures to comply with this Policy will be referred to law enforcement. Users who discover a violation of this Policy must promptly notify their manager, Human Resources or the Help Desk. Business partners and managed service providers should report any violation of this Policy to their designated point of contact.

3. Roles and Responsibilities

3.1. CISO

The Chief Information Security Officer (CISO) owns this Policy and is responsible for its governance.

3.2. Cybersecurity Team

The Cybersecurity Team enforces the technical controls established in this Policy.

3.3. Human Resources

Human Resources manages the onboarding and offboarding procedures for employees.

3.4. Other Departments

Department Heads approve the access levels of users in their departments.

4. Access Levels and Workflow

4.1. Least Privilege

This Policy prescribes the Least Privilege principle for granting access within the Company.

Access shall be granted in accordance with the user's job responsibilities and limited to those elements that are necessary to accomplish the assigned tasks in support of the Company's mission and business functions.

4.2. Access Levels

Access Levels shall include:

  • Standard User Access (read/write limited to assigned systems)
  • Administrative Access (privileged, requires CISO approval)
  • Service/System Accounts (non-human, token rotation enforced)

4.3. Workflow

All access requests must follow a documented workflow with multi-level approval and be logged in the Access Management System.

5. Authentication and Password Standards

5.1. Passwords and Multi-Factor Authentication

Passwords and Multi-Factor Authentication are mandatory for all administrative and cloud accounts; the full MFA scope, including remote access, is defined in Section 5.6.

5.2. Requirements for passwords

Passwords must:

  • Contain at least 12 characters, including at least one character from each of the following classes:
      • Uppercase letters (A-Z)
      • Lowercase letters (a-z)
      • Numbers (0-9)
      • Special characters (e.g., !, @, #, $)
  • Not be reused within the last 10 password cycles.
  • Be rotated every 90 days for all privileged accounts.

Accounts must be locked after 5 consecutive failed login attempts, with a 30-minute lockout period before further attempts are allowed.
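The following is an added example, not part of the original Policy or of any Company system, showing how the Section 5.2 rules translate into enforcement code: a complexity check, a password history that stores only salted hashes (so the history itself does not violate Section 5.5), and a per-account lockout counter. The PBKDF2 round count, the treatment of any non-alphanumeric character as "special", and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import string
import time

MIN_LENGTH = 12             # Section 5.2
HISTORY_DEPTH = 10          # Section 5.2: no reuse within the last 10 password cycles
LOCKOUT_THRESHOLD = 5       # Section 5.2: lock after 5 consecutive failures
LOCKOUT_SECONDS = 30 * 60   # Section 5.2: 30-minute lockout
PBKDF2_ROUNDS = 10_000      # assumption: kept low for the example; raise it in production


def check_complexity(password: str) -> list[str]:
    """Return the Section 5.2 complexity rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no digit")
    # Assumption: any character outside A-Z, a-z, 0-9 counts as a special character.
    if not any(c not in string.ascii_letters + string.digits for c in password):
        problems.append("no special character")
    return problems


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords; plaintext is never stored."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []   # (salt, digest), oldest first

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def was_used_recently(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-HISTORY_DEPTH]              # forget anything older than 10 cycles


def change_password(history: PasswordHistory, new_password: str) -> list[str]:
    """Apply Section 5.2 to a proposed password; it is recorded only when no rule is violated."""
    problems = check_complexity(new_password)
    if history.was_used_recently(new_password):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    if not problems:
        history.record(new_password)
    return problems


class LoginGuard:
    """Per-account consecutive-failure counter implementing the 5-strike / 30-minute lockout."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock                             # injectable so tests can advance time
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:                      # lockout expired: clear it and the counter
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Register a failed login; returns True when the account is (now) locked."""
        if self.is_locked(user):
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login ends the run of consecutive failures."""
        self._failures[user] = 0
```

The history check hashes the candidate against every stored entry, which is what makes the 10-cycle rule enforceable without ever keeping old passwords in clear; the lockout resets its counter only on a successful login or when the 30-minute period has elapsed.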

5.3. Passwords in personal use

Users are strongly discouraged from reusing the passwords they use on Company devices and Technology Assets for personal accounts such as social media sites, since a compromise of the personal account would otherwise expose Company resources.

5.4. Confidentiality of passwords

Passwords used to authenticate a person or process must be treated as confidential and protected appropriately.

5.5. Storage of passwords

Passwords must not be stored on paper, or in an electronic file, hand-held device or browser, unless they can be stored securely and the method of storing (e.g., password vault) has been approved by the CISO.

5.6. Multi-Factor Authentication (MFA)

5.6.1. MFA is mandatory for:

  • All administrative accounts.
  • All accounts hosted in cloud environments.
  • Any remote access to Company networks or systems.

5.6.2. MFA must use at least two different authentication factors from the following categories:

  • Something you know – e.g., password, PIN.
  • Something you have – e.g., security token, smart card, mobile authenticator app.
  • Something you are – e.g., biometric identifier such as fingerprint or facial recognition.

5.6.3. MFA configurations must:

  • Be enabled and enforced at the system or application level.
  • Use Company-approved authentication methods only.
  • Be reviewed at least annually to ensure they meet current security standards.

5.6.4. Temporary MFA exemptions (e.g., due to technical limitations) require written approval from the CISO and must have compensating controls in place.

6. Segregation of Data and Environments

6.1. Logical Segregation

Client and vendor data must be logically segregated into separate environments or dedicated storage partitions to prevent unauthorized access or data leakage.

Segregation methods may include:

  • Separate virtual environments or instances.
  • Isolated network segments.
  • Distinct databases or file system structures.

6.2. Access Isolation

Access to each client’s or vendor’s environment shall be restricted to authorized personnel only and be based on the principle of least privilege.

Access controls must be implemented to prevent cross-client/vendor data access.

6.3. Logging and Audit

All access to client/vendor environments must be recorded in system logs including:

  • User ID.
  • Timestamp.
  • Access method.
  • Actions performed.

Logs must be retained in accordance with the Company’s audit retention policy and reviewed regularly for suspicious activity.

6.4. Environment Management

Development, testing, and production environments must be separated to prevent unintended data exposure or operational disruption.

6.5. Physical security

Devices containing client or vendor data must be physically secured when unattended (e.g., locked office, encrypted storage, device password protection).

7. Access to Third-Party, Client and Partner Data and Infrastructure: Limitation and Duration

7.1. Principle of Least Privilege

Users, including employees of the Company, will be granted access to any third-party, client and partner data and infrastructures only to the minimum extent necessary to perform their tasks.

7.2. Time-Bound Access

Access permissions will be time-limited and automatically expire upon the completion of the necessary task or at relevant contract termination, whichever occurs first.

7.3. Periodic Access Review

The Company will conduct quarterly reviews of vendor and subcontractor access to verify that:

  • Access is still required.
  • No unnecessary privileges are retained.
  • Expired accounts are promptly disabled or removed.

7.4. Immediate Revocation

Access must be revoked immediately when it is no longer needed, or upon termination of the individual’s role, project, or contract.
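As an added illustration of Sections 7.2 to 7.4, not code from the Policy or from any Company system, the script below runs a quarterly access review over a constructed export of access grants. The review date, the 90-day token rotation interval (the Policy requires rotation for service accounts in Section 4.2 but sets no interval here), the record fields and the "still_required" owner attestation are all assumptions made for the example.

```python
from datetime import date, timedelta

REVIEW_DATE = date(2025, 10, 1)        # assumption: date on which the quarterly review is run
TOKEN_MAX_AGE = timedelta(days=90)     # assumption: rotation interval for service account tokens

# Constructed sample export from a hypothetical access management system; not real data.
# "still_required" is the owner's attestation collected during the Section 7.3 review.
GRANTS = [
    {"principal": "alice", "type": "employee", "resource": "client-acme/prod",
     "expires": date(2025, 12, 31), "contract_end": date(2026, 6, 30), "still_required": True},
    {"principal": "bob", "type": "vendor", "resource": "client-acme/prod",
     "expires": date(2025, 9, 15), "contract_end": date(2026, 6, 30), "still_required": True},
    {"principal": "carol", "type": "subcontractor", "resource": "client-beta/staging",
     "expires": date(2026, 1, 1), "contract_end": date(2025, 8, 31), "still_required": True},
    {"principal": "dave", "type": "employee", "resource": "client-beta/prod",
     "expires": date(2026, 1, 1), "contract_end": date(2026, 6, 30), "still_required": False},
    {"principal": "svc-backup", "type": "service", "resource": "client-acme/prod",
     "token_created": date(2025, 5, 1)},
    {"principal": "svc-ci", "type": "service", "resource": "client-beta/staging",
     "token_created": date(2025, 9, 20)},
]


def effective_end(grant: dict) -> date:
    """Section 7.2: access ends at task completion or contract termination, whichever occurs first."""
    return min(grant["expires"], grant["contract_end"])


def review_access(grants, today=REVIEW_DATE, token_max_age=TOKEN_MAX_AGE):
    """Return (principal, resource, reason) for every grant that must be revoked or remediated."""
    actions = []
    for g in grants:
        if g["type"] == "service":
            # Non-human accounts: check the Section 4.2 token rotation requirement instead of expiry.
            age = today - g["token_created"]
            if age > token_max_age:
                actions.append((g["principal"], g["resource"],
                                f"token not rotated for {age.days} days"))
            continue
        end = effective_end(g)
        if end < today:
            # Section 7.2/7.4: an expired grant that is still active must be revoked immediately.
            actions.append((g["principal"], g["resource"],
                            f"access expired on {end.isoformat()} but is still active"))
        elif not g["still_required"]:
            # Section 7.3: the owner no longer needs the access.
            actions.append((g["principal"], g["resource"],
                            "owner attests access is no longer required"))
    return actions


if __name__ == "__main__":
    for principal, resource, reason in review_access(GRANTS):
        print(f"REVOKE {principal} on {resource}: {reason}")
```

The point of taking the minimum of the task expiry and the contract end is that a vendor whose contract has ended keeps no access even if the individual grant was set to run longer; the output list is the evidence the Annex checklist asks for.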

8. Approved Data and Asset Transfer Methods

8.1. Third-Party Data Transfers

All transfers of Third-Party data or assets (including data of the Company's Clients) between the Company, the relevant Third Party and any other third party must use the secure transfer methods approved by that Third Party.

8.2. Prohibited Transfer Methods

The following methods are strictly prohibited for transferring Company or Third-Party data or assets:

  • Unsecured FTP sites.
  • Consumer-grade or personal cloud storage services (e.g., Dropbox, personal Google Drive, OneDrive personal accounts).

8.3. Security of Transfer

All approved transfers must use encryption in transit and comply with the Company’s Data Handling Requirements.

9. Endpoint Security Requirements

9.1. Encryption

9.1.1. All company-owned and personally-owned devices that access Company systems must have full-disk encryption enabled (e.g., BitLocker, FileVault).

9.1.2. Encryption keys must be stored and managed securely in accordance with the Company’s key management policy.

9.2. Anti-Malware and Endpoint Detection & Response (EDR)

9.2.1. All endpoints must run Company-approved anti-malware software and EDR solutions.

9.2.2. Definitions and signatures must be updated automatically and without user intervention.

9.2.3. EDR must be configured to alert the security team of suspicious or malicious activities.

9.3. Firewalls

9.3.1. All workstations, laptops, and servers must have firewall protection enabled.

9.3.2. Firewalls must be configured to:

  • Block unauthorized inbound connections.
  • Restrict outbound traffic in accordance with Company policy.

9.3.3. Firewall rules must be reviewed periodically for effectiveness.

9.4. Centralized Monitoring and Telemetry

9.4.1. All endpoint security logs, telemetry, and event data must be reported to the centralized monitoring platform.

9.4.2. Logged events must include:

  • User logon/logoff activity.
  • Security alerts and incidents.
  • System configuration changes.

9.4.3. Logs must be retained in accordance with the Company’s audit retention policy and reviewed regularly by the Cybersecurity team.

9.5. Compliance Monitoring

9.5.1. Endpoint compliance will be verified through periodic automated scans and security audits.

9.5.2. Non-compliant devices may be immediately denied access to Company systems until issues are remediated.

10. Physical Security Requirements

10.1. Physical Access Controls

The Company maintains physical security controls at all of its physical facilities, including offices. These controls include, but are not limited to:

  • Keycard access systems.
  • PIN or keypad entry codes.
  • On-site security personnel.

10.2. Access Restriction

Physical access must be restricted to authorized personnel only and reviewed periodically to ensure continued necessity.

10.3. Visitor Management

Visitors must be logged, accompanied by authorized staff at all times, and prohibited from unsupervised access to the Company facilities.

10.4. Alignment with Other Security Requirements

These measures are in addition to logical access controls, encryption, and other safeguards defined in this Policy.

11. Monitoring, Logging, and Audit

11.1. Logging of Privileged and Administrative Activities

All administrative and privileged account activities must be logged in detail, including:

  • User ID.
  • Timestamp of the action.
  • System or resource accessed.
  • Actions performed (e.g., configuration changes, access granted).

Logging must be enabled on all critical systems, applications, and network devices.

11.2. Log Retention

Logs must be retained for a minimum of 12 months in secure, tamper-resistant storage.

Access to logs is restricted to authorized personnel in the Cybersecurity Team.

11.3. Log Review and Analysis

The Cybersecurity Team must review logs quarterly to detect:

  • Unauthorized access attempts.
  • Privilege escalations.
  • Configuration changes outside approved change management processes.

High-risk incidents detected during reviews must be escalated per the Company’s incident response procedure.
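The script below is an added example, not part of the Policy or of any Company tooling, of the three Section 11.3 review categories applied to a handful of constructed log records. The "timestamp key=value" record format, the event and field names, and the role name "admin" are assumptions; the five-failure / 30-minute trigger reuses the Section 5.2 lockout parameters, and a configuration change without a change ticket is treated as outside the approved change management process.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample records in a hypothetical "timestamp key=value ..." format; not real output.
# Each record carries the Section 11.1 fields: user, timestamp, resource/system and action.
SAMPLE_LOGS = """\
2025-07-03T09:00:01Z event=login user=alice src=10.0.1.5 result=success
2025-07-03T09:12:10Z event=login user=bob src=203.0.113.9 result=failure
2025-07-03T09:12:14Z event=login user=bob src=203.0.113.9 result=failure
2025-07-03T09:12:19Z event=login user=bob src=203.0.113.9 result=failure
2025-07-03T09:12:25Z event=login user=bob src=203.0.113.9 result=failure
2025-07-03T09:12:31Z event=login user=bob src=203.0.113.9 result=failure
2025-07-03T10:30:00Z event=role_change user=carol target=dave new_role=admin ticket=CHG-0042
2025-07-03T11:05:44Z event=role_change user=dave target=dave new_role=admin
2025-07-03T14:20:00Z event=config_change user=alice resource=fw-core action=allow-inbound-443 ticket=CHG-0043
2025-07-03T23:45:12Z event=config_change user=dave resource=fw-core action=allow-inbound-any
"""

FAILURE_THRESHOLD = 5                    # Section 5.2 lockout threshold, reused as the review trigger
FAILURE_WINDOW = timedelta(minutes=30)   # Section 5.2 lockout period
PRIVILEGED_ROLES = {"admin"}             # assumption: role names used by the hypothetical system


def parse_line(line: str) -> Optional[dict]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; returns None for lines that do not match."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    fields["ts"] = ts
    return fields


def review_logs(text: str) -> list:
    """Return (finding, user, timestamp) tuples for the three Section 11.3 review categories."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    findings = []

    # 1. Unauthorized access attempts: FAILURE_THRESHOLD failures by one user inside FAILURE_WINDOW.
    failures = defaultdict(list)
    for e in events:
        if e.get("event") == "login" and e.get("result") == "failure":
            failures[e["user"]].append(e["ts"])
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            if times[i + FAILURE_THRESHOLD - 1] - times[i] <= FAILURE_WINDOW:
                findings.append(("repeated_login_failures", user, times[i].isoformat()))
                break   # one finding per user is enough for the reviewer

    for e in events:
        # 2. Privilege escalations: any grant of a privileged role; self-grants are called out separately.
        if e.get("event") == "role_change" and e.get("new_role") in PRIVILEGED_ROLES:
            kind = "self_escalation" if e["user"] == e.get("target") else "privilege_grant"
            findings.append((kind, e["user"], e["ts"].isoformat()))
        # 3. Configuration changes outside change management: no change ticket recorded.
        if e.get("event") == "config_change" and "ticket" not in e:
            findings.append(("unapproved_config_change", e["user"], e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for kind, user, ts in review_logs(SAMPLE_LOGS):
        print(f"{ts} {kind:<26} {user}")
```

Each finding names the user and the timestamp of the first offending record, which is the minimum a reviewer needs to escalate under the incident response procedure; the same logic can be expressed as SIEM correlation rules for the real-time monitoring described in Section 11.4.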

11.4. Integration with SIEM

All logs must be integrated with the Company’s Security Information and Event Management (SIEM) system for:

  • Real-time monitoring and alerting.
  • Correlation of events across systems.
  • Automated threat detection.

11.5. Compliance and Evidence

Evidence of log reviews, retention, and SIEM alerts must be documented for audit purposes.

Non-compliance with this control must be reported to the CISO for remediation.

12. Enforcement and Violations

12.1. Compliance Requirement

All employees, contractors, vendors, and third parties with access to Company systems, data, or facilities are required to comply with this Policy and all related security procedures.

12.2. Violation Consequences

Violations of this policy, whether intentional or due to negligence, may result in:

  1. Disciplinary action, up to and including termination of employment or contract.
  2. Legal action, including civil or criminal proceedings where applicable.
  3. Notification of regulatory bodies or affected parties, if required by law or contractual obligations.

12.3. Incident Reporting

All suspected or confirmed violations must be reported immediately to the Cybersecurity Team or the designated compliance contact.

Reports will be handled confidentially, with investigation and remediation carried out in line with the Company’s incident response process.

12.4. Due Process

Enforcement actions will be taken only after a fair investigation has been conducted, with findings documented and retained according to the Company’s records management policy.

12.5. Zero Tolerance for Retaliation

The Company prohibits retaliation against individuals who, in good faith, report suspected violations of this policy.

13. Annex – Technical Controls Checklist

13.1. Review Frequency

The Cybersecurity Team must verify the technical controls listed below at least quarterly.

Verification activities must be documented, with evidence retained in accordance with the Company’s audit retention policy.

13.2. Quarterly Control Verification Items

Control Area | Verification Requirement | Evidence Required
Multi-Factor Authentication (MFA) | Confirm MFA is enabled and enforced for all administrative, cloud and remote-access accounts (Section 5.6.1). | MFA configuration reports or screenshots from the identity provider.
Service Account Token Rotation | Review logs confirming rotation of service account tokens/credentials per policy. | Token rotation log exports from the relevant systems.
Quarterly Access Reviews | Validate completion of access review reports for all critical systems and applications. | Signed and approved access review reports.
Endpoint Protection | Verify endpoint telemetry confirms full-disk encryption enabled, anti-malware active and EDR reporting on all devices. | Endpoint management dashboard reports.
Log Retention Compliance | Confirm all required system and security logs are retained for at least 12 months (Section 11.2). | Log retention configurations and SIEM storage reports.

13.3. Reporting

Any deviations or failures identified during quarterly verification must be documented and reported to the CISO within 5 business days of discovery.

Corrective actions must be tracked to completion in the Company’s issue management system.

This Policy shall be reviewed and updated periodically, subject to the CISO's approval.

For questions or reports regarding this Policy, contact:
security@advntg.ai

*        *        *