How to Write an Access Control Policy for SOC 2
A SOC 2 access control policy must define how you grant, restrict, review, and revoke logical access so an assessor can trace every account back to least privilege, unique identity, MFA, and a documented review cadence—the controls that satisfy CC6.1 through CC6.3. The policy itself is quick to write. The work that passes the audit is producing the deprovisioning tickets and quarterly access review artifacts that prove you actually operate it. This guide covers what the policy needs to say, how an assessor tests each clause, and where teams lose their first audit.
What does CC6.1-6.3 actually require your policy to cover?
The Trust Services Criteria don't hand you a template. They describe outcomes and leave the implementation to you, which is why two companies can pass the same criteria with very different policies. CC6.1 requires logical access security measures that restrict access to information assets and protect against unauthorized use. CC6.2 covers registration and authorization: access is provisioned and modified only on the basis of an authorized request, and removed when no longer needed. CC6.3 requires you to manage access based on roles and least privilege and to review those rights on a defined cadence.
Map your policy cleanly to these three points and you remove ambiguity for your team and the assessor at the same time. Each clause below should read as an enforceable statement someone can be held to, not an aspiration you hope to grow into.
- Least privilege by default: users get the minimum access their role requires, and any elevated rights need documented approval tied to a business reason.
- Unique, attributable accounts: every user authenticates as an individual. No shared logins, no generic 'admin' account three people know the password to.
- Role-based access control (RBAC): access is assigned by role or group rather than one-off per person, so entitlements stay predictable and a reviewer can actually reason about them.
- MFA on everything that supports it: enforced across SSO, VPN, cloud consoles, email, and production—not left as an option users can skip.
- Provisioning tied to authorization: access is granted only after the manager or system owner approves it against the role definition, and that approval is retained.
How do you handle the joiner/mover/leaver lifecycle?
The identity lifecycle—joiner, mover, leaver—is where CC6.2 lives, and it's the most heavily sampled area of access control in a Type II. Your policy needs to state, for each event, who triggers it, who approves it, the SLA for completing it, and what evidence gets kept.
Deprovisioning is the clause assessors scrutinize hardest, because it's the one that fails quietly. A leaver whose accounts stayed live for three weeks is an exception, and stale terminated access is one of the most common findings in first-year reports.
- Joiner: HR or the hiring manager raises a ticket; access is provisioned to the role baseline only after approval; the ticket is retained as the evidence trail.
- Mover: a role change triggers a re-evaluation of entitlements. Access from the old role is removed rather than layered under the new access, so privilege doesn't quietly accumulate.
- Leaver: termination triggers deprovisioning within a defined SLA—24 hours is common, immediate for involuntary terminations. Accounts are disabled, then removed.
- Every lifecycle event produces a ticket. The ticket, its approval, and its timestamp are the artifacts the assessor samples against your stated SLA.
How do you document privileged and break-glass access?
Administrative and production access earns tighter controls than standard user access, so treat it as its own tier in the policy. Privileged accounts should be few, assigned to named individuals, protected by MFA, and logged. Vague 'admins have full access' language is exactly what gets probed.
Break-glass (emergency) access needs its own clause. Define when it's permitted, how it's requested, how the credential is secured, and how each use gets reviewed after the fact. Assessors expect break-glass activations to be logged and reviewed, not exercised silently and forgotten.
- Privileged access is granted by role, reviewed more frequently than standard access, and never runs on shared credentials.
- Break-glass accounts live in a vault, alert on use, and require a documented post-activation review of every checkout.
- Production access is separated from standard corporate access and follows least privilege, with time-bound or just-in-time grants where the tooling supports it.
- Logs for privileged and production access are retained (90 days is a common floor, a year is better) and are available for the assessor to sample.
How does an assessor actually test your access control policy?
The assessor doesn't grade your prose. For a Type II report they test whether the control operated across the review period, which means they request evidence and sample it. Knowing exactly what they'll pull tells you what to build before the window opens.
The gap between a well-written policy and a passing report is almost always missing evidence: the review happened but nobody kept the artifact, or the account was disabled on time but no ticket exists to prove the date.
- Access review evidence: your completed quarterly reviews, showing who reviewed, what got flagged, and the remediation tickets that closed the gaps.
- Deprovisioning tickets: they pull a sample of terminated employees from HR records and match each to a deprovisioning ticket, checking the completion date against your SLA.
- MFA enforcement: a configuration export or screenshot proving MFA is enforced, not merely available.
- New-hire provisioning: they sample joiners and confirm access was approved before it was granted, not after.
- User listings: they reconcile system user lists against active employees to surface orphaned or ghost accounts.
What are the most common access control failures on a first SOC 2?
First-year exceptions are rarely exotic. They're the same operational gaps repeated across companies. Writing the control into the policy is necessary but not enough. You have to run it and evidence it for the full period, and these are the places teams slip.
- Access reviews performed but not documented: no signed artifact, no record of what was reviewed, no remediation trail.
- Terminated users still active because deprovisioning blew the SLA or was never logged.
- Shared or generic accounts—a single 'admin' login—that break the unique-identity requirement.
- MFA enforced everywhere except one legacy system nobody flagged, which is exactly the exception the assessor finds.
- Privilege creep from movers: people accumulate access across role changes because old entitlements were never revoked.
- Contractors and service accounts left out of reviews, leaving a blind spot the assessor walks straight into.
Should you write the policy from scratch or start from a mapped template?
Writing from scratch means guessing at the clause structure that maps to CC6.1-6.3, then rewriting half of it after your assessor's first read. A pre-mapped policy hands you the enforceable clauses, the RBAC and lifecycle language, the review cadence, and the evidence expectations already aligned to the criteria, so your time goes into operating the control instead of drafting it.
A complete access control policy pack pairs the policy with the access review template and deprovisioning workflow that produce the evidence assessors sample. That turns the policy from a document you file and forget into a system you can actually pass an audit with.
Skip the blank page
Get all 19 SOC 2 policies — editable, mapped to the Trust Services Criteria and ISO 27001, with a 90-day readiness plan and an evidence index.
Get the SOC 2 Policy Pack — $149FAQ
How often do you need to run access reviews for SOC 2?
The Trust Services Criteria don't mandate a frequency, but quarterly is the practical standard assessors expect for a Type II report. Whatever cadence you commit to in the policy, you have to run it on schedule and retain evidence of each review, including what was flagged and how it was remediated. A review with no artifact is treated as a review that never happened.
Does a SOC 2 access control policy require MFA on every system?
CC6.1 doesn't literally say 'MFA everywhere,' but assessors expect it enforced on every system that supports it—SSO, VPN, cloud consoles, email, and production access at minimum. Any exception, like a legacy system with no MFA support, should be documented with a compensating control. MFA that's available but not enforced is a routine finding.
What's the difference between the access control policy and the evidence an assessor wants?
The policy states what you will do; the evidence proves you did it. Assessors test operating effectiveness by sampling artifacts—deprovisioning tickets matched to termination dates, completed quarterly reviews, MFA configuration exports, and provisioning approvals. A strong policy with no retained evidence still fails, because a Type II report grades whether the control operated across the period, not whether it was written down.
A SOC 2 access control policy passes not because it reads well but because you can produce the deprovisioning tickets and quarterly access review evidence that prove least privilege, unique identity, and MFA operated for the entire review period.