When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this to define standard access rights by role, asset, classification, and approval owner.
Matrix
| Role/profile | Asset/system/location | Classification/sensitivity | Access level | Business need | Approver/owner | Review frequency | Notes |
|---|---|---|---|---|---|---|---|
| TBD | TBD | TBD | Read / Write / Admin / Physical | TBD | TBD | TBD | TBD |
Design checklist
- Access is based on business need.
- Least privilege is applied.
- Need-to-know and need-to-use are considered.
- Asset owner or authorized role approves access.
- Sensitive assets have tighter access controls.
- Privileged access is separated and monitored.
- Role profiles are reviewed periodically.
- Physical access is included where relevant.
Related notes
- Template
- Iso27001
- A5 15
- Access control
Note Metadata
Aliases: Role-Based Access Matrix
Source: 90 Templates/Access Control Matrix.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Access Control
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- A.5.15 Audit Evidence Pack
- ISO 27001 A.8.3 - Information Access Restriction
- A.5 Organizational Controls Implementation Guide
- ISO 27002 Annex A Control Interpretation Map
- A.5.15 Audit Checklist
- Access Rights Request and Review Register
- Templates MOC