Information Security Policy Development for Compliance
Access control rules should take account of policies for information
dissemination and authorization.
A.11.1.1 Access control policy
Control: An access control policy should be established, documented,
and reviewed based on business and security requirements
for access.
A.11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized
access to information systems.
Formal procedures should be in place to control the allocation of
access rights to information systems and services.
The procedures should cover all stages in the life cycle of user access,
from the initial registration of new users to the final deregistration of
users who no longe ...