SecurityPolicy.com.au
Home/ Australia/ Policy Library/ Access control policy
Australia Policy Library Policy template Reviewed 2026-07-12

Access control policy: a practical guide for Australian businesses

15+ characters
ACSC passphrase length guidance
Same day
ISM access removal when business need ends
12 months
Essential Eight privileged-access revalidation at ML2–3
Why this guide exists

MFA, password rules and administrator access generate the most visible operator concern. Offboarding and access reviews appear less often in public discussion, but failures there create some of the clearest real-world exposures.

What is an access control policy, and does my business actually need one?

An access control policy is the rulebook for deciding who can use each system, account, application, file set and data repository, how their identity is verified, and when access is changed or removed. It should cover employees, contractors, service providers, service accounts and anyone else with a pathway into the business. No single Australian law requires every private business to use a document with this exact title, but Privacy Act obligations, contracts, cyber frameworks and the need to control administrator access can make documented rules essential. The policy normally sits beneath the master information security policy and turns broad security principles into approval, authentication, least-privilege, offboarding and review requirements.

How this differs by situation
  • business with employees, contractors or outsourced IT — Cover every human and non-human identity, including vendors, shared services, service accounts and emergency accounts.
  • APP entity covered by the Privacy Act — Access controls become part of the reasonable technical and organisational measures used to protect personal information under APP 11.
  • Essential Eight or ISM-aligned organisation — Map the policy to the target maturity level and applicable ISM controls rather than treating it as a stand-alone document.
PUT THIS IN YOUR POLICY, EXACTLY

Access to the organisation’s systems, applications, accounts, networks, information and data repositories must be based on a verified identity, a documented business need and the minimum permissions required for the person or service to perform authorised duties. Access must be approved before it is granted, reviewed while it remains active, changed when duties change and removed promptly when the business need ends.

What must it contain — the non-negotiable sections?

State the purpose, scope, covered systems and identity types, then define how access is requested, approved, provisioned, changed, reviewed and withdrawn. Include unique user accounts, role or job-based permissions, least privilege, MFA and passphrase rules, privileged and emergency access, service and shared accounts, remote and third-party access, logging, exceptions and breach handling. Name the people who may approve access and require separation between the business owner of the information and the IT person who implements the change. The policy should also require a durable record of who approved each user, what was granted, when it was reviewed and when it was removed.

How this differs by situation
  • cloud and SaaS-heavy business — Include every externally hosted application, vendor portal, API key, integration account and identity provider, not only the corporate network.
  • business handling sensitive or high-value information — Add stronger approval, logging, monitoring and recertification requirements for sensitive data repositories and high-impact systems.
PUT THIS IN YOUR POLICY, EXACTLY

Every user must have a unique identity unless a shared account is technically unavoidable and expressly approved. Each access request must identify the user or service, the system and information involved, the requested role or permissions, the business reason, the approver, the start date and any expiry date. The organisation must retain a record of the access granted, later changes, review decisions, exceptions and withdrawal.

What do MFA and passphrase rules actually require now?

Use MFA for privileged access, remote access and services holding sensitive business or customer data, then expand it according to the organisation's risk and Essential Eight target. Prefer phishing-resistant methods such as passkeys, FIDO2 security keys or certificate-based methods; ACSC describes SMS messages and voice calls as weaker MFA. For memorised credentials, current ACSC guidance favours long, unpredictable and unique passphrases, commonly four or more random words totalling at least 15 characters, supported by a password manager. Do not force every user to change a good passphrase every 90 days simply because an old template says so: current ISM guidance says credentials generally should not need routine changes and specifies changes after compromise or other defined events.

How this differs by situation
  • Essential Eight Maturity Level One — Apply MFA to the online services, third-party services and customer services specified by the maturity model, especially where sensitive data is handled.
  • Essential Eight Maturity Level Two or Three — Use MFA for privileged and unprivileged system users and implement the phishing-resistant requirements for the relevant services and repositories.
  • small business without enterprise identity tooling — Start with email, remote access, finance, cloud administration, password managers and other high-impact accounts, while planning a move away from weaker factors.
PUT THIS IN YOUR POLICY, EXACTLY

Multi-factor authentication must be enabled for privileged accounts, remote access and all other systems or services designated by the organisation. Phishing-resistant MFA must be used where supported and proportionate to the risk, with weaker methods treated as transitional or fallback controls. User passphrases must be long, unpredictable and unique and must not be shared or reused. Routine 90-day changes are not required unless a system, contract or documented risk requires them; credentials must be changed immediately when compromised, suspected of compromise, exposed in clear text or otherwise affected by a defined security event.

How do least privilege and admin/privileged access work?

Least privilege means giving a person or service only the access needed for current duties, not every permission that might one day be convenient. People who administer systems should use a normal account for email and everyday work and a separate privileged account only for authorised administrative tasks. Privileged access should be validated before it is granted, time-limited where practical, protected by MFA, logged and reviewed; standing local administrator rights should be the exception. Essential Eight Maturity Levels Two and Three also require privileged access to be disabled after 45 days of inactivity and after 12 months unless it is revalidated.

How this differs by situation
  • small business using an MSP or external administrator — Give the provider named, attributable accounts and only the systems and time window needed; do not rely on one permanent shared super-admin login.
  • Essential Eight Maturity Level Three — Add just-in-time administration and the stronger segregation and privileged operating-environment controls required by the maturity model.
PUT THIS IN YOUR POLICY, EXACTLY

Users and services must receive only the minimum access required for authorised duties. Privileged users must use a separate named privileged account solely for administrative work and a separate unprivileged account for email, web browsing and routine activity. Privileged access must be approved, protected by MFA, logged, reviewed and removed when no longer required. Permanent local administrator rights and shared administrator accounts are prohibited unless a documented exception is approved.

Who owns it, and who approves access?

The board, executive or business owner remains accountable for the organisation's security posture, while a CISO, security lead or nominated senior manager should own the policy. The manager, system owner or data owner who understands the business need should approve access; IT or the identity administrator should implement it and should not approve its own request merely because it controls the platform. HR or the engagement owner must provide reliable start, role-change and leaving information, and finance or legal may need to approve access to particularly sensitive systems. Small businesses can combine roles, but the request, approval and implementation trail must still show who made each decision.

How this differs by situation
  • small business without a CISO — The owner or chief executive should approve the policy and nominate a senior manager or trusted provider to administer it, while business managers approve individual need.
  • larger or regulated organisation — Separate policy ownership, business approval, technical provisioning and assurance, with system and data owners accountable for their access populations.
PUT THIS IN YOUR POLICY, EXACTLY

The Policy Owner is [role]. The board, executive or business owner approves this policy. Access to a system or information set must be approved by the relevant manager, system owner or data owner based on a documented business need. IT, the service desk or an identity administrator may provision approved access but must not approve access solely because they administer the technology. Conflicts of interest and self-approval are prohibited unless an emergency process expressly permits them and records a later independent review.

How do joiner-mover-leaver and access reviews work in practice?

Before a person starts, grant only the approved role access needed on day one and set an expiry for temporary or contractor access. When duties change, remove access tied to the old role as part of the same change that grants the new role; access should not simply accumulate. For leavers, coordinate HR, the manager and IT so interactive access, sessions, tokens, MFA methods, remote access, physical credentials and third-party services are disabled at the agreed time, with immediate action for higher-risk departures. Review access on a risk-based schedule and after role changes, incidents or restructures; privileged access at Essential Eight Maturity Levels Two and Three must be revalidated within 12 months and disabled after 45 days of inactivity.

How this differs by situation
  • remote or SaaS-heavy workforce — Maintain a complete application and identity inventory so offboarding reaches services outside the main directory, including tokens, integrations and vendor portals.
  • contractors and temporary staff — Use named accounts, an accountable sponsor and an automatic expiry date rather than relying on someone to remember later.
  • Essential Eight Maturity Level Two or Three — Revalidate privileged access at least every 12 months and disable it after 45 days of inactivity, while still removing access sooner when the business need ends.
PUT THIS IN YOUR POLICY, EXACTLY

New access must be based on an approved role or specific request before the user starts. A change of duties must trigger review and removal of access that is no longer required, not only the addition of new access. When employment or engagement ends, access must be removed or suspended on the same day the legitimate requirement ends, or immediately where risk requires it. Temporary, contractor, vendor and emergency access must have an owner and an expiry or formal revalidation date.

What evidence proves it's real to an auditor or insurer?

A policy alone proves intent, not operation. Keep the approved policy and version history, an inventory of identities and privileged accounts, role or access matrices, access requests and owner approvals, provisioning records, MFA and identity-provider settings, joiner-mover-leaver tickets, access-review sign-offs and evidence that unwanted access was removed. Retain relevant authentication and privileged-access logs, exception approvals, expiry dates and remediation records. An auditor or insurer may ask for different evidence, so the business should map each claimed control to a current configuration, report, log, ticket or test result rather than answering from memory.

How this differs by situation
  • Essential Eight assessment or contractual assurance — Provide evidence against the exact target maturity level and document any approved exceptions and compensating controls.
  • business seeking cyber insurance — Preserve evidence for every representation made in the proposal, especially MFA scope, privileged access, offboarding and periodic reviews.
PUT THIS IN YOUR POLICY, EXACTLY

The organisation must retain evidence sufficient to show that access controls operate in practice. Evidence must include current policy approval, access and privileged-account inventories, access requests and approvals, provisioning and removal records, MFA and identity configuration, access-review results, exceptions and expiry dates, relevant event logs, and records showing that identified excess or inactive access was remediated.

How does it relate to the Essential Eight and APP 11?

The policy is the governance layer that tells people how the organisation will operate access controls; the Essential Eight supplies specific technical outcomes for MFA and restricting administrative privileges. If the business adopts the Essential Eight, it should choose a risk-based target and aim for the same maturity level across all eight strategies rather than claiming maturity from MFA alone. Essential Eight certification is not generally required, although an independent assessment can be required by a government directive, regulator or contract. APP 11 is different: for entities covered by the Privacy Act it is a legal obligation to take reasonable steps to protect personal information, and access controls, authentication, least privilege, logs and prompt removal are part of the technical and organisational response.

How this differs by situation
  • organisation implementing the Essential Eight — Map policy requirements to the chosen maturity level for MFA and administrative privileges and track exceptions through an approved, reviewed process.
  • APP entity covered by the Privacy Act — Treat access control as one layer in the reasonable technical and organisational measures protecting personal information throughout its lifecycle.
  • organisation not covered by APP 11 or not formally adopting Essential Eight — The ACSC and OAIC guidance still provides a strong Australian risk-management baseline, but label it as guidance rather than a legal or certification claim.
PUT THIS IN YOUR POLICY, EXACTLY

This policy supports the organisation’s implementation of the Essential Eight multi-factor authentication and restriction of administrative privileges strategies and the organisation’s obligations under APP 11 where the Privacy Act applies. The organisation must not represent that it has achieved an Essential Eight maturity level unless all eight strategies have been assessed against the applicable requirements. Access controls for personal information must form part of layered technical and organisational security measures.

The common gaps and red flags?

Red flags include shared passwords, generic administrator accounts, permanent local admin, former workers still present in SaaS tools, and MFA methods tied to a departed person's phone. Also look for service accounts with no owner, dormant privileged access, IT approving its own access, contractors without expiry dates, administrators using privileged accounts for email and browsing, and reviews that produce no remediation. A blanket 90-day password rule paired with short or reused passwords is not a modern substitute for long unique passphrases, MFA and compromise-driven resets. The most dangerous gap is an incomplete identity inventory: the business cannot remove or review access it does not know exists.

How this differs by situation
  • business with outsourced IT or multiple SaaS administrators — Check ownership of tenant-level accounts, reseller portals, recovery methods, API keys and vendor emergency access.
  • legacy environment — Document controls that cannot yet meet the target, approve time-limited exceptions and use compensating controls rather than silently claiming compliance.
PUT THIS IN YOUR POLICY, EXACTLY

Shared credentials, anonymous or generic administrator use, unowned service accounts, standing privileged access without a current business need, and access without an identifiable approver are prohibited. All exceptions must record the reason, affected systems and users, compensating controls, accountable owner, approval date and expiry date. Exceptions must be reviewed before expiry and removed when no longer justified.

What's my next step?

Common misconceptions

  • Every user password must be changed every 90 days even when it is long, unique and uncompromised. VERIFIED
  • Any form of MFA is equally strong, so an SMS code is equivalent to a phishing-resistant passkey or security key. VERIFIED
  • IT administrators should use their privileged account for email, web browsing and normal daily work. VERIFIED
  • A shared administrator password is acceptable if everyone on the IT team is trusted. INFERRED
  • Removing access at the next monthly review is sufficient after someone leaves or changes roles. VERIFIED
  • Implementing MFA alone means the organisation has achieved an Essential Eight maturity level. VERIFIED
  • Every Australian business is legally required to obtain Essential Eight certification. VERIFIED
  • APP 11 is satisfied by publishing an access control policy without implementing technical controls or checking whether they work. VERIFIED
  • An annual review is enough for an account that should have been removed today. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
APP 11 security of personal information Office of the Australian Information Commissioner An APP entity holds personal information covered by the Privacy Act 1988. Ongoing while the personal information is held.
APP 11 technical and organisational measures Office of the Australian Information Commissioner An APP entity determines the reasonable steps required to protect or securely destroy or de-identify personal information. Ongoing and proportionate to the nature, volume, sensitivity, threat environment and potential consequences.
Essential Eight multi-factor authentication Australian Signals Directorate, Australian Cyber Security Centre The organisation adopts the Essential Eight or must meet it under a government directive, regulatory requirement or contract. According to the selected target maturity level and the systems, services and data repositories within scope.
Essential Eight restriction of administrative privileges Australian Signals Directorate, Australian Cyber Security Centre The organisation adopts the Essential Eight or must meet it under a government directive, regulatory requirement or contract. Validate privileged access when first requested; at Maturity Levels Two and Three, disable it after 45 days of inactivity and after 12 months unless revalidated.
ISM same-day access removal or suspension Australian Signals Directorate, Australian Cyber Security Centre An ISM-aligned organisation determines that personnel no longer have a legitimate requirement for access. The same day the legitimate requirement ends; as soon as practicable when malicious activity is detected.
ISM access authorisation record Australian Signals Directorate, Australian Cyber Security Centre An ISM-aligned organisation grants a user access to a system or its resources. Maintain the record for the life of the system or resource and update it when access is reviewed, changed or withdrawn.

Sources

  1. Small business cyber security guide primary
  2. Guidelines for personnel security primary
  3. Guidelines for system hardening primary
  4. Guidelines for System Hardening (December 2024) primary
  5. Essential Eight maturity model primary
  6. Implementing multi-factor authentication primary
  7. Creating strong passphrases primary
  8. Guidelines for cyber security roles primary
  9. Gateway operations and management primary
  10. Chapter 11: APP 11 Security of personal information primary
  11. Guide to securing personal information primary
  12. Googleworkspace, do you enjoy working with it? forum
  13. Is anyone watching our Teams chats? forum
  14. Workplace wants me to install their Microsoft Passkey on my personal mobile. forum
  15. Can a work laptop be bricked without internet? forum
  16. Is everything security-related, by and large, harassment? forum
  17. Finishing up today - what should I make sure I've tidied up before I go? forum
  18. Team member refuses to use electronic calendar, WWYD? forum
  19. Has anyone ever accidentally kept something after leaving a job? forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.