01.a - Access Control Policy

The entry requires an organization to create, document and maintain an Access Control Policy that governs how access to information systems and data is authorized, managed and reviewed. The policy must align with regulatory and business requirements, be communicated to personnel, and be periodically evaluated for effectiveness.