Access control policy is specifically aimed at logical, not physical, access. Physical controls are covered under clause 11. A policy for access control needs to be established, documented and reviewed.

Consideration should be given to: consistency between the access rights granted and the classification of the information held on systems and network devices (need to know); the scope, covering all types of connections used (local, remote, wireless, third party); the security requirements of each business application; and any applicable legislation or contractual obligations.

Roles should be segregated: the person who requests or authorises access should not be the person who administers it, so that no single individual can grant themselves access.

Formal authorisation is required for all access requests, including requests for privileged access. There should be a specific procedure for the removal of access rights when a user leaves or changes role. Specific procedures should also be established for the archiving of records concerning the granting and use of access rights, so that they are available for audit and investigation.

The thrust of the policy should be default deny: everything is forbidden unless expressly permitted, rather than the reverse.