SOC 2 Guide

How to Write an Access Control Policy for SOC 2

By Johnathan Christopherson · AuditWolf · Updated 2026

A SOC 2 access control policy must define how you grant, restrict, review, and revoke logical access so an assessor can trace every account back to least privilege, unique identity, MFA, and a documented review cadence—the controls that satisfy CC6.1 through CC6.3. The policy itself is quick to write. The work that passes the audit is producing the deprovisioning tickets and quarterly access review artifacts that prove you actually operate it. This guide covers what the policy needs to say, how an assessor tests each clause, and where teams lose their first audit.

What does CC6.1-6.3 actually require your policy to cover?

The Trust Services Criteria don't hand you a template. They describe outcomes and leave the implementation to you, which is why two companies can pass the same criteria with very different policies. CC6.1 requires logical access security measures that restrict access to information assets and protect against unauthorized use. CC6.2 covers registration and authorization: access is provisioned and modified only on the basis of an authorized request, and removed when no longer needed. CC6.3 requires you to manage access based on roles and least privilege and to review those rights on a defined cadence.

Map your policy cleanly to these three points and you remove ambiguity for your team and the assessor at the same time. Each clause below should read as an enforceable statement someone can be held to, not an aspiration you hope to grow into.

How do you handle the joiner/mover/leaver lifecycle?

The identity lifecycle—joiner, mover, leaver—is where CC6.2 lives, and it's the most heavily sampled area of access control in a Type II. Your policy needs to state, for each event, who triggers it, who approves it, the SLA for completing it, and what evidence gets kept.

Deprovisioning is the clause assessors scrutinize hardest, because it's the one that fails quietly. A leaver whose accounts stayed live for three weeks is an exception, and stale terminated access is one of the most common findings in first-year reports.

How do you document privileged and break-glass access?

Administrative and production access earns tighter controls than standard user access, so treat it as its own tier in the policy. Privileged accounts should be few, assigned to named individuals, protected by MFA, and logged. Vague 'admins have full access' language is exactly what gets probed.

Break-glass (emergency) access needs its own clause. Define when it's permitted, how it's requested, how the credential is secured, and how each use gets reviewed after the fact. Assessors expect break-glass activations to be logged and reviewed, not exercised silently and forgotten.

How does an assessor actually test your access control policy?

The assessor doesn't grade your prose. For a Type II report they test whether the control operated across the review period, which means they request evidence and sample it. Knowing exactly what they'll pull tells you what to build before the window opens.

The gap between a well-written policy and a passing report is almost always missing evidence: the review happened but nobody kept the artifact, or the account was disabled on time but no ticket exists to prove the date.

What are the most common access control failures on a first SOC 2?

First-year exceptions are rarely exotic. They're the same operational gaps repeated across companies. Writing the control into the policy is necessary but not enough. You have to run it and evidence it for the full period, and these are the places teams slip.

Should you write the policy from scratch or start from a mapped template?

Writing from scratch means guessing at the clause structure that maps to CC6.1-6.3, then rewriting half of it after your assessor's first read. A pre-mapped policy hands you the enforceable clauses, the RBAC and lifecycle language, the review cadence, and the evidence expectations already aligned to the criteria, so your time goes into operating the control instead of drafting it.

A complete access control policy pack pairs the policy with the access review template and deprovisioning workflow that produce the evidence assessors sample. That turns the policy from a document you file and forget into a system you can actually pass an audit with.

Skip the blank page

Get all 19 SOC 2 policies — editable, mapped to the Trust Services Criteria and ISO 27001, with a 90-day readiness plan and an evidence index.

Get the SOC 2 Policy Pack — $149

FAQ

How often do you need to run access reviews for SOC 2?

The Trust Services Criteria don't mandate a frequency, but quarterly is the practical standard assessors expect for a Type II report. Whatever cadence you commit to in the policy, you have to run it on schedule and retain evidence of each review, including what was flagged and how it was remediated. A review with no artifact is treated as a review that never happened.

Does a SOC 2 access control policy require MFA on every system?

CC6.1 doesn't literally say 'MFA everywhere,' but assessors expect it enforced on every system that supports it—SSO, VPN, cloud consoles, email, and production access at minimum. Any exception, like a legacy system with no MFA support, should be documented with a compensating control. MFA that's available but not enforced is a routine finding.

What's the difference between the access control policy and the evidence an assessor wants?

The policy states what you will do; the evidence proves you did it. Assessors test operating effectiveness by sampling artifacts—deprovisioning tickets matched to termination dates, completed quarterly reviews, MFA configuration exports, and provisioning approvals. A strong policy with no retained evidence still fails, because a Type II report grades whether the control operated across the period, not whether it was written down.

A SOC 2 access control policy passes not because it reads well but because you can produce the deprovisioning tickets and quarterly access review evidence that prove least privilege, unique identity, and MFA operated for the entire review period.