How do I write an access control policy for SOC 2?

December 6, 2025 | 2 min read | SOC 2 Policies and Documentation

What an Access Control Policy Covers

Access control is one of the most heavily tested areas in a SOC 2 audit. Your policy maps to CC6.1 through CC6.8 and defines how your organization manages who can access what — from cloud infrastructure to your application code to customer data.

Key Sections

Section              What to Document
Access provisioning  How new employees get system access
Role-based access    What roles exist and what each can access
Least privilege      How you limit access to what's needed
MFA requirements     Which systems require multi-factor authentication
Access revocation    How access is removed when someone leaves
Access reviews       How often you review who has access and why
Shared accounts      Your stance on shared credentials (ideally: prohibited)

Example Policy Statements

  • "All employees authenticate via Google Workspace SSO with hardware key MFA required."
  • "AWS console access is restricted to the CTO and senior engineers. Access is provisioned through IAM roles with least-privilege policies."
  • "When an employee leaves, their Google Workspace account is suspended within 4 hours by the CTO. This automatically revokes SSO access to all connected applications."
  • "Access reviews are conducted quarterly. The CTO reviews all active user accounts across Google Workspace, AWS, GitHub, and Supabase."

What Auditors Test

  1. Provisioning: Pick a recent hire — was access granted according to policy?
  2. Termination: Pick a recent departure — was access revoked promptly?
  3. Access reviews: Show evidence of your most recent quarterly review.
  4. MFA: Verify MFA is enforced (not just available) across critical systems.
  5. Privilege levels: Confirm that not everyone has admin access.

Common Startup Mistakes

  • Everyone is admin. Early-stage startups often give all engineers full admin access. Before your audit, implement role-based access — even simple "admin" vs. "developer" roles help.
  • No offboarding process. Document and follow a checklist for removing access when someone leaves.
  • No access reviews. Set a quarterly calendar reminder to review active accounts. Export the user list, confirm each person still needs access, and document the review.
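The quarterly review described above, and the auditor checks listed under "What Auditors Test" (terminated users still holding access, MFA enforced rather than merely available, not everyone an admin), can be turned into a repeatable check run over the exported user lists. The script below is an added example, not code from the original article; the HR roster, system exports, role names and admin limit are all constructed, and in practice the exports would come from each system's admin console or API.

```python
# Quarterly access review helper (added example; not from the original article).
# Inputs are constructed sample exports for the systems the article names.

# Constructed HR roster: email -> True if currently employed, False if departed.
HR_ROSTER = {
    "alice@example.com": True,
    "bob@example.com": True,
    "carol@example.com": False,  # left last month; access should be gone
}

# Constructed per-system user exports, one row per account.
SYSTEM_EXPORTS = {
    "google_workspace": [
        {"user": "alice@example.com", "role": "admin", "mfa": True},
        {"user": "bob@example.com", "role": "user", "mfa": True},
        {"user": "carol@example.com", "role": "user", "mfa": True},
    ],
    "aws": [
        {"user": "alice@example.com", "role": "admin", "mfa": True},
        {"user": "bob@example.com", "role": "admin", "mfa": False},
    ],
    "github": [
        {"user": "alice@example.com", "role": "owner", "mfa": True},
        {"user": "bob@example.com", "role": "member", "mfa": True},
        {"user": "deploy-bot@example.com", "role": "member", "mfa": False},
    ],
}

ADMIN_ROLES = {"admin", "owner"}  # assumed role names for this example


def review_system(name, rows, roster, max_admins=2):
    """Return findings for one system's export; an empty list means it is clean."""
    findings = []
    admins = 0
    for row in rows:
        user, role = row["user"], row["role"]
        if roster.get(user) is False:
            findings.append(f"{name}: {user} left the company but still has access")
        elif user not in roster:
            findings.append(f"{name}: {user} is not on the HR roster (service or shared account?)")
        if not row["mfa"]:
            findings.append(f"{name}: {user} does not have MFA enforced")
        if role in ADMIN_ROLES:
            admins += 1
    if admins > max_admins:
        findings.append(f"{name}: {admins} admins exceeds the limit of {max_admins}")
    return findings


def run_access_review(exports, roster):
    """Review every system; the returned dict is the evidence to file with the review."""
    return {name: review_system(name, rows, roster) for name, rows in exports.items()}
```

Keep the returned findings together with the raw exports and the reviewer's sign-off; that set is the evidence an auditor asks for when they request the most recent quarterly review.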
