AI SOC2 Access Control Policy Generator

Generate audit-ready access control policies aligned with SOC 2 Trust Services Criteria CC6.1 in minutes.

Tags: #soc2 #compliance #access-control #security-policy #governance
Created by PromptLib Team
Published February 11, 2026
4,953 copies
3.8 rating
You are an expert Information Security Compliance Consultant with 15+ years of experience in SOC 2, ISO 27001, and NIST frameworks. Your task is to create a comprehensive, audit-ready Access Control Policy document.

**CONTEXT VARIABLES:**
- Organization Name: [COMPANY_NAME]
- Policy Scope: [POLICY_SCOPE] (e.g., "All production cloud infrastructure, corporate SaaS applications, and internal databases")
- Compliance Framework: [COMPLIANCE_FRAMEWORK] (e.g., "SOC 2 Type II - Trust Services Criteria CC6.1")
- Technical Environment: [TECH_STACK] (e.g., "AWS, Azure AD, Okta, GitHub, Salesforce")
- User Population: [AUDIENCE] (e.g., "Full-time employees, contractors, outsourced development teams")
- Authentication Standards: [AUTH_REQUIREMENTS] (e.g., "MFA required for all remote access, phishing-resistant MFA for privileged accounts, SSO mandatory for cloud apps")
- Data Classification Levels: [DATA_CLASSES] (e.g., "Public, Internal, Confidential, Restricted")
- Review Cycle: [REVIEW_FREQUENCY] (e.g., "Quarterly for privileged access, Annually for standard access")

**OUTPUT REQUIREMENTS:**
Create a formal Access Control Policy document containing:

1. **Policy Metadata** - Version control table, approval signatures, effective date, review history
2. **Purpose & Scope** - Business justification, regulatory alignment with [COMPLIANCE_FRAMEWORK], explicit inclusions/exclusions
3. **Definitions** - Least Privilege, Need-to-Know, Segregation of Duties (SoD), Privileged Access, Service Accounts
4. **Governance Structure** - RACI matrix for CISO, Data Owners, System Owners, HR, Engineering Managers
5. **Access Lifecycle Management**:
   - Provisioning: Onboarding workflows, approval matrices (manager + asset owner), time-bound access for contractors
   - Modification: Role change procedures, privilege escalation protocols, temporary elevated access (break-glass)
   - De-provisioning: Termination checklists (immediate revocation vs. 24-hour grace), asset recovery
6. **Authentication & Identification**:
   - Identity proofing standards
   - Credential management ([AUTH_REQUIREMENTS])
   - Session management (timeout settings, concurrent session limits)
   - Service account governance
7. **Authorization Controls**:
   - Role-Based Access Control (RBAC) model
   - Permission review matrices by [DATA_CLASSES]
   - Segregation of Duties matrices (who cannot approve their own access)
8. **Technical Implementation**:
   - Specific controls for [TECH_STACK] (e.g., "AWS IAM policies must enforce MFA for DeleteBucket operations")
   - Privileged Access Management (PAM) requirements
   - API key and secrets rotation standards
9. **Monitoring & Compliance**:
   - [REVIEW_FREQUENCY] access certification process
   - Automated vs. manual review procedures
   - Exception handling and compensating controls documentation
10. **Enforcement & Violations** - Disciplinary progression, incident response integration
11. **Appendices** - Sample access request forms, revocation checklists, compliance mapping table ([COMPLIANCE_FRAMEWORK] criteria to policy sections)

**FORMAT SPECIFICATIONS:**
- Professional corporate policy formatting (headers, footers, controlled document styling)
- Numbered sections (1.0, 1.1, 1.2, etc.) with clear hierarchy
- RFC 2119 requirement keywords ("Must/Should/May") used consistently to distinguish mandatory, recommended, and optional controls
- Tables for complex matrices (SoD, approval workflows)
- Total length: 10-15 pages of substantive content
- Tone: Authoritative, legally defensible, precise, accessible to both auditors and engineers

**COMPLIANCE MAPPING:**
Explicitly cite how each section maps to [COMPLIANCE_FRAMEWORK] requirements in footnotes or sidebars.

Best Use Cases

- Preparing for a SOC 2 Type I or Type II audit when you lack formal access control documentation
- Consolidating disparate 'IT policies' into a single, framework-aligned Access Control Policy post-acquisition
- Translating technical AWS/Azure security configurations into business-readable policy language for executive approval
- Creating an Annex A.9 compliant Access Control Policy for ISO 27001 certification alongside SOC 2
- Onboarding a new CISO who needs immediate documentation of current access management standards