Access Control Policy

Updated 27.01.2026

A document forming part of the Immercial IMS.

Contact us

11. Access Control Policy

Document Name: Access Control Policy
Version: 1.0
Approved by: Directors, Immercial Limited
Review Frequency: Annual or upon material change

11.1 Purpose

This policy defines how Immercial Limited controls access to information, systems, and data to prevent unauthorised use, disclosure, or modification.

It supports ISO 27001 requirements and aligns with Cyber Essentials principles.

11.2 Scope

This policy applies to:

  • All digital systems and platforms used by Immercial

  • Cloud storage environments (including OneDrive)

  • End-user devices

  • Internal documents and information assets

  • All personnel and authorised users

Public-facing governance and data-related policies published on the Immercial website apply by reference and are not duplicated internally.

11.3 Access Control Principles

Access controls are based on the following principles:

  • Least privilege: Users are granted only the access required to perform their role.

  • Role-based access: Permissions align with defined responsibilities.

  • Unique user accounts: Shared accounts are not permitted.

  • Authentication controls: Strong passwords and multi-factor authentication are used where supported.

  • Access review: Access rights are reviewed periodically.

11.4 User Access Management

  • Access is approved by senior management.

  • New access is provided only where a legitimate business need exists.

  • Access is removed promptly when no longer required.

  • Temporary access is time-limited where applicable.

11.5 Device & System Access

  • Devices used to access Immercial systems are configured securely.

  • Devices are protected by authentication controls.

  • Lost or compromised devices are treated as security incidents and managed accordingly.

  • Use of unmanaged or unauthorised devices is restricted.

11.6 Monitoring & Control

  • Access to critical systems and data is monitored as appropriate.

  • Unusual or unauthorised access attempts are investigated.

  • Access control effectiveness is reviewed as part of information security risk management.

11.7 Incident Management

Access control failures or breaches are recorded and managed in accordance with the Information Security Incident Procedure.

11.8 Review & Maintenance

This policy is reviewed at least annually or when changes to systems, personnel, or risks occur.

Immercial Limited