Access Control Policy

Version: 2.5
Status: Approved
Last modified: February 2025
Next Review Date: August 2025

ISO Statement

oboloo Limited is actively preparing for ISO/IEC 27001 certification and has developed this Access Control Policy in alignment with ISO/IEC 27001:2022 control objectives. This policy also incorporates best practices from the AWS Well-Architected Framework and IONOS VPS security guidelines.

Introduction

This Access Control Policy defines the standards, responsibilities, and practices governing user access to oboloo’s information systems, applications, and data. It supports ISO/IEC 27001 compliance by ensuring that access rights are appropriately provisioned, monitored, and revoked in line with the principle of least privilege.

Definitions

  • Access Control: Mechanisms and procedures used to limit access to information systems and data.

  • IAM (Identity and Access Management): Centralised system for managing user identities and authentication.

  • RBAC (Role-Based Access Control): The assignment of system access based on a user’s job role.

  • JIT (Just-in-Time Access): Temporary elevated access granted for a defined period.

  • Users: Employees, contractors, customers, suppliers, and third parties accessing the platform or internal systems.

Who We Are and How to Contact Us

This policy is issued by oboloo Limited, a company registered in England and Wales (Company Number: 12420854), with its trading address at:

7 Bell Yard, London, England, WC2A 2JR

For any questions relating to this Access Control Policy, please contact us at:
📧 hello@oboloo.com

Acceptance of Terms

By accessing any oboloo system or platform, you agree to comply with the terms outlined in this policy. If you do not agree with any part of this policy, you must not use our systems or services.

Changes to This Policy

oboloo reserves the right to update or revise this policy at any time. Users will be notified of material changes, and the most recent version will always be accessible on our website. Continued access following an update constitutes acceptance of the revised terms.

Related Policies

This policy should be read in conjunction with:

Together, these documents ensure a unified approach to data protection and access control in line with ISO/IEC 27001 requirements.

Purpose

The purpose of this policy is to:

  • Ensure access to information and systems is restricted to authorised users.

  • Support the confidentiality, integrity, and availability of information assets.

  • Define controls and procedures for access provisioning, monitoring, and revocation.

  • Prevent unauthorised access, misuse, or data breaches.

Scope

This policy applies to:

  • All employees, contractors, and temporary workers with access to internal systems.

  • All customers and suppliers using the oboloo SaaS platform.

  • All third-party services, tools, or integrations accessing oboloo via API.

Access Lifecycle Management

Access rights are provisioned during onboarding, adjusted upon internal role changes, and revoked immediately upon termination. The HR function notifies IT Security of all joiners, movers, and leavers. Deprovisioning of access is completed within 24 hours of a user’s departure, and records are logged in the access management system.

Access Requests and Approvals

All access requests must be submitted via the internal ticketing system. The request must:

  • Clearly state the role, system, and justification

  • Be reviewed by the requesting user’s manager

  • Be approved by IT Security

Privileged or administrative access requires written justification and CISO approval. Records of access approvals and changes are retained for audit purposes.

Internal Access Control – Employee Systems

Identity & Access Management (IAM)

  • Centralised access control via AWS IAM and IONOS

  • Unique credentials for all employees (no shared accounts)

  • Multi-Factor Authentication (MFA) enforced on all systems

  • Azure Active Directory for identity mapping and SSO

Role-Based Access Control (RBAC)

  • Access rights tied to job roles (e.g., DevOps, Support, Finance)

  • Minimum access required to perform duties

  • Quarterly role review for accuracy

Privileged Access Management

  • Admin/root access restricted and requires justification

  • Temporary elevated access (Just-in-Time) must be time-limited and logged

  • Approvals required from the CISO or a delegated approver

Session & Endpoint Security

  • Session timeout after 15 minutes of inactivity

  • Endpoint devices must be encrypted, patched, and monitored

  • Remote access requires VPN with MFA

Logging and Monitoring

  • All access, role changes, and escalations logged centrally

  • Logs retained for 12 months minimum

  • Anomalous or failed logins trigger alerts and investigation

Service and Shared Accounts

  • Shared or service accounts are only permitted for non-human system integrations or automation tasks. These accounts must:

    • Be individually approved by the Information Security Officer

    • Use strong authentication mechanisms (e.g., long-lived API keys or secure credential vaults)

    • Be subject to regular review and usage monitoring

External Access Control – Customers & Suppliers

Customer Platform Access

  • Access via organisation-specific login URLs

  • Microsoft Azure AD SSO supported

  • Defined platform roles: Admin, Editor, Viewer

  • Approval rights restricted to designated roles

Session & Authentication Controls

  • Strong password policies

  • Session timeouts

  • API tokens expire every 24 hours; secure refresh required

API Access Control

Security Protocols

  • Unique API tokens per customer environment

  • Tokens expire every 24 hours and must be refreshed securely

  • Rate limiting applied to prevent abuse

Access Scoping

  • API tokens scoped by module (e.g., supplier, contract)

  • IP whitelisting available on request

  • Custom field access restricted by auth level and field permissions

Third-Party Access

Time-bound access for external parties (e.g., auditors, contractors, consultants) may be granted under the following conditions:

  • Justification is provided and approved by the CISO

  • Access is restricted to required systems only

  • Monitoring and expiry controls are enforced

  • NDAs or data handling agreements are in place prior to access

Risk Alignment

This Access Control Policy is directly informed by the company’s Information Security Risk Assessment and supports the implementation of relevant controls listed in the Statement of Applicability (SoA) for ISO/IEC 27001.

Enforcement

Violations of this policy may result in:

  • Immediate access revocation

  • Disciplinary or legal action

  • Incident reporting and investigation

All employees must complete annual training on access control and identity management.

ISO/IEC 27001 Annex A Mapping

Policy Area                 | ISO/IEC 27001 Ref.        | Description
IAM and RBAC                | A.5.15 / A.5.16 / A.5.19  | User access policies, identity and role management
Authentication Controls     | A.5.17 / A.5.21 / A.5.22  | Passwords, tokens, and secure log-on procedures
Access Reviews and Removal  | A.5.20                    | Timely deprovisioning of accounts
Use of Privileged Accounts  | A.8.9                     | JIT, admin access control, justification
Logging and Monitoring      | A.8.15 / A.8.16           | Logging events, log protection
Customer Role Management    | A.5.18                    | Role-based restrictions for external users
Secure API Access           | A.9.4.2 / A.13.1          | Secure API key handling, rate limits

Review and Update of the Methodology

  • Review Frequency: Annually, or after major system or role structure changes

  • Policy Updates: Communicated to all users and access owners; training delivered as necessary

Document Control

Version: 2.5
Date: February 2025
Description: Full policy review and alignment with ISO/IEC 27001:2022 controls

Previous Versions:

  • Version 2.4 (Aug 2024): Added API scoping and JIT access controls

  • Version 2.3 (Feb 2024): Enhanced endpoint protection guidance

  • Version 2.0 (Aug 2023): Reorganised by user type and access tier