Access Control Policy

Document Ref: ISMS-POL-AC-01
Version: 1.0
Owner: Co-Chair
Review: Annual
Last updated: March 2026

Pretzel Films Ltd controls access to information, systems and services to protect client and company data. This policy sets out how we apply access control, least privilege and secure account management across our organisation.

Scope

This policy applies to all employees, contractors and freelancers who access Pretzel Films Ltd systems, accounts, data or services. It covers:

• Company devices (primarily macOS laptops and desktops)
• Cloud services (including Google Workspace and other third-party services)
• Shared storage, project folders and client materials
• Administrative access and privileged accounts

Principles

• Least privilege: users receive only the access required for their role.
• Need to know: access to client and confidential information is limited to authorised project personnel.
• Unique accounts: accounts must not be shared.
• Separation of privilege: administrative tasks use separate admin accounts where practicable.
• Timely removal: access is removed promptly when no longer required.

Roles and Responsibilities

User Account Provisioning

User accounts are created only after approval by a Co-Chair (or delegated approver). Access is granted based on role and project need.

• Users are assigned a company identity within Google Workspace (where applicable).
• Access to shared drives and project folders is granted via controlled permissions, preferably using Google Groups.
• Default access is restricted. Additional access requires explicit approval.

Administrative Access

Administrative access is limited to authorised individuals and is granted only where required for business operations. Administrative access is:

• Approved by a Co-Chair (or delegated approver).
• Recorded in an Admin Access List (or Access Review Log).
• Reviewed regularly and removed when no longer needed.

Administrative accounts must not be used for everyday activities such as email, web browsing or general file access, except where unavoidable. Where feasible, separate accounts are used for admin activity.

Authentication Requirements

Pretzel Films Ltd requires secure authentication controls, including:

• Strong, unique passwords for all accounts.
• Multi-factor authentication (MFA) enabled where supported by the service, particularly for cloud services.
• Password management using an approved password manager (where in use).

Access Reviews

Access rights are reviewed on a regular basis and additionally:

• When a staff member changes role or responsibilities
• When a project starts or ends
• When a supplier or contractor engagement ends

Access reviews confirm that:

• Users have appropriate permissions for their role
• Administrative access remains justified
• Former staff and suppliers no longer have access

Account Removal and Leavers

When an employee, freelancer or supplier no longer requires access, accounts and access permissions are removed promptly. This includes:

• Disabling Google Workspace accounts (where applicable)
• Removing access to shared drives and project folders
• Revoking third-party tool access
• Recovering company devices where issued

Access Logging and Monitoring

Where available, system logs and access records are maintained through cloud service audit capabilities (for example, Google Workspace logging) and device controls. Logs are used to support security monitoring and incident investigation.

Reporting a Security Concern

Any suspected credential compromise, unauthorised access, or access control weakness must be reported immediately.

Compliance and Exceptions

Non-compliance with this policy may result in access being restricted or removed and may be handled in line with Pretzel Films Ltd disciplinary processes where applicable.

Exceptions to this policy must be approved by a Co-Chair and documented with a reason, scope and review date.

Approval