The growth of Information Technology (IT) has brought many conveniences to organizational operations, but it has also introduced significant security risks. One of the most critical areas of concern is access control, where weaknesses lead directly to unauthorized access and data breaches. Absolute security is unattainable, so structured governance frameworks are needed to keep such weaknesses to a minimum. ISO/IEC 27001:2013 is an international standard that specifies the requirements for an information security management system (ISMS) and, in its Annex A, a reference set of controls, while the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method supports in-depth, organization-specific risk assessments. This study aims to strengthen access control governance at PT. XYZ, an IT-based company, by integrating ISO/IEC 27001:2013 controls with the OCTAVE methodology. Risks are evaluated against the CIA triad (Confidentiality, Integrity, Availability), using internal knowledge gathered through interviews with operational teams. OCTAVE is used to identify key assets, estimate threat likelihood, and assess business impact; each identified risk is then mapped to the appropriate control in ISO/IEC 27001:2013 Annex A.9 (Access control). The resulting implementation comprises several critical access control mechanisms: user access management (A.9.2), restriction of access to networks and network services (A.9.1.2), management of privileged access rights (A.9.2.3), and password security policies covering the use of secret authentication information and the password management system (A.9.3.1 and A.9.4.3). This combined approach allows PT. XYZ to address its specific risk exposures more effectively while demonstrating conformance with an international standard. Integrating ISO/IEC 27001:2013 with OCTAVE yields a practical, risk-based model for access control governance that adapts to organizational context and resource constraints, and the study offers a replicable reference for similar IT organizations seeking to improve their information security posture.