Template
Access Reference Register
The Access Reference Register is a template for documenting where important access is managed without recording secret values.
It is designed to help small organizations understand which accounts, services, tools, and systems exist, who owns them, where credentials are securely managed, and how access should be reviewed.
The template should not be used as a password list.
Purpose
The purpose of this template is to help an organization keep a safe, practical record of access-related information.
It helps answer questions such as:
- What important accounts or services exist?
- Who owns each account or service?
- Where are credentials securely stored?
- Is MFA enabled?
- Who owns recovery or escalation?
- When was the access reference last reviewed?
- Which related services depend on the account?
The template is meant to point people toward the approved secure system. It should not contain the credential value itself.
Important safety notice
Do not record passwords, API keys, MFA recovery codes, private keys, seed phrases, payment card data, or other sensitive credential values in this template.
Credential values should remain in the approved systems your organization uses to protect them.
Use references such as:
- password-manager item names
- secure vault locations
- identity provider names
- account owner names
- responsible roles
- MFA method notes
- recovery owner notes
- review dates
The template is for access references, not secret storage.
Who this template is for
This template is designed for:
- small businesses
- nonprofits
- founder-led organizations
- community projects
- small teams
- independent maintainers
- early-stage organizations
- organizations without formal IT or operations staff
Larger organizations may adapt it, but they may need more formal identity, access, security, compliance, and review processes.
Recommended use
Use this template to create a register of important accounts and services.
Start with the most important accounts first, such as:
- domain registrar
- website hosting
- DNS provider
- email admin account
- payment processor
- accounting software
- cloud storage
- password manager
- business bank portal
- social media accounts
- support inbox
- repository or deployment platform
Do not try to document every minor account on the first pass. Begin with the accounts that would create confusion if no one knew where access was managed.
Template fields
The Access Reference Register may include the following fields.
Service or account name
Record the name of the account, service, vendor, tool, or system.
Examples:
- Primary domain registrar
- Website hosting account
- Email workspace admin
- Payment processor
- Cloud storage admin
- Accounting software
- Password manager admin
Purpose
Describe why the account exists.
Examples:
- Manages the organization’s primary domain.
- Hosts the public website.
- Processes customer payments.
- Manages organization email accounts.
- Stores shared organization documents.
The purpose should be clear enough for someone unfamiliar with the account to understand why it matters.
Responsible owner
Record the person, role, team, or provider responsible for the account.
Examples:
- Founder
- Operations lead
- Finance owner
- Website maintainer
- External IT provider
- Board treasurer
Where possible, use both a role and current person.
Credential storage reference
Record where credentials are securely stored.
Examples:
- Password manager item: “Primary Domain Registrar”
- Secure vault folder: “Website / Hosting”
- Identity provider: managed through SSO
- External provider managed
- Not applicable
Do not record the credential value.
MFA status
Record whether multi-factor authentication is enabled, if known.
Examples:
- Enabled
- Not enabled
- Unknown
- Not applicable
MFA method note
Record a general note about the MFA method.
Examples:
- Authenticator app
- Hardware security key
- SSO-based MFA
- SMS
- Email confirmation
- Managed by vendor
- Unknown
Do not record recovery codes.
Recovery owner
Record who owns access recovery or escalation.
Examples:
- Founder
- Operations lead
- Finance owner
- External IT provider
- Vendor support
- Board secretary
Related vendor or service
Record the related vendor or service, if applicable.
Examples:
- Domain registrar
- Website host
- Payment processor
- Email provider
- Cloud storage provider
This helps connect the access reference to the vendor inventory.
Related records
Record related internal documentation.
Examples:
- Vendor and Service Inventory
- Responsibility Record
- Continuity Notes
- Incident Timeline Notes
- Contract folder
- Billing folder
Use safe references only.
Last reviewed
Record the date the access reference was last checked.
Review frequency
Record how often the reference should be reviewed.
Examples:
- Monthly
- Quarterly
- Twice per year
- Annually
- After role changes
- After vendor changes
- After incidents
Status
Record the current status of the access reference.
Examples:
- Active
- Needs review
- Unknown
- Archived
- External provider managed
Notes
Use notes for neutral, non-sensitive context.
Examples:
- Backup owner should be added.
- Review before annual renewal.
- Account ownership should be confirmed after staff changes.
- Vendor support requires account owner verification.
Do not use notes for secrets or sensitive evidence.
Minimum version
A very small organization can begin with only these fields:
| Field | Purpose |
|---|---|
| Service/account | What the access reference applies to |
| Owner | Who is responsible |
| Credential storage reference | Where credentials are securely stored |
| MFA note | General MFA status or method |
| Recovery owner | Who handles recovery or escalation |
| Last reviewed | Date last checked |
| Status | Active, needs review, unknown, or archived |
This minimum version is enough to reduce confusion while avoiding unsafe credential storage.
Example entry
| Field | Example |
|---|---|
| Service/account | Primary domain registrar |
| Purpose | Manages the organization’s main domain name |
| Owner | Website maintainer |
| Credential storage reference | Password manager item: “Primary Domain Registrar” |
| MFA status | Enabled |
| MFA method note | Authenticator app |
| Recovery owner | Founder |
| Related vendor | Domain registrar |
| Related records | Vendor inventory, continuity notes |
| Last reviewed | 2026-07-08 |
| Review frequency | Quarterly |
| Status | Active |
When to update this template
Update the Access Reference Register when:
- a new important account is created
- an account owner changes
- a backup or recovery owner changes
- MFA settings change
- the password manager or secure vault location changes
- a vendor or service changes
- an incident reveals unclear access ownership
- a critical account is archived or cancelled
- a scheduled review occurs
What not to include
Do not include:
- passwords
- passphrases
- API keys
- private keys
- seed phrases
- MFA recovery codes
- one-time passwords
- security questions and answers
- payment card numbers
- customer records
- confidential contracts
- regulated data
- sensitive incident evidence
If sensitive information must be preserved, store it in an approved secure location and reference it safely.
Related standard
This template supports the Access References standard.
It also connects to:
- Vendor Inventory
- Responsibility Records
- Continuity Notes
- Review Routines
License
This template is intended to be provided as a free public resource.
Unless otherwise stated on the project license page, the standards and templates are made available for use, adaptation, and sharing under the project’s open content license.
The project name, logo, and official identity are not included in the template license.
Download template
This template is provided as a free public resource. Review the guidance on this page before using it, especially the notes about sensitive information.
Download Access Reference Register