An access control matrix is a tabular representation that maps user roles to systems and applications, defining the respective access levels (e.g., read, write, admin). In an ISMS, it serves as the authoritative document for permission assignments. It makes it easy to verify compliance with the principle of least privilege and shows at a glance which role may access which resources. During audits, the access control matrix is a frequently requested evidence document.