Validating privileged access requests upon initial request
Check and approve requests for admin access to systems and data at the start.
Plain language
This control is about making sure anyone who asks for special admin access to your systems gets checked out first. It's like making sure someone's ID and reasons are verified before giving them the keys to your house. Without it, someone could sneak in and potentially wreak havoc by stealing sensitive information or causing damage.
Framework: ASD Essential Eight
Control effect: Preventative
E8 mitigation strategy: Restrict administrative privileges
Classifications: N/A
Official last update: N/A
Control Stack last updated: 19 Mar 2026
E8 maturity levels: ML1
Official control statement
Requests for privileged access to systems, applications and data repositories are validated when first requested.
Why it matters
Unchecked admin access requests can lead to unauthorised changes or data breaches, exposing sensitive info and harming the organisation.
Operational notes
Validate each privileged access request at submission (requester identity, business need, approver authority, scope and duration) and record the approval decision in logs.
Implementation tips
- The IT team should create a formal request process for admin access. They can use a simple online form where users must provide their name, department, and reason for needing access.
- Supervisors should review admin access requests. They should check if the request is valid, aligns with job duties, and approve or reject it based on this judgement.
- System administrators should maintain a list of all systems that require admin access. They should regularly update this list so they can cross-check new access requests efficiently.
- Security officers should ensure that approved requests are only granted to dedicated admin accounts. They can verify this by setting rules that prevent regular user accounts from receiving admin privileges.
Audit / evidence tips
- Ask: How are admin access requests submitted and approved?
  Good: Each request should have associated documentation showing supervisor approval.
- Ask: How do you ensure admin privileges are assigned correctly?
  Good: There should be a one-to-one match between approved requests and admin accounts.
- Ask: What controls are in place to prevent regular accounts from having admin access?
  Good: Procedures should clearly differentiate between admin and regular accounts, with strict controls on upgrades.
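The operational notes and the audit questions above describe two checks: validating each request at submission (requester identity, business need, approver authority, scope, duration, dedicated admin account as the target) with the decision logged, and reconciling approved requests against actual admin-group membership one to one. The following Python is an added example of both, not code from the page or from Control Stack; the "adm-" naming convention for dedicated admin accounts, the 90-day maximum duration, and all user, system and request data are constructed assumptions.

```python
from dataclasses import dataclass

# Assumptions (not from the control text): dedicated admin accounts carry an
# "adm-" prefix, and a grant may run for at most 90 days before re-validation.
ADMIN_PREFIX = "adm-"
MAX_DURATION_DAYS = 90


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    requester: str        # the person asking, identified by their normal user id
    target_account: str   # the account that would actually receive the privilege
    system: str
    business_need: str
    approver: str
    duration_days: int


def validate_request(req, directory_users, approvers, admin_systems):
    """Check the fields the operational notes call for and return the list of
    reasons the request fails; an empty list means the request passes."""
    problems = []
    if req.requester not in directory_users:
        problems.append("requester identity not found in directory")
    if req.approver not in approvers:
        problems.append("approver lacks authority for privileged access")
    if req.approver == req.requester:
        problems.append("requester cannot approve their own request")
    if req.system not in admin_systems:
        problems.append("system is not on the maintained list of admin-access systems")
    if not req.business_need.strip():
        problems.append("no business need stated")
    if not 0 < req.duration_days <= MAX_DURATION_DAYS:
        problems.append(f"duration must be between 1 and {MAX_DURATION_DAYS} days")
    if not req.target_account.startswith(ADMIN_PREFIX):
        problems.append("privileges may only be granted to a dedicated admin account")
    return problems


def decide(req, directory_users, approvers, admin_systems, audit_log):
    """Validate at submission and record the decision, so every request has
    documentation showing how it was approved or rejected and by whom."""
    problems = validate_request(req, directory_users, approvers, admin_systems)
    decision = "approved" if not problems else "rejected"
    audit_log.append({
        "request_id": req.request_id, "requester": req.requester,
        "approver": req.approver, "target_account": req.target_account,
        "decision": decision, "reasons": problems,
    })
    return decision


def reconcile(approved_requests, admin_group_members):
    """Evidence check: approved requests and admin accounts should match one to
    one, and no regular (non-"adm-") account should sit in the admin group."""
    approved = {r.target_account for r in approved_requests}
    members = set(admin_group_members)
    return {
        "admin_without_request": sorted(members - approved),
        "request_without_account": sorted(approved - members),
        "regular_accounts_with_admin": sorted(m for m in members if not m.startswith(ADMIN_PREFIX)),
    }


# Constructed sample data: a small directory, one supervisor with approval
# authority, the maintained list of admin-access systems, and three requests.
DIRECTORY_USERS = {"alice", "bob", "carol"}
APPROVERS = {"carol"}
ADMIN_SYSTEMS = {"hr-db", "file-server"}
REQUESTS = [
    AccessRequest("REQ-1", "alice", "adm-alice", "hr-db", "quarterly payroll migration", "carol", 30),
    AccessRequest("REQ-2", "bob", "bob", "hr-db", "fix month-end reports", "carol", 30),   # regular account as target
    AccessRequest("REQ-3", "alice", "adm-alice", "legacy-erp", "patching", "alice", 400),  # self-approved, unknown system, too long
]
ADMIN_GROUP = ["adm-alice", "adm-dave", "bob"]  # constructed current admin-group membership


def run_example():
    audit_log = []
    decisions = {r.request_id: decide(r, DIRECTORY_USERS, APPROVERS, ADMIN_SYSTEMS, audit_log)
                 for r in REQUESTS}
    approved = [r for r in REQUESTS if decisions[r.request_id] == "approved"]
    return decisions, audit_log, reconcile(approved, ADMIN_GROUP)


if __name__ == "__main__":
    decisions, log, findings = run_example()
    for entry in log:
        print(entry["request_id"], entry["decision"], entry["reasons"])
    print(findings)
```

With the constructed data, REQ-1 is approved, REQ-2 is rejected because the target is a regular account, and REQ-3 is rejected on four grounds. The reconciliation then surfaces adm-dave (admin membership with no approved request) and bob (a regular account holding admin membership), which is exactly the evidence an auditor asking the second and third questions above would expect to see produced.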
Cross-framework mappings
How E8-RA-ML1.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (3) | |
| Annex A 5.15 | E8-RA-ML1.1 requires organisations to validate privileged access requests upon initial request |
| Annex A 5.18 | E8-RA-ML1.1 requires organisations to validate privileged access requests when first requested, prior to provisioning |
| Annex A 8.2 | E8-RA-ML1.1 requires organisations to validate privileged access requests when they are first requested |
| Supports (1) | |
| Annex A 8.4 | Annex A 8.4 requires appropriate management of read and write access to source code, development tools and software libraries |
ASD ISM
| Control | Notes |
|---|---|
| Partially overlaps (5) | |
| ISM-0446 | ISM-0446 requires that foreign nationals are not granted privileged access to AUSTEO/REL systems |
| ISM-1508 | E8-RA-ML1.1 requires organisations to validate privileged access requests upon initial request |
| ISM-1647 | E8-RA-ML1.1 requires organisations to validate privileged access requests when first requested to ensure only legitimate admin access is ... |
| ISM-1883 | E8-RA-ML1.1 requires organisations to validate privileged access requests at the point they are first raised |
| ISM-1927 | ISM-1927 requires that only privileged users who require access can access AD DS/CS/FS and Entra Connect servers |
| Supports (3) | |
| ISM-0407 | E8-RA-ML1.1 requires organisations to validate privileged access requests when first requested |
| ISM-0432 | E8-RA-ML1.1 requires organisations to validate privileged access requests upon initial request |
| ISM-1939 | ISM-1939 requires minimising the number of accounts that are members of highly privileged security groups |
| Related (1) | |
| ISM-1507 | ISM-1507 requires that requests for privileged access to systems and resources are validated at the time they are first requested |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.