Dedicated privileged accounts for admin tasks
Ensure admins use special accounts only for their admin work.
Plain language
This control means that people who have extra powers to change important parts of an organisation's computer systems use special accounts only for those tasks. This is important because if they used the same account for everything, like checking email or browsing the web, it would be easier for cybercriminals to trick them and gain control over the organisation's critical systems.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Privileged users are assigned a dedicated privileged account to be used solely for duties requiring privileged access.
Why it matters
Without separate privileged accounts, a phished standard login can be reused for admin actions, enabling rapid escalation and system takeover.
Operational notes
Maintain separate, clearly marked privileged accounts; review privileged group membership and privileged logons, and alert on privileged use from standard accounts (for example, a standard account turning up in a privileged group or receiving a privileged logon) and on privileged accounts used outside admin workflows (email, web browsing, or logons to ordinary workstations).
Implementation tips
- The IT manager should ensure that all administrators have two separate accounts: one with special privileges and one without, used only for regular tasks.
- System administrators must create a list of all people who need privileged accounts and set up these accounts using their existing identity management system.
- The security officer should train administrators on why they need to use their privileged accounts only for special tasks and how to switch between accounts safely.
- The IT team should monitor account usage regularly to ensure privileged accounts are only used for administrative purposes and not for everyday activities like email or web browsing.
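The monitoring described in the operational notes and in the last tip above can be run as a set of checks over group membership, logon events and proxy logs. The script below is an added example, not code from the original page or from ASD: it assumes dedicated privileged accounts carry an `adm-` prefix, that the hosts in `ADMIN_HOSTS` are the only places a privileged account should log on, that Windows Security event 4672 marks a logon that was granted administrative privileges, and that a web proxy logs one line per request with the account name. All events, groups and log lines are constructed.

```python
"""Checks for dedicated privileged-account hygiene over constructed sample data.

Added example, not from the original page. Assumptions: dedicated privileged
accounts carry an 'adm-' prefix, ADMIN_HOSTS are the only hosts where they
should log on, event 4672 marks a logon granted admin privileges, and the
proxy logs one line per request as '<timestamp> <account> <url>'.
"""
import re

PRIV_PREFIX = "adm-"                               # assumed naming convention
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ADMIN_HOSTS = {"PAW01", "PAW02"}                   # assumed admin workstations

# Constructed Windows Security events as (event_id, account, host).
# 4672 = special privileges assigned to a new logon, 4624 = successful logon.
EVENTS = [
    (4672, "adm-alice", "PAW01"),     # admin account on an admin host: expected
    (4672, "bob", "WS-BOB"),          # standard account granted admin rights
    (4624, "adm-carol", "WS-CAROL"),  # admin account on an ordinary workstation
    (4624, "alice", "WS-ALICE"),      # everyday account on an everyday host
]

# Constructed group membership snapshot: group name -> set of members.
GROUPS = {
    "Domain Admins": {"adm-alice", "adm-carol", "bob"},
    "Domain Users": {"alice", "bob", "carol", "adm-dave"},
}

# Constructed proxy log lines: timestamp, account, URL.
PROXY_LOG = """
2026-03-19T09:01:02 adm-alice https://mail.example.com/owa
2026-03-19T09:02:10 alice https://news.example.net/
2026-03-19T09:03:44 adm-carol https://www.example.org/
"""
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def is_privileged_name(account):
    """Treat an account as a dedicated privileged account by its name."""
    return account.startswith(PRIV_PREFIX)


def standard_accounts_in_privileged_groups(groups):
    """Standard (non adm-) accounts that hold membership of a privileged group."""
    return sorted(
        (group, member)
        for group, members in groups.items() if group in PRIV_GROUPS
        for member in members if not is_privileged_name(member)
    )


def privileged_accounts_without_standard_pair(groups):
    """adm- accounts with no matching everyday account: the admin account is
    then the person's only account and is likely used for everyday work."""
    everyone = set().union(*groups.values())
    return sorted(
        acct for acct in everyone
        if is_privileged_name(acct) and acct[len(PRIV_PREFIX):] not in everyone
    )


def suspicious_logons(events):
    """Privileged logons from standard accounts, and dedicated admin accounts
    logging on anywhere other than an admin workstation."""
    findings = []
    for event_id, account, host in events:
        if event_id == 4672 and not is_privileged_name(account):
            findings.append(("privileged_logon_from_standard_account", account, host))
        if is_privileged_name(account) and host not in ADMIN_HOSTS:
            findings.append(("admin_account_outside_admin_workstation", account, host))
    return findings


def privileged_web_use(proxy_log):
    """Dedicated admin accounts seen browsing or reading mail through the proxy."""
    hits = []
    for line in proxy_log.strip().splitlines():
        match = PROXY_RE.match(line)
        if not match:
            continue                      # skip malformed lines rather than crash
        _timestamp, account, url = match.groups()
        if is_privileged_name(account):
            hits.append((account, url))
    return hits


if __name__ == "__main__":
    print("standard accounts in privileged groups:",
          standard_accounts_in_privileged_groups(GROUPS))
    print("admin accounts with no everyday account:",
          privileged_accounts_without_standard_pair(GROUPS))
    print("suspicious logons:", suspicious_logons(EVENTS))
    print("admin accounts using web/mail:", privileged_web_use(PROXY_LOG))
```

Each function returns a list that can be fed to an alerting pipeline; on the constructed data it surfaces bob (a standard account in Domain Admins and receiving a privileged logon), adm-carol (logging on to an ordinary workstation and browsing), adm-alice (reading mail with the admin account) and adm-dave (no everyday account to pair with). The naming-convention assumption is the weak point: replace `is_privileged_name` with a lookup against the directory's actual privileged-account list where one exists.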
Audit / evidence tips
- Ask: Are privileged accounts separate from everyday user accounts?
  Good: Each user requiring special system access has a clearly marked privileged account, separate from their everyday account.
- Ask: Are there records showing privileged accounts are only used for administrative tasks?
  Good: Logs indicate privileged accounts access only administrative areas and tools, distinct from general user activities.
- Ask: How are employees educated on the use of privileged accounts?
  Good: Documented sessions and materials showing all administrators have been trained on the proper use of privileged accounts.
Cross-framework mappings
How E8-RA-ML1.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (1) | |
| Annex A 8.2 | E8-RA-ML1.2 requires a specific administrative practice: privileged users must use separate dedicated privileged accounts only for privil... |
| Supports (1) | |
| Annex A 5.3 | Annex A 5.3 requires segregation of conflicting duties and responsibilities to reduce misuse, including separating high-risk administrati... |
| Related (1) | |
| Annex A 5.15 | Annex A 5.15 requires organisations to define and apply access control rules and procedures, including controls over privileged access |
ASD ISM
| Control | Notes |
|---|---|
| Partially meets (4) | |
| ISM-1263 | E8-RA-ML1.2 requires a dedicated privileged account be used only for duties requiring privileged access |
| ISM-1827 | E8-RA-ML1.2 requires privileged users to use dedicated privileged accounts solely for admin tasks |
| ISM-1842 | E8-RA-ML1.2 requires privileged users to use dedicated privileged accounts exclusively for administrative tasks |
| ISM-1949 | ISM-1949 requires Microsoft AD FS servers to be administered using a dedicated service account that is not used to administer other systems |
| Partially overlaps (1) | |
| ISM-1508 | E8-RA-ML1.2 requires privileged users to use dedicated privileged accounts solely for privileged duties |
| Supports (11) | |
| ISM-0616 | ISM-0616 requires organisations to implement separation of duties when performing administrative activities for gateways to reduce the ri... |
| ISM-1175 | ISM-1175 requires privileged user accounts to be prevented from accessing the internet, email and web services unless explicitly authorised |
| ISM-1590 | ISM-1590 requires organisations to change user account credentials when they are compromised or suspected of compromise, including for sh... |
| ISM-1620 | E8-RA-ML1.2 requires privileged users to perform admin work using dedicated privileged accounts rather than their standard accounts |
| ISM-1750 | ISM-1750 requires segregation of administrative infrastructure between critical, high-value, and regular servers to prevent cross-contami... |
| ISM-1841 | ISM-1841 requires that unprivileged user accounts cannot add machines to the domain (i.e |
| ISM-1846 | ISM-1846 requires that the legacy **Pre-Windows 2000 Compatible Access** group contains no user accounts to avoid unintended broad read a... |
| ISM-1883 | ISM-1883 requires that privileged accounts authorised to access online services are limited to what is necessary to perform duties |
| ISM-1898 | ISM-1898 requires the use of Secure Admin Workstations for administrative activities to reduce compromise risk during privileged operations |
| ISM-1939 | ISM-1939 requires the number of accounts in Domain Admins, Enterprise Admins and other highly privileged groups to be minimised |
| ISM-1952 | ISM-1952 requires organisations to prevent synchronisation of privileged accounts between AD DS and Entra ID to avoid creating highly pri... |
| Related (1) | |
| ISM-0445 | E8-RA-ML1.2 requires privileged users to have a dedicated privileged account used solely for tasks requiring privileged access |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.