Limit privileged accounts to essential online service access
Only allow privileged accounts the minimum access needed for online duties.
Plain language
This control is about making sure that people with special access to your systems can only use those privileges for their job-related activities online. It's important because it stops unauthorised persons from taking advantage of these accounts to cause harm or steal information.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.
Why it matters
If privileged accounts have unnecessary online service access, attackers can abuse stolen credentials or tokens to access cloud/SaaS admin portals and sensitive data.
Operational notes
Maintain an approved list of online services each privileged account may use, review it routinely, and remove any SaaS, email, or cloud console access not required for duties.
Implementation tips
- The IT manager should review which employees need privileged accounts to do their job online and limit these accounts to essential services only.
- System administrators should create a list of online services that require privileged access and ensure accounts are only set up for these specified services.
- The security officer should implement a system where any changes to privileged accounts require approval from a supervisor and are documented.
- IT staff should use tools to regularly check and confirm that privileged accounts do not have unnecessary internet access, thereby reducing exposure to potential security threats.
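As an added example that is not part of the Control Stack page, the following Python reconciles a constructed identity-provider export of what each privileged account can currently reach against the approved list described above, reporting unapproved grants, stale approvals and accounts with no approved list, plus the approval evidence an auditor would ask for. All accounts, services and CHG-* references are constructed placeholders.

```python
# Added example (not from the Control Stack page): reconcile granted online-service
# access for privileged accounts against the approved list E8-RA-ML1.4 relies on.
from dataclasses import dataclass

# Approved list: account -> {service: approval reference}; the CHG-* ids are
# placeholders, not real change tickets.
APPROVED = {
    "adm.jsmith": {"m365-admin": "CHG-0001", "aws-console": "CHG-0002"},
    "adm.tlee": {"aws-console": "CHG-0003", "gcp-console": "CHG-0004"},
}

# Constructed export of what each privileged account can currently reach,
# e.g. from an identity provider's application-assignment report.
GRANTED = {
    "adm.jsmith": {"m365-admin", "aws-console", "salesforce-admin"},
    "adm.tlee": {"aws-console", "m365-admin"},
    "adm.orphan": {"github-org-admin"},
}

@dataclass
class Finding:
    account: str
    service: str
    issue: str  # "unapproved", "stale-approval" or "no-approved-list"

def reconcile(approved, granted):
    """Return every deviation between granted and approved online-service access."""
    findings = []
    for account, services in granted.items():
        if account not in approved:
            # No approved list at all: every grant on this account is an exception.
            findings += [Finding(account, s, "no-approved-list") for s in sorted(services)]
            continue
        ok = set(approved[account])
        # Granted but never approved: remove it, or get it approved and documented.
        findings += [Finding(account, s, "unapproved") for s in sorted(services - ok)]
        # Approved but no longer granted: retire the approval so the list stays current.
        findings += [Finding(account, s, "stale-approval") for s in sorted(ok - services)]
    return findings

def evidence_report(approved, granted):
    """Auditor-readable lines: each approved grant with its approval reference."""
    return [f"{a} -> {s} (approved: {approved[a][s]})"
            for a in sorted(granted)
            for s in sorted(granted[a] & set(approved.get(a, {})))]

if __name__ == "__main__":
    for f in reconcile(APPROVED, GRANTED):
        print(f"{f.issue:16} {f.account} -> {f.service}")
    print("\n".join(evidence_report(APPROVED, GRANTED)))
```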
Audit / evidence tips
- Ask: Can you show me the process used to review and limit privileged account access?
- Good: A comprehensive list of online services requiring privileged access with supporting approval documentation should be available
- Ask: How do you ensure privileged accounts don't have unnecessary internet access?
- Good: Settings and logs should clearly show restricted internet access for privileged accounts, except those explicitly approved
Cross-framework mappings
How E8-RA-ML1.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.15 | Partially meets | E8-RA-ML1.4 requires enforcing least privilege for privileged accounts that are authorised to access online services |
| Annex A 5.18 | Partially meets | E8-RA-ML1.4 requires limiting authorised privileged account access to online services to what is necessary for duties |
| Annex A 8.2 | Partially meets | E8-RA-ML1.4 requires that privileged accounts authorised to access online services are restricted to the minimum necessary access for duties |
| Annex A 8.22 | Supports | E8-RA-ML1.4 requires limiting privileged accounts' online service access to only what is required for duties |
| Annex A 8.3 | Related | Annex A 8.3 requires access to information and associated assets to be restricted in accordance with an access control policy |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1508 | Partially meets | E8-RA-ML1.4 requires privileged accounts to be limited to essential access specifically for online services |
| ISM-0441 | Partially overlaps | ISM-0441 requires limiting what temporarily authorised personnel can access to only the data required for their duties |
| ISM-1852 | Partially overlaps | ISM-1852 requires organisations to restrict unprivileged access to only what is required for users and services to do their jobs |
| ISM-2068 | Partially overlaps | E8-RA-ML1.4 requires that privileged accounts authorised to use online services are limited to only the access required for their duties |
| ISM-0258 | Supports | ISM-0258 requires organisations to establish and maintain a web usage policy defining acceptable access and use of web services |
| ISM-0445 | Supports | E8-RA-ML1.4 requires privileged accounts authorised for online services to have only the minimum access needed to perform online duties |
| ISM-0611 | Supports | E8-RA-ML1.4 requires privileged accounts to have only essential access when using online services |
| ISM-1507 | Supports | E8-RA-ML1.4 requires that privileged accounts authorised for online service access are strictly limited to what is necessary |
| ISM-1647 | Supports | E8-RA-ML1.4 requires limiting privileged accounts' online service access to only what is required for duties |
| ISM-1648 | Supports | E8-RA-ML1.4 requires that privileged accounts authorised for online services are strictly limited to what is needed for duties |
| ISM-1833 | Supports | E8-RA-ML1.4 requires that privileged accounts authorised for online services have only the access required to perform their duties |
| ISM-1927 | Supports | ISM-1927 requires that access to AD DS domain controllers, AD CS CA servers, AD FS servers and Entra Connect servers is limited to privil... |
| ISM-1939 | Supports | E8-RA-ML1.4 requires limiting privileged accounts to only essential online service access needed for duties |
| ISM-1175 | Related | E8-RA-ML1.4 requires privileged accounts authorised for online services to be tightly limited to only what is needed to perform online du... |
| ISM-1883 | Related | ISM-1883 requires that privileged user accounts authorised to access online services are limited to only what is necessary to perform duties |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.