Privileged users use separate privileged and unprivileged environments
Ensure privileged users have separate work environments for admin tasks and regular tasks.
Plain language
This control is about making sure that users with special privileges in an organisation, like IT admins, use different environments for their high-level tasks and everyday tasks. This matters because if these users use the same environment for everything and it gets compromised, attackers could gain access to the entire system and cause a lot of damage.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Privileged users use separate privileged and unprivileged operating environments.
Why it matters
If privileged and unprivileged tasks aren't separated, a user compromise can grant attackers admin access, risking entire system control.
Operational notes
Use separate admin accounts/workstations for privileged tasks; monitor privileged logons, audit usage, and alert on unapproved access to admin environments.
Implementation tips
- The IT team should create separate accounts for privileged users. Use one account solely for administrative tasks and another for general tasks.
- System administrators need to set up separate virtual desktops or systems for admin tasks. This can be done using separate workstations or virtual machines for different types of work.
- Security officers should ensure that any privileged account does not have access to general internet browsing, email, or social media to minimise risk of exposure to attacks.
- The IT team should regularly review and manage the access permissions of privileged accounts. Use tools to verify that accounts are only used for their intended purpose.
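One way to check the separation described in the operational notes and implementation tips above, as an added example that is not part of the original control page. The account inventory, host classification, logon events and all names in it (such as `adm-alice` and `paw-01`) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: (person, account, is_privileged)
ACCOUNTS = [
    ("alice", "alice", False),
    ("alice", "adm-alice", True),
    ("bob", "bob-admin", True),      # bob has no unprivileged account
    ("carol", "carol", False),
]
# Constructed host classification: hostname -> environment
HOSTS = {"paw-01": "privileged", "wks-17": "unprivileged", "wks-22": "unprivileged"}
# Constructed logon events: (timestamp, account, hostname)
LOGONS = [
    ("2026-03-02T09:01:00", "alice", "wks-17"),
    ("2026-03-02T09:30:00", "adm-alice", "paw-01"),
    ("2026-03-02T10:12:00", "adm-alice", "wks-17"),   # privileged account on everyday workstation
    ("2026-03-02T11:05:00", "carol", "paw-01"),       # unprivileged account in admin environment
    ("2026-03-02T11:40:00", "bob-admin", "wks-99"),   # host missing from the inventory
]

def users_without_separate_accounts(accounts):
    """Return privileged users who have no unprivileged account of their own."""
    kinds = defaultdict(set)
    for person, _account, privileged in accounts:
        kinds[person].add(privileged)
    return sorted(p for p, k in kinds.items() if True in k and False not in k)

def environment_violations(accounts, hosts, logons):
    """Return logons where the account's privilege level does not match the host's environment."""
    privileged = {account: priv for _person, account, priv in accounts}
    findings = []
    for ts, account, host in logons:
        env = hosts.get(host)
        if account not in privileged or env is None:
            # Unclassified accounts or hosts cannot be shown to comply, so report them.
            findings.append((ts, account, host, "unknown account or host"))
        elif privileged[account] and env != "privileged":
            findings.append((ts, account, host, "privileged account in unprivileged environment"))
        elif not privileged[account] and env == "privileged":
            findings.append((ts, account, host, "unprivileged account in privileged environment"))
    return findings

if __name__ == "__main__":
    print("Missing separate accounts:", users_without_separate_accounts(ACCOUNTS))
    for finding in environment_violations(ACCOUNTS, HOSTS, LOGONS):
        print(*finding, sep="  ")
```

The two outputs line up with the audit evidence listed below: a per-user list of privileged and unprivileged accounts, and logs showing which environment each account was used in.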
Audit / evidence tips
- Ask: Do privileged users have separate accounts for admin and regular tasks?
- Good: A list showing privileged and unprivileged accounts per user, with clear documentation on their use
- Ask: Are there separate environments set up for privileged and regular activities?
- Good: Clear documentation and logs showing separate environments being used by privileged users
Cross-framework mappings
How E8-RA-ML1.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| ISM-1387 | E8-RA-ML1.5 requires privileged users to use separate privileged and unprivileged operating environments for admin versus standard activi... | |
| Supports (6) | | |
| ISM-0445 | ISM-0445 requires privileged users to use a dedicated privileged account solely for privileged activities | |
| ISM-1400 | ISM-1400 requires enforced separation of classified data and personal data on privately-owned devices used to access sensitive systems or... | |
| ISM-1687 | E8-RA-ML1.5 requires privileged users to use separate privileged and unprivileged operating environments | |
| ISM-1689 | E8-RA-ML1.5 requires privileged users to operate in separate privileged and unprivileged environments | |
| ISM-1958 | E8-RA-ML1.5 requires privileged users to use separate privileged and unprivileged operating environments to reduce exposure of high-value... | |
| ISM-1990 | ISM-1990 requires organisations to keep work and personal apps and data separated on mobile devices to reduce data leakage and cross-cont... | |
| Related (2) | | |
| ISM-1380 | E8-RA-ML1.5 requires privileged users to use separate privileged and unprivileged operating environments to isolate admin activity from d... | |
| ISM-1635 | ISM-1635 requires system owners to implement controls for each system and its operating environment | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.