Privileged access is disabled after 45 days of inactivity
Disable admin accounts if unused for 45 days to improve security.
Plain language
This control is about ensuring that admin accounts don't sit around unused for too long. If an administrator hasn't used their access for 45 days, their account should be turned off. This is important because old admin accounts could be a way in for hackers if they aren't managed properly.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Privileged access to systems and applications is disabled after 45 days of inactivity.
Why it matters
If privileged accounts remain enabled beyond 45 days of inactivity, attackers can exploit forgotten admin credentials to gain elevated access and persist undetected.
Operational notes
Set up alerts for privileged accounts approaching 45 days inactivity, then automatically disable access (or require reauthorisation) and record actions for audit.
Implementation tips
- The IT team should regularly review activity logs to identify inactive admin accounts. Use automated tools to help track usage and alert when accounts have been inactive for 45 days.
- The system administrator needs to disable unused admin accounts. Configure systems to automatically disable accounts after 45 days of inactivity as a preventive measure.
- The security officer should establish a policy for managing admin account inactivity. Develop guidelines on how accounts should be reviewed, disabled, and reactivated if needed.
- The IT support staff should train administrators on the policy. Explain the importance of regularly using their accounts or notifying IT if access is no longer needed.
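As an added example that is not part of the Control Stack page, the following Python sketches the review logic described in the tips above: an inactivity calculation per privileged account, an alert when an account is approaching the 45-day limit, a disable decision once it is reached, and an audit line for each action. It assumes the privileged account list has already been exported from the directory (the names, creation dates and last sign-in times below are constructed sample data) and uses a seven-day warning window, which the control itself does not specify; the actual disable call against the directory is left to the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=45)   # threshold from the control statement
WARNING_WINDOW = timedelta(days=7)      # assumed: alert one week before the limit

@dataclass
class PrivilegedAccount:
    name: str
    created: datetime
    last_logon: Optional[datetime]  # None when the account has never signed in
    enabled: bool = True

def inactivity(account: PrivilegedAccount, now: datetime) -> timedelta:
    """Time since last use. A never-used account is measured from its creation
    date, so a provisioned-but-unused admin account cannot evade the limit."""
    last_activity = account.last_logon or account.created
    return now - last_activity

def evaluate(accounts, now):
    """Return (action, account_name, days_inactive) for each enabled account."""
    decisions = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already disabled: nothing to do
        idle = inactivity(acct, now)
        if idle >= INACTIVITY_LIMIT:
            decisions.append(("disable", acct.name, idle.days))
        elif idle >= INACTIVITY_LIMIT - WARNING_WINDOW:
            decisions.append(("alert", acct.name, idle.days))
    return decisions

def audit_record(action, name, days, now):
    """One line per action so the review leaves evidence for auditors."""
    return f"{now.isoformat()} action={action} account={name} days_inactive={days} control=E8-RA-ML2.2"

# Constructed sample: four privileged accounts as of a fixed review time.
NOW = datetime(2026, 3, 19, tzinfo=timezone.utc)
SAMPLE = [
    PrivilegedAccount("adm.alice", NOW - timedelta(days=400), NOW - timedelta(days=3)),
    PrivilegedAccount("adm.bob", NOW - timedelta(days=400), NOW - timedelta(days=46)),
    PrivilegedAccount("adm.carol", NOW - timedelta(days=400), NOW - timedelta(days=40)),
    PrivilegedAccount("adm.dave", NOW - timedelta(days=60), None),   # never signed in
]

if __name__ == "__main__":
    for decision in evaluate(SAMPLE, NOW):
        print(audit_record(*decision, NOW))
```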
Audit / evidence tips
- Ask: How does the organisation monitor admin account activity?
- Good: Logs show consistent monitoring and actions taken once inactivity exceeds 45 days
- Ask: What is the process for disabling inactive admin accounts?
- Good: Policies and system settings that detail the criteria and actions for account disabling
Cross-framework mappings
How E8-RA-ML2.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.2 | E8-RA-ML2.2 requires privileged access to be disabled after 45 days of inactivity | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| ISM-1620 | ISM-1620 requires privileged user accounts to be placed in the AD Protected Users group to reduce authentication abuse (e.g | |
| ISM-1647 | E8-RA-ML2.2 requires privileged access to be disabled after 45 days of inactivity | |
| ISM-1940 | ISM-1940 requires service accounts to be excluded from highly privileged AD groups such as Domain Admins and Enterprise Admins | |
| Supports (2) | | |
| ISM-0445 | ISM-0445 requires separate privileged accounts so that privileged access is only used when necessary for administrative duties | |
| ISM-1927 | ISM-1927 requires limiting access to AD DS/CS/FS and Entra Connect servers to privileged users that require access | |
| Related (1) | | |
| ISM-1648 | E8-RA-ML2.2 requires privileged access to systems and applications to be disabled after 45 days of inactivity | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.