E8-RA-ML2.2 (ASD Essential Eight)

Privileged access is disabled after 45 days of inactivity

Disable admin accounts if unused for 45 days to improve security.


Plain language

This control is about ensuring that admin accounts don't sit around unused for too long. If an administrator hasn't used their access for 45 days, their account should be turned off. This is important because old admin accounts could be a way in for hackers if they aren't managed properly.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Restrict administrative privileges

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

Privileged access to systems and applications is disabled after 45 days of inactivity.

Why it matters

If privileged accounts remain enabled beyond 45 days of inactivity, attackers can exploit forgotten admin credentials to gain elevated access and persist undetected.


Operational notes

Set up alerts for privileged accounts approaching 45 days inactivity, then automatically disable access (or require reauthorisation) and record actions for audit.


Implementation tips

  • The IT team should regularly review activity logs to identify inactive admin accounts. Use automated tools to help track usage and alert when accounts have been inactive for 45 days.
  • The system administrator needs to disable unused admin accounts. Configure systems to automatically disable accounts after 45 days of inactivity as a preventive measure.
  • The security officer should establish a policy for managing admin account inactivity. Develop guidelines on how accounts should be reviewed, disabled, and reactivated if needed.
  • The IT support staff should train administrators on the policy. Explain the importance of regularly using their accounts or notifying IT if access is no longer needed.
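The operational note above (alert, disable, record for audit) and the implementation tips are commonly automated against Active Directory. The following script is an added example, not part of this control page or of any ASD tooling; it assumes the RSAT ActiveDirectory module, the illustrative privileged group names, an assumed break-glass exemption list and an assumed log path, and it disables enabled members of those groups whose last activity is older than 45 days, tagging the account and appending an audit record.

```powershell
# Added example: disable privileged AD accounts inactive for 45 days and log the action.
# Group names, the exemption list and the log path below are assumptions; adjust them.
# Run with -WhatIf first to review what would be disabled.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 45,
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [string[]]$Exempt = @('breakglass-admin'),            # assumed break-glass accounts, covered by a separate procedure
    [string]$LogPath = 'C:\Logs\privileged-inactivity.csv' # assumed audit log location
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Collect privileged users once, following nested group membership.
$users = $PrivilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property distinguishedName -Unique |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, whenCreated, Enabled }

foreach ($u in $users) {
    if (-not $u.Enabled -or $Exempt -contains $u.SamAccountName) { continue }

    # LastLogonDate is derived from lastLogonTimestamp, which replicates lazily (it can lag
    # real logons by up to about 14 days), so treat it as an upper bound on inactivity.
    # An account that has never logged on has no LastLogonDate; fall back to its creation date
    # so that a never-used privileged account is still caught.
    $lastActivity = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    if ($lastActivity -gt $cutoff) { continue }

    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (inactive since $lastActivity)")) {
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): E8-RA-ML2.2 inactivity"
        # Append an audit record so the action is evidenced for the 'Good' items below.
        [pscustomobject]@{
            Timestamp      = (Get-Date).ToString('o')
            SamAccountName = $u.SamAccountName
            LastActivity   = $lastActivity.ToString('o')
            Action         = 'Disabled'
            Operator       = "$env:USERDOMAIN\$env:USERNAME"
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}
```

Because of the replication lag noted in the comments, an account can appear inactive for 45 days while its true last logon was up to two weeks more recent; schedule the job daily and pair it with the alerting the operational note describes so owners can reauthorise before the cutoff.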

Audit / evidence tips

  • Ask: How does the organisation monitor admin account activity?
  • Good: Logs show consistent monitoring and actions taken once inactivity exceeds 45 days
  • Ask: What is the process for disabling inactive admin accounts?
  • Good: Policies and system settings that detail the criteria and actions for account disabling

Cross-framework mappings

How E8-RA-ML2.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.2: E8-RA-ML2.2 requires privileged access to be disabled after 45 days of inactivity

ASD ISM

Partially overlaps (3)
  • ISM-1620: requires privileged user accounts to be placed in the AD Protected Users group to reduce authentication abuse (e.g
  • ISM-1647: E8-RA-ML2.2 requires privileged access to be disabled after 45 days of inactivity
  • ISM-1940: requires service accounts to be excluded from highly privileged AD groups such as Domain Admins and Enterprise Admins

Supports (2)
  • ISM-0445: requires separate privileged accounts so that privileged access is only used when necessary for administrative duties
  • ISM-1927: requires limiting access to AD DS/CS/FS and Entra Connect servers to privileged users that require access

Related (1)
  • ISM-1648: E8-RA-ML2.2 requires privileged access to systems and applications to be disabled after 45 days of inactivity

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
