Limit privileged access to what is necessary for duties
Ensure privileged access is granted only when needed to perform specific duties.
Plain language
Limiting privileged access means making sure that employees only have access to the systems and information they need to do their jobs, nothing more. This is important because if excess access is misused or granted by accident, it could lead to sensitive data being exposed or malicious activity within the organisation.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.
Why it matters
If privileged access isn’t limited to duty needs, compromised or misused admin accounts can enable unauthorised changes and broad data exposure.
Operational notes
Perform scheduled reviews of privileged/admin roles and service accounts; remove excess rights and grant only the minimum permissions required for each duty.
Implementation tips
- Security Officer: Determine the minimum access needed for each role by reviewing job descriptions and aligning system access requirements.
- IT Team: Create dedicated privileged accounts for users who need them by following a structured request and approval process in collaboration with department heads.
- System Administrator: Regularly review and disable privileged accounts that have been inactive for 45 days by using available system access logs and user activity reports.
- IT Support Staff: Set up a process to renew and validate privileged access every 12 months by sending reminders to account holders and their supervisors for reapproval.
- Security Officer: Ensure strict separation of internet and email access for privileged accounts by configuring network policies that block unnecessary traffic.
Audit / evidence tips
- Ask: What steps are in place to ensure privileged access is reviewed periodically?
- Good: All privileged access requests have been approved and are necessary for specific duties, with periodic revalidation records available
- Ask: How is privileged user activity monitored?
- Good: Logs indicate regular monitoring, and inactive accounts are promptly disabled
Cross-framework mappings
How E8-RA-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 5.3 | Annex A 5.3 requires organisations to segregate conflicting duties and responsibilities so no single person can complete an end-to-end hi... | |
| Related (3) | | |
| Annex A 5.15 | Annex A 5.15 requires establishing and implementing access control policies and procedures to ensure access is appropriate to business an... | |
| Annex A 8.2 | E8-RA-ML3.1 requires privileged access to systems, applications and data repositories to be limited to what is necessary for duties | |
| Annex A 8.3 | Annex A 8.3 requires restricting access to information and other assets according to a topic-specific access control policy | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (8) | | |
| ISM-1249 | ISM-1249 requires server applications to run under separate user accounts with only the minimum privileges required for their function | |
| ISM-1255 | ISM-1255 requires database users’ ability to access, insert, modify and remove database contents to be restricted based on work duties | |
| ISM-1843 | ISM-1843 requires an annual review to ensure unconstrained delegation is only present where there is a demonstrated business requirement ... | |
| ISM-1883 | ISM-1883 requires that privileged user accounts authorised to access online services are limited to only what is required for duties | |
| ISM-1933 | ISM-1933 requires that service accounts with SPNs are not granted DCSync permissions, limiting a high-risk privilege that enables domain ... | |
| ISM-1934 | ISM-1934 requires user accounts with DCSync permissions to be reviewed at least annually and removed if not required | |
| ISM-1938 | ISM-1938 requires that the Active Directory "Domain Computers" group is not granted write or modify permissions to any AD objects, preven... | |
| ISM-1939 | ISM-1939 requires minimising membership of highly privileged groups such as Domain Admins and Enterprise Admins | |
| Partially overlaps (8) | | |
| ISM-0133 | ISM-0133 requires notifying the data owner and restricting access to data when a data spill occurs to contain further unauthorised exposure | |
| ISM-0441 | E8-RA-ML3.1 requires privileged access to be limited to what is necessary for duties | |
| ISM-0446 | ISM-0446 requires blocking privileged access for foreign nationals to systems processing, storing or communicating AUSTEO or REL data | |
| ISM-1268 | E8-RA-ML3.1 requires limiting privileged access to systems, applications, and data repositories to only what is necessary for duties | |
| ISM-1507 | ISM-1507 requires validation of privileged access requests at the time of initial request to prevent unauthorised elevation | |
| ISM-1852 | ISM-1852 requires unprivileged access to systems and resources to be limited to only what users and services need to perform their duties... | |
| ISM-1958 | E8-RA-ML3.1 requires privileged access to be limited to only what is necessary for duties across systems, applications and data repositories | |
| ISM-2093 | ISM-2093 requires role-based access controls (RBAC) for AI applications to restrict access to sensitive AI data to authorised personnel | |
| Supports (5) | | |
| ISM-0488 | ISM-0488 requires limiting SSH key-based remote access by forcing a specific command and validating parameters, reducing the effective pr... | |
| ISM-1263 | E8-RA-ML3.1 requires privileged access to be limited to only what is necessary for duties | |
| ISM-1392 | ISM-1392 requires enforcing who can modify approved files and write to approved folders under application control path rules | |
| ISM-1746 | ISM-1746 requires that, when application control uses path rules, only approved users can change file system permissions for approved fil... | |
| ISM-1948 | ISM-1948 mandates CA Certificate Manager approval for SAN-supplying certificate templates, constraining who can enable potentially abusab... | |
| Related (4) | | |
| ISM-0611 | E8-RA-ML3.1 requires privileged access to systems, applications and data repositories to be limited to what is necessary for users and se... | |
| ISM-1250 | E8-RA-ML3.1 requires limiting privileged access so users and services only have what they need to perform duties | |
| ISM-1508 | E8-RA-ML3.1 requires privileged access to systems, applications and data repositories to be limited to what is required for users and ser... | |
| ISM-1833 | ISM-1833 requires Active Directory user accounts to be provisioned with the minimum privileges required | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.