Mandatory Authorisation for System Operation
System owners must get permission from an authorising officer to operate certain systems.
Plain language
Before you can start using certain types of systems, you need approval from a designated person in your organisation, like a manager. This approval is important because it ensures the system is safe to use and doesn't put sensitive information at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gatewaysSection
System ownersOfficial control statement
System owners obtain an authorisation to operate for each non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET system from its authorising officer.
Why it matters
Without authorisation, systems may operate without adequate security checks, increasing the risk of data breaches or other security incidents.
Operational notes
Regularly review and update system authorisation to reflect any changes in system use or organisational policies, keeping security measures relevant and effective.
Implementation tips
- System owners should schedule a meeting with their authorising officer to discuss and approve the use of a system. In this meeting, ensure both parties understand the system's purpose and potential risks.
- The IT team should prepare a system documentation kit before the meeting. This includes what the system does, where it will be used, and any security measures currently in place.
- The authorising officer should review the documentation and discuss any additional safeguards needed with the system owner. Ensure potential risks are clearly communicated and understood.
- System owners need to maintain a checklist of authorisation requirements. Update this checklist periodically based on changes in system use or organisational policies.
- Managers should ensure they formally record the approval process. Use a standard form or an official email to document the authorisation, noting who approved it and on what date.
Audit / evidence tips
-
Askthe record of system authorisation: Request the documentation showing the system's approval
Look atdetails on the authorising officer and approval date
Goodrecord clearly shows the endorsement and meets all policy requirements
-
Askto see the system's risk assessment report: Check that this report is complete and up-to-date. Ensure it details identified risks and planned mitigations. A well-written report should be thorough, citing specific potential security issues
-
Aska copy of the meeting minutes discussing system authorisation
Look atthe discussions between system owners and authorising officers
Gooddocument should clearly outline key points discussed and decisions made
-
Askto review the system documentation kit: Check for completeness and accuracy, covering system purpose, location, and security measures. This should be detailed enough to inform the authorisation decision
-
Askto see any communications regarding system changes: Ensure that any system updates or changes were communicated and re-approved by the authorising officer. A proper process includes re-approval records for changes affecting security
Cross-framework mappings
How ISM-0027 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 5.12 | ISM-0027 requires authorisation to operate for each system handling non-classified, OFFICIAL: Sensitive, PROTECTED or SECRET information,... | |
| handshake Supports (1) expand_less | ||
| Annex A 5.15 | ISM-0027 requires system owners to obtain an authorisation to operate from an authorising officer, based on acceptance of the security ri... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.