Mandatory Authorisation for System Operation
System owners must get permission from an authorising officer to operate certain systems.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S
🗓️ ISM last updated
Mar 2026
✏️ Control Stack last updated
23 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
System owners
Control (ISM-0027)
System owners obtain an authorisation to operate for each non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET system from its authorising officer.
Source: ASD Information Security Manual (ISM)
Plain language
Before a system that handles non-classified, OFFICIAL: Sensitive, PROTECTED or SECRET information is put into operation, its system owner needs a formal authorisation to operate from the organisation's authorising officer. That authorisation is the authorising officer's acceptance of the security risks of running the system, so it should be informed by a completed risk assessment of the system rather than treated as a formality.
Why it matters
Without an authorisation to operate, a system can go live before its security risks have been assessed and formally accepted by someone accountable for them, increasing the likelihood of data breaches and other security incidents and leaving no clear owner of the residual risk.
Operational notes
Treat authorisation as ongoing rather than one-off: review it regularly and re-authorise when the system's use, architecture, the classification of the information it handles or the organisation's policies change, so that the risk the authorising officer accepted still matches the system as actually operated.
Implementation tips
- System owners should arrange a review with their authorising officer before the system goes into operation, so that both parties share an understanding of the system's purpose, the classification of the information it handles and its security risks.
- The IT team should prepare a system documentation kit ahead of that review: what the system does, where it is hosted and used, who uses it, and the security measures currently in place, together with the system's risk assessment.
- The authorising officer should review the documentation, confirm the identified risks and planned mitigations, and agree with the system owner on any additional safeguards or conditions of authorisation before deciding whether to accept the residual risk.
- System owners should maintain a checklist of authorisation requirements and update it whenever system use or organisational policy changes, so that triggers for re-authorisation are not missed.
- Formally record the authorisation decision using a standard form or an official email, noting who authorised the system, what was authorised, the date, and any conditions attached. Keep the record where it can be produced for audit.
Audit / evidence tips
- Ask: for the record of system authorisation, i.e. the documentation showing the system's approval.
  Look at: the details of the authorising officer and the approval date.
  Good: the record clearly shows the endorsement and meets all policy requirements.
- Ask: to see the system's risk assessment report.
  Look at: whether the report is complete and up to date, and whether it details the identified risks and planned mitigations.
  Good: the report is thorough and cites specific potential security issues rather than generic ones.
- Ask: for a copy of the meeting minutes discussing system authorisation.
  Look at: the discussions between system owners and authorising officers.
  Good: the minutes clearly outline the key points discussed and the decisions made.
- Ask: to review the system documentation kit.
  Look at: completeness and accuracy, covering system purpose, location and security measures.
  Good: the kit is detailed enough to inform the authorisation decision.
- Ask: to see any communications regarding system changes.
  Look at: whether system updates or changes were communicated to, and re-approved by, the authorising officer.
  Good: there are re-approval records for every change affecting security.
Cross-framework mappings
How ISM-0027 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.12 | ISM-0027 requires authorisation to operate for each system handling non-classified, OFFICIAL: Sensitive, PROTECTED or SECRET information,... |
| Supports | Annex A 5.15 | ISM-0027 requires system owners to obtain an authorisation to operate from an authorising officer, based on acceptance of the security ri... |