Maintain Effective System Administration Practices
Ensure systems are managed effectively with developed and maintained procedures.
Plain language
This control is about setting up and keeping good habits for managing your computer systems. It’s important because if these processes are neglected, things can quickly get disorganised, leading to security weaknesses, data loss, and downtime—especially in a small business or school environment where resources are limited.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System administration
Official control statement
System administration processes, and supporting system administration procedures, are developed, implemented and maintained.
Why it matters
Without documented and maintained system administration processes, admin tasks become inconsistent, increasing misconfigurations, unpatched systems, unauthorised access, and slower incident recovery.
Operational notes
Maintain documented admin procedures (accounts, patching, backups, change control) and review them after major changes or incidents to keep tasks consistent and repeatable across systems.
Implementation tips
- The IT team should create a clear, written procedure for routine system checks and updates. This can be done by listing all the essential tasks needed to keep your systems running smoothly, such as software updates and backups, and assigning team members to specific tasks.
- System owners should regularly review these procedures with the IT team. They can set up monthly meetings to go through what's been working and what needs tweaking, ensuring that the procedures remain up to date and effective.
- Managers should ensure there is a backup plan in place. They can work with the IT team to establish ongoing backup schedules and test the backup process at least once a quarter to confirm that data can be restored if something goes wrong.
- The procurement officer should have a role in system administration by making sure that any new hardware or software purchases fit the existing management procedures. They can review new tool requirements with IT before finalising a purchase.
- HR should collaborate with the IT team to ensure new staff are trained on basic system use and security practices. They could organise onboarding training sessions that cover essential system administration processes and security basics.
Audit / evidence tips
- Ask for the documented system administration procedures: Request the written guide describing standard processes for the IT team
  Good is a current document that the IT team says they use regularly
- Ask them about the last time procedures were updated and why
  Good shows they actively maintain and refine the procedures
- Good outcome is the task is done smoothly without unexpected issues
- Ask for logs or reports of backups conducted, including their success or failure details. Ensure they align with documented procedures
  Good log shows consistent backups with any issues addressed promptly
- Ask for recent training records: Request documentation on recent staff training regarding system administration practices
  Good includes evidence that all relevant staff attended the sessions
Cross-framework mappings
How ISM-0042 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.37 | ISM-0042 requires organisations to develop, implement and maintain end-to-end system administration processes and supporting procedures a... | |
| Annex A 8.9 | ISM-0042 requires organisations to develop, implement and maintain effective system administration practices and procedures for managing ... | |
| Related (3) | | |
| Annex A 8.13 | ISM-0042 requires organisations to develop, implement and maintain system administration procedures for effective ongoing system operations | |
| Annex A 8.19 | ISM-0042 requires organisations to maintain holistic system administration processes and procedures that govern operational management ac... | |
| Annex A 8.32 | ISM-0042 requires organisations to establish and maintain comprehensive system administration processes and procedures, including control... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.