ISM-0078: ASD Information Security Manual (ISM)

Australian Supervision of AUSTEO/AGAO Data Systems

Only Australian nationals should control systems handling sensitive Australian data.


Plain language

This control requires that any system handling sensitive Australian data, specifically AUSTEO (Australian Eyes Only) or AGAO (Australian Government Access Only), always be managed by an Australian citizen. This matters because allowing foreign nationals to control these systems increases the risk of sensitive data being accessed by individuals or entities not authorised by the Australian Government.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

May 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government.

Why it matters

Allowing non-Australian nationals to manage AUSTEO/AGAO systems risks data leaks to unauthorised foreign entities, compromising national security.


Operational notes

Each week, confirm that AUSTEO/AGAO administrators are Australian nationals acting for the Australian Government, and review access lists and logs for any non-compliant accounts.


Implementation tips

  • The system manager should verify the nationality of all staff who can control or manage systems containing AUSTEO or AGAO data. This can be done by checking passports or other government-issued identification to confirm Australian citizenship.
  • The HR department should ensure that job descriptions for roles involving access to AUSTEO/AGAO systems clearly list Australian citizenship as a requirement. This ensures that only eligible candidates can apply for these sensitive positions.
  • IT managers should configure access controls on AUSTEO/AGAO systems to ensure that only approved accounts belonging to Australian citizens have administrative rights. This can be set up through identity verification tools and tight account management processes.
  • The compliance officer should regularly audit staff lists and access logs to ensure only Australian nationals are controlling these systems. They can use automated tools designed for monitoring access to maintain oversight efficiently.
  • Procurement teams should ensure any service contracts involving access to AUSTEO/AGAO systems specify that staff must be Australian citizens. They should include specific clauses in contracts and verify the compliance of contractors at regular intervals.

Audit / evidence tips

  • Ask: The personnel list of individuals with access to AUSTEO/AGAO systems. Verify that the list includes only Australian citizens. Good: All listed individuals have citizenship proof on file.
  • Good: Includes all job descriptions with this stipulation, demonstrating compliance with hiring policies.
  • Good: Shows audit logs reflecting access attempts and confirms access was granted only to authorised accounts.
  • Ask: How they verify citizenship when hiring for these roles and how they update access when employment status changes. Good: Involves checking citizenship upon hiring and maintaining a current list of authorised individuals.
  • Good: Includes contract excerpts confirming these requirements and the practice of regular contractor compliance checks.

Cross-framework mappings

How ISM-0078 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Relationship: Supports (1)
Control: Annex A 8.2
Notes: ISM-0078 requires that systems handling AUSTEO/AGAO data remain under the control of an Australian national working for or on behalf of t...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
