ISM-0405, ASD Information Security Manual (ISM)

Validation for Unprivileged System Access Requests

Requests for basic system access are checked when they are first made.

Plain language

When someone wants to access a computer system for everyday tasks, their request is checked at the very beginning. This is important because if you don't verify requests first, unauthorised people could gain access, leading to stolen data or other security issues.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Requests for unprivileged access to systems and their resources are validated when first requested.
ASD Information Security Manual (ISM), ISM-0405

Why it matters

Failure to validate unprivileged access requests can lead to unauthorised access, data breaches, and misuse of system resources by unapproved users.

Operational notes

Validate each unprivileged access request at submission against user identity and business need, and record approvals/denials to provide an auditable trail.

Implementation tips

  • The system owner should create a checklist of who can approve new access requests and the criteria they need to meet. This involves working with the HR department to ensure the list includes all necessary details about the employee and their role.
  • The IT team should design an access request form that collects relevant information about the person needing access and the level of access required. This can be done by using simple online forms that automatically record details.
  • Line managers should review each access request for their team members to ensure it aligns with their job role. This should be done by comparing the employee's job description with the access requested, ensuring no unnecessary privileges are granted.
  • The HR department should maintain an updated list of staff roles and corresponding access levels. This ensures that the IT team has accurate information to validate any access requests.
  • Staff responsible for approving access should be trained on how to evaluate requests properly. This includes knowing the potential risks of granting access and ensuring requests align with organisational policies.
Audit / evidence tips

  • Ask: Recent access request logs. Examine the log to see that each request is accompanied by a completed form and approval signature. Good: Shows completed requests with clear approvals and reasons for granting access.
  • Good: All approvals match the criteria outlined, without exception.
  • Ask: Have them explain how they verify that the access level requested is appropriate for the role. Good: Shows managers are aware of and adhere to access guidelines.
  • Good: A smooth process where each step is clearly followed and documented.
  • Ask: Training records of staff responsible for approving access. Review records to confirm that employees received training on the access approval process. Good: Includes completion certificates or sign-in sheets showing who attended and when.
Cross-framework mappings

How ISM-0405 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.18: ISM-0405 requires that requests for unprivileged access to systems and resources are validated when first requested

Supports (1)

  • Annex A 8.4: Annex A 8.4 requires controlled assignment of read/write access to source code and development tooling to reduce unauthorised changes and...

Related (1)

  • Annex A 5.15: Annex A 5.15 requires organisations to establish and implement access control policies and procedures based on business and security requ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.