Maintain Secure User Access Records
Keep a secure record of who accessed the system, who authorised it, and details of their access levels.
Plain language
This control is about keeping track of who can access your organisation's systems, who approved that access, and what each person is allowed to do once they're in. It matters because, without a proper record, you cannot establish after the fact who held what access and when, which is exactly what an investigation into a data breach or an unauthorised change to important files needs to answer.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
A secure record is maintained for the life of systems and their resources that covers the following for each user:
- their user identification
- their signed agreement to abide by system usage policies
- who authorised their access
- when their access was granted
- the level of access they were granted
- when their access, and their level of access, was last reviewed
- when their level of access was changed, and to what extent (if applicable)
- when their access was withdrawn (if applicable).
Why it matters
Without a secure record that spans the whole access lifecycle (authorisation, grant date, access level, reviews, changes and withdrawal), an investigation into unauthorised access cannot reliably establish who held what access at a given time, or whether that access was ever approved. A record that can be altered without trace is not evidence.
Operational notes
Regularly audit access records to confirm that each authorisation still matches the user's current role, and record every change to a user's access level promptly, including who authorised it and when it took effect.
Implementation tips
- System owners should create a detailed access register: Document each user's access rights, the person who approved their access, when it was granted, and the user's signed agreement to follow the usage policies. A spreadsheet or an access management tool can hold this information, but the control asks for a secure record, so restrict who can edit it and keep its change history; a register that anyone can silently alter cannot prove who had what access when.
- Managers should schedule regular reviews: Periodically review who has access to which systems and why. Use a quarterly calendar reminder to ensure these reviews happen, and adjust access levels as needed to match current job roles.
- Human Resources should ensure signed agreements: Make sure every employee signs an agreement about system usage policies before they receive system access. Store these signed documents securely, possibly as digital copies, in each employee's personnel file.
- IT teams should document access changes: Whenever someone's access level changes or is withdrawn, record what was changed, when, by whose authority and why. Use a ticketing system or a simple log to capture these adjustments, and update the register immediately rather than in a later batch, so the record and the actual state of the system never drift apart.
- System owners should monitor access records: Regular checks should ensure that the access records are up-to-date and complete. Develop a quick monthly checklist to verify all necessary user and access details are recorded accurately.
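The tips above describe a per-user lifecycle record plus periodic review. As an added example (not code from the page or from the ISM), the following Python sketches one way to keep such a register: an append-only event log that is hash-chained so that any later edit to an earlier entry is detectable, which is a design choice of this example and not something the control prescribes. It refuses to record a grant for a user with no signed agreement on file, derives each user's current access from the events, and runs the review check an auditor would ask for. All users, dates, names and the 90-day review interval are constructed for illustration.

```python
"""Hash-chained user access register and review audit.

Added example, not from the page or the ISM; field names follow the
ISM-0407 control statement, everything else is an assumption.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta

EVENT_KINDS = ("granted", "reviewed", "changed", "withdrawn")


@dataclass
class Event:
    user_id: str
    kind: str             # one of EVENT_KINDS
    when: date
    by: str               # who authorised or performed the action
    level: str | None     # access level after this event (None for reviews/withdrawals)
    note: str
    prev_hash: str        # hash of the preceding event, "" for the first entry
    hash: str = ""

    def compute_hash(self) -> str:
        """SHA-256 over every field except the hash itself, with a canonical encoding."""
        body = asdict(self)
        body.pop("hash")
        body["when"] = self.when.isoformat()
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AccessRegister:
    def __init__(self) -> None:
        self.agreements: dict[str, date] = {}   # user_id -> date the usage agreement was signed
        self.events: list[Event] = []

    def record_agreement(self, user_id: str, signed_on: date) -> None:
        self.agreements[user_id] = signed_on

    def append(self, user_id: str, kind: str, when: date, by: str,
               level: str | None = None, note: str = "") -> Event:
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind {kind!r}")
        if kind == "granted" and user_id not in self.agreements:
            # Preventative check: no signed usage agreement, no access grant.
            raise PermissionError(f"{user_id}: no signed usage agreement on file")
        prev = self.events[-1].hash if self.events else ""
        ev = Event(user_id, kind, when, by, level, note, prev)
        ev.hash = ev.compute_hash()
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        """True if every entry still matches its hash and the chain is unbroken."""
        prev = ""
        for ev in self.events:
            if ev.prev_hash != prev or ev.compute_hash() != ev.hash:
                return False
            prev = ev.hash
        return True

    def current_access(self, user_id: str) -> dict:
        """Replay the user's events into the fields the control statement lists."""
        state = {"user_id": user_id, "agreement_signed": self.agreements.get(user_id),
                 "authorised_by": None, "granted_on": None, "level": None,
                 "last_reviewed": None, "withdrawn_on": None}
        for ev in self.events:
            if ev.user_id != user_id:
                continue
            if ev.kind == "granted":
                state.update(authorised_by=ev.by, granted_on=ev.when, level=ev.level)
            elif ev.kind == "changed":
                state["level"] = ev.level
            elif ev.kind == "reviewed":
                state["last_reviewed"] = ev.when
            elif ev.kind == "withdrawn":
                state.update(level=None, withdrawn_on=ev.when)
        return state

    def audit(self, as_of: date, review_every: timedelta = timedelta(days=90)) -> list[tuple[str, str]]:
        """Flag active users whose access has not been reviewed within review_every."""
        findings = []
        for user_id in sorted({ev.user_id for ev in self.events}):
            s = self.current_access(user_id)
            if s["withdrawn_on"] is not None:
                continue    # withdrawn access stays in the record but needs no review
            last = s["last_reviewed"] or s["granted_on"]
            if last is not None and as_of - last > review_every:
                findings.append((user_id, "review_overdue" if s["last_reviewed"] else "never_reviewed"))
        return findings


AS_OF = date(2025, 10, 15)   # constructed "today" for the sample audit


def build_sample() -> AccessRegister:
    """Constructed sample records, not real data."""
    reg = AccessRegister()
    reg.record_agreement("alice", date(2025, 1, 10))
    reg.append("alice", "granted", date(2025, 1, 15), by="mgr.bob", level="user")
    reg.append("alice", "reviewed", date(2025, 4, 10), by="mgr.bob")
    reg.append("alice", "changed", date(2025, 6, 1), by="mgr.bob", level="admin", note="role change")
    reg.append("alice", "reviewed", date(2025, 7, 1), by="mgr.bob")
    reg.record_agreement("carol", date(2025, 2, 1))
    reg.append("carol", "granted", date(2025, 2, 3), by="mgr.bob", level="user")
    reg.record_agreement("dave", date(2025, 2, 20))
    reg.append("dave", "granted", date(2025, 3, 1), by="mgr.eve", level="user")
    reg.append("dave", "withdrawn", date(2025, 9, 30), by="mgr.eve", note="left organisation")
    reg.record_agreement("erin", date(2025, 9, 18))
    reg.append("erin", "granted", date(2025, 9, 20), by="mgr.eve", level="user")
    return reg


def sample_findings() -> list[tuple[str, str]]:
    return build_sample().audit(AS_OF)


if __name__ == "__main__":
    reg = build_sample()
    print("chain intact:", reg.verify())
    for user, issue in reg.audit(AS_OF):
        print("finding:", user, issue)
```

Run as-is and it reports that alice's last review (1 July) is older than 90 days on the sample date, that carol was never reviewed since her grant, and nothing for dave (withdrawn) or erin (granted 25 days earlier). Editing any stored event, for example changing alice's recorded level, makes `verify()` return False, which is the property that turns a register into evidence.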
Audit / evidence tips
- Ask: to see the user access log, that is, the document or system record listing all current users, their access levels and authorisation details.
  Good: a comprehensive log showing up-to-date and detailed information.
- Good: a full set of signed agreements for all users with current access.
- Ask: managers how often they review user access levels and the outcomes of these reviews.
  Good: clear evidence of regular reviews and adjustments based on role changes.
- Good: a clear, step-by-step process that matches the policy documentation.
- Good: a timely, detailed record for all changes made.
Cross-framework mappings
How ISM-0407 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.33 | Annex A 5.33 requires records to be protected from loss, destruction, falsification, unauthorised access and unauthorised release |
| Supports | Annex A 5.1 | ISM-0407 requires keeping user access records including a signed agreement to abide by system usage policies and details of who authorise... |
| Supports | Annex A 5.11 | Annex A 5.11 requires that personnel and other interested parties return all organisation assets in their possession when their employmen... |
| Supports | Annex A 5.15 | ISM-0407 requires a secure record of user identities, access approvals, access levels, periodic reviews, changes and withdrawal |
| Supports | Annex A 5.16 | Annex A 5.16 requires the identity lifecycle to be managed, which relies on maintaining evidence of identity creation, authorisation, cha... |
| Supports | Annex A 8.2 | ISM-0407 requires a secure, life-of-system record for each user covering authorisation, access grant dates, access level, reviews, change... |
E8
| Relationship | Control | Notes |
|---|---|---|
| Supports | E8-RA-ML1.1 | E8-RA-ML1.1 requires organisations to validate privileged access requests when first requested |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.