ISM-0409: ASD Information Security Manual (ISM)

Restrict Foreign Nationals' Access to Sensitive Data

Foreign nationals must not have access to systems handling certain sensitive data unless security measures keep that data inaccessible to them.


Plain language

This control is about making sure that sensitive information, especially data meant for Australian use only, isn’t accidentally accessed by people from other countries. It’s important because unauthorised access to sensitive data could lead to serious privacy breaches or national security risks.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

May 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective controls are in place to ensure such data is not accessible to them.

Why it matters

If foreign nationals access AUSTEO or REL data, it risks national security breaches and loss of sensitive information, damaging trust and integrity.


Operational notes

Regularly review identity, nationality status and role-based access to AUSTEO/REL systems; audit logs to confirm foreign nationals cannot access restricted data.


Implementation tips

  • The IT team should identify systems that handle sensitive data restricted to Australian nationals. They can do this by reviewing the types of data each system processes and noting which ones are labelled AUSTEO (Australian Eyes Only).
  • Managers should ensure that foreign nationals are clearly identified within the system's access controls. They can do this by reviewing employee records and access permissions regularly and flagging those who shouldn't have access to certain data.
  • The system owner should implement technical controls to restrict access, such as setting up permissions or firewalls to block sensitive data from being accessed externally. This involves configuring systems so that only authorised Australian personnel can retrieve this information.
  • HR should work with IT to ensure that all foreign nationals are informed of the access restrictions. They can achieve this by including information on data access policies during onboarding and sending out regular reminders.
  • Management should establish a process for regularly reviewing and updating access controls to account for staffing changes. This can be done by scheduling periodic audits and requiring IT to document any changes in access rights.

Audit / evidence tips

  • Ask: The list of systems processing AUSTEO data. Good: Includes a comprehensive and up-to-date list with proper classifications.
  • Good: Outcome shows no recorded access or attempts to restricted data by unauthorised users.
  • Ask: Them to describe how they enforce these controls. Good: Includes a detailed explanation of the technical measures in place and how they are monitored.
  • Good: Flow shows restricted access with clear error messages or log records when attempts are made.
  • Good: Result includes clear policy documents provided during onboarding and updated in employee manuals.

Cross-framework mappings

How ISM-0409 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (3):

  • Annex A 5.15: ISM-0409 requires foreign nationals to be restricted from accessing systems that process AUSTEO or REL data unless controls prevent this ...
  • Annex A 5.18: ISM-0409 mandates preventing foreign nationals from accessing AUSTEO or REL data unless effective controls eliminate access
  • Annex A 8.3: ISM-0409 requires restrictions on access by foreign nationals to systems handling AUSTEO or REL data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
