Restrict System Access for Foreign Nationals
Foreign nationals need strict controls to access systems handling AGAO data.
Plain language
This control ensures that people from other countries can't access critical data in your systems unless there are strong rules in place to prevent them from seeing or tampering with it. It's important because if we don't manage this well, sensitive information could end up in the wrong hands, leading to potential security breaches that can damage the organization's reputation and finances.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
May 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective controls are in place to ensure such data is not accessible to them.
Why it matters
If foreign nationals can access systems processing AGAO data, sensitive information may be exposed or exfiltrated, increasing security and compliance risk.
Operational notes
Maintain a register of foreign nationals (excluding seconded) and enforce deny-by-default on systems handling AGAO data; review access logs and permissions regularly.
Implementation tips
- Managers should verify who in their team is a foreign national and confirm their access levels to sensitive systems. This can be done by conducting a simple employee report with HR that lists citizenship and current access permissions.
- IT teams should set up specific access controls to make sure foreign nationals don’t have the ability to unintentionally see or interact with AGAO data. This might include setting up special user accounts with limited permissions.
- System administrators should regularly review and update system access settings. They can do this by setting reminders to audit access levels every quarter, ensuring the restrictions are still in place and effective.
- HR departments should implement clear policies for onboarding and offboarding foreign nationals, making sure that their access to sensitive systems is properly accounted for and restricted if necessary.
- Data protection officers need to establish and maintain a communication line with all departments to quickly address and rectify any breaches in policy, making sure all employees understand why sensitive data must be protected from unauthorized access.
Audit / evidence tips
- Ask for the employee access records: Request a list from HR showing the citizenship status of all employees and their access permissions. Look to ensure there are restrictions or controls in place for foreign nationals.
  Good: will have a list showing compliance with restricted access policies.
- Ask IT staff about the controls in place: Conduct an interview with IT personnel to understand what specific controls are implemented to restrict access.
  Good: describes robust measures without gaps.
- Ask HR for documentation outlining how new foreign national employees are onboarded and what measures are taken to restrict their access.
  Good: links to document flows and checkpoints in these processes.
- Ask for a recent access review report: Request any reports from the latest access audit performed on the systems in question.
  Good: report shows noted compliance and any necessary actions taken.
Cross-framework mappings
How ISM-0411 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (3)

| Control | Notes |
|---|---|
| Annex A 5.15 | ISM-0411 requires foreign nationals (excluding seconded foreign nationals) to be prevented from accessing AGAO data on systems unless eff... |
| Annex A 5.18 | ISM-0411 requires blocking foreign nationals from accessing AGAO data on relevant systems unless controls ensure the data is not accessib... |
| Annex A 8.3 | ISM-0411 requires that foreign nationals are not granted access to AGAO data on systems unless effective controls prevent their access to... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.