ISM-0414 ASD Information Security Manual (ISM)

Ensure Unique Identification for System Access

People accessing systems must have unique identifiers to ensure accountability.

Plain language

This control is about making sure everyone who accesses your systems has a unique username or identifier. It's important because if something goes wrong, like data being changed or sensitive information being leaked, you can trace it back to the specific person responsible.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Personnel granted access to systems and their resources are uniquely identifiable.

Why it matters

Without unique user IDs, actions cannot be reliably traced to a person, reducing accountability and enabling misuse to go undetected.

Operational notes

Regularly review accounts to confirm each identifier is unique and remove shared, duplicate or reused accounts when staff roles change.

Implementation tips

  • System owners should assign unique usernames: Make sure every person using your systems has their own username. Do this by working with your IT team to set up accounts for every individual rather than shared logins.
  • HR should update staff records: Ensure HR keeps detailed records of employment that link each employee to their unique username. Do this by creating a spreadsheet where HR logs each employee's start and end date alongside their assigned username.
  • Managers should conduct regular audits: Managers must check that all system users are accounted for and their access is still necessary. Do this by requesting a list of all active users from IT and comparing it against current staff.
  • IT team should implement user lifecycle management: Establish a process where IT updates, revokes, or adds user accounts as employees join or leave. Document this process in a policy manual that HR and IT review regularly.
  • Procurement should include unique ID requirements in contracts: When purchasing new software, ensure contracts require user account controls that support unique identifiers. Work with IT to specify this need when evaluating new systems.

Audit / evidence tips

  • Ask: The user account list: Request a system-generated list of all current user accounts. Good: Is a list with clear names or IDs matching actual employees.
  • Good: Includes a defined workflow and an emphasis on individual access.
  • Good: Practice is prompt action informed by HR updates.
  • Good: Includes checklist items showing HR coordinates with IT for creating accounts.
  • Ask: Any recent contracts for software that involve user access. Good: Shows these clauses exist, ensuring future systems support this control.

Cross-framework mappings

How ISM-0414 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 5.16: ISM-0414 requires personnel granted system access to be uniquely identifiable for accountability

Supports (2)
  • Annex A 5.18: ISM-0414 mandates that personnel with system access have unique identifiers, supporting the management of access rights (Annex A 5.18)
  • Annex A 8.4: Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
