Strict Control of Shared User Accounts
Ensure shared user accounts are used carefully, with each user clearly identified to maintain security.
Plain language
This control is all about ensuring that if multiple people are using a shared user account, each person's activity can be tracked back to them. This matters because if something goes wrong or suspicious activity is detected, it's crucial to know who was responsible. Without this clarity, it's like trying to find a needle in a haystack if something bad happens.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
July 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Topic
User Identification
Official control statement
The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.
Why it matters
Without strict control of shared accounts, accountability is lost, making it difficult to trace malicious activity back to the responsible user.
Operational notes
Record who uses shared accounts (e.g., ticket/authorisation) and log all actions. Review logs routinely to ensure each session is attributable.
Implementation tips
- The IT manager should set up individual logins for each person using a shared account, even if just to log who uses it. Implement real-time logging software that captures when these accounts are accessed and by whom, ensuring each user’s identity is recorded.
- An HR representative should regularly update user access permissions when staff or roles change. Make it a routine to review which personnel have access to shared accounts to ensure only current, authorised staff can use them.
- The office manager should work with IT to label shared accounts clearly, showing who is currently allowed to use them. This means maintaining an up-to-date list that tracks every user's identity connected to the account.
- The IT team should implement logging software to track each login and action taken under shared accounts. Enable auditing features in systems to ensure there is a detailed usage log associated with every session initiated using a shared login.
- A security officer should conduct quarterly reviews of shared account use. Have them examine records to spot any unusual behaviour, such as access outside normal hours or to sensitive areas outside an individual’s remit.
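The operational notes and implementation tips above describe the review step in prose: every session under a shared account should carry an individual operator and an authorisation record, and access outside normal hours should stand out. The following is an added example (not code from the page or from Control Stack) that runs that check over constructed log lines; the `account=... operator=... ticket=...` line format, the `AUTHORISED` register and the 08:00-17:59 UTC business-hours window are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed register (assumption): shared account -> personnel currently authorised to use it.
AUTHORISED = {"svc-backup": {"a.ng", "j.smith"}}

# Constructed sample log lines (assumed format): each login to a shared account should
# record the individual operator behind it and the ticket that authorised the session.
LOG_LINES = [
    "2026-03-10T09:12:00Z account=svc-backup operator=a.ng ticket=CHG-1042 action=login",
    "2026-03-10T23:40:00Z account=svc-backup operator=j.smith ticket=CHG-1050 action=login",
    "2026-03-11T10:05:00Z account=svc-backup operator=- ticket=- action=login",
    "2026-03-11T11:30:00Z account=svc-backup operator=p.lee ticket=CHG-1061 action=login",
]

LINE_RE = re.compile(r"^(\S+) account=(\S+) operator=(\S+) ticket=(\S+) action=(\S+)$")
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 UTC counts as normal hours


def review_shared_account_logins(lines, authorised=AUTHORISED):
    """Return a list of (log_line, issues) for every login to a shared account.

    An empty issues list means the session is attributable to an authorised
    person, carries an authorisation ticket and occurred during business hours.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings.append((line, ["unparseable log line"]))
            continue
        ts, account, operator, ticket, action = m.groups()
        if action != "login" or account not in authorised:
            continue  # only shared-account logins are in scope for this review
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        issues = []
        if operator == "-":
            issues.append("unattributed: no individual operator recorded")
        elif operator not in authorised[account]:
            issues.append(f"unauthorised operator {operator}")
        if ticket == "-":
            issues.append("no authorisation ticket")
        if when.hour not in BUSINESS_HOURS:
            issues.append("outside business hours")
        findings.append((line, issues))
    return findings


if __name__ == "__main__":
    for line, issues in review_shared_account_logins(LOG_LINES):
        print("OK  " if not issues else "FLAG", line, "; ".join(issues))
```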
Audit / evidence tips
- Ask: The user access control policy. Request documentation that outlines how shared accounts are managed and how user identities are recorded.
  Good: shows a detailed process for both assigning and tracking individual access.
- Ask: them how they log in and what steps confirm that their actions are recorded.
  Good: answers should mention steps for identity confirmation when using shared accounts and awareness of accountability.
- Ask: to see a live demonstration of how users log into a shared account.
  Good: the session shows both the recording of the session and individual accountability.
- Good: clear documentation showing improvements made based on audit feedback.
Cross-framework mappings
How ISM-0415 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.16 | ISM-0415 requires shared user accounts to be strictly controlled and used in a way that makes each individual user uniquely identifiable | |
| Annex A 5.18 | ISM-0415 requires that shared user accounts are tightly controlled and that activity performed using them can be attributed to a uniquely... | |
| Partially overlaps (1) | | |
| Annex A 8.2 | ISM-0415 requires strict governance over shared user accounts and unique identification of each person who uses them to maintain accounta... | |
| Supports (1) | | |
| Annex A 8.4 | Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-RA-ML2.6 | E8-RA-ML2.6 requires privileged access events to be centrally logged to detect misuse and support attribution | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.