Keep Physical Credentials Separate from Systems
Store physical credentials away from systems except when logging in.
Plain language
This control is about making sure your physical keys or access cards aren't left lying around near the computers or servers they unlock. This matters because if someone found them, they could easily access your systems and potentially steal data or cause harm to your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Protecting Credentials
Official control statement
Physical credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities.
Why it matters
Leaving physical credentials near systems exposes them to unauthorised access, risking data theft or service disruption.
Operational notes
Store access cards/keys away from the system when not authenticating; confirm return after use and record any exceptions to identify weak practices.
Implementation tips
- Office Managers should create a designated secure location for storing physical credentials, like keys or access cards. Use a locked cabinet or safe that only authorised staff can access.
- IT teams should educate staff about the importance of securely storing physical credentials when not in use. This can be done through regular training sessions and reminders in team meetings.
- Business Owners should develop a policy that outlines how physical credentials should be handled and stored. Make sure all employees read and acknowledge this policy as part of their onboarding process.
- HR departments should keep track of who is issued each physical credential and conduct regular audits. This involves maintaining an up-to-date register showing which employees have which credentials.
- Security personnel should implement a check-out/check-in process for physical credentials, especially if they are used by multiple staff. Staff should log when they take and return credentials, ensuring accountability.
Audit / evidence tips
- Ask: for the physical credential storage policy document. Request the written policy that describes how credentials should be securely stored. Good: the policy includes specific storage procedures and staff responsibilities.
- Ask: staff members how they handle their access cards or keys when not in use. Good: they describe storing them in a secure, designated place as outlined in the policy.
- Good: a clearly defined, secure storage area accessible only to authorised personnel.
- Good: an up-to-date and accurately maintained log.
- Ask: to see training records that indicate staff have been informed about credential handling procedures. Good: the records include recent training sessions and acknowledgment by new and existing employees.
Cross-framework mappings
How ISM-0418 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.15 | Partially meets | ISM-0418 requires a specific rule for handling physical credentials: keep them separate from the systems they authenticate to except duri... |
| Annex A 7.2 | Partially overlaps | ISM-0418 requires physical credentials (e.g |
| Annex A 8.5 | Partially overlaps | ISM-0418 requires physical credentials to be stored separately from the systems they authenticate to reduce the chance of immediate compr... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.