ISM-0420 ASD Information Security Manual (ISM)

Identify Nationality of Foreign Personnel in System

Ensure foreign nationals using the system are identified by their nationality for sensitive data security.

Plain language

This control is about making sure you know which foreign nationals, with their specific nationalities, are using your system when dealing with certain types of sensitive data. It's crucial because if you don't know who is accessing your sensitive information, you could unknowingly expose it to foreign interests, which could lead to data breaches or misuse.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Where systems process, store or communicate AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality.
ASD Information Security Manual (ISM) ISM-0420

Why it matters

Failure to identify foreign nationals accessing sensitive AUSTEO/AGAO/REL data can increase the risk of unauthorised foreign exposure and reportable data breaches.

Operational notes

Maintain HR/identity records to flag foreign nationals and record their exact nationality in access systems; review regularly when roles or clearances change.

Implementation tips

  • HR should work with the IT team to keep a record of personnel's nationality: When a new staff member, especially from overseas, joins the company, HR should verify and document their nationality and share this information with IT for system access records.
  • The IT team should set up a system account flagging process: Implement functionality in your system to flag accounts of foreign nationals with their nationality details. This helps system administrators keep track of who is accessing sensitive data.
  • Managers should ensure regular audits of user access data: Schedule monthly checks to review lists of users with access to sensitive systems, ensuring all foreign nationals are correctly flagged by nationality.
  • System owners need to update system access policies: Collaborate with legal and compliance teams to define roles and access levels appropriate for foreign nationals, aligning with your organisation's policy and any legal obligations.
  • Procurement should engage with verified identity management solutions: Invest in solutions that offer strong identity verification processes to efficiently gather and track user nationality information during the onboarding process.

Audit / evidence tips

  • Ask: The personnel nationality register: Request the document or system feature where personnel nationality is recorded. Good: Is a detailed and up-to-date register accessible by HR and IT.
  • Ask: The IT team to show how foreign nationals are flagged in the system. Good: Demonstration reveals precise and consistently applied flags.
  • Ask: Them how they verify and document the nationality of new hires. Good: Explains the verification process, where records are kept, and how this data is transferred to IT.
  • Good: Meeting shows thorough review and understanding.
  • Ask: To see policies regarding how foreign nationals can access sensitive data. Good: Policy contains explicit procedures and compliance with legal requirements.
Cross-framework mappings

How ISM-0420 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 5.16 ISM-0420 requires that where systems process, store or communicate AUSTEO, AGAO or REL data, personnel who are foreign nationals are expl...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
