Enforcement of Secure Session Locking Measures
Sessions lock after inactivity or maximum duration, blocking access until users re-authenticate with all required factors.
Plain language
This control ensures that when you're using a system, it will automatically lock you out if you’ve been inactive for a while or have been logged in too long. This matters because if you're away from your device, someone else shouldn't be able to access sensitive information without re-entering your security details.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Services are configured with a session lock that:
- activates after a maximum of 15 minutes of user inactivity, a maximum of 12 hours of overall session time or when manually activated by users
- blocks access to all session content
- requires users to re-authenticate using all authentication factors to unlock the session
- denies users the ability to disable the session locking mechanism.
Why it matters
Failure to enforce session locking and full re-authentication can allow unauthorised access to an unattended, still-valid user session and expose sensitive data.
Operational notes
Verify session locks trigger at 15 minutes idle and 12 hours max, block all content, require all factors to unlock, and cannot be disabled by users.
Implementation tips
- IT team should set automatic session lock policies: Implement session locks that activate after 15 minutes of inactivity or a maximum session time of 12 hours. Use your system’s settings to configure these policies and ensure they are enforced across all user accounts.
- System administrators should require multi-factor authentication: Ensure that to unlock a session, users must enter all required authentication factors, such as a password and a code sent to their phone. Set up these factors through your security software settings and inform users about these requirements.
- Managers should educate staff about session locking: Explain why session locks are important and how users can manually lock their sessions when stepping away from their devices. Conduct regular information sessions or send instructional emails to remind staff.
- HR should include session locking policies in security training: Ensure new employees are briefed on session locking during their onboarding process by including it in the security training package. Regularly update training materials to reflect any changes in policies.
- IT departments should monitor adherence to session lock policies: Regularly review logs to ensure that session lock policies are being followed and address any issues immediately. This could be managed through weekly automated reports that flag non-compliance.
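The implementation tips above describe the session-lock behaviour in the abstract. The following is an added example, not code from the ISM or from any product, of how a service can enforce the four clauses of the control statement: an idle limit of 15 minutes, an overall limit of 12 hours, a manual lock, all-factor re-authentication to unlock, and no user-controlled way to switch the mechanism off. The clock is injected as `now` (seconds) so the limits can be exercised without waiting; `REQUIRED_FACTORS` and the `verify` hook are assumptions standing in for a real authenticator.

```python
"""Session-lock enforcement model for the ISM-0428 requirements.

Added example, not code from the ISM or from any product. The clock is
passed in as `now` (seconds) so the limits can be tested without waiting.
REQUIRED_FACTORS and the `verify` hook are assumptions standing in for a
real authenticator.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set

IDLE_LIMIT_S = 15 * 60            # lock after 15 minutes of inactivity
MAX_SESSION_S = 12 * 60 * 60      # lock after 12 hours of overall session time
# Assumed factor set for this deployment; a real service takes this from policy.
REQUIRED_FACTORS = frozenset({"password", "otp"})


class SessionLocked(Exception):
    """Raised when session content is requested while the session is locked."""


@dataclass
class Session:
    user: str
    started_at: float          # time of the last full authentication
    last_activity: float
    locked: bool = False
    lock_reason: Optional[str] = None
    # Deliberately no attribute or method lets the user change IDLE_LIMIT_S
    # or MAX_SESSION_S: the locking mechanism cannot be disabled per session.

    def _apply_limits(self, now: float) -> None:
        """Engage the lock if either time limit has been reached."""
        if self.locked:
            return
        if now - self.last_activity >= IDLE_LIMIT_S:
            self.locked, self.lock_reason = True, "idle"
        elif now - self.started_at >= MAX_SESSION_S:
            self.locked, self.lock_reason = True, "max_duration"

    def lock(self) -> None:
        """Manual lock, available to the user at any time."""
        self.locked, self.lock_reason = True, "manual"

    def access(self, now: float, resource: str) -> str:
        """Return session content, or refuse all of it while locked."""
        self._apply_limits(now)
        if self.locked:
            raise SessionLocked(f"session for {self.user} is locked ({self.lock_reason})")
        self.last_activity = now
        return f"content of {resource} for {self.user}"

    def unlock(self, now: float, presented: Set[str],
               verify: Callable[[str], bool]) -> bool:
        """Unlock only when every required factor is presented and verifies.

        `verify(factor)` is an assumed hook that checks one factor against
        the real authenticator. Presenting a subset of the factors fails.
        """
        if not self.locked:
            return True
        if not REQUIRED_FACTORS <= presented:
            return False
        if not all(verify(f) for f in REQUIRED_FACTORS):
            return False
        # Design choice for this example: a successful full re-authentication
        # starts a fresh 12-hour clock, as a new login would.
        self.started_at = now
        self.last_activity = now
        self.locked, self.lock_reason = False, None
        return True


def run_demo() -> list:
    """Walk a session through idle lock, refused partial unlock and full unlock."""
    events = []
    s = Session(user="alice", started_at=0.0, last_activity=0.0)
    s.access(60.0, "dashboard")
    try:
        s.access(60.0 + IDLE_LIMIT_S, "dashboard")
    except SessionLocked as e:
        events.append(str(e))
    events.append(f"partial unlock accepted: {s.unlock(1000.0, {'password'}, lambda f: True)}")
    events.append(f"full unlock accepted: {s.unlock(1000.0, {'password', 'otp'}, lambda f: True)}")
    return events


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the module prints the three events from `run_demo()`: the idle lock engaging at exactly 15 minutes after the last access, a password-only unlock being refused, and the unlock with both factors succeeding. The limits live in module constants rather than on the session object so that no code path a user can reach alters them.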
Audit / evidence tips
- Ask for a copy of the session lock policy documentation: review the document to confirm it specifies session time frames and re-authentication requirements.
  Good: a clear policy document with defined time limits and no option for users to disable it.
- Good: consistent logging data showing compliance with policy requirements.
- Ask them how they lock their sessions and if they understand why it's necessary.
  Good: staff easily explaining how they re-authenticate and why session locking is important.
- Good: the system locking and requiring re-authentication after the set inactivity period.
- Ask for a technical demonstration or screen capture of the configuration settings.
  Good: settings that match the policy, with no option for users to disable the locking.
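The evidence item above about consistent logging data, and the implementation tip about reviewing logs and flagging non-compliance, both come down to the same check: do the recorded events show the lock firing when policy says it must, and the session being cleared only with every factor? The following is an added example, not from the ISM or any product, of such a review. The log format (an ISO-8601 timestamp followed by `key=value` pairs) and the sample lines are constructed for this illustration; a real review would parse the service's own audit log.

```python
"""Log review for session-lock compliance.

Added example, not from the ISM or any product. The log format and the
sample lines are constructed for this illustration. The review flags
sessions where the idle lock fired late or not at all, where activity
continued past the 12-hour limit without a lock, where content was used
while locked, and where a lock was cleared without every factor.
"""
from datetime import datetime, timedelta
from typing import Any, Dict, List

IDLE_LIMIT = timedelta(minutes=15)
MAX_SESSION = timedelta(hours=12)
REQUIRED_FACTORS = {"password", "otp"}   # assumed full factor set for the deployment

# Constructed sample log (not real data). s1 is compliant; s2 misses a lock
# and is unlocked with one factor; s3 is never locked at all.
SAMPLE_LOG = """\
2026-03-19T09:00:00Z session=s1 user=alice event=login factors=password,otp
2026-03-19T09:10:00Z session=s1 user=alice event=activity
2026-03-19T09:25:00Z session=s1 user=alice event=lock reason=idle
2026-03-19T09:30:00Z session=s1 user=alice event=unlock factors=password,otp
2026-03-19T08:00:00Z session=s2 user=bob event=login factors=password,otp
2026-03-19T08:05:00Z session=s2 user=bob event=activity
2026-03-19T08:40:00Z session=s2 user=bob event=activity
2026-03-19T08:50:00Z session=s2 user=bob event=lock reason=manual
2026-03-19T08:55:00Z session=s2 user=bob event=unlock factors=password
2026-03-18T20:00:00Z session=s3 user=carol event=login factors=password,otp
2026-03-19T08:30:00Z session=s3 user=carol event=activity
"""


def parse_line(line: str) -> Dict[str, Any]:
    """Turn '<ts> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec: Dict[str, Any] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def review(log_text: str) -> List[str]:
    """Return one finding per policy deviation, in time order."""
    findings: List[str] = []
    state: Dict[str, Dict[str, Any]] = {}
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    for rec in records:
        sid, ev, ts = rec["session"], rec["event"], rec["ts"]
        st = state.setdefault(sid, {"start": None, "last": None, "locked": False})
        if ev == "login":
            st.update(start=ts, last=ts, locked=False)
        elif ev == "activity":
            if st["locked"]:
                findings.append(f"{sid}: activity while locked at {ts:%H:%M}")
            elif st["last"] is not None and st["start"] is not None:
                gap = ts - st["last"]
                if gap > IDLE_LIMIT:
                    findings.append(f"{sid}: {gap} of inactivity with no lock")
                if ts - st["start"] > MAX_SESSION:
                    findings.append(f"{sid}: still active {ts - st['start']} after login with no lock")
            st["last"] = ts
        elif ev == "lock":
            # Only an idle lock has a deadline; manual and max-duration locks do not
            if rec.get("reason") == "idle" and st["last"] is not None:
                late = ts - st["last"] - IDLE_LIMIT
                if late > timedelta(0):
                    findings.append(f"{sid}: idle lock fired {late} late")
            st["locked"] = True
        elif ev == "unlock":
            presented = {f for f in str(rec.get("factors", "")).split(",") if f}
            missing = sorted(REQUIRED_FACTORS - presented)
            if missing:
                findings.append(f"{sid}: unlocked without factor(s) {', '.join(missing)}")
            st.update(locked=False, last=ts)
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, `review(SAMPLE_LOG)` reports nothing for s1, a 35-minute idle gap with no lock and a one-factor unlock for s2, and both an unlocked idle gap and an overrun of the 12-hour limit for s3. Scheduling this over the previous week's log gives the automated non-compliance report the implementation tips call for.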
Cross-framework mappings
How ISM-0428 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Supports (2)

| Control | Notes |
|---|---|
| Annex A 8.3 | ISM-0428 requires services to enforce secure session locking after defined inactivity or maximum session duration, blocking session conte... |
| Annex A 8.5 | ISM-0428 requires re-authentication using all authentication factors to unlock a locked session, and prevents users from disabling the lo... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.