Immediate Suspension of Unneeded System Access
Revoke system access for individuals as soon as it's no longer needed.
Plain language
This is about making sure that when someone no longer needs access to a system or data, their access is cut off straight away. It's like taking back the keys from someone who has moved out of a shared house. If not done immediately, the risk is that former employees or contractors could still get into your systems, possibly leading to data breaches or unauthorised usage.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Access to systems and their resources are removed or suspended the same day personnel no longer have a legitimate requirement for access.
Why it matters
Delays in revoking access can let former staff use retained credentials, increasing the likelihood of unauthorised access, data breaches or misuse.
Operational notes
Integrate same-day access suspension/removal into offboarding, and validate accounts are disabled across all systems.
Implementation tips
- HR should inform the IT team of any staff departures or role changes immediately. They can do this by setting up a daily notification email to alert the IT team about changes in employment status or job roles.
- The IT team should remove access on the same day when notified by HR. They should have a checklist of all systems each employee has access to, and once notified by HR, they need to go through this list and revoke access one by one.
- Managers should regularly review access rights of their team members. They should set a reminder to do this monthly and cross-check the access list with current team roles to ensure nobody has access they no longer need.
- Set up automatic alerts for any inactive accounts that haven't been used in a set period. The IT team can configure these alerts to notify them when an account has been inactive so they can check if the account is still needed.
- Create clear joiner, mover, and leaver procedures. HR, managers, and IT should together outline steps in a document for incorporating access reviews and make sure everyone knows who is responsible for what in these processes.
Audit / evidence tips
- Ask: to see the access revocation logs. Request logs or documents that track when access is revoked from systems.
  Good: a log showing timely revocation for each recorded employee change.
- Ask: how they notify the IT team about role changes or departures.
  Good: a description of a clear and consistent daily notification process.
- Good: they use a comprehensive checklist and act swiftly once they receive HR's notification.
- Ask: for a report on all accounts, including when they were last used.
  Good: all inactive accounts are marked or flagged for review.
- Good: a detailed document listing specific tasks for each group.
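The implementation tips above (same-day removal on HR notification, alerts for inactive accounts) and the audit tips (a log of timely revocation, inactive accounts flagged for review) both come down to reconciling an HR leaver feed against an account export. The following is an added example, not the Control Stack's or ASD's own tooling: it assumes a hypothetical HR feed and identity-provider export as lists of dicts (constructed sample data) and produces the two findings an auditor would ask for.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): one day's HR leaver feed and an
# account export from an identity provider, in the form the offboarding step consumes.
HR_LEAVERS = [
    {"user": "alice", "left_on": "2026-03-02"},
    {"user": "bob", "left_on": "2026-03-02"},
    {"user": "erin", "left_on": "2026-03-02"},
]
ACCOUNTS = [
    {"user": "alice", "enabled": False, "disabled_on": "2026-03-02", "last_login": "2026-03-01"},
    {"user": "bob", "enabled": True, "disabled_on": None, "last_login": "2026-03-03"},
    {"user": "carol", "enabled": True, "disabled_on": None, "last_login": "2026-03-06"},
    {"user": "dave", "enabled": True, "disabled_on": None, "last_login": "2025-12-01"},
    {"user": "erin", "enabled": False, "disabled_on": "2026-03-04", "last_login": "2026-03-02"},
]

def check_same_day_revocation(leavers, accounts):
    """Return (user, finding) pairs for leavers whose account was not disabled on the leaving date."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None:  # no account on this system, nothing to revoke
            continue
        left = date.fromisoformat(leaver["left_on"])
        if acct["enabled"]:
            msg = "still enabled"
            # A login after the leaving date is the event this control exists to prevent.
            if date.fromisoformat(acct["last_login"]) > left:
                msg += f", logged in {acct['last_login']} after leaving"
            findings.append((leaver["user"], msg))
        else:
            late_by = (date.fromisoformat(acct["disabled_on"]) - left).days
            if late_by > 0:  # disabled, but not the same day as the control requires
                findings.append((leaver["user"], f"disabled {late_by} day(s) late"))
    return findings

def find_inactive_accounts(accounts, today, max_idle_days=90):
    """Return enabled accounts with no login in max_idle_days, to be flagged for review."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and date.fromisoformat(a["last_login"]) < cutoff)

if __name__ == "__main__":
    for user, finding in check_same_day_revocation(HR_LEAVERS, ACCOUNTS):
        print(f"REVOCATION GAP {user}: {finding}")
    for user in find_inactive_accounts(ACCOUNTS, date(2026, 3, 19)):
        print(f"INACTIVE {user}: flag for review")
```

Run daily after the HR notification, the first function's output is the revocation log auditors ask for (an empty list is the "good" result); the second feeds the inactive-account alert. The 90-day idle threshold is an assumed value, not one the ISM specifies.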
Cross-framework mappings
How ISM-0430 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (1) | |
| Annex A 5.18 | ISM-0430 requires organisations to remove or suspend system access the same day a person no longer has a legitimate need for it |
| Partially overlaps (2) | |
| Annex A 5.11 | Annex A 5.11 requires that, when personnel or other interested parties leave or change roles, they return all organisational assets in th... |
| Annex A 6.5 | Annex A 6.5 requires information security responsibilities and duties that continue after termination or a role change to be defined, enf... |
| Supports (1) | |
| Annex A 8.4 | Annex A 8.4 requires controlled management of access to source code and development tooling, including removing access when no longer needed |
| Related (1) | |
| Annex A 5.16 | Annex A 5.16 requires organisations to manage identities through their full life cycle, including timely deprovisioning when access is no... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.