Control Stack
ISM-0430 ASD Information Security Manual (ISM)

Immediate Suspension of Unneeded System Access

Revoke system access for individuals as soon as it's no longer needed.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Access to systems and their resources are removed or suspended the same day personnel no longer have a legitimate requirement for access.

Source: ASD Information Security Manual (ISM)

Plain language

This is about making sure that when someone no longer needs access to a system or data, their access is cut off straight away. It's like taking back the keys from someone who has moved out of a shared house. If not done immediately, the risk is that former employees or contractors could still get into your systems, possibly leading to data breaches or unauthorised usage.

Why it matters

Delays in revoking access can let former staff use retained credentials, increasing the likelihood of unauthorised access, data breaches or misuse.

Operational notes

Integrate same-day access suspension or removal into offboarding, and validate that accounts are disabled across all systems.

Implementation tips

  • HR should inform the IT team of any staff departures or role changes immediately. They can do this by setting up a daily notification email to alert the IT team about changes in employment status or job roles.
  • The IT team should remove access on the same day when notified by HR. They should have a checklist of all systems each employee has access to, and once notified by HR, they need to go through this list and revoke access one by one.
  • Managers should regularly review access rights of their team members. They should set a reminder to do this monthly and cross-check the access list with current team roles to ensure nobody has access they no longer need.
  • Set up automatic alerts for any inactive accounts that haven't been used in a set period. The IT team can configure these alerts to notify them when an account has been inactive so they can check if the account is still needed.
  • Create clear joiner, mover, and leaver procedures. HR, managers, and IT should together outline steps in a document for incorporating access reviews and make sure everyone knows who is responsible for what in these processes.
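As an added example (not Control Stack's or the ISM's own code), the following Python script reconciles a constructed HR leaver list with a constructed account export from an identity store, flagging leavers whose access was not removed on the departure day, leaver accounts that were used after departure, and enabled accounts that have been dormant beyond a threshold. All user names, dates and the 90-day threshold are assumptions.

```python
# Added example, not Control Stack's or the ISM's code: reconcile constructed HR
# leaver dates with a constructed account export to flag late/missing revocation,
# leaver accounts used after departure, and dormant enabled accounts (assumed 90 days).
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    user: str
    enabled: bool
    disabled_on: Optional[date]  # date the account was disabled, None if never
    last_logon: Optional[date]   # None = never used

# Constructed HR data: user -> last day of legitimate access.
HR_LEAVERS = {"asmith": date(2026, 2, 10), "bjones": date(2026, 2, 12), "cwong": date(2026, 2, 13)}
# Constructed export from the identity store.
ACCOUNTS = [
    Account("asmith", False, date(2026, 2, 10), date(2026, 2, 9)),   # same day: OK
    Account("bjones", False, date(2026, 2, 14), date(2026, 2, 13)),  # two days late
    Account("cwong", True, None, date(2026, 2, 16)),                 # never disabled
    Account("dlee", True, None, date(2025, 10, 1)),                  # current staff, dormant
    Account("svc-backup", True, None, None),                         # never logged on
]
AS_OF = date(2026, 2, 22)  # constructed report date

def revocation_gaps(leavers, accounts):
    """Leavers whose access was not removed on their departure day."""
    findings = []
    for a in accounts:
        left_on = leavers.get(a.user)
        if left_on is None:
            continue  # not a leaver, nothing to revoke
        if a.enabled or a.disabled_on is None:
            findings.append((a.user, "still enabled"))
        elif a.disabled_on > left_on:
            findings.append((a.user, f"disabled {(a.disabled_on - left_on).days} day(s) late"))
    return findings

def used_after_departure(leavers, accounts):
    """Leaver accounts with a logon after the departure date: investigate."""
    return sorted(a.user for a in accounts
                  if a.user in leavers and a.last_logon and a.last_logon > leavers[a.user])

def dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts unused for longer than max_idle_days (never-used counts too)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.user for a in accounts
                  if a.enabled and (a.last_logon is None or a.last_logon < cutoff))
```

Run against a real export, the first two functions produce the revocation-log evidence an auditor asks for, and the third feeds the inactive-account alert.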

Audit / evidence tips

  • Ask to see the access revocation logs: request logs or documents that track when access is revoked from systems.

    Good: a log showing timely revocation for each recorded employee change.

  • Ask how they notify the IT team about role changes or departures.

    Good: a description of a clear and consistent daily notification process.

  • Good: they use a comprehensive checklist and act swiftly once they receive HR's notification.

  • Ask for a report on all accounts, including when they were last used.

    Good: all inactive accounts are marked or flagged for review.

  • Good: a detailed document listing specific tasks for each group.

Cross-framework mappings

How ISM-0430 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 5.16: ISM-0430 requires organisations to remove or suspend access immediately (same day) when it is no longer required.
  • Annex A 5.18: ISM-0430 requires organisations to remove or suspend system access the same day a person no longer has a legitimate need for it.

Supports (1)

  • Annex A 8.4: Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries.
