Document System Access Requirements in Security Plans
System access rules must be documented in each system's security plan to ensure proper access management.
Plain language
In everyday terms, this control is about clearly writing down who can access specific parts of your system and under what conditions. It’s important because if these access rules aren’t properly documented, the wrong people might gain access, leading to data breaches, loss of sensitive information, or system misuse.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Access requirements for systems and their resources are documented in their system security plan.
Why it matters
If access requirements are not documented in the system security plan, incorrect permissions may be granted, enabling unauthorised access and data compromise.
Operational notes
Review and update the system security plan whenever roles, resources or permissions change, and confirm access requirements map to implemented controls (e.g., RBAC and approvals).
Implementation tips
- The IT manager should record the system's access rules in, or as an attachment to, its system security plan. This means listing who needs access, which resources and functions they need access to, at what level (read, write, approve, administer), and why. A simple spreadsheet or word document is enough, provided it is kept current and can be traced to the plan.
- System owners should update the security plan whenever access needs change. Review the access rules every time staff roles or responsibilities change so that only the right people retain access, and check that the documented roles match what is actually configured (for example, the groups or roles in the directory or IAM system).
- Managers should work with HR when an employee leaves the organisation. Remove access immediately to prevent unauthorised access. Use a checklist to ensure all their system accounts are closed.
- The IT team should set up alerts for any unusual access attempts. This involves using your existing security tools to notify you if there are multiple failed logins or access from unexpected locations.
- System owners should hold quarterly meetings with IT and security officers to review and update access rules. This ensures all changes are documented and aligns with any new security threats or business needs.
Audit / evidence tips
- Ask for the current system access document.
  Good: includes specific names, roles, and what each role can do.
- Ask staff what parts of the system they can access and why.
  Good: their actual access matches what is documented and they understand their access rights.
- Ask for logs or alerts from the security system that monitors access events.
  Good: few to no alerts, or logs that show proper follow-up action on the alerts raised.
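The operational note above ("confirm access requirements map to implemented controls") and the audit tip "matches the actual access to what's documented" both come down to the same check: expand the roles recorded in the system security plan into expected per-user permissions and diff them against what is actually configured. The following is an added example, not code from the ISM or from this page; the plan format, the resource and role names (`payroll-db`, `payroll-admin`, and so on), the user list and the "implemented access" export are all constructed assumptions for illustration.

```python
"""Detect drift between documented access requirements and implemented access.

Added example, not from the ISM or this page. The dictionaries below stand in
for (a) the access requirements recorded in a system security plan and (b) an
export of actual permissions from a directory or IAM system. All names and data
are constructed for illustration.
"""

# (a) Documented access requirements from the SSP: resource -> role -> permissions.
# Constructed sample data.
DOCUMENTED = {
    "payroll-db": {
        "payroll-admin": {"read", "write", "approve"},
        "payroll-analyst": {"read"},
    },
    "hr-fileshare": {
        "hr-staff": {"read", "write"},
    },
}

# Documented role holders from the SSP: user -> roles. Constructed sample data.
DOCUMENTED_ROLES = {
    "alice": {"payroll-admin"},
    "bob": {"payroll-analyst"},
    "carol": {"hr-staff"},
}

# (b) Implemented access, e.g. exported from the IAM system: resource -> user -> permissions.
# Constructed sample: bob has an undocumented write grant, dave is not in the plan
# at all, and carol is missing the write access the plan says she should have.
IMPLEMENTED = {
    "payroll-db": {
        "alice": {"read", "write", "approve"},
        "bob": {"read", "write"},
        "dave": {"read"},
    },
    "hr-fileshare": {
        "carol": {"read"},
    },
}


def expected_access(documented, roles):
    """Expand role-based requirements into expected per-resource, per-user permissions."""
    expected = {}
    for resource, role_perms in documented.items():
        expected[resource] = {}
        for user, user_roles in roles.items():
            perms = set()
            for role in user_roles:
                perms |= role_perms.get(role, set())
            if perms:
                expected[resource][user] = perms
    return expected


def undefined_roles(documented, roles):
    """Roles assigned to people in the plan but not defined for any resource.

    An auditor looks for this: the plan must say what each role can do, not
    just who holds it.
    """
    defined = {role for role_perms in documented.values() for role in role_perms}
    assigned = {role for user_roles in roles.values() for role in user_roles}
    return sorted(assigned - defined)


def find_drift(documented, roles, implemented):
    """Return (resource, user, kind, permissions) findings.

    kind is "undocumented" for implemented permissions the plan does not grant
    (the risky direction: unauthorised access) and "missing" for documented
    permissions that are not actually configured (the plan is stale or the
    implementation is incomplete).
    """
    expected = expected_access(documented, roles)
    findings = []
    for resource in sorted(set(expected) | set(implemented)):
        exp = expected.get(resource, {})
        imp = implemented.get(resource, {})
        for user in sorted(set(exp) | set(imp)):
            have, want = imp.get(user, set()), exp.get(user, set())
            if have - want:
                findings.append((resource, user, "undocumented", frozenset(have - want)))
            if want - have:
                findings.append((resource, user, "missing", frozenset(want - have)))
    return findings


if __name__ == "__main__":
    for role in undefined_roles(DOCUMENTED, DOCUMENTED_ROLES):
        print(f"plan defect: role '{role}' is assigned but its permissions are not documented")
    for resource, user, kind, perms in find_drift(DOCUMENTED, DOCUMENTED_ROLES, IMPLEMENTED):
        print(f"{kind:12} {resource:14} {user:8} {sorted(perms)}")
```

Run against the sample data this reports carol's missing write on hr-fileshare, bob's undocumented write on payroll-db and dave's undocumented read on payroll-db. In practice the "implemented" side would be an export from the directory or IAM system, and the "undocumented" findings are the ones to treat as potential unauthorised access; "missing" findings usually mean the plan was not updated when access changed.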
Cross-framework mappings
How ISM-0432 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (1) | |
| Annex A 5.15 | ISM-0432 requires that access requirements for each system and its resources be documented in the system's security plan |
| Supports (3) | |
| Annex A 5.8 | Annex A 5.8 requires projects to embed information security requirements and checks into project activities |
| Annex A 5.18 | ISM-0432 requires that system access requirements be documented in the system security plan |
| Annex A 8.2 | ISM-0432 requires documenting system access requirements, including for sensitive resources, in a system security plan |
E8
| Control | Notes |
|---|---|
| Supports (1) | |
| E8-RA-ML1.1 | E8-RA-ML1.1 requires organisations to validate privileged access requests upon initial request |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.