ISM-0435: ASD Information Security Manual (ISM)

Pre-Access Briefings for System Resources

Staff must be briefed before accessing system resources.

Plain language

This control is about making sure that staff get the right information before they use company systems. If people jump in without a briefing, they might not know how to use the system safely, which could lead to data breaches or other security problems.

Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: May 2025
Control Stack last updated: 19 May 2026
E8 maturity levels: N/A

Official control statement

Personnel receive any necessary briefings before being granted access to systems and their resources.

Why it matters

Failure to conduct pre-access briefings can lead to staff mishandling sensitive data or exploiting privileged access, risking data breaches.

Operational notes

Ensure briefings cover system usage policies and access protocols; maintain records of briefings as part of access control audits.

Implementation tips

  • Managers should ensure that new staff members receive a briefing on system access during their onboarding process. This can be done by including a session in the induction program that covers the dos and don'ts of system use and security.
  • HR should create and maintain a checklist of topics to cover in pre-access briefings. This checklist should include things like password security, recognising suspicious emails, and data protection basics.
  • The IT team should provide specific training materials suited to the systems staff will use. These could be in the form of guides, online courses, or videos that explain how to securely access and use the systems.
  • System owners should periodically review and update the briefing materials to ensure they reflect any changes in the system or its security requirements. They can do this by setting a regular check-in schedule, perhaps every 6 months, to update the content.
  • Team leaders should perform regular checks to ensure all staff who access the systems have received the briefings. They could schedule quick catch-ups or send out surveys to confirm that their team members understand the key security protocols.

Audit / evidence tips

  • Ask: The onboarding program materials. Request documents or presentation slides used during staff induction. Good: Up-to-date materials with clear information on the security practices required before access is granted.
  • Ask: Ask staff what they were told about system access and security during their induction. Good: Their ability to explain basic security practices and threats discussed in their briefings.
  • Ask: Briefing attendance records. Request logs or sign-off sheets indicating who attended the briefings. Look to confirm that all new staff have participated before accessing systems. Good: A complete log showing all new hires, the date of attendance, and the topics covered.
  • Good: A structured session that engages participants and uses understandable language.
  • Ask: A review schedule. Request documents that show when briefing materials are reviewed and updated. Good: A documented schedule or records showing regular content review and updates following system changes.

Cross-framework mappings

How ISM-0435 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Control: Annex A 6.3
    Notes: ISM-0435 requires personnel to receive any necessary briefings before being granted access to systems and their resources.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
