Ensuring Limited Access for Temporary System Use
When given temporary system access, personnel can only see data needed for their job.
Plain language
This control ensures that when someone is given temporary access to a system, they can only see the information needed to do their job. It's important because if access isn't limited, people might accidentally see sensitive information that isn't relevant to them, leading to data breaches or misuse.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
When personnel are granted temporary access to systems and their resources, effective controls are put in place to restrict their access to only data required for them to undertake their duties.
Why it matters
If temporary access is not tightly limited to duty-related data, personnel may view or extract sensitive information, causing breaches, legal action and reputational harm.
Operational notes
Grant temporary access on a time-bound basis with defined expiry, least-privilege roles and data scoping. Review logs during access and revoke promptly when tasks are complete.
Implementation tips
- Managers should identify specific tasks that require temporary system access. They should list what information is absolutely necessary for each task so access can be tailored appropriately.
- The IT team should configure user accounts with limited permissions. They can do this by creating temporary user profiles that restrict access to only the required system areas.
- HR should coordinate with IT to ensure that staff who need temporary access have completed all required security training before granting them access.
- System owners should set up automated systems to disable temporary access after a certain period. This ensures nobody accidentally retains access longer than needed.
- Supervisors should routinely check that temporary access is being used properly. They can do this by reviewing logs that show who accessed what and when.
Audit / evidence tips
- Ask for the access request forms: check that forms specify the exact system and information access needed.
  Good: includes clear records showing approved access and dates.
- Ask them to demonstrate how they set up and remove temporary access.
  Good: describes clear processes for both setup and removal, with reference to documented procedures.
Cross-framework mappings
How ISM-0441 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.15 | ISM-0441 requires controls to ensure temporary system access is limited to only the data required for duties | |
| Supports (1) | | |
| Annex A 8.22 | ISM-0441 requires that temporary users' access is restricted to data for their duties | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-RA-ML1.4 | ISM-0441 requires limiting what temporarily authorised personnel can access to only the data required for their duties | |
| E8-RA-ML3.1 | E8-RA-ML3.1 requires privileged access to be limited to what is necessary for duties | |
| Supports (1) | | |
| E8-RA-ML3.3 | E8-RA-ML3.3 requires organisations to grant administrative access only when needed and for limited periods via just-in-time administration | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.