ISM-0445 (policy) ASD Information Security Manual (ISM)

Dedicated Accounts for Privileged User Activities

Privileged users must have separate accounts for administrative tasks to enhance security.

Plain language

This control is about making sure that people who manage important computer systems use special, dedicated accounts only for tasks that require high-level access. This matters because if these special accounts are misused or compromised, a hacker could gain control of critical systems, leading to data theft, system outages, or financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access.
Why it matters

Without dedicated privileged accounts, a compromised standard user account can be abused for admin actions, enabling data exfiltration and service disruption.

Operational notes

Use separate privileged accounts only for admin tasks; block email/web use on them and monitor logons to detect unauthorised privileged use.

Implementation tips

  • IT team should create separate accounts: They need to set up dedicated admin accounts for each user who needs to perform privileged tasks. This can be done by going into the user management settings of your systems and creating new, distinct accounts specifically for admin purposes.
  • Managers should establish guidelines: Managers should develop clear usage policies for these privileged accounts. This involves writing down when and how these accounts should be used and sharing this information with those who have access.
  • HR should monitor privileged account access: HR should keep a list of which employees have access to privileged accounts and review this regularly. This can be done by conducting a periodic check of access logs and making sure that only the appropriate people have admin access.
  • System Owners should review account activity: They need to regularly check the logs to see what activities are done using these accounts. This can be achieved by using logging features within the system to scrutinise account activities and flagging unusual patterns.
  • Security team should train staff: They should conduct training sessions to educate users on the importance of using the dedicated accounts properly. This might involve running workshops or using online courses to highlight potential risks and correct behaviours.
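The operational note and the "review account activity" tip above describe a detection check: a dedicated privileged account should only ever log on to approved administrative hosts and should never show up in email or web traffic. The following is an added example, not part of the Control Stack page or the ISM itself, that runs that check over constructed sample log lines. The naming convention (an `adm-` prefix marks a privileged account), the approved host list, and the log formats are assumptions chosen for illustration; a real deployment would substitute its own directory attributes and log sources.

```python
"""Flag misuse of dedicated privileged accounts from constructed sample logs.

The policy encoded here is an assumption for illustration only: privileged
accounts carry an 'adm-' prefix, may only log on to approved administrative
hosts, and must never appear in web-proxy (email/web) records.
"""
import re
from collections import namedtuple

# Constructed sample logon records: timestamp, account, host, logon type.
LOGON_LOG = """\
2026-03-19T08:01:12Z account=jsmith host=WS-1042 type=Interactive
2026-03-19T08:05:40Z account=adm-jsmith host=ADM-JUMP01 type=RemoteInteractive
2026-03-19T08:30:02Z account=adm-jsmith host=WS-1042 type=Interactive
2026-03-19T09:12:55Z account=adm-kwong host=ADM-JUMP02 type=RemoteInteractive
2026-03-19T10:47:03Z account=adm-kwong host=ADM-JUMP02 type=RemoteInteractive
"""

# Constructed sample web-proxy records: timestamp, account, destination URL.
PROXY_LOG = """\
2026-03-19T08:02:01Z account=jsmith url=https://intranet.example.test/
2026-03-19T08:31:17Z account=adm-jsmith url=https://webmail.example.test/
2026-03-19T09:00:00Z account=kwong url=https://news.example.test/
"""

PRIVILEGED_PREFIX = "adm-"                   # assumed naming convention
ADMIN_HOSTS = {"ADM-JUMP01", "ADM-JUMP02"}   # assumed approved admin hosts

Finding = namedtuple("Finding", "timestamp account reason")
KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split 'TIMESTAMP key=value ...' into (timestamp, {key: value})."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV.findall(rest))


def is_privileged(account):
    """Apply the assumed naming convention for dedicated privileged accounts."""
    return account.startswith(PRIVILEGED_PREFIX)


def audit(logon_log, proxy_log, admin_hosts=ADMIN_HOSTS):
    """Return one Finding per privileged-account event that breaks the policy.

    Two conditions are flagged:
      * a privileged account logging on anywhere other than an approved
        administrative host (admin credentials exposed on a user workstation);
      * a privileged account appearing in proxy traffic at all, since these
        accounts are for administrative duties only, not email or browsing.
    """
    findings = []
    for line in logon_log.splitlines():
        ts, f = parse(line)
        if is_privileged(f["account"]) and f["host"] not in admin_hosts:
            findings.append(Finding(ts, f["account"],
                                    f"logon from non-admin host {f['host']}"))
    for line in proxy_log.splitlines():
        ts, f = parse(line)
        if is_privileged(f["account"]):
            findings.append(Finding(ts, f["account"], f"web access to {f['url']}"))
    return findings


if __name__ == "__main__":
    for fnd in audit(LOGON_LOG, PROXY_LOG):
        print(fnd.timestamp, fnd.account, fnd.reason)
```

Run against the constructed input, the script reports the two events that matter for this control: `adm-jsmith` logging on interactively to the standard workstation `WS-1042`, and the same account reaching webmail through the proxy. Both are exactly the behaviours the operational note says to block and monitor for, and either one is a reasonable trigger for the periodic review described in the implementation tips.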
Audit / evidence tips

  • Ask: the list of privileged accounts. Request a document that details all privileged accounts and their purpose. Good: a list that clearly shows which accounts are specifically set aside for admin tasks.
  • Ask: the written policies governing the use of these accounts. Good: a policy document that has recent review dates and clear usage instructions.
  • Ask: to see recent access logs. Request logs showing activities performed using privileged accounts over the last few months. Good: a set of logs showing regular activity checks and no unexplained access issues.
  • Ask: a staff training record. Request proof that users have been trained on privileged account use. Good: includes participant lists and training materials focused on account security.
  • Ask: notes from any recent review meeting regarding privileged account usage. Good: would include meeting notes with clear actions and results.
Cross-framework mappings

How ISM-0445 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1): Annex A 8.2. ISM-0445 requires organisations to assign privileged users a dedicated privileged account used solely for privileged activities.
  • Partially overlaps (1): Annex A 5.3. Annex A 5.3 requires segregation of conflicting duties so a person cannot perform incompatible activities without detection or independen...

E8

  • Partially overlaps (3)
  • Supports (5)
  • Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
