ISM-0446 ASD Information Security Manual (ISM)

Restrict Privileged Access for Foreign Nationals

Foreign nationals must not have privileged access to Australian systems that hold sensitive data.


Plain language

Foreign nationals should not have high-level access to Australian systems that contain sensitive government data. This is important because allowing foreign nationals access could lead to accidental or intentional data breaches that could harm national security or compromise sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

May 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data.

Why it matters

Foreign nationals with privileged access could expose or alter AUSTEO/REL data, risking national security and partner trust.


Operational notes

Audit privileged accounts and access logs to confirm foreign nationals have no admin rights on systems handling AUSTEO/REL data.


Implementation tips

  • System owners should identify which systems handle AUSTEO or REL data. They can do this by reviewing the data classification of their systems and ensuring they are correctly labelled as containing sensitive information.
  • The IT team should set up access controls that specifically block foreign nationals from having privileged access to these sensitive systems. They can achieve this by configuring user accounts and groups to ensure only approved Australian personnel have the necessary permissions.
  • HR should confirm the nationality of current employees with access to sensitive systems. They can do this by reviewing personnel files and ensuring only Australians have privileged access based on their records.
  • Managers should regularly review access permissions to sensitive systems. They can do this by checking the list of privileged users every quarter and ensuring that no foreign nationals are mistakenly granted access.
  • The security team should train staff on the importance of these restrictions. They should conduct regular awareness sessions explaining why privileged access is limited and what the implications are if the control is not followed.

Audit / evidence tips

  • Ask: The access control list for systems handling AUSTEO or REL data. Good: Outcome is a list showing only authorised Australian personnel have elevated access rights.
  • Ask: A recent review report of access permissions. Good: Report will be dated within the last three months and show no foreign nationals have had privileged access.
  • Ask: To see the HR nationality verification process documents. Good: Process includes verified records of nationality checked against personnel files and signed off by HR.
  • Ask: Training materials related to access control policies.
  • Ask: A log of access change requests and approvals. Good: Log will show requests are denied and handled in accordance with the control requirements.

Cross-framework mappings

How ISM-0446 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (3)

  • Annex A 5.16: Annex A 5.16 requires identity lifecycle management so that identity attributes, roles and entitlements are controlled as personnel join,...
  • Annex A 5.18: ISM-0446 prohibits foreign nationals from having privileged access to AUSTEO/REL systems
  • Annex A 8.2: ISM-0446 requires that foreign nationals (including seconded foreign nationals) are not granted privileged access to systems processing, ...

E8

Partially overlaps (2)

  • E8-RA-ML1.1: ISM-0446 requires that foreign nationals are not granted privileged access to AUSTEO/REL systems
  • E8-RA-ML3.1: ISM-0446 requires blocking privileged access for foreign nationals to systems processing, storing or communicating AUSTEO or REL data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
