ISM-0447 ASD Information Security Manual (ISM)

Restrict Privileged Access for Foreign Nationals

Foreign nationals can't have privileged access to systems handling AGAO data except if seconded.

Plain language

This rule means that foreign nationals aren't allowed to have special access to important systems that handle sensitive Australian Government data, unless they are temporarily working as part of an agreement. This is crucial because if people who aren't local haven't had the right checks or established trust, they could accidentally or intentionally harm the systems or data, leading to data theft, system failure, or breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

May 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data.

Why it matters

If foreign nationals have privileged access, AGAO data may be exposed or altered, increasing risk of unauthorised disclosure and national security harm.

Operational notes

Maintain a register of privileged accounts and verify holders are not foreign nationals (except seconded). Review access and revoke exceptions promptly.

Implementation tips

  • HR and management should establish a clear policy on who qualifies as a 'seconded foreign national' for this purpose. They should outline the criteria and document the process for how foreign nationals can be seconded to ensure everyone follows the same guidelines.
  • Managers should update system access policies to clearly specify that only local personnel or seconded foreign nationals can have privileged access. This can be done by revising existing policies and training staff to understand and implement these rules.
  • The IT team should implement an access control process that includes checking nationality status before granting privileged access. This might involve adding a nationality verification step into the user access request forms and ensuring that all IT staff are trained to follow it.
  • System owners should conduct regular reviews of access privileges to ensure compliance with this control. They should create a schedule for checking and revoking privileged access from foreign nationals who are not seconded.
  • HR should work closely with system administrators to maintain an up-to-date record of all secondments involving foreign nationals. This involves keeping a list of all seconded staff with privileged access, including their start and end dates, and ensuring the list is reviewed regularly.

Audit / evidence tips

  • Ask: The access control policy documents regarding foreign nationals. Good: The policy explicitly includes these restrictions and references organisational approval processes for secondments.
  • Good: All foreign nationals with privileged access are listed as seconded in the records.
  • Ask: Recent access review reports. Good: Reports demonstrate timely reviews with actions taken to correct any issues.
  • Good: The logs show that nationality is checked before any privileged access is granted.
  • Ask: Records of staff training on the access control policy. Good: Training records show that relevant staff have been educated on the policy and understand the restrictions.

Cross-framework mappings

How ISM-0447 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.2: ISM-0447 requires that foreign nationals (except seconded foreign nationals) are not granted privileged access to systems that process, s...

Related (1)

  • Annex A 5.15: Annex A 5.15 requires organisations to establish and implement rules and procedures to control logical and physical access to information...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
