ISM-0611 ASD Information Security Manual (ISM)

Restrict Privileges for Gateway Administrators

Gateway admins have only the necessary access permissions for their tasks.


Plain language

This guideline is about making sure that people who manage gateway systems have just enough access to do their job and no more. If they have too much access, there's a higher chance of accidental or malicious damage, which could lead to data breaches or loss of service.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

System administrators for gateways are assigned the minimum privileges required to perform their duties.

Why it matters

Excess gateway admin privileges can lead to unauthorised data access, increasing the risk of data breaches and service outages.


Operational notes

Regularly review gateway admin accounts and role memberships to confirm only minimum required privileges are assigned, and promptly remove any unnecessary access.


Implementation tips

  • The IT manager should create a list of all the tasks that gateway administrators do so they can decide what access is necessary. This involves talking to the administrators about their daily duties and understanding each task's requirements.
  • HR and IT should work together to define roles and responsibilities clearly. They should document what access each role needs, and ensure this is reflected in the IT systems by setting permissions accordingly.
  • System administrators should regularly review and audit the access levels of gateway administrators to ensure they have only what is necessary. They can do this by running reports on who has access to what and checking that each account's permissions match the person's current job responsibilities.
  • The IT team should use a system that logs and monitors access attempts and activities on gateways, with alerts for unusual access patterns so that misuse of privilege is detected promptly.
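The review step above (comparing who has access to what against documented role responsibilities) can be automated. The following is an added example, not code from the ISM or from the Control Stack page: it takes a constructed role-to-permission baseline and a constructed export of gateway administrator accounts, and reports every deviation from least privilege (permissions beyond what the account's documented roles approve, roles that have no documented baseline, and deactivated accounts that still hold permissions). Role names, permission names and account details are sample data, not values from any real gateway product.

```python
"""Least-privilege audit for gateway administrator accounts (added example).

Compares each administrator's effective permissions against the permission
set approved for their documented role(s) and emits findings for anything
that should not be there. All role, permission and account values below are
constructed sample data.
"""
from dataclasses import dataclass
from collections import Counter

# Constructed baseline: the permissions each documented role is approved to hold.
# In practice this comes from the role definitions HR and IT agreed on.
APPROVED_ROLE_PERMISSIONS = {
    "gateway-firewall-ops": {"firewall.rule.read", "firewall.rule.write", "log.read"},
    "gateway-proxy-ops": {"proxy.config.read", "proxy.config.write", "log.read"},
    "gateway-auditor": {"firewall.rule.read", "proxy.config.read", "log.read"},
}


@dataclass(frozen=True)
class AdminAccount:
    """One row of an account export from the gateway (constructed shape)."""
    username: str
    roles: frozenset
    permissions: frozenset  # effective permissions actually granted
    active: bool = True


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str      # "excess-permission", "unknown-role" or "inactive-with-access"
    detail: tuple   # the offending permissions or roles, sorted


def approved_permissions(roles, baseline=APPROVED_ROLE_PERMISSIONS):
    """Union of the permissions approved for every role the account holds.
    Roles missing from the baseline contribute nothing, so whatever they
    granted shows up as excess rather than being silently accepted."""
    allowed = set()
    for role in roles:
        allowed |= baseline.get(role, set())
    return allowed


def audit_accounts(accounts, baseline=APPROVED_ROLE_PERMISSIONS):
    """Return one Finding per deviation from least privilege.

    An account with no findings is active and holds only permissions that its
    documented roles approve (a subset is fine; a superset is not)."""
    findings = []
    for acct in accounts:
        unknown = sorted(r for r in acct.roles if r not in baseline)
        if unknown:
            findings.append(Finding(acct.username, "unknown-role", tuple(unknown)))
        excess = sorted(acct.permissions - approved_permissions(acct.roles, baseline))
        if excess:
            findings.append(Finding(acct.username, "excess-permission", tuple(excess)))
        # Deactivated people should have had all gateway access removed promptly.
        if not acct.active and acct.permissions:
            findings.append(Finding(acct.username, "inactive-with-access",
                                    tuple(sorted(acct.permissions))))
    return findings


def flagged_usernames(findings):
    """Sorted list of accounts that need follow-up."""
    return sorted({f.username for f in findings})


def summarise(findings):
    """Count of findings per issue type, for the review record."""
    return dict(Counter(f.issue for f in findings))


# Constructed sample export: one clean account and three that need attention.
SAMPLE_ACCOUNTS = [
    AdminAccount("alice", frozenset({"gateway-firewall-ops"}),
                 frozenset({"firewall.rule.read", "firewall.rule.write", "log.read"})),
    AdminAccount("bob", frozenset({"gateway-auditor"}),
                 frozenset({"firewall.rule.read", "proxy.config.read", "log.read",
                            "firewall.rule.write"})),   # write access an auditor does not need
    AdminAccount("carol", frozenset({"legacy-admin"}),   # role with no documented baseline
                 frozenset({"proxy.config.write"})),
    AdminAccount("dave", frozenset({"gateway-proxy-ops"}),
                 frozenset({"proxy.config.read", "log.read"}), active=False),
]


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS)
    for f in results:
        print(f"{f.username:8} {f.issue:22} {', '.join(f.detail)}")
    print("summary:", summarise(results))
```

The audit treats any permission not explained by a documented role as excess, which is the direction least privilege requires: a role the baseline does not know about is reported instead of being trusted. Running it on a scheduled basis and keeping its output is one way to produce the "evidence of regular reviews" the audit tips below ask for.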

Audit / evidence tips

  • Ask: A document that lists all gateway administrators and their access levels. Good: Shows each person has only the permissions required for their role, with unnecessary permissions removed.
  • Good: Includes evidence of regular reviews and prompt adjustments.
  • Ask: Logs or records of access attempts to the gateways. Good: Shows that the organisation monitors access continuously and responds to potential threats swiftly.
  • Good: Is a complete training record with recent updates.
  • Ask: Access change request documentation. Good: A clear process with approvals documented in each instance, demonstrating control over access modifications.

Cross-framework mappings

How ISM-0611 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (3)

Control: Annex A 5.15. Notes: ISM-0611 requires that gateway administrators are assigned only the minimum privileges required for their duties.
Control: Annex A 8.2. Notes: ISM-0611 requires that gateway system administrators are assigned the minimum privileges required to perform their duties.
Control: Annex A 8.3. Notes: ISM-0611 requires gateway administrators to have only the minimum privileges necessary for their duties.

E8

Supports (1)

Control: E8-RA-ML1.4. Notes: E8-RA-ML1.4 requires privileged accounts to have only essential access when using online services.

Related (1)

Control: E8-RA-ML3.1. Notes: ISM-0611 requires gateway system administrators to be assigned the minimum privileges necessary to perform their duties.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
