Requirement for Gateway System Administrators Nationality
Only Australian nationals can manage gateways to certain secure networks.
Plain language
This control means that only Australian citizens are allowed to manage certain critical communication networks, such as those exclusive to Australia or shared securely with specific partners. This matters because using non-citizens might expose these sensitive networks to greater risks, like espionage or unauthorised access, which could harm national security.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
System administrators for gateways that connect to Australian Eyes Only or Releasable To networks are Australian nationals.
Why it matters
If gateway admins are not Australian nationals, AEO/REL networks may be exposed to foreign influence and unauthorised access, increasing espionage and data compromise risk.
Operational notes
Verify gateway administrators are Australian nationals before granting admin access; record evidence, review periodically, and maintain a vetted Australian-national backup roster for rapid replacement.
Implementation tips
- HR should verify citizenship: Before hiring system administrators for these roles, HR must ensure candidates are Australian citizens by checking their birth certificate or passport. This step verifies legality for managing secure networks.
- System owners should update job descriptions: Clearly state the requirement for Australian citizenship in job ads for administration roles on these networks. This helps to filter applicants and sets expectations early.
- IT managers should conduct regular reviews: Every six months, IT managers should audit the list of current system administrators to ensure all meet the Australian nationality requirement. Use citizenship documents to verify compliance.
- Leadership must provide training: Offer training to all team leaders on the importance of this control and national security. This training can include workshops and online courses to enhance awareness among staff.
- Procurement should consult legal experts: When contracting outside administrators, procurement teams should consult legal advisors to ensure compliance with the control and Australian privacy laws. This ensures contractors understand the rule and its importance.
Audit / evidence tips
- AskThe HR recruitment checklist GoodA document showing these positions require Australian citizenship verification
- AskThe list of current system administrators GoodEvery administrator having a verified Australian citizenship document on file
- AskTo see recent internal audits of administrator roles GoodFindings reviewed, actions taken for non-compliance, and signed acknowledgments by IT managers
- AskTraining records: Request details of training sessions conducted for team leaders on the importance of this control GoodAttendance lists and training materials showing focus on national security restrictions
- AskContractor management policies GoodA signed contract clause explicitly requiring personnel to be Australian citizens
Cross-framework mappings
How ISM-0613 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 5.2 | ISM-0613 sets a specific staffing requirement for a defined privileged role: gateway system administrators for certain classified/releasa... | |
| Annex A 6.1 | ISM-0613 requires that system administrators for gateways connecting to Australian Eyes Only or Releasable To networks are Australian nat... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.