Access Restrictions for AUSTEO and AGAO Data
AUSTEO and AGAO data is only accessible via government-controlled systems within authorised facilities.
Plain language
AUSTEO (Australian Eyes Only) and AGAO (Australian Government Access Only) data must be accessed only through government-controlled systems within approved locations. This is crucial because if this sensitive data falls into the wrong hands, it could threaten national security or harm diplomatic relations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
AUSTEO and AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorised by the Australian Government.
Why it matters
If AUSTEO and AGAO data is accessed outside authorised systems, it risks exposure to unauthorised entities, undermining national security.
Operational notes
Audit access logs to confirm AUSTEO/AGAO data is only accessed from Australian Government-controlled systems in authorised facilities.
Implementation tips
- IT managers should ensure systems that store or access AUSTEO or AGAO data are physically located within government-approved facilities. They can do this by conducting regular audits of the data storage locations and verifying that they meet government standards.
- System administrators need to set up strict permissions on government systems that handle AUSTEO or AGAO data. They should use a checklist provided by the Australian Cyber Security Centre (ACSC) to ensure only authorised personnel have access.
- Facility managers must confirm that physical security controls, like surveillance and access badges, are in place at locations handling sensitive data. They should regularly inspect these controls to ensure they are functioning correctly.
- Compliance officers should work closely with government agencies to keep updated on authorised facilities. This involves checking with the Australian Signals Directorate (ASD) for any changes in facility authorisation.
- Human Resources should train staff on the importance of using only authorised systems and facilities for AUSTEO and AGAO data. This can be done through regular workshops and mandatory security training sessions.
Audit / evidence tips
- Ask for the list of systems authorised to handle AUSTEO/AGAO data: Request documentation from IT showing which systems are used.
  Good: All systems are within authorised facilities with government-controlled access permissions.
- Ask for facility authorisation records: Request proof that facilities storing or accessing the data are approved by the government.
  Good: Records are current and signed by the relevant government authority.
- Ask for access logs for systems used for AUSTEO/AGAO data: Request system logs from IT to see who accessed the data.
  Good: Only authorised users accessed data, and logs show consistent patterns with no anomalies.
- Ask for security training records: Request evidence of security training for personnel accessing AUSTEO/AGAO data.
  Good: Comprehensive training was conducted regularly, and all staff attended.
- Ask for physical security inspection reports: Request records of physical security checks for facilities with sensitive data.
  Good: Regular inspections were conducted, showing all security measures are in place and functional.
Cross-framework mappings
How ISM-0854 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.15 | ISM-0854 sets a strict rule about where and on what systems AUSTEO and AGAO data may be accessed (Australian Government solely controlled... | |
| Annex A 8.3 | ISM-0854 requires that access to AUSTEO and AGAO data is restricted to Australian Government solely controlled systems located in authori... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.