ISM-1173 (policy control, ASD Information Security Manual (ISM))

Use Multi-Factor Authentication for Privileged Users

Privileged users must verify their identity using multiple forms of identification to log into systems.


Plain language

Multi-factor authentication means using more than one way to prove who you are when logging into systems, especially for users who can access important areas. This is crucial because if hackers steal a single password, they could cause significant damage by accessing sensitive information, misusing data, or even shutting down systems.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

Multi-factor authentication is used to authenticate privileged users of systems.

Why it matters

Without MFA for privileged users, a stolen password can enable admin access, leading to system compromise, data loss, and service disruption.


Operational notes

Enforce MFA for all privileged accounts, regularly test MFA login flows, and ensure administrators can use and recover MFA tokens without bypasses.


Implementation tips

  • System owners should identify privileged users: Determine which users have access to sensitive parts of the system, like managers or IT staff, and create a list of these users. Review this list regularly to adjust for any changes in roles.
  • Managers should enforce multi-factor authentication (MFA): Make sure privileged users use at least two forms of identification to log into systems. Implement this by using MFA apps, sending codes to their phones, or other secure methods provided by your IT services.
  • IT teams should configure accounts: Set up each privileged user’s account with MFA to ensure compliance. Use step-by-step guides provided by your security software or service provider to enable MFA features.
  • HR should communicate security policies: Ensure all privileged users understand and follow required security practices, focusing on why MFA is mandatory for them. Schedule training sessions or send detailed instructions via email.
  • Procurement should verify service providers: When selecting software or security tools, ensure they offer robust MFA options. Include this requirement in supplier checklists and assessments before making purchases.

Audit / evidence tips

  • Ask: The MFA policy document. Request the organisation's policy that outlines the use of MFA for privileged users. Good: Has clear policy details with justified user classification.
  • Ask: A user access list. Obtain a list showing which users have been granted privileged access and require MFA. Good: Includes an updated list with confirmed MFA compliance.
  • Ask: System audit logs. Request logs showing attempted logins by privileged users. Good: Shows evidence of regular and successful MFA usage.
  • Ask: User feedback or training records. Obtain records of training sessions on MFA use for privileged users. Good: Is well-documented proof of training with a positive user uptake.
  • Ask: An incident response report. Request any reports on incidents where MFA prevented unauthorized access. Good: Includes detailed incidents where MFA demonstrably protected systems.
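As an added example (not part of this Control Stack page or of the ISM), the script below applies the "system audit logs" evidence item: it reads login events from a constructed log sample, keeps only successful logins by users on a constructed privileged-user list, and reports any that did not use MFA, plus a usage summary an assessor could cite. The log format (timestamp followed by key=value fields), the field names and all user names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample auth log (assumed format: timestamp, then key=value fields).
SAMPLE_LOG = """\
2026-03-19T08:01:02Z user=alice result=success mfa=yes method=totp
2026-03-19T08:05:40Z user=bob result=success mfa=no method=password
2026-03-19T08:07:13Z user=carol result=success mfa=no method=password
2026-03-19T09:12:55Z user=alice result=failure mfa=no method=password
2026-03-19T09:30:00Z user=bob result=success mfa=yes method=fido2
"""
# Constructed privileged-user list (stands in for the "user access list" evidence item).
PRIVILEGED_USERS = {"alice", "bob"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one event; return None when user/result are missing.
    A missing mfa field is treated as 'no MFA' so an incomplete line cannot hide a gap."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    if not {"user", "result"}.issubset(fields):
        return None
    fields["ts"] = parts[0]
    return fields


def privileged_successes(log_text, privileged_users):
    """Yield successful logins by listed privileged users; other users are out of scope."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["user"] in privileged_users and ev["result"] == "success":
            yield ev


def find_mfa_gaps(log_text, privileged_users):
    """Successful privileged logins without MFA: each one is a control failure to report."""
    return [(ev["ts"], ev["user"], ev.get("method", "?"))
            for ev in privileged_successes(log_text, privileged_users) if ev.get("mfa") != "yes"]


def mfa_usage_summary(log_text, privileged_users):
    """Counts of privileged successes with and without MFA, as evidence of regular MFA usage."""
    return dict(Counter("mfa" if ev.get("mfa") == "yes" else "no_mfa"
                        for ev in privileged_successes(log_text, privileged_users)))


if __name__ == "__main__":
    for ts, user, method in find_mfa_gaps(SAMPLE_LOG, PRIVILEGED_USERS):
        print(f"GAP {ts} privileged user {user} logged in without MFA ({method})")
    print(mfa_usage_summary(SAMPLE_LOG, PRIVILEGED_USERS))
```

Run against an export of the real authentication log and the current privileged-user list; an empty gap list alongside a non-zero MFA count is the evidence the audit item asks for.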

Cross-framework mappings

How ISM-1173 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1): Annex A 8.5. ISM-1173 requires MFA specifically for privileged users of systems.

E8

  • Partially meets (1): E8-MF-ML1.7. E8-MF-ML1.7 sets the requirement for what makes MFA valid by prescribing acceptable factor combinations.
  • Partially overlaps (3):
    E8-MF-ML1.5. E8-MF-ML1.5 requires MFA for users authenticating to third-party online customer services handling sensitive customer data.
    E8-MF-ML2.5. E8-MF-ML2.5 requires that MFA for system access is phishing-resistant regardless of user type.
    E8-MF-ML3.1. E8-MF-ML3.1 requires MFA for users of data repositories.
  • Related (1): E8-MF-ML2.1. E8-MF-ML2.1 requires multi-factor authentication (MFA) to be used to authenticate privileged users of systems.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
