Restrict Privileged Users from Internet Access
Privileged accounts can't access the internet or web services unless explicitly allowed.
Plain language
This control ensures that user accounts with high levels of access cannot browse the internet or use online services unless they are given special permission. It's important because these accounts have the 'keys to the kingdom,' so if they get hacked while online, it could lead to a major security breach.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for personnel security
Official control statement
Privileged user accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.
Why it matters
If privileged users access the internet, they become prime targets for attacks, risking credential theft and major breaches.
Operational notes
Regularly audit privileged accounts to confirm they cannot access the internet, email or web services; remove access and investigate exceptions promptly.
Implementation tips
- IT Team: Identify which accounts have elevated, or 'privileged', access in your systems. You can do this by reviewing current access permissions and roles assigned to user accounts.
- IT Manager: Establish a policy that clearly states privileged accounts are not permitted to access the internet. This policy should be documented and communicated to all users who hold privileged roles.
- System Administrator: Configure network settings or application firewalls to block internet access for these privileged accounts. This could involve setting up network rules that deny internet traffic for specific user roles or groups.
- HR Department: Work with IT to create training materials for staff who hold privileged accounts, emphasising the importance of not using these accounts for casual browsing or personal email.
- Security Officer: Regularly review and update the list of exceptions for privileged users who require internet access for legitimate business needs, ensuring that these privileges are properly authorised.
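The implementation tips above and the operational note ("regularly audit privileged accounts to confirm they cannot access the internet, email or web services; ... investigate exceptions promptly") describe one procedure: identify privileged accounts, block their online access at the proxy or firewall, and keep an authorised exceptions list. The script below is an added example of that audit, not code from the Control Stack page or from ASD. All inputs are constructed inline and hypothetical (the group names, the first-match-wins proxy rule format, the exceptions register shape); in practice they would come from a directory export, the proxy/firewall policy export and the exceptions register. Default-deny when no rule matches is an assumption of the example.

```python
"""Audit check for ISM-1175: privileged accounts must not reach the internet,
email or web services unless an authorised, unexpired exception exists.

Added example; all data below is constructed and hypothetical.
"""
from datetime import date

ONLINE_SERVICES = {"web", "email"}

# Groups that confer privileged access (constructed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Cloud Platform Owners"}

# Constructed directory export: account -> set of group memberships.
ACCOUNT_GROUPS = {
    "adm-alice": {"Domain Admins", "All Staff"},
    "adm-bob": {"Server Operators", "Internet-Denied", "All Staff"},
    "adm-carol": {"Cloud Platform Owners", "All Staff"},
    "adm-erin": {"Domain Admins", "All Staff"},
    "dave": {"All Staff"},
}

# Constructed proxy/firewall policy: ordered rules, first match wins per service.
# Any account matching no rule is treated as denied (assumption of this example).
PROXY_RULES = [
    {"group": "Internet-Denied", "action": "deny", "services": {"web", "email"}},
    {"group": "All Staff", "action": "allow", "services": {"web", "email"}},
]

# Constructed exceptions register: account -> approval details.
EXCEPTIONS = {
    "adm-carol": {"expires": date(2026, 12, 31), "approver": "CISO",
                  "reason": "Administers a cloud console that is only reachable online"},
    "adm-erin": {"expires": date(2025, 1, 1), "approver": "CISO",
                 "reason": "Time-limited project access (not renewed)"},
}


def privileged_accounts(account_groups, privileged_groups):
    """Accounts holding at least one privileged group membership."""
    return {acct for acct, groups in account_groups.items() if groups & privileged_groups}


def effective_access(groups, rules, services=ONLINE_SERVICES):
    """Services an account with these groups can reach under first-match-wins rules."""
    allowed = set()
    for service in services:
        for rule in rules:
            if rule["group"] in groups and service in rule["services"]:
                if rule["action"] == "allow":
                    allowed.add(service)
                break  # the first matching rule decides this service
    return allowed


def audit(today, account_groups=ACCOUNT_GROUPS, rules=PROXY_RULES,
          exceptions=EXCEPTIONS, privileged_groups=PRIVILEGED_GROUPS):
    """Classify every privileged account for the ISM-1175 check.

    blocked            - no online service reachable (compliant)
    authorised         - reachable, covered by an unexpired exception (compliant)
    exception_expired  - reachable, exception on file but past its expiry (investigate)
    unauthorised       - reachable, no exception on file (investigate)
    """
    findings = []
    for acct in sorted(privileged_accounts(account_groups, privileged_groups)):
        reachable = effective_access(account_groups[acct], rules)
        if not reachable:
            status = "blocked"
        elif acct not in exceptions:
            status = "unauthorised"
        elif exceptions[acct]["expires"] < today:
            status = "exception_expired"
        else:
            status = "authorised"
        findings.append({"account": acct, "reachable": sorted(reachable), "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit(date.today()):
        print(f"{finding['account']:<10} {finding['status']:<18} "
              f"reachable={','.join(finding['reachable']) or '-'}")
```

Run against the constructed data, the report flags adm-alice (privileged, no exception) and adm-erin (exception lapsed) for investigation, while adm-bob is blocked by the deny rule even though a later rule would have allowed All Staff, and adm-carol's access is covered by a current exception. Rule ordering is the point of the first-match design: a deny group that sits below a broad allow rule would silently do nothing, which is exactly what the configuration evidence review should catch.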
Audit / evidence tips
- Ask for the privileged access policy: request the document detailing the restrictions on internet use for privileged accounts. Good evidence: a comprehensive policy that is up to date, endorsed by management, and well-communicated to staff.
- Ask for the list of privileged accounts: request a list of all accounts considered privileged. Good evidence: a list that matches the documented policy and is regularly reviewed.
- Ask for system configurations: request evidence of network or system configurations that block internet access for privileged accounts. Good evidence: configuration files that show rules blocking internet access, matching the policy.
- Ask to see training records: request records showing who has been trained on the use of privileged accounts. Good evidence: training completion records for all privileged users, indicating understanding of the restrictions.
- Ask for a list of exceptions: request documentation that lists accounts with authorised internet access exceptions and reasons. Good evidence: a list showing granted exceptions with clear, justified reasons and management approval.
Cross-framework mappings
How ISM-1175 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.2 | ISM-1175 requires privileged user accounts (unless explicitly authorised) to be prevented from accessing the internet, email and web serv... |
| Related | Annex A 8.3 | Annex A 8.3 requires restricting access to information and assets per an established access control policy |
E8
| Relationship | Control | Notes |
|---|---|---|
| Supports | E8-RA-ML1.2 | ISM-1175 requires privileged user accounts to be prevented from accessing the internet, email and web services unless explicitly authorised |
| Related | E8-RA-ML1.3 | E8-RA-ML1.3 requires privileged accounts (except those explicitly authorised) to be prevented from accessing the internet, email, and web... |
| Related | E8-RA-ML1.4 | E8-RA-ML1.4 requires privileged accounts authorised for online services to be tightly limited to only what is needed to perform online du... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.