Develop and Maintain a Database Register
Create and regularly check a list of databases to keep them organised and up-to-date.
Plain language
This control is about setting up and maintaining a list of all your organisation's databases. It's crucial because without keeping track of your databases, you risk them becoming outdated or vulnerable, which could lead to data loss or unauthorised access.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
A database register is developed, implemented, maintained and verified on a regular basis.
Why it matters
Without a maintained database register, orphaned databases may remain unsecured, increasing risk of data loss or unauthorised access.
Operational notes
Regularly update the database register to reflect additions, decommissions, and access changes. Automate reminders for quarterly reviews.
Implementation tips
- The IT manager should take charge of creating an initial list of all the databases the organisation uses. This can be done by talking to different departments and gathering information on what databases they use, whether for customer information, payroll, or sales data.
- Assign a person, like a database administrator, to regularly update the database register. They should schedule monthly checks to confirm that new databases are added and old ones that are no longer in use are removed from the register.
- Department heads should inform the IT team whenever they start using a new database. They should provide details like who manages it, its purpose, and where it's hosted, to ensure it's accurately reflected in the register.
- Hold a quarterly meeting with key stakeholders such as IT, finance, and HR to review the database register. Discuss any changes and future needs to ensure all information stays current and relevant.
- Set up a process for approval of changes to the database register. The process should involve IT and management who will verify that the changes align with the organisation’s security and operational policies.
Audit / evidence tips
- Ask: The latest database register document. Ask the IT department to provide the current version of the database register.
  Good: A document that lists all databases with a date within the last 30 days.
- Ask: Evidence of the update schedule. Request the schedule or calendar showing planned updates and checks of the database register.
  Good: A schedule showing monthly checks with completion ticks.
- Good: Meeting minutes showing participation from all key departments with clear action points.
- Ask: Records of database approvals. Check if records show who approved each new database addition.
  Good: Signed approval forms from authorised personnel linked to each new database entry.
- Ask: To see evidence of communication from department heads.
  Good: An email trail or memo documentation showing communication about database changes.
Cross-framework mappings
How ISM-1243 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.9 | Annex A 5.9 requires an inventory of information and associated assets, including ownership | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.