ISM-1256, ASD Information Security Manual (ISM)

Implement File-Based Access Controls for Databases

Use file permissions to safeguard database files from unauthorised access.

Plain language

This control is about setting special rules for who can see or change your database files. Imagine your database as a filing cabinet full of important documents - if anyone can open it, someone could take sensitive information without you knowing. By using file-based access controls, you limit who has the keys to that cabinet, reducing the chance of a security breach.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2018

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

File-based access controls are applied to database files.
ASD Information Security Manual (ISM), ISM-1256

Why it matters

Without file-based controls on database files, attackers can read or modify data, logs or backups, causing leaks and integrity loss.

Operational notes

Audit OS ACLs on database data, log and backup files so only DB service accounts and admins can access them; review after role changes.

Implementation tips

  • System owners should determine which staff need access to database files. Start by listing all people currently able to access the files and remove those who don't need it. Limit the number to only those who absolutely require it for their job.
  • IT teams should set specific file permissions on the database files. They can do this by using operating system tools to restrict who can read, write, or delete files. Ensure these permissions are reviewed regularly to stay up to date with staff changes.
  • Managers should create a process for requesting and granting access to database files. This should include a form that people fill out, which is then approved by a senior staff member before access is given.
  • The IT department should perform regular checks to ensure file-based access controls are correctly in place. They can use simple scripts or software to report who accessed files and when.
  • HR should ensure that any changes in staff status, like leaving the company or changing roles, are promptly communicated to IT. This helps in adjusting file access permissions immediately, avoiding lapses in security.
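
A regular check of the kind described in the operational notes and tips above could look like the following. This is an added example, not part of the ISM or of this page's source. The function names and the sample tree are constructed for illustration, and it inspects POSIX owner and mode bits only (not Windows ACLs or extended ACLs).

```python
import os
import stat
import tempfile

def audit_db_files(root, allowed_uids, allowed_gids=frozenset()):
    """Return (path, issue) findings for root and everything beneath it.

    allowed_uids: DB service and admin accounts permitted to own the files.
    allowed_gids: groups whose members are approved for access (may be empty).
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: judge the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))  # target lies outside this check
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in allowed_uids:
            findings.append((path, "owner"))   # owned by an unapproved account
        if mode & stat.S_IRWXG and st.st_gid not in allowed_gids:
            findings.append((path, "group"))   # group bits for an unapproved group
        if mode & stat.S_IRWXO:
            findings.append((path, "other"))   # any access for everyone else
    return findings

def build_sample_tree():
    """Constructed sample: data, log and backup files with differing modes."""
    root = tempfile.mkdtemp(prefix="dbaudit-")  # created 0700, owned by caller
    for name, mode in (("data.db", 0o600), ("query.log", 0o640),
                       ("nightly.bak", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    for path, issue in audit_db_files(sample, {os.getuid()}):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        print(f"{issue:7} {mode:04o} {path}")
```

Keeping the findings from each run gives the review evidence the audit tips ask for; rerun it after role changes with the updated account and group sets.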

Audit / evidence tips

  • Ask for documentation on current file access permissions

  • Ask for the latest audit or report on file access reviews. Review how often these checks are done and any findings documented

    Good: audit involves regular review cycles and actions taken on findings

  • Ask for security training records related to database access

Cross-framework mappings

How ISM-1256 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (2)
Annex A 5.15 ISM-1256 requires applying file permissions to database files to protect them from unauthorised access
Annex A 8.3 ISM-1256 requires file-based access controls (e.g

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
