ISM-1304 ASD Information Security Manual (ISM)

Secure Network Devices by Changing Default Credentials

During setup, change or remove default login details for network devices to enhance security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Default user accounts or credentials for network devices, including for any pre-configured user accounts, are changed, disabled or removed during initial setup.

Source: ASD Information Security Manual (ISM)

Plain language

Changing the default username and password on network devices, like routers or modems, is crucial to prevent unauthorised access to your network. If someone with bad intentions finds out these default settings, they could easily get into your system, interfere with operations, or steal sensitive information.

Why it matters

If default device accounts are left unchanged, attackers can log in using known defaults and take control of routers/switches, enabling network compromise and data loss.

Operational notes

During initial setup, change or disable all default and pre-configured accounts on network devices. Afterwards, periodically verify device configurations and review logs for repeated failed logins or attempts to use default credentials.

Implementation tips

  • The IT team should create a checklist for setting up new network devices that includes changing default usernames and passwords. They can do this by consulting the device manuals for default login details and ensuring these are changed to unique, strong credentials immediately during setup.
  • Managers should ensure that the IT team regularly reviews and documents the credentials of all network devices. This can be done by logging the last updated passwords and checking them every few months to make sure they're still secure.
  • Procurement officers should only buy network equipment that includes instructions for changing default credentials. Before purchasing, they can ask suppliers to confirm that easy-to-follow steps are provided for securing the devices.
  • The system owner should arrange for periodic training sessions for staff who handle network equipment. These sessions should cover the importance of changing default settings and provide step-by-step guidance on how to manage device security correctly.
  • Office managers should coordinate with IT to ensure that any devices brought into the office have their default settings changed before being used. They can maintain a log of network devices with dates of when default credentials were updated.

Audit / evidence tips

  • Ask for the network device configuration policy document: request evidence of an official policy that mandates changing default credentials during setup.

    Good: includes clear instructions along with recorded dates and responsible staff.

  • Ask for logs or reports showing initial setup records of network devices: check whether the logs indicate when and by whom default credentials were changed.

    Good: includes detailed logs showing changes from default to secure credentials for each device.

  • Ask for a list of network devices in use: request a list showing all active network devices in the organisation.

  • Ask for training records on security practices for IT staff: request records of training sessions relating to device security.

  • Ask for evidence of procurement requirements for network devices: confirm that procurement policies or checklists stipulate the need for changing default credentials.

    Good: policies or checklists that specifically require suppliers to provide security guidance.
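
One way to check the evidence described in the audit tips, as an added example (not part of the ISM or of this page's source): it cross-references a device list with a credential-change log and flags devices with no record, a change made after the device went into service, or no named person. The CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from any real environment).
INVENTORY_CSV = """device,in_service
core-sw-01,2025-03-10
edge-rtr-01,2025-04-02
ap-floor2,2025-05-20
branch-fw-01,2025-06-15
"""

CHANGE_LOG_CSV = """device,changed_on,changed_by
core-sw-01,2025-03-08,j.nguyen
edge-rtr-01,2025-04-09,a.patel
branch-fw-01,2025-06-14,
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(inventory_csv, change_log_csv):
    """Return {device: finding} for devices lacking setup-time evidence."""
    # Keep the earliest recorded credential change for each device.
    first_change = {}
    for row in _rows(change_log_csv):
        when = date.fromisoformat(row["changed_on"])
        prev = first_change.get(row["device"])
        if prev is None or when < prev[0]:
            first_change[row["device"]] = (when, row["changed_by"].strip())
    findings = {}
    for row in _rows(inventory_csv):
        name = row["device"]
        in_service = date.fromisoformat(row["in_service"])
        record = first_change.get(name)
        if record is None:
            findings[name] = "no credential change recorded"
        elif record[0] > in_service:
            late = (record[0] - in_service).days
            findings[name] = f"changed {late} days after going into service"
        elif not record[1]:
            findings[name] = "change recorded without a responsible person"
    return findings

if __name__ == "__main__":
    for device, finding in audit(INVENTORY_CSV, CHANGE_LOG_CSV).items():
        print(f"{device}: {finding}")
```

A device that appears in the findings is a candidate for follow-up, not proof that default credentials are still active; the device configuration itself remains the authoritative evidence.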

Cross-framework mappings

How ISM-1304 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.9: ISM-1304 demands that default accounts or credentials on network devices be changed, disabled, or removed at initial setup
  • Annex A 8.20: ISM-1304 requires default user accounts or credentials on network devices (including pre-configured accounts) to be changed, disabled or ...
