Use Separate Privileged and Unprivileged Environments
Privileged users should work in distinct environments to increase security and reduce risks.
Plain language
This control means that people who have special access to sensitive information or systems should use separate computers or devices for their daily tasks and their more sensitive work. It's important because if their everyday work environment gets compromised, it won't affect the secure work they do with privileged access. Without this separation, there's a higher risk that a security breach could lead to significant data loss or operational disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system managementSection
System administrationOfficial control statement
Privileged users use separate privileged and unprivileged operating environments.
Why it matters
Without separate environments, privileged accounts exposed to daily threats can lead to devastating breaches and unauthorised access.
Operational notes
Use a dedicated admin workstation/VM for privileged logons and keep email/web browsing to an unprivileged profile; enforce separate credentials and sessions.
Implementation tips
- The IT team should set up different devices or virtual environments for employees with access to sensitive systems. They can do this by providing a dedicated work laptop for sensitive tasks while maintaining a separate one for general activities.
- Managers should train privileged users on which tasks to perform in each environment. Organise a training session that clearly outlines the type of work that should be done on each device and why it matters for security.
- System administrators should install and configure distinct software on the privileged environment. Only the tools and applications necessary for secure tasks should be installed on the restricted access device to limit vulnerabilities.
- HR should update job descriptions and contracts to reflect the responsibility of using separate environments. They should ensure that all new and current employees acknowledge and understand their specific duties and the reasons behind using separate devices.
- The compliance team should regularly review and monitor usage policies to ensure they are being followed. They should implement a strategy to spot-check log files and activity reports to verify compliance with separate usage guidelines.
Audit / evidence tips
-
Askthe list of employees with privileged access
Goodshows all privileged users have the correct setup assigned
-
Goodshows distinct allocations with security software properly implemented
-
Goodincludes complete attendance records and comprehensive material that reflects training on why and how to use separate environments
-
Askpolicy documents on device usage and data handling specific to privileged access. Examine the guidelines and enforcement actions stated
Goodshows active and clear policies with outlined consequences for non-compliance
-
Goodprovides a clear trail of check results and follow-up actions where irregularities were found
Cross-framework mappings
How ISM-1380 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| E8-RA-ML1.6 | E8-RA-ML1.6 requires that unprivileged accounts are prevented from logging on to privileged operating environments | |
| handshake Supports (3) expand_less | ||
| E8-RA-ML1.3 | ISM-1380 mandates the use of separate environments for privileged activities, whereas E8-RA-ML1.3 supports this separation indirectly by ... | |
| E8-RA-ML1.7 | E8-RA-ML1.7 requires preventing privileged accounts (excluding local administrator accounts) from logging on to unprivileged operating en... | |
| E8-RA-ML2.3 | E8-RA-ML2.3 requires that privileged operating environments are not virtualised within unprivileged operating environments to maintain st... | |
| link Related (1) expand_less | ||
| E8-RA-ML1.5 | E8-RA-ML1.5 requires privileged users to use separate privileged and unprivileged operating environments to isolate admin activity from d... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.