ISM-1380 ASD Information Security Manual (ISM)

Use Separate Privileged and Unprivileged Environments

Privileged users should work in distinct environments to increase security and reduce risks.

Preventative ML1 ML2 ML3 Non-classified OFFICIAL: Sensitive PROTECTED SECRET TOP SECRET ASD Information Security Manual Governance Environment separation Privileged access

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2021

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML1, ML2, ML3

Guideline

Guidelines for system management

Section

System administration

Topic

Separate Privileged Operating Environments

Official control statement

Privileged users use separate privileged and unprivileged operating environments.

Source: ASD Information Security Manual (ISM)

Plain language

This control means that people who have special access to sensitive information or systems should use separate computers or devices for their daily tasks and their more sensitive work. It's important because if their everyday work environment gets compromised, it won't affect the secure work they do with privileged access. Without this separation, there's a higher risk that a security breach could lead to significant data loss or operational disruptions.

Why it matters

Without separate environments, privileged accounts exposed to daily threats can lead to devastating breaches and unauthorised access.

Operational notes

Use a dedicated admin workstation/VM for privileged logons and keep email/web browsing to an unprivileged profile; enforce separate credentials and sessions.

Implementation tips

The IT team should set up different devices or virtual environments for employees with access to sensitive systems. They can do this by providing a dedicated work laptop for sensitive tasks while maintaining a separate one for general activities.
Managers should train privileged users on which tasks to perform in each environment. Organise a training session that clearly outlines the type of work that should be done on each device and why it matters for security.
System administrators should install and configure distinct software on the privileged environment. Only the tools and applications necessary for secure tasks should be installed on the restricted access device to limit vulnerabilities.
HR should update job descriptions and contracts to reflect the responsibility of using separate environments. They should ensure that all new and current employees acknowledge and understand their specific duties and the reasons behind using separate devices.
The compliance team should regularly review and monitor usage policies to ensure they are being followed. They should implement a strategy to spot-check log files and activity reports to verify compliance with separate usage guidelines.

Audit / evidence tips

Ask: the list of employees with privileged access

Good: shows all privileged users have the correct setup assigned
Good: shows distinct allocations with security software properly implemented
Good: includes complete attendance records and comprehensive material that reflects training on why and how to use separate environments
Ask: policy documents on device usage and data handling specific to privileged access. Examine the guidelines and enforcement actions stated

Good: shows active and clear policies with outlined consequences for non-compliance
Good: provides a clear trail of check results and follow-up actions where irregularities were found

Cross-framework mappings

How ISM-1380 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

E8

Control	Notes	Details
Partially overlaps (2)
E8-RA-ML1.7	E8-RA-ML1.7 requires that privileged accounts cannot log on to unprivileged operating environments, enforcing separation of where privile...
E8-RA-ML2.3	E8-RA-ML2.3 requires that privileged operating environments are not virtualised within unprivileged ones
Supports (2)
E8-RA-ML1.3	ISM-1380 mandates the use of separate environments for privileged activities, whereas E8-RA-ML1.3 supports this separation indirectly by ...
E8-RA-ML1.6	E8-RA-ML1.6 requires that unprivileged accounts cannot logon to privileged operating environments
Related (1)
E8-RA-ML1.5	E8-RA-ML1.5 requires privileged users to use separate privileged and unprivileged operating environments for administrative versus routin...