Segregation of Administrative Infrastructure from Networks
Administrative systems are isolated from the main network and internet to enhance security.
Plain language
This control means keeping the systems that manage your organisation's infrastructure separate from the regular office network and the internet. It's important because if these critical systems are compromised, hackers could gain control over your essential operations, leading to data breaches or disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System administration
Official control statement
Administrative infrastructure is segregated from the wider network and the internet.
Why it matters
If administrative infrastructure is not segregated from the wider network and internet, attackers can reach privileged management systems and pivot into production to disrupt services or exfiltrate sensitive data.
Operational notes
Verify admin segments are isolated via VLANs/routing and strict firewall ACLs; require access via a hardened jump host; confirm no direct internet connectivity or unintended cross-network routes exist.
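As an added example (not part of the ISM or this Control Stack page), the following Python check reviews an exported allow/deny rule set against the two conditions above: no direct internet egress from the administrative segment, and no path from the office network into that segment except to the jump host. The address plan, the jump host address and the sample rules are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption, not from the control page).
ADMIN_NET = ipaddress.ip_network("10.250.0.0/24")   # administrative infrastructure segment
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")   # wider corporate network
JUMP_HOST = ipaddress.ip_network("10.250.0.10/32")  # hardened jump host inside the admin segment
INTERNAL_NETS = [ADMIN_NET, OFFICE_NET]             # anything outside these is treated as internet-bound

# Constructed firewall export: (action, source, destination, destination port).
SAMPLE_RULES = [
    ("allow", "10.10.0.0/16", "10.250.0.10/32", 22),   # office -> jump host SSH: acceptable
    ("allow", "10.10.0.0/16", "10.250.0.0/24", 3389),  # office -> admin segment directly: violation
    ("allow", "10.250.0.0/24", "0.0.0.0/0", 443),      # admin segment -> internet: violation
    ("allow", "10.250.0.0/24", "10.10.0.0/16", 22),    # admin tooling -> managed office hosts: acceptable
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),          # default deny
]


def find_segregation_violations(rules):
    """Return a list of human-readable findings for allow rules that break segregation."""
    violations = []
    for action, src, dst, dport in rules:
        if action != "allow":
            continue  # only permit rules can open a path
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)

        # Condition 1: the admin segment must have no direct route to non-internal space.
        if src_net.overlaps(ADMIN_NET) and not any(dst_net.subnet_of(n) for n in INTERNAL_NETS):
            violations.append(f"admin segment egress to non-internal destination {dst} port {dport}")

        # Condition 2: the office network may reach the admin segment only via the jump host.
        if (src_net.overlaps(OFFICE_NET) and dst_net.overlaps(ADMIN_NET)
                and not dst_net.subnet_of(JUMP_HOST)):
            violations.append(f"office network reaches admin segment {dst} port {dport} bypassing jump host")
    return violations


if __name__ == "__main__":
    for finding in find_segregation_violations(SAMPLE_RULES):
        print("FINDING:", finding)
```

Routing-table and VLAN checks can be bolted onto the same loop by feeding route entries as allow rules with a destination of 0.0.0.0/0.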
Implementation tips
- IT manager: Separate the network for administrative tasks by building a dedicated network or server that is only used for these activities. This can be done by setting up a separate physical or virtual network that does not connect to the regular networks or the internet.
- System administrator: Ensure access to the administrative network is restricted to only authorised personnel. Set up strict user permissions and ensure that only essential staff have the credentials necessary to access these systems.
- IT support staff: Use secure methods to connect to the administrative network. Implement a virtual private network (VPN) or direct physical access where necessary, ensuring any remote access is secure and logged.
- Security officer: Conduct regular audits and scans of the administrative network to identify any vulnerabilities or unauthorised access attempts. Use security tools to perform these checks and review logs regularly.
- Office manager: Ensure any devices that connect to the administrative network are not used for other internet activities. This includes dedicating specific workstations or laptops solely for administrative tasks, reducing the risk of malware from downloaded files or websites.
Audit / evidence tips
- Ask: network topology diagrams. Request a diagram showing how the administrative infrastructure is separated from other networks.
  Good: The diagram clearly shows a dedicated administrative network that is not directly accessible from the internet or office network.
- Ask: access control policies. Check for documented procedures around who has access to the administrative network.
  Good: Access policies list authorised personnel, define their access levels, and include an approvals process with periodic reviews.
- Ask: logs of access to the administrative network. Request logs showing who accessed the network and when.
  Good: Logs indicate access is restricted to authorised users and contain no unauthorised access attempts.
- Ask: security scan reports. Request reports from recent security audits or vulnerability scans of the administrative network.
  Good: Reports show regular scans conducted with issues promptly addressed and documented fixes.
- Ask: training records. Request records of training provided to staff who maintain or use the administrative network.
  Good: Training records show all staff with administrative access have completed security training within the last year.
Cross-framework mappings
How ISM-1385 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.22 | Annex A 8.22 requires segregating groups of systems, services and users within organisational networks to limit compromise spread and con... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| E8-RA-ML1.3 | E8-RA-ML1.3 requires privileged accounts to be prevented from accessing internet, email, and web services, reducing compromise pathways | |
| E8-RA-ML3.2 | E8-RA-ML3.2 requires administrative activities to be performed only from Secure Admin Workstations (SAWs) | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.