ISM-1385 | Policy | ASD Information Security Manual (ISM)

Segregation of Administrative Infrastructure from Networks

Administrative systems are isolated from the main network and internet to enhance security.


Plain language

This control means keeping the systems that manage your organisation's infrastructure separate from the regular office network and the internet. It's important because if these critical systems are compromised, hackers could gain control over your essential operations, leading to data breaches or disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Administrative infrastructure is segregated from the wider network and the internet.

Why it matters

If administrative infrastructure is not segregated from the wider network and internet, attackers can reach privileged management systems and pivot into production to disrupt services or exfiltrate sensitive data.


Operational notes

Verify admin segments are isolated via VLANs/routing and strict firewall ACLs; require access via a hardened jump host; confirm no direct internet connectivity or unintended cross-network routes exist.


Implementation tips

  • IT manager: Separate the network for administrative tasks by building a dedicated network or server that is only used for these activities. This can be done by setting up a separate physical or virtual network that does not connect to the regular networks or the internet.
  • System administrator: Ensure access to the administrative network is restricted to only authorised personnel. Set up strict user permissions and ensure that only essential staff have the credentials necessary to access these systems.
  • IT support staff: Use secure methods to connect to the administrative network. Implement a virtual private network (VPN) or direct physical access where necessary, ensuring any remote access is secure and logged.
  • Security officer: Conduct regular audits and scans of the administrative network to identify any vulnerabilities or unauthorised access attempts. Use security tools to perform these checks and review logs regularly.
  • Office manager: Ensure any devices that connect to the administrative network are not used for other internet activities. This includes dedicating specific workstations or laptops solely for administrative tasks, reducing the risk of malware from downloaded files or websites.
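The operational note above says to verify that the admin segment is isolated by routing and firewall ACLs, that access goes through a hardened jump host, and that no direct internet path exists. The following is an added example (not code from the ISM or the Control Stack page) of turning those three checks into a repeatable test over a firewall ruleset. The address plan (10.99.0.0/24 for admin infrastructure, 10.10.0.0/16 for the office network, 10.99.0.10 as the jump host, a TEST-NET-3 address standing in for the internet), the Rule data model and the first-match ACL semantics are all assumptions made for the example; a real deployment would feed it the exported rules of its own firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan used only for this example (an assumption, not
# values from the ISM or the Control Stack page).
ADMIN_NET = ipaddress.ip_network("10.99.0.0/24")      # administrative infrastructure
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")     # wider corporate network
JUMP_HOST = ipaddress.ip_address("10.99.0.10")        # hardened jump host inside the admin segment
JUMP_HOST_NET = ipaddress.ip_network(f"{JUMP_HOST}/32")
ANY = ipaddress.ip_network("0.0.0.0/0")
EXTERNAL_HOST = ipaddress.ip_address("203.0.113.5")   # stands in for "the internet" (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


def evaluate(rules: List[Rule], src, dst, dport: int) -> str:
    """First-match ACL evaluation with an implicit deny when nothing matches."""
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"


def check_segregation(rules: List[Rule], admin_net=ADMIN_NET, office_net=OFFICE_NET,
                      jump_host=JUMP_HOST) -> List[str]:
    """Probe the ruleset with flows that must be blocked (or allowed) for the
    admin segment to count as segregated. Returns a list of findings; an empty
    list means every probe behaved as required."""
    admin_host = admin_net[20]     # an arbitrary admin server
    office_host = office_net[50]   # an arbitrary office workstation
    findings = []

    # 1. Admin infrastructure must have no path to the internet.
    for port in (80, 443, 53):
        if evaluate(rules, admin_host, EXTERNAL_HOST, port) == "allow":
            findings.append(f"admin host can reach the internet on tcp/{port}")

    # 2. The internet must have no path into the admin segment, jump host included.
    if evaluate(rules, EXTERNAL_HOST, admin_host, 22) == "allow":
        findings.append("internet can reach an admin server on tcp/22")
    if evaluate(rules, EXTERNAL_HOST, jump_host, 22) == "allow":
        findings.append("internet can reach the jump host on tcp/22")

    # 3. Office hosts must not reach admin servers directly ...
    for port in (22, 3389, 443):
        if evaluate(rules, office_host, admin_host, port) == "allow":
            findings.append(f"office host bypasses the jump host to an admin server on tcp/{port}")

    # 4. ... but must be able to reach the jump host, and only on SSH.
    if evaluate(rules, office_host, jump_host, 22) != "allow":
        findings.append("office cannot reach the jump host on tcp/22 (administrators locked out)")
    if evaluate(rules, office_host, jump_host, 3389) == "allow":
        findings.append("office can reach the jump host on tcp/3389 (only ssh expected)")
    return findings


# Weak ruleset: the admin VLAN is routed like any other segment.
WEAK_RULES = [
    Rule(OFFICE_NET, ADMIN_NET, None, "allow"),
    Rule(ADMIN_NET, ANY, None, "allow"),
]

# Corrected ruleset: office -> jump host on 22 only, jump host -> admin segment,
# explicit deny for everything else (including any admin -> internet flow).
HARDENED_RULES = [
    Rule(OFFICE_NET, JUMP_HOST_NET, 22, "allow"),
    Rule(JUMP_HOST_NET, ADMIN_NET, None, "allow"),
    Rule(ANY, ANY, None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, check_segregation(rules) or ["segregated"])
```

Run against the weak ruleset the check reports seven findings (three admin-to-internet paths, three office-to-admin bypasses, and RDP to the jump host); the hardened ruleset reports none. The value of expressing the requirement as probes rather than by reading rules is that it catches a broad allow buried above a deny, which is the usual way an "isolated" segment quietly stops being isolated.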

Audit / evidence tips

  • Ask: Network topology diagrams. Request a diagram showing how the administrative infrastructure is separated from other networks. Good evidence: the diagram clearly shows a dedicated administrative network that is not directly accessible from the internet or office network.
  • Ask: Access control policies. Check for documented procedures around who has access to the administrative network. Good evidence: access policies list authorised personnel, define their access levels, and include an approvals process with periodic reviews.
  • Ask: Logs of access to the administrative network. Request logs showing who accessed the network and when. Good evidence: logs indicate access is restricted to authorised users and contain no unauthorised access attempts.
  • Ask: Security scan reports. Request reports from recent security audits or vulnerability scans of the administrative network. Good evidence: reports show regular scans conducted with issues promptly addressed and documented fixes.
  • Ask: Training records. Request records of training provided to staff who maintain or use the administrative network. Good evidence: training records show all staff with administrative access have completed security training within the last year.
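The audit tip on access logs asks the reviewer to confirm that access is restricted to authorised users and that no unauthorised attempts appear. Added here as an example (not code from the ISM or the Control Stack page) is a small review of sshd-style log lines from an admin server that checks each successful login against an authorised list, against the expectation that sessions originate from the jump host, and against the expectation of key-based rather than password authentication, and that tallies failed attempts by source. The log lines, the authorised user list, the jump host address 10.99.0.10 and the admin segment 10.99.0.0/24 are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import List

# Constructed values for the example (assumptions, not from the page).
AUTHORISED_ADMINS = {"alice", "bob"}
JUMP_HOST = "10.99.0.10"
ADMIN_NET = ipaddress.ip_network("10.99.0.0/24")

# Constructed sshd-style lines as an admin server might emit them; not real logs.
SAMPLE_LOG = """\
Mar 19 09:01:12 admin-db01 sshd[2101]: Accepted publickey for alice from 10.99.0.10 port 51122 ssh2
Mar 19 09:05:40 admin-db01 sshd[2150]: Accepted publickey for bob from 10.99.0.10 port 51310 ssh2
Mar 19 09:07:03 admin-db01 sshd[2177]: Failed password for root from 10.10.4.77 port 40211 ssh2
Mar 19 09:09:55 admin-db01 sshd[2190]: Accepted password for carol from 10.10.4.77 port 40290 ssh2
Mar 19 09:12:30 admin-db01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 33001 ssh2
"""

# Captures: outcome, auth method, user name, source address.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port"
)


def review_access_log(text: str, authorised=AUTHORISED_ADMINS,
                      jump_host=JUMP_HOST, admin_net=ADMIN_NET) -> List[str]:
    """Return findings that an auditor would want explained; an empty list means
    every successful login was an authorised user, via the jump host, by key."""
    findings = []
    failures = Counter()
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # unrelated line; a fuller review would count these too
        outcome, method, user, src = match.groups()
        if outcome == "Failed":
            failures[src] += 1
            continue
        if user not in authorised:
            findings.append(f"successful login by unauthorised user {user!r} from {src}")
        if src != jump_host:
            findings.append(f"successful login for {user!r} from {src}, bypassing the jump host")
        if method != "publickey":
            findings.append(f"successful {method} login for {user!r}; key-based auth expected")
    for src, count in failures.items():
        where = "inside" if ipaddress.ip_address(src) in admin_net else "outside"
        findings.append(f"{count} failed attempt(s) from {src} ({where} the admin segment)")
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the review returns five findings: three for carol's session (unlisted user, source outside the jump host, password authentication) and one per source of failed attempts. The failed attempt from 203.0.113.9 is the one an auditor should pursue first, since any attempt arriving from outside the admin segment is itself evidence that the segregation required by this control is not complete.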

Cross-framework mappings

How ISM-1385 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
  • Annex A 8.22: requires segregating groups of systems, services and users within organisational networks to limit compromise spread and con...

E8

Supports (2)
  • E8-RA-ML1.3: requires privileged accounts to be prevented from accessing internet, email, and web services, reducing compromise pathways.
  • E8-RA-ML3.2: requires administrative activities to be performed only from Secure Admin Workstations (SAWs).

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
