ISM-1401 (ASD Information Security Manual)

Implement Multi-Factor Authentication for Security

Users must present more than one authentication factor before they are granted access.


Plain language

Multi-factor authentication means using more than just a password to log into your systems. It's like adding an extra lock on your door – it makes it much harder for someone to sneak in. If you don't have this, a hacker could easily guess or steal a password and access your sensitive information, causing disruptions and potentially financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS (Non-classified, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET)

ISM last updated

Aug 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.

Why it matters

Without MFA, stolen credentials can grant unauthorised access, enabling account takeover, data breaches and significant business disruption.


Operational notes

Review MFA enrolment and token/app lifecycle, promptly revoke lost factors, and ensure MFA is enforced for remote and privileged access to reduce takeover risk.
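The control statement above defines MFA as a knowledge factor combined with a possession factor, and the operational notes ask for lost factors to be revoked promptly. The following is an added example, not ISM text and not a Control Stack implementation, showing what that looks like in code: a password (something the user knows) checked alongside an RFC 6238 TOTP code (something the user has), with replay protection and factor revocation. The account store, the function names (enrol, revoke_totp, authenticate) and the sample secret and password are constructed for illustration.

```python
"""Two-factor verifier: password (knowledge) plus TOTP code (possession).
Added example; account structure, names and sample values are constructed."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple

STEP_SECONDS = 30      # RFC 6238 default time step
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes]   # None once the possession factor is revoked
    last_counter: int = -1         # highest TOTP step already accepted (replay guard)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enrol(password: str, totp_secret: bytes) -> Account:
    """Constructed enrolment: salted PBKDF2 password hash plus a shared TOTP seed."""
    salt = os.urandom(16)
    return Account(salt, _hash_password(password, salt), totp_secret)


def revoke_totp(acct: Account) -> None:
    """Lost or compromised authenticator: drop the factor so it can no longer be used."""
    acct.totp_secret = None


def authenticate(acct: Account, password: str, code: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    now = time.time() if now is None else now

    # Knowledge factor: constant-time comparison of the derived hash.
    pw_ok = hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)

    # Possession factor: accept the current step and one step either side for
    # clock drift, but never a step at or below one that was already consumed.
    code_ok, matched = False, -1
    if acct.totp_secret is not None:
        current = int(now) // STEP_SECONDS
        for c in (current - 1, current, current + 1):
            expected = hotp(acct.totp_secret, c).encode()
            if c > acct.last_counter and hmac.compare_digest(expected, code.encode()):
                code_ok, matched = True, c

    if pw_ok and code_ok:
        acct.last_counter = matched
        return True, "ok"
    # Both factors are always evaluated and the failure reason is not disclosed,
    # so an attacker holding one factor learns nothing about the other.
    return False, "authentication failed"
```

Both factors are evaluated on every attempt and only a single generic failure is returned; reporting "wrong password" separately from "wrong code" would tell an attacker which factor they already hold. The replay guard means a code captured from one login cannot be reused within the drift window, and revocation removes the possession factor outright rather than merely flagging it.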


Implementation tips

  • Business owners should prioritise implementing multi-factor authentication (MFA) by selecting an MFA solution suited for their organisation's needs. Research reputable vendors that offer solutions combining passwords, mobile apps, or biometric confirmation.
  • IT teams should enable MFA on all critical systems by setting up the necessary infrastructure. This includes configuring systems to require an additional form of verification such as an authenticator-app code, a hardware token or a fingerprint scan. SMS codes are the weakest option and should be avoided where a stronger factor is available.
  • HR should communicate and train employees about the MFA process to ensure understanding and compliance. Use easy-to-follow guides and conduct training sessions that demonstrate how to set up and use MFA.
  • Managers should regularly review and update user access levels and MFA setups. Check in with users to see if any staff have changed roles, ensuring their MFA settings reflect their new responsibilities.
  • Procurement teams should ensure any new software or technology considers MFA compatibility. When purchasing or subscribing to services, verify they support MFA capabilities as a selection criterion.

Audit / evidence tips

  • Ask for the organisation's multi-factor authentication policy: review the policy document to ensure it mandates MFA for all critical systems.
    Good evidence: a detailed policy that has been recently reviewed and updated.

  • Ask for authentication logs: review them for MFA enforcement on remote and privileged access.
    Good evidence: logs showing consistent MFA activity without gaps.

  • Ask for user training records related to MFA: review attendance records and materials from training sessions on MFA usage.
    Good evidence: up-to-date records showing widespread dissemination and understanding of MFA.

  • Ask for a list of systems with MFA enabled: review it against inventory records to ensure all critical systems require MFA.
    Good evidence: a complete list matching the critical systems inventory.

  • Ask for records of MFA-related incidents (such as lost or compromised factors): review how quickly factors were revoked and replaced.
    Good evidence: a documented process showing responsive and thorough handling of incidents.


Cross-framework mappings

How ISM-1401 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

Essential Eight (E8) mapping summary:

  • Partially meets (3)
  • Partially overlaps (2)
  • Supports (2)
  • Depends on (2)
  • Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
