ISM-1402 ASD Information Security Manual (ISM)

Protecting Stored Credentials with Security Measures

Store credentials securely using a password manager or a hardware security module, or salt, hash and stretch them before they are written to a database.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database.

Source: ASD Information Security Manual (ISM)

Plain language

Storing credentials safely is like locking away your most important keys and passwords so only you can access them. If this isn't done, your sensitive information like bank details or personal data could be at risk of being stolen, leading to potential financial loss or identity theft.

Why it matters

If credentials aren’t stored in a password manager, HSM, or salted/hashed/stretched in a database, attackers can recover passwords and gain unauthorised access.

Operational notes

Ensure stored credentials are only kept in an approved password manager or HSM; for databases, verify salting plus strong hashing and stretching parameters and review them periodically.

Implementation tips

  • The IT team should implement a password manager to store credentials securely. They can do this by researching and selecting a reputable password manager and ensuring all staff are trained on how to use it effectively.
  • System administrators should use a hardware security module to enhance the protection of stored credentials. This involves setting up the hardware module to work with your existing systems and ensuring it is configured to encrypt sensitive information.
  • Managers should ensure that stored passwords and credentials are protected through techniques like salting and hashing before they go into a database. This means using software tools to transform the credentials so they are not stored in their original form.
  • The IT department should stretch passwords in databases to make them stronger against attacks. They can accomplish this by applying algorithms that increase the time it takes for passwords to be cracked by unauthorised users.
  • HR and IT should collaborate to periodically review and update the way credentials are stored to adapt to new security threats. They should schedule regular check-ins to audit credential storage practices and make improvements as needed.
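The operational notes and the implementation tips above both come down to the same mechanics for the database case: a unique random salt per credential, a slow (stretched) hash, a constant-time comparison at login, and a periodic check that the stored parameters still meet policy. The following Python is an added example, not code from Control Stack or the ISM. It uses PBKDF2-HMAC-SHA256 from the standard library; the record format (`pbkdf2_sha256$iterations$salt$hash`) and the policy thresholds (`MIN_ITERATIONS`, `MIN_SALT_BYTES`) are constructed for the example, and an organisation would set its own from current guidance.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Policy thresholds for this example (constructed values, not from the ISM).
# These are the parameters an auditor would verify and review periodically.
ALGORITHM = "sha256"
MIN_ITERATIONS = 600_000   # stretching: work factor applied to every guess
MIN_SALT_BYTES = 16        # salting: unique random value per credential


def hash_password(password: str, iterations: int = MIN_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salt, hash and stretch a password with PBKDF2-HMAC and return a
    self-describing record: pbkdf2_<alg>$<iterations>$<salt_hex>$<hash_hex>.
    A fresh salt is generated unless one is supplied (tests only)."""
    if salt is None:
        salt = secrets.token_bytes(MIN_SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                  salt, iterations)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def _parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored record into (algorithm, iterations, salt, hash)."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if not scheme.startswith("pbkdf2_"):
        raise ValueError(f"unsupported scheme: {scheme}")
    return (scheme[len("pbkdf2_"):], int(iterations),
            bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time; the plaintext credential is never stored."""
    algorithm, iterations, salt, expected = _parse_record(record)
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def check_storage_parameters(record: str) -> List[str]:
    """Audit one stored record against the policy thresholds.
    Returns a list of findings; an empty list means the record is compliant."""
    findings: List[str] = []
    algorithm, iterations, salt, _ = _parse_record(record)
    if algorithm != ALGORITHM:
        findings.append(f"algorithm {algorithm} is not the approved {ALGORITHM}")
    if iterations < MIN_ITERATIONS:
        findings.append(f"iterations {iterations} below minimum {MIN_ITERATIONS}")
    if len(salt) < MIN_SALT_BYTES:
        findings.append(f"salt is {len(salt)} bytes, minimum is {MIN_SALT_BYTES}")
    return findings


def needs_rehash(record: str) -> bool:
    """True when a record should be upgraded at the next successful login,
    which is when the plaintext is legitimately available to re-hash it."""
    return bool(check_storage_parameters(record))


def audit_credential_store(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the parameter check over a whole credential table and return
    {record_id: findings} for the records that fail, as review evidence."""
    report: Dict[str, List[str]] = {}
    for record_id, record in records.items():
        findings = check_storage_parameters(record)
        if findings:
            report[record_id] = findings
    return report


if __name__ == "__main__":
    # Constructed sample store: one current record and one legacy record
    # written with a short salt and a low iteration count.
    store = {
        "alice": hash_password("correct horse battery staple"),
        "legacy-svc": hash_password("service-pw", iterations=1_000,
                                    salt=b"\x00\x01\x02\x03"),
    }
    print("alice login ok:", verify_password("correct horse battery staple",
                                             store["alice"]))
    for rid, findings in audit_credential_store(store).items():
        print(f"{rid}: {'; '.join(findings)}")
```

The `needs_rehash` check is the practical hook for the "review periodically" part of the operational notes: when the minimums are raised, existing records are flagged and transparently upgraded at each user's next login rather than requiring a password reset.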

Audit / evidence tips

  • Ask: for a demonstration of the password manager software in use. Check that all critical systems use the selected password manager and that staff are trained on it.

    Good: a list of all active accounts whose updated credentials are securely stored within the manager.

  • Good: evidence that all necessary systems integrate with the hardware security module, with logs indicating regular use.

  • Good: detailed records of the salting and hashing techniques implemented and their effective use.

  • Good: documentation of the stretching methods applied and any testing results showing increased password resilience.

  • Ask: to see evidence of regular credential storage reviews. Review meeting records to confirm they record identified weaknesses and proposed improvements.

    Good: a documented record of continuous improvements with assigned actions and completion dates.

Cross-framework mappings

How ISM-1402 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 5.17 ISM-1402 requires organisations to protect stored credentials using password managers, HSMs, or secure hashing methods before storage
Related (1)
Annex A 8.24 ISM-1402 requires secure protection of stored credentials, including the use of HSMs and cryptographic techniques such as salting, hashin...

E8

Control Notes Details
Supports (2)
E8-RA-ML3.5 ISM-1402 requires organisations to protect stored credentials using secure storage mechanisms (e.g., password managers, HSMs, or robust h...
E8-RA-ML3.6 ISM-1402 requires credentials stored on systems to be protected using mechanisms such as password managers, hardware security modules, or...
