Disabling Inactive User Access After 45 Days
If a user doesn't use their system access for 45 days, it's disabled to keep the system secure.
Plain language
Every 45 days, if someone hasn't used their access to a system, it gets turned off. This helps protect your organisation by making sure only active and engaged users can access important systems, reducing the risk of unauthorised access if an account is forgotten or abandoned.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Unprivileged access to systems and their resources are disabled after 45 days of inactivity.
Why it matters
If inactive unprivileged accounts aren’t disabled after 45 days, stale credentials can be exploited for unauthorised access and data compromise.
Operational notes
Review last logon/activity regularly and automatically disable unprivileged user accounts after 45 days of inactivity, with documented reactivation approval.
Implementation tips
- The IT team should set up an automated system to track user activity. Use software that logs user logins and flags any account that hasn't been accessed in 45 days. This helps ensure that inactive accounts can be disabled promptly without manual tracking.
- HR should regularly update the IT team about employee status. Inform the IT team when staff leave or change roles to ensure that access is disabled if it's no longer needed. This coordination helps prevent security gaps when personnel changes occur.
- Managers should communicate the importance of logging in regularly. Encourage employees to access required systems at least once a month to maintain their access. This practice keeps employees engaged and ensures their access rights remain relevant.
- The IT team should develop a procedure for reactivating accounts. Create a simple process for users to request access restoration if needed, including approvals from their manager. This ensures that the system is secure but still responsive to business needs.
- The security officer should train staff annually on secure access habits. Include guidance on logging out after use and using access only when needed. Training reinforces the importance of maintaining secure access controls within the organisation.
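The operational note and the first and fourth implementation tips describe one procedure: track last logon, disable unprivileged accounts once 45 days of inactivity have passed, and reactivate only with documented approval. The following Python is an added example of that procedure written for this page; it is not code from Control Stack, ASD or the ISM. The account records, timestamps and the `disable_fn` callback (standing in for whatever directory or IAM API is actually used) are constructed assumptions. It also covers two edge cases the tips leave implicit: an account that has never logged on is measured from its creation date, and privileged accounts are skipped because ISM-1404 covers unprivileged access only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

INACTIVITY_LIMIT = timedelta(days=45)  # threshold from the control statement


@dataclass
class Account:
    username: str
    privileged: bool                 # ISM-1404 applies to unprivileged access only
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]   # None means the account has never been used


def is_stale(account: Account, now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> bool:
    """True if an enabled, unprivileged account has had no logon within the limit.

    A never-used account is measured from its creation date, so a provisioned
    but never-claimed account is disabled on the same timeline as an abandoned one.
    """
    if not account.enabled or account.privileged:
        return False
    last_activity = account.last_logon if account.last_logon is not None else account.created
    return now - last_activity > limit


def disable_stale_accounts(accounts: list, now: datetime,
                           disable_fn: Callable[[str], None]) -> list:
    """Disable every stale account via disable_fn (hypothetical directory call)
    and return one audit record per action, which is the evidence of
    'regular deactivations in line with policy'."""
    records = []
    for acct in accounts:
        if is_stale(acct, now):
            disable_fn(acct.username)
            acct.enabled = False
            records.append({"username": acct.username, "action": "disabled",
                            "reason": f"no activity for more than {INACTIVITY_LIMIT.days} days",
                            "when": now.isoformat()})
    return records


def reactivate(account: Account, approval_ticket: str, now: datetime) -> dict:
    """Re-enable a disabled account only when a manager approval reference is recorded."""
    if not approval_ticket:
        raise ValueError("reactivation requires a documented approval")
    account.enabled = True
    account.last_logon = now  # restart the 45-day clock from the reactivation
    return {"username": account.username, "action": "reactivated",
            "approval": approval_ticket, "when": now.isoformat()}


def user_access_report(accounts: list, now: datetime) -> list:
    """One row per account: last logon date, or 'disabled' status if unused.
    This is the report an auditor asks the IT team for."""
    rows = []
    for a in accounts:
        last_activity = a.last_logon if a.last_logon is not None else a.created
        rows.append({"username": a.username,
                     "status": "enabled" if a.enabled else "disabled",
                     "last_logon": a.last_logon.date().isoformat() if a.last_logon else "never",
                     "days_inactive": (now - last_activity).days})
    return rows


# Constructed sample directory; all names and timestamps are invented for this example.
NOW = datetime(2026, 3, 19, tzinfo=timezone.utc)
UTC = timezone.utc


def sample_accounts() -> list:
    return [
        Account("alice", False, True, datetime(2025, 1, 10, tzinfo=UTC), datetime(2026, 3, 1, tzinfo=UTC)),  # 18 days idle
        Account("bob", False, True, datetime(2025, 1, 10, tzinfo=UTC), datetime(2026, 1, 5, tzinfo=UTC)),    # 73 days idle
        Account("carol", False, True, datetime(2025, 12, 1, tzinfo=UTC), None),   # never used, created 108 days ago
        Account("dave", False, True, datetime(2026, 3, 1, tzinfo=UTC), None),     # never used, created 18 days ago
        Account("eve-admin", True, True, datetime(2025, 1, 10, tzinfo=UTC), datetime(2025, 10, 1, tzinfo=UTC)),  # privileged
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    for record in disable_stale_accounts(accounts, NOW, lambda user: print(f"disable {user}")):
        print(record)
    for row in user_access_report(accounts, NOW):
        print(row)
```

Run as-is it disables `bob` (73 days idle) and `carol` (never used, 108 days since creation), leaves `dave` alone because his account is only 18 days old, and skips `eve-admin` as out of scope. In a real deployment `disable_fn` would call the directory's disable API and the records would be written to a ticketing system or log store rather than printed.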
Audit / evidence tips
- Ask: the user access report from the IT team. Good: shows all user accounts with a 'last login' date within the last 45 days or a status of 'disabled' if not used.
- Good: provides evidence of regular deactivations in line with policy.
- Ask: to see the HR to IT update procedure. Check that there's a documented process for updating user statuses with timelines for communication. Good: includes clear instructions and demonstrates routine updates.
- Good: shows a documented request and approval for each reactivated account.
- Ask: records of staff training sessions on security. Good: includes a training schedule, participant lists, and session summaries indicating discussion of access controls.
Cross-framework mappings
How ISM-1404 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.15 | ISM-1404 mandates a specific access control rule: disabling unprivileged access after 45 days of inactivity |
| Related | Annex A 5.18 | Annex A 5.18 requires organisations to remove or adjust access rights in line with policy and business rules, including when access is no... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.