Implement Multi-factor Authentication
Users need multiple forms of ID to access sensitive online services, enhancing security.
Plain language
Multi-factor authentication means using more than just a password to log into important online services. It’s like needing both a key and a swipe card to get into a building. This matters because if someone only needs a password, they could break into your sensitive data if they steal or guess it. Using multiple forms of ID makes it much harder for them to do that.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Multi-factor authentication is used to authenticate users to their organisation's online services that process, store or communicate their organisation's sensitive data.
Why it matters
Without multi-factor authentication, attackers can use stolen or guessed passwords to access sensitive online services, leading to data theft or unauthorised changes.
Operational notes
Monitor MFA enrolment rates and authentication failures; remove legacy exceptions that still allow password-only access; test break-glass accounts so they work when needed and are alerted on when used; and review factor strength for sensitive online services, since not all second factors resist phishing equally.
Implementation tips
- IT staff should set up multi-factor authentication (MFA) for all online services that process, store or communicate sensitive data, not only those that store it. A common approach is an authenticator app on staff members' phones that generates a short-lived one-time code which must be entered alongside the password.
- Managers should ensure that all employees understand why MFA is important. Organise a short training session explaining how it protects their personal and work data from being easily accessed by unauthorised people.
- The IT team should regularly review and update the list of systems that require MFA. Check for any new services or changes in how data is accessed and ensure MFA is applied.
- HR should incorporate MFA requirements into onboarding processes for new staff. When setting up employees' access to systems, ensure they are shown how to set up and use their second form of ID.
- Ask vendors whether their systems support MFA and select products that help safeguard your organisation's data.
Audit / evidence tips
- Ask for the MFA setup documentation for online services: Request the specific configuration or system guide that outlines how MFA is implemented. Good: the document clearly indicates that MFA is set up for all relevant high-risk services.
- Ask HR for records of MFA training: Request the training logs or materials given to staff about MFA.
- Ask for a recent audit report detailing MFA checks: Request the latest internal or external audit that reviews MFA usage across sensitive systems.
- Ask for evidence of regular MFA reviews: Request any reports or meeting minutes discussing MFA assessments. Good: the review process is scheduled regularly and contains insights into improving security.
- Ask to see procurement records for any new software: Request documents showing the inclusion of MFA requirements in purchasing.
Cross-framework mappings
How ISM-1504 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.5 (Secure authentication) | ISM-1504 requires MFA for authenticating users to the organisation's online services that process, store or communicate sensitive data |
| Related | Annex A 6.7 (Remote working) | Annex A 6.7 requires organisations to implement security measures to protect information accessed, processed or stored while personnel wo... |
E8
| Relationship | Number of Essential Eight controls |
|---|---|
| Partially meets | 1 |
| Partially overlaps | 5 |
| Supports | 3 |
| Related | 1 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.