Implement Multi-factor Authentication for Data Repositories
Require multi-factor authentication for accessing data storage to enhance security.
Plain language
This control means that when people try to access your important data storage systems, they have to pass an extra layer of security called multi-factor authentication. It matters because if someone steals a password, this extra step can prevent them from getting into your systems and stealing sensitive information or causing other harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Multi-factor authentication is used to authenticate users of data repositories.
Why it matters
Without MFA for data repositories, stolen credentials can enable unauthorised access to sensitive data, causing breach, disruption and reputational harm.
Operational notes
Monitor repository sign-in and MFA logs for failures or anomalies; enforce enrolment, test MFA regularly, and promptly remediate accounts not using MFA.
Implementation tips
- The IT team should enable multi-factor authentication on all systems storing critical data. This can be done by adding a requirement for users to enter a code sent to their mobile phone or use a fingerprint scan after entering their password.
- Managers should ensure all staff are trained in how to use multi-factor authentication. They can organise training sessions that demonstrate how to set up their mobile phones or other devices to receive authentication codes.
- The procurement office should consider multi-factor authentication capabilities as a requirement when purchasing new software. When evaluating options, they should look for solutions that offer easy-to-use authentication features.
- The HR department should incorporate multi-factor authentication into their onboarding process. This involves setting up new employees with accounts that require this extra security step right from the start.
- The IT team should regularly review the effectiveness of the multi-factor authentication system. Periodically test the system by attempting to access it using only a password to ensure the extra layer is functioning.
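The operational notes above (monitoring sign-in and MFA logs for failures and anomalies, remediating accounts not using MFA) and the last implementation tip (confirming that password-only access is blocked) can both be checked from a repository's sign-in audit log. The script below is an added example, not part of the ISM or of Control Stack; the newline-delimited JSON event format, its field names, the sample events and the failure threshold of three are all constructed assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample sign-in events for hypothetical data repositories (not real logs).
SAMPLE_LOG = """\
{"ts":"2026-03-19T08:01:10Z","user":"alice","repo":"finance-db","result":"success","mfa":"passed"}
{"ts":"2026-03-19T08:03:42Z","user":"bob","repo":"finance-db","result":"success","mfa":"not_required"}
{"ts":"2026-03-19T08:05:00Z","user":"carol","repo":"hr-share","result":"failure","mfa":"failed"}
{"ts":"2026-03-19T08:05:30Z","user":"carol","repo":"hr-share","result":"failure","mfa":"failed"}
{"ts":"2026-03-19T08:06:05Z","user":"carol","repo":"hr-share","result":"failure","mfa":"failed"}
{"ts":"2026-03-19T08:09:12Z","user":"dave","repo":"hr-share","result":"success","mfa":"passed"}
{"ts":"2026-03-19T08:11:47Z","user":"bob","repo":"hr-share","result":"success","mfa":"not_enrolled"}
"""

MFA_FAILURE_THRESHOLD = 3  # assumed: this many MFA failures by one account is an anomaly

def parse_events(text):
    # Parse newline-delimited JSON; malformed or non-object lines are skipped, not fatal.
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events

def review_mfa(events, threshold=MFA_FAILURE_THRESHOLD):
    # bypass: successful sign-ins without a passed MFA factor (policy gap to remediate).
    # repeated_mfa_failures: accounts hitting the failure threshold (anomaly to investigate).
    # coverage: per-repository counts of MFA vs non-MFA successful sign-ins (evidence).
    bypass = []
    failures = Counter()
    coverage = defaultdict(lambda: {"mfa": 0, "no_mfa": 0})
    for e in events:
        if e.get("result") == "success":
            if e.get("mfa") == "passed":
                coverage[e["repo"]]["mfa"] += 1
            else:
                coverage[e["repo"]]["no_mfa"] += 1
                bypass.append((e["user"], e["repo"], e["ts"]))
        elif e.get("mfa") == "failed":
            failures[e["user"]] += 1
    repeated = sorted(u for u, n in failures.items() if n >= threshold)
    return {"bypass": bypass, "repeated_mfa_failures": repeated, "coverage": dict(coverage)}

if __name__ == "__main__":
    for key, value in review_mfa(parse_events(SAMPLE_LOG)).items():
        print(key, value)
```

Any entry in `bypass` is an account or repository where the control is not yet enforced; the `coverage` counts double as audit evidence for the "list of data repositories with MFA enabled".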
Audit / evidence tips
- Ask: for the list of data repositories that have multi-factor authentication enabled.
  Good: shows all major systems used for sensitive data are protected by multi-factor authentication.
- Good: shows frequent usage, indicating that employees are regularly using this system.
- Ask: to see records of staff training on multi-factor authentication.
  Good: details recent training events attended by most, if not all, applicable staff members.
- Ask: for evidence of security tests conducted on the multi-factor setup.
  Good: includes regular testing reports with successful blocking results.
- Ask: to see the onboarding checklist for new employees.
  Good: ensures this step is included and routinely completed for new hires.
Cross-framework mappings
How ISM-1505 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.15 | ISM-1505 requires MFA to be used to authenticate users of data repositories |
| Partially meets | Annex A 8.5 | ISM-1505 requires MFA to be used to authenticate users of data repositories |
| Supports | Annex A 5.17 | ISM-1505 requires MFA for authenticating users of data repositories |
E8
| Relationship | Mapped Essential Eight controls |
|---|---|
| Partially meets | 2 |
| Partially overlaps | 4 |
| Supports | 1 |
| Related | 1 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.