Ensure Requests for Privileged Access are Verified
Requests for special system access are checked before approval to prevent unauthorized use.
Plain language
This control ensures that when someone requests special access to important parts of a computer system, their request is checked to make sure they should have that access. This matters because if people get access they shouldn't, they could misuse or damage the system, leading to data leaks, financial loss, or harm to the business's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for personnel security
Official control statement
Requests for privileged access to systems and their resources are validated when first requested.
Why it matters
Unverified privileged access requests can enable unauthorised access, data exposure or system compromise, leading to financial loss and reputational damage.
Operational notes
Verify each privileged access request at first request (identity, business need, approvals), record evidence, and review logged approvals regularly to detect misuse.
Implementation tips
- The IT manager should set up a process where all requests for special access are submitted using a standardised form. This ensures that no request is missed and each one is recorded for review before access is granted.
- HR should work with department heads to identify which roles need special system access and document these roles clearly. This helps the IT team know which requests are legitimate based on job needs.
- System administrators should verify each access request against this documented list of roles needing special access. They can do this by checking the request against the role requirements before granting access.
- A nominated security officer should conduct a review of recent access requests monthly. They should check that each request had the necessary approval and matches documented roles.
- The IT team should implement a system that automatically alerts them when a request for special access is made. This technology can help flag requests that need urgent attention or verification.
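The validation, evidence and review steps above, as an added example (not code from Control Stack or the ISM): a request is checked at first request against a documented role register and approval policy, every decision is recorded, and granted entries are re-validated during periodic review to surface grants made outside the process. The roles, privileges and approver names are constructed placeholders.

```python
from dataclasses import dataclass, asdict, fields

# Constructed role register: which privileges each documented role may hold.
ROLE_ENTITLEMENTS = {
    "dba": {"prod-db-admin"},
    "platform-eng": {"prod-db-admin", "cluster-admin"},
    "helpdesk": set(),
}
# Constructed approval policy: approver roles required for each privilege.
REQUIRED_APPROVERS = {
    "prod-db-admin": {"line-manager", "security"},
    "cluster-admin": {"line-manager"},
}

@dataclass
class AccessRequest:
    requester: str
    role: str
    privilege: str
    purpose: str
    approvals: dict  # approver role -> identity of the person who approved

def validate_request(req):
    """Check a request at first request: role entitlement, business need,
    required approvals and no self-approval. Returns (granted, reasons)."""
    reasons = []
    if req.role not in ROLE_ENTITLEMENTS:
        reasons.append(f"unknown role {req.role!r}")
    elif req.privilege not in ROLE_ENTITLEMENTS[req.role]:
        reasons.append(f"role {req.role!r} is not entitled to {req.privilege!r}")
    if not req.purpose.strip():
        reasons.append("no business purpose recorded")
    missing = REQUIRED_APPROVERS.get(req.privilege, set()) - set(req.approvals)
    if missing:
        reasons.append(f"missing approvals from: {sorted(missing)}")
    if req.requester in req.approvals.values():
        reasons.append("requester approved their own request")
    return (not reasons, reasons)

def record_decision(log, req, granted, reasons):
    """Append an evidence record so every decision, not only grants, is reviewable."""
    log.append({**asdict(req), "granted": granted, "reasons": list(reasons)})

def review_log(log):
    """Periodic review: re-validate every granted entry and return those that fail
    now (e.g. grants made outside the process, or approvals never recorded)."""
    names = [f.name for f in fields(AccessRequest)]
    return [e for e in log if e["granted"]
            and not validate_request(AccessRequest(**{k: e[k] for k in names}))[0]]
```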
Audit / evidence tips
- Ask for the log of all privileged access requests: check that each request is recorded with the requestor's details and purpose. Good evidence includes a comprehensive log with names, date of request, and reason for access.
- Ask for documentation of roles and their access needs: ensure this document shows what access levels are required for different job roles. Good documentation will list all roles and their corresponding access requirements and approvals.
- Ask for recent approved access requests: compare these to the role requirements document. Good compliance is when every request aligns with an authorised role requirement.
- Ask to see the process documentation for checking requests: verify that the steps include checking each request against a pre-approved list and obtaining the necessary managerial authorisations. Good evidence shows a clear, consistent, and easily accessible process.
- Ask for the monthly review reports done by the security officer: look to see whether these reports detail inaccuracies or improper requests, and any steps taken to rectify issues. Good reports will list identified issues and documented actions taken.
Cross-framework mappings
How ISM-1507 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.2 | ISM-1507 requires organisations to verify (validate) privileged access requests when they are first raised, focusing on the authorisation... |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-RA-ML2.1 | ISM-1507 requires privileged access requests to be validated when first requested, ensuring initial approval is legitimate and authorised |
| Partially overlaps | E8-RA-ML3.1 | ISM-1507 requires validation of privileged access requests at the time of initial request to prevent unauthorised elevation |
| Supports | E8-RA-ML1.4 | E8-RA-ML1.4 requires that privileged accounts authorised for online service access are strictly limited to what is necessary |
| Related | E8-RA-ML1.1 | ISM-1507 requires that requests for privileged access to systems and resources are validated at the time they are first requested |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.