Employment Screening for Gateway Administrators
Ensure appropriate screening and security clearance for gateway admins based on system sensitivity.
Plain language
This control is about making sure that the people who administer gateways (the systems that sit between your networks, or between your network and the internet) are properly screened before they are given that access, and re-checked when the gateway's sensitivity or their duties change. It matters because a gateway administrator has privileged access: if an untrustworthy person holds that role, they can steal data, disrupt services or expose sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
System administrators for gateways undergo appropriate employment screening, and where necessary hold an appropriate security clearance, based on the sensitivity or classification of gateways.
Why it matters
Inadequate screening of gateway administrators can enable unauthorised privileged access, leading to data compromise and disruption of gateway services.
Operational notes
Maintain evidence of screening and required clearances for gateway admins; re-screen and reassess clearances when gateway sensitivity/classification or admin duties change.
Implementation tips
- HR should ensure robust employment screening: Conduct background checks on prospective gateway administrators to verify their identity, qualifications and past employment, for example by contacting previous employers and checking qualifications with the issuing institutions. Scale the depth of screening to the classification of the gateways the role will administer.
- System owners should determine sensitivity levels: Assess the sensitivity and classification of your gateways to know which admin roles require higher security clearance. Organise a meeting with IT and security staff to rate each system based on the data it handles.
- IT managers should implement security clearance workflows: Establish a clear process for obtaining and verifying security clearances for admin roles. Work with HR to integrate this process into hiring protocols, ensuring it's not skipped.
- HR should educate about clearance importance: Provide training sessions for recruiters and managers to explain why security clearances are needed and how to discern when a role demands one. Use real-world examples to illustrate potential risks.
- System owners and IT leads should maintain a clearance register: Keep an up-to-date record of current gateway administrators, their clearance level and expiry date, and the gateways they administer. A simple spreadsheet or a secure database is enough, provided it is reviewed regularly and reconciled against the actual membership of gateway administrator groups.
Audit / evidence tips
- Ask for the employment screening policy: Request documentation that outlines the employment screening practices for gateway administrators.
  Good: includes a detailed process with clear steps for verifying identity and credentials, and states which screening level applies to each gateway classification.
- Ask to see the list of gateway admins and their clearances: Request the current register of administrators managing gateways, along with their security clearances. Check that the clearance held by each administrator is sufficient for the most sensitive gateway they administer.
  Good: is a complete and up-to-date list that links each admin with their respective clearance and matches the actual membership of the gateway administrator groups.
- Ask about training records for HR personnel: Request documentation of training sessions provided to HR and hiring managers on the importance of security clearances.
  Good: includes regular training sessions reflected in meeting minutes or signed attendance sheets.
- Ask to see incident response records: Request past records of incidents involving unauthorised access to gateways.
  Good: shows no such incidents, or documents the steps taken to prevent recurrence.
- Ask about the clearance renewal process: Request information on how often security clearances are reviewed and renewed, and what triggers a reassessment.
  Good: includes a defined process with regular intervals for renewal, reassessment when gateway classification or admin duties change, and documented review outcomes.
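The register check described in the implementation and audit tips above is easy to automate. The script below is an added example, not code from the ISM or from Control Stack: it reconciles a gateway inventory (each gateway's classification and its administrator group membership) against a clearance register and reports administrators who are missing from the register, have no screening on record, hold a clearance below the level the gateway's classification requires, or whose clearance has expired. The clearance ranking and the classification-to-clearance mapping are assumptions that your own vetting policy must define, and the sample register and gateways are constructed for the example.

```python
"""Reconcile a gateway inventory against an administrator clearance register.

Added example (not from the ISM or Control Stack). The clearance ranking and
the mapping from gateway classification to minimum clearance are assumptions;
substitute the organisation's own vetting policy. Sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed ordering of clearance levels, lowest to highest.
CLEARANCE_RANK = {"None": 0, "Baseline": 1, "NV1": 2, "NV2": 3, "PV": 4}

# Assumed minimum clearance per gateway classification (NC, OS, P, S, TS as on
# this page). Unknown classifications are rejected rather than silently passed.
REQUIRED_CLEARANCE = {"NC": "None", "OS": "None", "P": "Baseline", "S": "NV1", "TS": "NV2"}


@dataclass
class Admin:
    username: str
    clearance: str                      # key of CLEARANCE_RANK
    clearance_expiry: date | None       # None if the clearance does not expire
    screening_completed: date | None    # None if no employment screening on record


@dataclass
class Gateway:
    name: str
    classification: str                 # key of REQUIRED_CLEARANCE
    admins: list[str] = field(default_factory=list)  # exported admin group members


def reconcile(gateways: list[Gateway], register: dict[str, Admin], as_of: date) -> list[tuple[str, str, str]]:
    """Return (gateway, username, finding) triples for every control gap found."""
    findings: list[tuple[str, str, str]] = []
    for gw in gateways:
        if gw.classification not in REQUIRED_CLEARANCE:
            raise ValueError(f"{gw.name}: unknown classification {gw.classification!r}")
        required = REQUIRED_CLEARANCE[gw.classification]
        for user in gw.admins:
            admin = register.get(user)
            if admin is None:
                # Privileged access exists with no screening/clearance record at all.
                findings.append((gw.name, user, "not in clearance register"))
                continue
            if admin.screening_completed is None:
                findings.append((gw.name, user, "no employment screening on record"))
            if CLEARANCE_RANK[admin.clearance] < CLEARANCE_RANK[required]:
                findings.append((gw.name, user, f"holds {admin.clearance}, gateway requires {required}"))
            if admin.clearance_expiry is not None and admin.clearance_expiry < as_of:
                findings.append((gw.name, user, f"clearance expired on {admin.clearance_expiry.isoformat()}"))
    return findings


# Constructed sample data: a small register and two gateways.
SAMPLE_REGISTER = {
    "alice": Admin("alice", "NV1", date(2027, 1, 31), date(2024, 2, 10)),
    "bob": Admin("bob", "Baseline", date(2025, 6, 30), date(2023, 11, 5)),
    "carol": Admin("carol", "None", None, None),
}
SAMPLE_GATEWAYS = [
    Gateway("internet-gw-1", "P", ["alice", "bob"]),
    Gateway("secret-gw-1", "S", ["alice", "carol", "dave"]),
]
SAMPLE_AS_OF = date(2026, 3, 19)


def sample_findings() -> list[tuple[str, str, str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_GATEWAYS, SAMPLE_REGISTER, SAMPLE_AS_OF)


if __name__ == "__main__":
    for gateway, user, finding in sample_findings():
        print(f"{gateway}\t{user}\t{finding}")
```

Run it against exports of your real admin groups and register, and treat every line of output as an audit finding to close: an administrator absent from the register is a missing control, an expired clearance is a missed reassessment, and a clearance below the required level means either the gateway classification or the admin's vetting has drifted since the register was last reviewed.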
Cross-framework mappings
How ISM-1520 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 6.1 | ISM-1520 requires gateway system administrators to undergo appropriate employment screening and, where necessary, hold an appropriate sec... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.