Ensure User Authentication Before System Access
Verify user identities before they can access any system.
Plain language
This control is about making sure that every person trying to access a system is who they say they are. It’s like checking IDs at the door of a club. If someone unverified gets in, they might cause harm, like accessing sensitive information or disrupting operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
July 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Users are authenticated before they are granted access to a system and its resources.
Why it matters
Without strong user authentication, attackers can impersonate users to access systems and resources, leading to data compromise and unauthorised actions.
Operational notes
Enforce MFA for interactive and remote access, review authentication logs for repeated failures, and promptly disable or lock accounts showing suspicious activity.
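As an added example (not part of the original page or the ISM), the following Python script applies the operational note above to constructed authentication log lines: it counts failures per user inside a sliding window, resets the streak on a successful login, and returns the accounts that should be locked for review. The log line format, the threshold of three failures and the ten-minute window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines for this example; the format is an assumption.
# alice: 3 failures in 15 seconds (lock). bob: 2 failures then success (no lock).
# carol: 3 failures spread over an hour, never 3 inside the window (no lock).
SAMPLE_LOG = """\
2026-03-19T08:00:01Z auth result=FAIL user=alice src=203.0.113.5
2026-03-19T08:00:09Z auth result=FAIL user=alice src=203.0.113.5
2026-03-19T08:00:15Z auth result=FAIL user=alice src=203.0.113.5
2026-03-19T08:05:00Z auth result=FAIL user=bob src=198.51.100.7
2026-03-19T08:05:20Z auth result=FAIL user=bob src=198.51.100.7
2026-03-19T08:05:40Z auth result=OK user=bob src=198.51.100.7
2026-03-19T09:00:00Z auth result=FAIL user=carol src=192.0.2.9
2026-03-19T09:30:00Z auth result=FAIL user=carol src=192.0.2.9
2026-03-19T10:00:00Z auth result=FAIL user=carol src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than guessed at
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]

def accounts_to_lock(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: sorted source IPs} for users who reached `threshold`
    failures inside any `window`; a successful login ends the streak, but an
    account flagged before that success stays listed for review."""
    recent = defaultdict(list)   # user -> failure timestamps in the current streak
    sources = defaultdict(set)   # user -> source addresses seen on failures
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "OK":
            recent[user].clear()  # genuine login: streak over
            continue
        recent[user].append(ts)
        sources[user].add(src)
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if len(recent[user]) >= threshold:
            flagged[user] = sorted(sources[user])
    return flagged
```

The source addresses are returned alongside each flagged account so the reviewer has the timestamp, user ID and IP evidence the audit tips below ask for.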
Implementation tips
- The IT team should implement user authentication measures. They can use passwords or passphrases, ensuring they are strong and follow your organisation's guidelines.
- System administrators should set up multi-factor authentication (MFA). This means users will need to provide two or more pieces of evidence to verify their identity, like a password and a code sent to their phone.
- HR should ensure onboarding includes user authentication training. Employees need to understand why it’s important to protect their login information and how to use authentication systems properly.
- The IT team should regularly update authentication software. This includes applying patches and updates to make sure the system is secure against known vulnerabilities.
- Managers should periodically review access logs. They can look for any unusual login attempts or patterns that might suggest an unauthorised access attempt.
Audit / evidence tips
- Ask: the organisation's authentication policy document. Request the document that outlines how users are authenticated before accessing systems.
  Good: shows clear guidelines that meet the organisation's security needs.
- Ask: a list of users with access to critical systems. Ensure there is a register of who is granted access and what level they have.
  Good: an up-to-date list that matches current staff roles.
- Ask: recent training records on authentication procedures. Request evidence of employee training on access control.
  Good: includes attendees' names, dates, and clear instruction content.
- Good: includes timestamps, user IDs, and IP addresses for relevant access attempts, with no unexplained anomalies.
- Ask: recent incident reports related to unauthorised access attempts.
  Good: includes documented reports with dates, the nature of each incident, and the resolutions or lessons learned.
Cross-framework mappings
How ISM-1546 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.5 | ISM-1546 requires users to be authenticated before they are granted access to a system and its resources |
| Supports | Annex A 5.17 | ISM-1546 requires users to be authenticated before they are granted access to a system and its resources |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-MF-ML1.1 | ISM-1546 requires users to be authenticated before they are granted access |
| Partially meets | E8-MF-ML1.7 | E8-MF-ML1.7 requires a specific form of user authentication: MFA with two factors |
| Partially meets | E8-MF-ML3.2 | E8-MF-ML3.2 requires phishing-resistant MFA for customers of online customer services |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.