ISM-1565 | Policy | ASD Information Security Manual (ISM)

Annual Training for Privileged Users

Privileged users receive yearly customised cyber security training.


Plain language

Privileged users, such as IT administrators, need to receive special security training every year. This matters because these users can access sensitive parts of systems, and without proper training they could accidentally expose the organisation to cyber threats.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2020

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Tailored privileged user training is undertaken annually by all privileged users.

Why it matters

If privileged users skip annual training, misconfiguration and misuse of elevated access increase, raising the likelihood of insider incidents and major compromise.


Operational notes

Update privileged user training yearly for new threats/tools; record completion for all admin accounts and follow up on non-completions before access review.


Implementation tips

  • The Human Resources (HR) team should schedule the annual training for privileged users. They can do this by setting up a calendar reminder each year to plan and invite the relevant staff to a customised training session.
  • IT managers should identify which team members are considered privileged users. They can do this by reviewing user roles and access permissions within the company's IT systems to determine who has admin-level access.
  • The training coordinator must ensure that the cyber security training is tailored to the specific systems and access levels of privileged users. They can achieve this by consulting with IT specialists to understand the unique risks associated with the company's systems and by developing scenario-based training materials.
  • The compliance officer should track attendance and completion of the training sessions. They can do this by maintaining a log of attendees and ensuring each privileged user signs an attendance sheet or completes an online course module with a time-stamped certificate.
  • Executives should periodically review the effectiveness of the training program. They can do this by gathering feedback from participants and consulting with cyber security advisors to ensure the training addresses current threats and organisational needs.

Audit / evidence tips

  • Ask: The training schedule. Request to see a document or calendar showing when trainings for privileged users are planned. Good evidence: would show dates set at least once a year with participant lists.
  • Good evidence: record would list all privileged users who completed the training, with dates and signatures or completion certifications.
  • Ask: Training materials. Request to see the content covered in the training sessions.
  • Ask: A review report. Request a document summarising the annual review of the training program. Good evidence: report will detail assessment methods, findings, and actions planned or taken.

Cross-framework mappings

How ISM-1565 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 6.3
Notes: Partially meets (1)
Details: ISM-1565 requires all privileged users to complete tailored privileged user cyber security training annually

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
