Notify Organisation of Unauthorised System Access
Service providers must alert organisations if they access systems without permission.
Plain language
This control means that if a company providing services to you accesses or administers your computer systems without permission, it must tell you straight away. It matters because, if you are not told, you will not know that your data may have been read or tampered with by someone who should not have had access, and you cannot contain the problem.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
If an organisation's systems are accessed or administered by a service provider in an unauthorised manner, the organisation is immediately notified.
Why it matters
If unauthorised service-provider access or administration isn’t promptly reported, breaches and misuse may go unnoticed, delaying containment and response.
Operational notes
Require service providers to notify your security contact immediately of any unauthorised access to, or administration of, your systems; independently verify each notification against your own access logs rather than relying on the provider's account alone, and confirm the escalation path is exercised.
Implementation tips
- The IT Manager should establish a communication protocol with every service provider for reporting unauthorised access immediately: a named security contact to notify, and a clear contract clause that obliges the provider to notify the organisation as soon as such access occurs.
- The System Administrator should monitor access logs regularly for service-provider activity that falls outside approved change windows or was never reported, and configure alerts for unusual access patterns (for example, provider accounts active at unexpected times or on unexpected hosts), so that detection does not depend solely on the provider's own notification.
- The Procurement Team should ensure every new service-provider contract includes a clause obliging the provider to report unauthorised system access, working with legal advisors to make it a standard term of agreements.
- Business Owners should hold regular check-ins with service providers (for example, quarterly) to review access logs and confirm the agreed protocol is being followed, checking that every logged provider access matches either an approved change or a provider notification.
- System Owners should record each instance of reported unauthorised access and its outcome, keeping a log of the date, time, nature of the access, and the action taken in response, for future audits and reviews.
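The log review described in the tips above can be made repeatable. The script below is an added example for this page, not code from the ISM or from Control Stack: it reads constructed, syslog-style access lines, picks out service-provider accounts (assumed here to use an `svc-` prefix), and classifies each event as approved (inside a change window from a constructed register), unauthorised but notified by the provider within an assumed 24-hour contractual SLA, or unauthorised and never notified, which is the case that needs escalation. The log format, account names, hosts and SLA are all assumptions for illustration.

```python
"""Reconcile service-provider access events against approvals and notifications.

Added example for ISM-1576; not part of the ISM or Control Stack page.
Log format, account naming, hosts and the 24-hour SLA are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log (assumed syslog-like key=value format, not a real product's).
ACCESS_LOG = """\
2026-03-10T02:05:11Z host=db01 user=svc-acme-admin action=ssh_login src=203.0.113.5
2026-03-10T02:40:02Z host=db01 user=svc-acme-admin action=ssh_logout src=203.0.113.5
2026-03-12T14:22:37Z host=app02 user=svc-acme-admin action=sudo cmd="systemctl restart app"
2026-03-13T09:15:00Z host=app02 user=jsmith action=ssh_login src=198.51.100.7
2026-03-14T23:58:41Z host=fw01 user=svc-acme-admin action=config_change
"""

# Constructed approved-change register: (provider account, host, start, end) in UTC.
APPROVED_WINDOWS = [
    ("svc-acme-admin", "db01", "2026-03-10T02:00:00Z", "2026-03-10T04:00:00Z"),
]

# Constructed record of notifications received from the provider: (account, host, when received).
PROVIDER_NOTIFICATIONS = [
    ("svc-acme-admin", "app02", "2026-03-12T14:30:00Z"),
]

# Assumption: provider accounts are distinguishable by an "svc-" prefix.
PROVIDER_ACCOUNT_PATTERN = re.compile(r"^svc-")
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Finding:
    ts: datetime
    host: str
    user: str
    action: str
    status: str  # "approved", "unauthorised-notified" or "unauthorised-unnotified"


def reconcile(log_text, windows, notifications, notify_sla=timedelta(hours=24)):
    """Classify every provider-account event in log_text.

    An event is approved if it falls inside a change window for that account and host;
    otherwise it is unauthorised, and it counts as notified only if the provider's
    notification for that account and host arrived within notify_sla after the event.
    """
    approved = [(u, h, parse_ts(a), parse_ts(b)) for u, h, a, b in windows]
    notified = [(u, h, parse_ts(t)) for u, h, t in notifications]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PROVIDER_ACCOUNT_PATTERN.match(m["user"]):
            continue  # skip malformed lines and staff (non-provider) accounts
        ts, host, user, action = parse_ts(m["ts"]), m["host"], m["user"], m["action"]
        if any(u == user and h == host and a <= ts <= b for u, h, a, b in approved):
            status = "approved"
        elif any(u == user and h == host and ts <= t <= ts + notify_sla for u, h, t in notified):
            status = "unauthorised-notified"  # control worked: provider told us in time
        else:
            status = "unauthorised-unnotified"  # control failed: escalate to the provider
        findings.append(Finding(ts, host, user, action, status))
    return findings


def escalations(findings):
    """Events that were neither approved nor reported by the provider."""
    return [f for f in findings if f.status == "unauthorised-unnotified"]


if __name__ == "__main__":
    results = reconcile(ACCESS_LOG, APPROVED_WINDOWS, PROVIDER_NOTIFICATIONS)
    for f in results:
        print(f.ts.isoformat(), f.host, f.user, f.action, f.status)
    print(f"{len(escalations(results))} event(s) require escalation")
```

Run against the constructed data, the two `db01` sessions are approved, the `app02` restart is unauthorised but was notified within eight minutes, and the `fw01` configuration change at 23:58 is unauthorised with no notification, so it is the one event to raise with the provider. The "immediately" in the control statement is deliberately left as a parameter: encode whatever definition of immediate your contract actually commits the provider to.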
Audit / evidence tips
- Ask: the incident report log from the IT department. Request documents listing any incidents of unauthorised access reported by service providers.
  Good: the log is up to date, shows clear records of any incidents, and details the actions taken.
- Ask: service provider contracts from the procurement team. Request evidence of contractual obligations for reporting unauthorised access.
  Good: contracts clearly mandate immediate notification of unauthorised access by service providers.
- Ask: access monitoring records from the system administrator. Request documentation of logs being reviewed for any unauthorised access by service providers.
  Good: access logs are reviewed regularly and match the reports given by service providers.
- Ask: meeting minutes or notes from business owners. Request records of meetings held with service providers to review access logs.
  Good: minutes show regular meetings with a focus on access reviews.
- Ask: to see the list of unauthorised access incidents and resolutions kept by system owners. Request to view the detailed log of recorded unauthorised access incidents.
  Good: each incident is thoroughly documented with immediate actions and follow-up resolutions.
Cross-framework mappings
How ISM-1576 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.19 | ISM-1576 requires that if a service provider accesses or administers an organisation’s systems in an unauthorised manner, the organisatio... |
| Partially overlaps | Annex A 5.24 | ISM-1576 requires that an organisation be immediately notified when a service provider performs unauthorised access or administration of ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.