Mandate Credential Changes Upon Compromise
Change user account credentials if they're compromised or potentially insecure.
Plain language
This control is about making sure that sensitive information used to access systems—like passwords—gets changed if it's thought to be compromised or not secure. This is important because if someone else gets access to these credentials, they could pretend to be an authorised user and breach your systems, leading to data loss or other serious problems.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Changing Credentials
Official control statement
Credentials for user accounts are changed if:
- they are compromised
- they are suspected of being compromised
- they are discovered stored on networks in the clear
- they are discovered being transferred across networks in the clear
- membership of a shared user account changes.
Why it matters
Not changing credentials after compromise, suspected compromise, cleartext exposure, or shared account membership changes can enable unauthorised access and data breaches.
Operational notes
Monitor for credential compromise indicators (alerts, leaked passwords), cleartext storage/transfer, and shared account membership changes; reset affected credentials immediately.
Implementation tips
- System administrators should monitor for any signs of a data breach or suspicious activity. Regularly check logs for unusual login attempts or access patterns that could indicate compromised credentials.
- Managers should ensure that there's a procedure for changing credentials immediately if they're compromised. This means having simple steps ready so staff know who to contact and what to do if they suspect a password is insecure.
- IT teams need to enforce password policies that make sure all user credentials are stored and transferred securely. Avoid using simple methods like emails to send passwords; instead, use secure password managers.
- Training coordinators should regularly educate employees about recognising phishing scams or suspicious requests for credentials. Organise workshops or short awareness sessions that explain how these threats work and what to do if they're encountered.
- HR should make sure that when staff leave the organisation, their access to any shared accounts is promptly removed and passwords are updated immediately. Liaise with IT to make this part of the exit process checklist.
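As an added example (not from the ISM or Control Stack), the five ISM-1590 triggers in the control statement and the monitoring described under Operational notes and Implementation tips turned into a small Python checker that decides which accounts need a credential reset. All inputs are constructed: an alert feed with a confidence field, a config file in a hypothetical `account.password=value` format, observed credential submissions with their URL scheme, and a before/after membership snapshot for shared accounts.

```python
import re

# Reason labels follow the five ISM-1590 triggers as stated on the page.
REASONS = {"confirmed": "compromised", "suspected": "suspected of being compromised"}
STORED_CLEAR = "discovered stored in the clear"
TRANSFERRED_CLEAR = "discovered transferred in the clear"
MEMBERSHIP_CHANGED = "shared account membership changed"

# Hypothetical "<account>.password=<value>" config lines; a ${VAR} reference is not a stored secret.
CLEARTEXT_RE = re.compile(
    r"^\s*(?P<account>[\w\-]+)\.(password|passwd|secret)\s*=\s*(?P<val>\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def cleartext_accounts(config_text):
    """Accounts whose secret appears literally in a config file (stored in the clear)."""
    return {m["account"] for m in CLEARTEXT_RE.finditer(config_text)
            if not m["val"].startswith("${")}

def rotation_required(alerts, config_text, transfers, members_before, members_after):
    """Map each account to the ISM-1590 triggers that require its credential to be changed."""
    required = {}
    def add(account, reason):
        required.setdefault(account, []).append(reason)
    for a in alerts:                                   # IdP / breach-feed alerts
        add(a["account"], REASONS[a["confidence"]])
    for account in sorted(cleartext_accounts(config_text)):
        add(account, STORED_CLEAR)
    for t in transfers:                                # observed credential submissions
        if t["scheme"].lower() == "http":              # plain HTTP, not TLS
            add(t["account"], TRANSFERRED_CLEAR)
    for shared in set(members_before) | set(members_after):   # any join or leave counts
        if members_before.get(shared, set()) != members_after.get(shared, set()):
            add(shared, MEMBERSHIP_CHANGED)
    return required

# Constructed sample inputs (not real accounts, alerts or configuration).
SAMPLE_ALERTS = [{"account": "jsmith", "confidence": "confirmed"},
                 {"account": "mlee", "confidence": "suspected"}]
SAMPLE_CONFIG = "svc_reports.password=Winter2024!\nbackup.password=${BACKUP_PASSWORD}\n"
SAMPLE_TRANSFERS = [{"account": "jsmith", "scheme": "http"},
                    {"account": "acarter", "scheme": "https"}]
BEFORE = {"ops-shared": {"alice", "bob"}, "helpdesk": {"dan"}}
AFTER = {"ops-shared": {"alice", "carol"}, "helpdesk": {"dan"}}

if __name__ == "__main__":
    for account, reasons in rotation_required(SAMPLE_ALERTS, SAMPLE_CONFIG,
                                              SAMPLE_TRANSFERS, BEFORE, AFTER).items():
        print(f"rotate {account}: {', '.join(reasons)}")
```

Accounts that trip no trigger (the `https` submission, the `${VAR}` reference, the unchanged shared account) are correctly absent from the result.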
Audit / evidence tips
- Ask for incident response records: Request documentation of any recent security incidents
- Ask for password policy documents: Review the current policy on password security measures
- Ask for employee training logs: Request records of security training sessions held in the past year
- Ask for staff exit checklists: Review the process documentation for when employees leave
  Good: checklist is comprehensive and ensures access is promptly revoked
- Ask for access logs: Examine logs showing activities related to credential usage
Cross-framework mappings
How ISM-1590 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-RA-ML2.5 | ISM-1590 requires organisations to change user account credentials when compromise is confirmed or suspected, when credentials are expose... |
| Supports | E8-RA-ML1.2 | ISM-1590 requires organisations to change user account credentials when they are compromised or suspected of compromise, including for sh... |
| Supports | E8-RA-ML3.7 | ISM-1590 requires organisations to change credentials when compromise is suspected or when credentials are exposed in the clear over netw... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.