ISM-1591 (policy, ASD Information Security Manual (ISM))

Suspend User Access for Malicious Activity

Remove or pause access immediately if someone is found doing harmful activities on the system.


Plain language

If someone in your organisation is doing something harmful or malicious on your computer systems, you need to stop their access as soon as possible. This is crucial because if you don't act quickly, they could steal sensitive information or cause significant damage to your business operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Access to systems and their resources is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities.

Why it matters

If access isn’t suspended promptly after malicious activity is detected, attackers can retain footholds, exfiltrate data, and disrupt operations.


Operational notes

Define a rapid offboarding playbook: on malicious-activity alerts, immediately disable accounts, revoke sessions/tokens, and document approvals and timing.
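The rapid offboarding playbook above, written out as an added Python example that is not part of this page or the Control Stack's own tooling. The identity store, the alert, the user names and the fixed clock are all constructed stand-ins for a directory or IdP API and a real SIEM alert; the returned record captures who approved the suspension and how long after detection it happened, which is the evidence an auditor will ask for.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a directory / IdP API (not a real library).
@dataclass
class Account:
    user: str
    enabled: bool = True
    sessions: set = field(default_factory=set)  # live session ids
    tokens: set = field(default_factory=set)    # API / refresh tokens

class IdentityStore:
    def __init__(self, accounts):
        self.accounts = {a.user: a for a in accounts}
    def disable(self, user):
        self.accounts[user].enabled = False  # blocks new logins only
    def revoke_all(self, user):
        """Clear sessions and tokens; return counts for the audit record."""
        a = self.accounts[user]
        n_s, n_t = len(a.sessions), len(a.tokens)
        a.sessions.clear(); a.tokens.clear()
        return n_s, n_t

def suspend_for_malicious_activity(store, alert, approver, now=None):
    """Playbook: disable the account, revoke sessions/tokens, and record
    who approved it and when, so the record doubles as audit evidence."""
    now = now or datetime.now(timezone.utc)
    detected = datetime.fromisoformat(alert["detected_at"])
    store.disable(alert["user"])
    n_s, n_t = store.revoke_all(alert["user"])  # existing access ends too
    return {"alert_id": alert["id"], "user": alert["user"], "rule": alert["rule"],
            "detected_at": alert["detected_at"], "suspended_at": now.isoformat(),
            "time_to_suspend_s": (now - detected).total_seconds(),
            "sessions_revoked": n_s, "tokens_revoked": n_t, "approver": approver}

def within_timeline(record, max_seconds):
    """Audit check: was access suspended inside the documented timeline?"""
    return record["time_to_suspend_s"] <= max_seconds

# Constructed alert and a fixed clock so the result is reproducible.
ALERT = {"id": "ALERT-0001", "user": "jdoe",
         "rule": "bulk download of restricted files outside business hours",
         "detected_at": "2025-05-10T02:14:00+00:00"}

def run_demo():
    store = IdentityStore([Account("jdoe", sessions={"s1", "s2"}, tokens={"t1"}),
                           Account("asmith", sessions={"s3"})])
    now = datetime(2025, 5, 10, 2, 20, tzinfo=timezone.utc)
    return store, suspend_for_malicious_activity(store, ALERT, "soc-lead", now)
```

Disabling the account alone leaves existing sessions and tokens valid until they expire, which is why the playbook revokes them in the same step.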


Implementation tips

  • The IT team should monitor system activity logs for unusual or suspicious behaviour that might suggest malicious activity. They can do this by regularly reviewing the logs for patterns that don’t match normal operations.
  • Managers need to define a clear process for suspending user access quickly when necessary. This can be done by setting up a checklist to follow whenever suspicious activity is reported.
  • HR should work with the IT department to maintain an updated list of authorised users. They can achieve this by coordinating when employees join or leave the organisation and ensuring their access is adjusted accordingly.
  • System owners should implement automated alerts for potential security breaches. They can work with their IT support to set up email notifications or messages whenever a red flag activity is detected on the system.
  • All staff should be trained on how to report suspicious activities. Conduct regular training sessions where employees learn the types of activities to watch for and the proper channels to report these concerns.

Audit / evidence tips

  • Ask: The current user access review policy. This document should outline the procedures for detecting and responding to malicious activity. Good: Includes detailed response timelines and criteria for suspending access.
  • Good: Logs showing timely detection and response.
  • Ask: Records of training sessions conducted for staff on identifying and reporting suspicious activities. Check the attendance and topics covered. Good: Includes regular training with high attendance rates.
  • Good: Features regular, documented updates and changes in access permissions.
  • Ask: Alerts set up in the system for detecting unusual behaviour. Review how these alerts are configured and who receives them. Good: Includes automated alerts sent to responsible parties with clearly defined thresholds for action.

Cross-framework mappings

How ISM-1591 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 5.16: ISM-1591 requires organisations to remove or suspend access as soon as practicable when a user is detected performing malicious activity.
  • Annex A 5.18: ISM-1591 requires user access to systems and resources to be removed or suspended as soon as practicable when malicious activity is detected.

Partially overlaps (1)
  • Annex A 8.2: ISM-1591 requires suspension or removal of access when malicious activity is detected, to contain harm quickly.

Supports (1)
  • Annex A 5.26: Annex A 5.26 mandates that incident responses adhere to documented procedures.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
