Verifying User Identity for New Credentials
Users need to show proof of who they are before getting new login details.
Plain language
Before giving someone new login details, it's important to ensure they are who they say they are. This prevents strangers or criminals from pretending to be someone else to access sensitive information or systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Users provide sufficient evidence to verify their identity when requesting new credentials.
Why it matters
If user identity is not verified before issuing new credentials, attackers can impersonate staff and gain unauthorised access to systems and data.
Operational notes
Verify identity before issuing new credentials using HR confirmation and photo ID checks; record evidence and approvals to prevent impersonation and account takeover.
Implementation tips
- Front desk staff should check identification: When someone requests new login details, the staff should ask for a government-issued ID (like a driver's licence or passport) and compare it to the person in front of them to confirm their identity.
- HR team should verify new employee requests: When a new employee joins, HR should confirm their identity through official documents, like a job offer letter and a form of ID, before requesting IT to create credentials.
- IT team should have a strict process: The IT team should require a request to reset or create login details to come from an authorised department head via email. They should call back using a known contact number to verify the request.
- Managers should review unusual requests: Managers need to be alert to requests that seem out of the ordinary, such as claiming forgotten passwords multiple times, and should personally verify these with the individual involved before approving.
- Provide training for all staff: Conduct regular training sessions on how to check identity documents and why this process is crucial in protecting the organisation from fraudulent access attempts.
Audit / evidence tips
- Ask for the procedure document for identity verification: Request the written procedure that outlines the steps for verifying a user's identity before issuing new credentials.
  Good: Includes detailed identity verification steps and a list of acceptable identification documents.
- Ask to see records of identity verification checks: Review logs or forms that show identity was checked when new credentials were given.
  Good: Demonstrates consistent verification evidence for every credential issued.
- Ask for training records on identity verification: Request records of staff training sessions focused on identity checks.
  Good: Includes recent training events attended by all relevant staff.
- Ask for examples of rejected requests: Inquire about instances where requests for credentials were denied due to failed identity verification.
  Good: Shows honest tracking of failed attempts, preventing potential security breaches.
- Ask to review exception handling processes: Request documentation on how exceptions (such as remote identity verification) are handled.
  Good: Includes alternative identity verification methods and approvals needed.
Cross-framework mappings
How ISM-1593 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (1) | Annex A 5.16 | ISM-1593 mandates that users provide sufficient evidence to verify their identity upon requesting new credentials, such as during issuanc... |
| Supports (2) | Annex A 5.18 | ISM-1593 requires verification of user identity with sufficient evidence before issuing new credentials |
| Supports (2) | Annex A 8.2 | ISM-1593 requires verifying a person's identity before issuing new credentials to reduce risks of illegitimate privileged access |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.