Secure Delivery of User Account Credentials
Credentials are securely delivered to users, or split between users and supervisors if secure delivery is not possible.
Plain language
This control is about making sure sensitive login information, like passwords, is sent to people securely. It's crucial because if these details fall into the wrong hands, it could lead to unauthorised access to your systems and data breaches, which can be costly and damage your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Credentials are provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to users and the other part provided to supervisors.
Why it matters
If credentials are sent insecurely, they can be intercepted, enabling unauthorised access and data breaches involving sensitive information.
Operational notes
Use secure channels to issue credentials, or split delivery so that one part goes to the user and the other to their supervisor and neither part is usable on its own; periodically test that the process is actually followed.
Implementation tips
- IT team should use secure communication tools: Implement tools like encrypted email or secure messaging apps to send login credentials to users, ensuring no one unauthorised can intercept the information.
- Manager should create a backup delivery plan: If secure methods aren't possible, arrange for the credentials to be split, with one part going to the user and the other part given to a supervisor. This ensures that the full credential is never held by one person alone; the split only achieves that if each part on its own does not reveal a usable portion of the credential.
- HR should provide user education: Conduct brief training sessions to inform employees about the importance of securing their credentials and recognising phishing attempts to steal them.
- System owners should review delivery processes: Regularly check how credentials are sent to identify any vulnerabilities. This might include engaging an external auditor occasionally to ensure compliance with best practices.
- Procurement should choose secure software vendors: When purchasing software systems, ensure they offer secure methods for creating and distributing user credentials, such as through a password manager.
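The split delivery in the tips above is only as strong as the way the credential is split: giving the user the first half of a password and the supervisor the second half leaves whoever obtains one part with only the other half to guess. The following is an added example, not ASD guidance and not any product's code, showing one way to split a generated initial credential into two parts (a random mask and the masked value, a 2-of-2 XOR share) so that neither part alone reveals anything about the credential, next to the naive half-and-half split for comparison. The function names, the 62-character password alphabet and the sample password are assumptions made for illustration.

```python
"""Two-part credential delivery: a 2-of-2 split in which neither part alone
reveals the credential.

Added example for the ISM-1594 page, not ASD's or any vendor's code.
The XOR (one-time-pad) share is one way to satisfy "split into two parts";
the names and the alphabet below are assumptions for illustration.
"""
import base64
import math
import secrets
import string
from typing import Tuple

# Hypothetical password policy alphabet: 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def generate_initial_credential(length: int = 16) -> str:
    """Random initial password drawn from ALPHABET with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def split_credential(credential: str) -> Tuple[str, str]:
    """Split into two shares.

    share_a is uniformly random; share_b = credential XOR share_a.
    Either share on its own is indistinguishable from random bytes, so the
    user's part and the supervisor's part each reveal nothing by themselves.
    Shares are base64-encoded so they can be read out or written down.
    """
    raw = credential.encode("utf-8")
    share_a = secrets.token_bytes(len(raw))
    share_b = bytes(x ^ y for x, y in zip(raw, share_a))
    return (base64.b64encode(share_a).decode("ascii"),
            base64.b64encode(share_b).decode("ascii"))


def combine_shares(share_a: str, share_b: str) -> str:
    """Recover the credential from both shares; fails if they don't match."""
    a = base64.b64decode(share_a)
    b = base64.b64decode(share_b)
    if len(a) != len(b):
        raise ValueError("share lengths differ; parts are not from the same split")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")


def naive_split(credential: str) -> Tuple[str, str]:
    """What NOT to do: hand out the first and second halves of the password."""
    half = len(credential) // 2
    return credential[:half], credential[half:]


def remaining_guess_bits(credential_length: int, naive: bool) -> float:
    """Bits an attacker holding ONE part must still guess, assuming the
    credential is uniform over ALPHABET. With the naive split the holder of
    the first half only needs the remaining characters; with the XOR split
    a single share leaves the whole credential unknown."""
    unknown = (credential_length - credential_length // 2) if naive else credential_length
    return unknown * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_initial_credential(16)
    user_part, supervisor_part = split_credential(pw)
    print("user part:      ", user_part)
    print("supervisor part:", supervisor_part)
    print("recombined OK:  ", combine_shares(user_part, supervisor_part) == pw)
    print("bits left to guess from one part, naive split: %.1f"
          % remaining_guess_bits(16, naive=True))
    print("bits left to guess from one part, XOR split:   %.1f"
          % remaining_guess_bits(16, naive=False))
```

The user and supervisor still need the two parts to travel by different routes (for example one by email and one read out in person), and the user should be required to change the credential at first logon so the supervisor's share becomes worthless; the split only removes the "one person holds everything" problem, not the need for a trustworthy channel for each part.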
Audit / evidence tips
- Ask: a list of communication tools used for delivering credentials. Review the tools to ensure they support encryption, and check documentation to see if they meet best-practice standards.
  Good: includes recent vendor certificates showing encryption details.
- Ask: training records on credential security. Ensure employees have attended sessions on maintaining secure credentials and recognising threats.
  Good: signed attendance sheets or digital logs with dates.
- Ask: evidence of a split delivery plan. Request written procedures outlining how credentials are split between user and supervisor when secure delivery can't occur; review the details to ensure clarity and practicality.
  Good: an approved procedure document noting responsible parties and steps.
- Ask: audit reports on credential delivery.
  Good: a report with documented issues followed by the corrective actions taken.
- Ask: vendor agreements regarding secure features. Check agreements with software providers to ensure they commit to secure credential delivery options.
  Good: contractual commitments to ongoing security updates and compliance.
Cross-framework mappings
How ISM-1594 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.14 | Partially meets | ISM-1594 requires credentials to be delivered to users via a secure communications channel, or split into two parts with one part provide... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.