ISM-1594 ASD Information Security Manual (ISM)

Secure Delivery of User Account Credentials

Credentials are securely delivered to users, or split between users and supervisors if secure delivery is not possible.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Credentials are provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to users and the other part provided to supervisors.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure sensitive login information, like passwords, is sent to people securely. It's crucial because if these details fall into the wrong hands, it could lead to unauthorised access to your systems and data breaches, which can be costly and damage your reputation.

Why it matters

If credentials are sent insecurely, they can be intercepted, enabling unauthorised access and data breaches involving sensitive information.

Operational notes

Use secure channels to issue credentials, or split delivery so one part goes to the user and the other to their supervisor; periodically test the process.

Implementation tips

  • IT team should use secure communication tools: Implement tools like encrypted email or secure messaging apps to send login credentials to users, so that no unauthorised party can intercept the information.
  • Manager should create a backup delivery plan: If secure methods aren't possible, arrange for the credentials to be split, with part going to the user and the other part given to a supervisor. This ensures that full credentials aren't accessible to one person alone.
  • HR should provide user education: Conduct brief training sessions to inform employees about the importance of securing their credentials and recognising phishing attempts to steal them.
  • System owners should review delivery processes: Regularly check how credentials are sent to identify any vulnerabilities. This might include engaging an external auditor occasionally to ensure compliance with best practices.
  • Procurement should choose secure software vendors: When purchasing software systems, ensure they offer secure methods for creating and distributing user credentials, such as through a password manager.

Audit / evidence tips

  • Ask: a list of communication tools used for delivering credentials: Review the tools to ensure they support encryption. Check documentation to see if they meet best practice standards.

    Good: Recent vendor certificates showing encryption details

  • Ask: training records on credential security: Ensure employees have attended sessions on maintaining secure credentials and recognising threats.

    Good: Signed attendance sheets or digital logs with dates

  • Ask: evidence of a split delivery plan: Request written procedures outlining how credentials are split between user and supervisor when secure delivery can't occur. Review the details to ensure clarity and practicality.

    Good: An approved procedure document noting responsible parties and steps

  • Ask: audit reports on credential delivery

    Good: Report with documented issues followed by corrective actions taken

  • Ask: vendor agreements regarding secure features: Check agreements with software providers to ensure they commit to secure credential delivery options.

    Good: Contractual commitments to ongoing security updates and compliance

Cross-framework mappings

How ISM-1594 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 5.14: ISM-1594 requires credentials to be delivered to users via a secure communications channel, or split into two parts with one part provide...
