Document and Test Emergency System Access Procedures
Ensure emergency access to IT systems is documented and tested during major IT changes.
Plain language
This control is about making sure there are clear and tested procedures for getting into your computer systems in an emergency, like if a critical IT system crashes during a big change. It matters because if you can't access your systems when things go wrong, you could face extended downtime, loss of business, or even a compromise of security.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel securityOfficial control statement
A method of emergency access to systems and their resources is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
Why it matters
Without documented and tested emergency access, outages during major IT changes can delay recovery and increase risk of unauthorised access or data loss.
Operational notes
Document emergency access steps, roles, approvals and break-glass accounts; test on initial implementation and after fundamental infrastructure changes, recording outcomes and updates.
Implementation tips
- System owners should work with the IT team to document emergency access procedures. Start by listing the systems that need these procedures, what roles require access during emergencies, and how to quickly achieve this access. Put this information in an easy-to-understand document stored in a safe but accessible location.
- The IT team should schedule regular tests of these emergency access procedures. Conduct a mock drill, where someone tries to follow the procedure to access the system during a simulated crisis. Note any difficulties and refine the procedure as needed.
- Managers should ensure staff training includes these emergency procedures. Hold a session where the relevant staff are walked through these processes. Allow them to ask questions and practice the steps in a controlled environment.
- IT managers should integrate emergency access plans with major system updates. Each time there is a significant update, like a new system or software change, review and test the emergency access plan to ensure it still works.
- The security team should document when and how the emergency access procedures are tested. Use a simple report template that records the date of testing, who conducted it, any issues found, and the actions taken to address them.
Audit / evidence tips
-
Askthe documented emergency access procedures: Request to see the document outlining these steps for all critical systems
Goodincludes clear, specific actions and contact details for responsible persons
-
Askrecords of emergency access tests: Request documentation on past tests, including dates and participants
Goodis a log showing consistent and timely testing activities
-
Askfeedback or modifications on emergency procedures: Request any documents showing updates or improvements made from test results
Goodshows clear, dated updates improving the emergency procedures
-
Askto see staff training records on emergency procedures: Request evidence that relevant staff have been trained
Goodis documented evidence of regular, thorough training sessions
-
Askdocumentation of system updates related to emergency access: Request records on major changes with related emergency plan updates
Goodshows consistent alignment of plans to system changes
Cross-framework mappings
How ISM-1610 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.30 | ISM-1610 requires a method of emergency access to systems and resources to be documented and tested on initial implementation and after f... | |
| handshake Supports (1) expand_less | ||
| Annex A 8.32 | ISM-1610 mandates the documentation and testing of emergency system access procedures during initial implementation and after infrastruct... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.