ISM-1610 ASD Information Security Manual (ISM)

Document and Test Emergency System Access Procedures

Ensure emergency access to IT systems is documented and tested during major IT changes.

Proactive Non-classified OFFICIAL: Sensitive PROTECTED SECRET TOP SECRET ASD Information Security ManualGuidelines for personnel security crisis operations disaster recovery

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Proactive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Guideline

Guidelines for personnel security

Section

Access to systems and their resources

Topic

Emergency Access to Systems

Official control statement

A method of emergency access to systems and their resources is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure there are clear and tested procedures for getting into your computer systems in an emergency, like if a critical IT system crashes during a big change. It matters because if you can't access your systems when things go wrong, you could face extended downtime, loss of business, or even a compromise of security.

Why it matters

Without documented and tested emergency access, outages during major IT changes can delay recovery and increase risk of unauthorised access or data loss.

Operational notes

Document emergency access steps, roles, approvals and break-glass accounts; test on initial implementation and after fundamental infrastructure changes, recording outcomes and updates.

Implementation tips

System owners should work with the IT team to document emergency access procedures. Start by listing the systems that need these procedures, what roles require access during emergencies, and how to quickly achieve this access. Put this information in an easy-to-understand document stored in a safe but accessible location.
The IT team should schedule regular tests of these emergency access procedures. Conduct a mock drill, where someone tries to follow the procedure to access the system during a simulated crisis. Note any difficulties and refine the procedure as needed.
Managers should ensure staff training includes these emergency procedures. Hold a session where the relevant staff are walked through these processes. Allow them to ask questions and practice the steps in a controlled environment.
IT managers should integrate emergency access plans with major system updates. Each time there is a significant update, like a new system or software change, review and test the emergency access plan to ensure it still works.
The security team should document when and how the emergency access procedures are tested. Use a simple report template that records the date of testing, who conducted it, any issues found, and the actions taken to address them.

Audit / evidence tips

Ask: the documented emergency access procedures: Request to see the document outlining these steps for all critical systems

Good: includes clear, specific actions and contact details for responsible persons
Ask: records of emergency access tests: Request documentation on past tests, including dates and participants

Good: is a log showing consistent and timely testing activities
Ask: feedback or modifications on emergency procedures: Request any documents showing updates or improvements made from test results

Good: shows clear, dated updates improving the emergency procedures
Ask: to see staff training records on emergency procedures: Request evidence that relevant staff have been trained

Good: is documented evidence of regular, thorough training sessions
Ask: documentation of system updates related to emergency access: Request records on major changes with related emergency plan updates

Good: shows consistent alignment of plans to system changes

Cross-framework mappings

How ISM-1610 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control	Notes	Details
Partially meets (1)
Annex A 5.30	ISM-1610 requires a method of emergency access to systems and resources to be documented and tested on initial implementation and after f...
Supports (1)
Annex A 8.32	ISM-1610 mandates the documentation and testing of emergency system access procedures during initial implementation and after infrastruct...