Restricted Use of Break Glass Accounts for Emergencies
Use special accounts only for approved emergency activities to maintain system security.
Plain language
Break glass accounts are special user accounts used only in emergencies, like when there’s a critical system issue, and normal login methods fail. If these accounts are misused, it could lead to security vulnerabilities, as they often bypass normal security checks. Restricting their use helps prevent unauthorised access to sensitive systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
July 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Break glass accounts are only used for specific authorised activities.
Why it matters
Misuse of break glass accounts can bypass normal controls, enabling unauthorised privileged access and increasing the likelihood of serious breaches.
Operational notes
Log and review all break glass account use; restrict to approved emergency activities, require approval, and investigate any unexpected access immediately.
Implementation tips
- IT Managers should create a strict policy for using break glass accounts. This involves drafting a document that outlines when and how these accounts can be used, ensuring all staff understand the emergency nature of these accounts.
- System Owners should limit access to break glass accounts. They can do this by only providing this access to key personnel, storing the account details securely, and ensuring it's not shared unnecessarily.
- IT Teams should set up a monitoring system for break glass account usage. This involves using logging tools to track who accesses the account and when, ensuring that every use is justified and documented.
- HR and Security Teams should regularly train staff on the appropriate use of break glass accounts. Conduct training sessions to explain the risks and procedures associated with these accounts, emphasising their emergency-only use.
- Managers should conduct regular reviews of break glass account policies. Hold quarterly meetings to revisit the policy's effectiveness, update access lists, and ensure compliance with industry standards like those from the Australian Cyber Security Centre (ACSC).
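The monitoring described in the operational notes and the IT Teams tip above, as an added illustration that is not part of the ISM or the Control Stack page: break glass logins are pulled from authentication logs and checked against recorded emergency approvals, and any use outside an approved window is surfaced for immediate investigation. The account names, log format, ticket identifiers and approval windows are all constructed for this example.

```python
from datetime import datetime

# Constructed values for this illustration; not from the ISM or Control Stack.
BREAK_GLASS_ACCOUNTS = {"bg-admin-01", "bg-admin-02"}

# Constructed auth log lines: "<UTC timestamp> <event> user=<name> src=<ip>"
LOG_LINES = [
    "2026-03-10T02:14:07Z LOGIN_OK user=bg-admin-01 src=10.0.5.20",
    "2026-03-10T09:30:00Z LOGIN_OK user=alice src=10.0.5.21",
    "2026-03-12T23:48:11Z LOGIN_OK user=bg-admin-02 src=10.0.9.8",
    "2026-03-13T00:05:40Z LOGIN_OK user=bg-admin-02 src=10.0.9.8",
    "2026-03-14T11:02:55Z LOGIN_FAIL user=bg-admin-01 src=203.0.113.7",
]

# Constructed emergency approvals: ticket -> (account, window start, window end)
APPROVALS = {
    "INC-4412": ("bg-admin-01", "2026-03-10T01:30:00Z", "2026-03-10T04:00:00Z"),
    "INC-4420": ("bg-admin-02", "2026-03-12T23:00:00Z", "2026-03-13T00:00:00Z"),
}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Split one log line into its timestamp, event name and key=value fields."""
    stamp, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=_ts(stamp), event=event)
    return rec


def review_break_glass(log_lines, approvals, accounts=BREAK_GLASS_ACCOUNTS):
    """Return each break glass login (successful or failed) with the ticket
    whose approved window covers it, or ticket=None when nothing does."""
    findings = []
    for rec in map(parse_line, log_lines):
        if rec["user"] not in accounts:
            continue  # ordinary user: outside this control's scope
        ticket = next((t for t, (acct, start, end) in approvals.items()
                       if acct == rec["user"] and _ts(start) <= rec["ts"] <= _ts(end)),
                      None)
        findings.append({"ts": rec["ts"], "user": rec["user"], "event": rec["event"],
                         "src": rec["src"], "ticket": ticket})
    return findings


def unapproved(findings):
    """Events that fall outside every approved window: investigate immediately."""
    return [f for f in findings if f["ticket"] is None]
```

Failed logins by a break glass account are reported alongside successful ones because an attempt outside an approved window is itself a signal worth following up.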
Audit / evidence tips
- Ask: the break glass account usage log. Request the documented records of when these accounts were accessed. Good: the record will show infrequent, justified use with clear authorisation noted.
- Ask: the break glass account policy document. Request the written policy governing the use of these accounts. Good: the policy is clear, comprehensive, and aligns with organisational security practices.
- Ask: evidence of secure storage of break glass account credentials. Request details on how credentials are kept secure, such as a password vault. Good: practice includes encryption and limited access to the vault.
- Ask: training records. Request evidence of training sessions provided to relevant staff about the use of break glass accounts.
- Ask: policy review logs. Request records of the most recent policy review meeting.
Cross-framework mappings
How ISM-1612 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

Partially meets (3)

| Control | Notes |
|---|---|
| Annex A 5.15 | ISM-1612 requires that break glass accounts are only used for specific authorised activities |
| Annex A 8.2 | ISM-1612 requires that break glass accounts are only used for specific authorised activities |
| Annex A 8.3 | ISM-1612 requires that break glass accounts are only used for specific authorised activities |

Partially overlaps (1)

| Control | Notes |
|---|---|
| Annex A 5.18 | ISM-1612 requires that break glass accounts are only used for specific authorised activities |

E8

Partially overlaps (1)

| Control | Notes |
|---|---|
| E8-RA-ML2.5 | ISM-1612 requires that break glass accounts are only used for specific authorised activities (i.e., emergency-only use with explicit auth... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.