Central Logging of Break Glass Account Usage
Logging is used to track and monitor the use of emergency access accounts.
Plain language
This control is about keeping track of when and how emergency access accounts, also known as 'break glass accounts', are used. This is important because these accounts have high-level access to your systems, which, if misused, could lead to serious security breaches or data loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel securityOfficial control statement
Use of break glass accounts is centrally logged.
Why it matters
Without central logging of break glass account use, misuse may go undetected, delaying incident response and enabling data breaches and unauthorised changes.
Operational notes
Centrally log all break glass use to the SIEM; alert on use, capture timestamp, account, source and actions, and review records after each event.
Implementation tips
- IT team should establish a logging system: Set up a centralised logging mechanism that records any use of emergency access accounts. Use accessible tools like a logging service that captures each login attempt and the actions taken.
- System administrators should notify staff: Ensure that any employees who might need to use these accounts understand that their actions will be logged. Provide training that highlights the importance of this control in protecting the organisation.
-
Look atany unauthorised or unusual activities and address any concerns immediately
- Managers should ensure documentation: Confirm that all use of break glass accounts is documented with justifications for access. Ensure that these documents are stored securely and made available for review when needed.
- Executives should establish clear policies: Develop policies that outline when and how break glass accounts are to be used in emergencies. Ensure that these policies are communicated across the entire business.
Audit / evidence tips
-
Askaccess logs: Request the central log files or reports that record when break glass accounts were accessed
Goodis a well-organised log showing regular entries with no unexplained gaps
-
Asktraining records: Request documentation of staff training sessions that include break glass account use
-
Askpolicy documents: Request to see the policies surrounding emergency access account use. Examine how detailed these policies are and whether they cover key aspects like justification and review processes
Goodpolicy is comprehensive and covers all necessary steps
-
Askreview records: Request records of the regular log reviews conducted by IT
Goodis a detailed report noting any anomalies and actions taken
-
Askdocumentation of access justifications: Request written justifications for each use of the break glass accounts
Goodis a clear, authorised document for each access event
Cross-framework mappings
How ISM-1613 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.15 | ISM-1613 requires central logging specifically for break glass account usage | |
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| E8-RA-ML2.6 | E8-RA-ML2.6 requires organisations to centrally log privileged access events to support detection of misuse | |
| sync_alt Partially overlaps (1) expand_less | ||
| E8-RA-ML2.7 | ISM-1613 requires that use of break glass accounts is centrally logged | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.