ISM-1614, ASD Information Security Manual (ISM)

Manage Emergency Account Access Changes

Change break glass account passwords after emergency access.


Plain language

In a nutshell, this control is about changing the passwords for special emergency accounts, called 'break glass accounts', after they've been used by someone other than the person who normally manages them. This is crucial because if passwords aren't updated, it leaves the door open for potential misuse or unauthorised access to sensitive systems, which could lead to data breaches or disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

July 2020

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Break glass account credentials are changed by the account custodian after they are accessed by any other party.

Why it matters

Without changing break glass credentials after use, prior holders can re-enter systems, increasing the chance of unauthorised access, breaches and disruption.


Operational notes

After any break glass use, the account custodian must reset the password immediately, record the change in logs/tickets, and confirm access is returned to a known state.


Implementation tips

  • The IT team should identify all break glass accounts within the organisation. This involves creating a list of these accounts and ensuring they are only used in genuine emergencies. Clarify which systems they provide access to and who is authorised to use them.
  • Managers should designate a custodian for each break glass account. This custodian is the go-to person responsible for changing the account's password after every emergency use. Assign someone reliable and ensure they understand their role and responsibilities.
  • The custodian should change the password immediately after an emergency access event. This involves logging into the system, updating the credential, and securely storing the new password. Make sure no other activity is conducted until the password change is confirmed.
  • The IT team should establish a secure procedure for recording when break glass accounts are used. This could be done through a logbook or digital tracking system that records the date, time, and reason for access.
  • Staff training is crucial: managers should organise regular training sessions so that staff understand when and how break glass accounts should be used and why passwords must be changed afterwards. Training should include how to recognise a genuine emergency.
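As an added example (not part of the Control Stack page or the ISM itself), the following Python check reads constructed audit records and reports every break glass logon by someone other than the custodian that was not followed by a custodian password change within a grace window. The account names, custodian names, record format and four-hour window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed mapping of break glass accounts to their designated custodians (hypothetical names).
BREAK_GLASS_CUSTODIANS = {"bg-admin-01": "custodian.jane", "bg-admin-02": "custodian.raj"}

# Constructed audit records: "<ISO timestamp> <event> account=<acct> actor=<who>".
SAMPLE_LOG = """\
2024-03-01T02:10:00 LOGON account=bg-admin-01 actor=oncall.sam
2024-03-01T03:05:00 PASSWORD_CHANGE account=bg-admin-01 actor=custodian.jane
2024-03-02T14:00:00 LOGON account=bg-admin-02 actor=oncall.lee
2024-03-02T14:30:00 PASSWORD_CHANGE account=bg-admin-02 actor=oncall.lee
2024-03-03T09:00:00 LOGON account=bg-admin-01 actor=custodian.jane
2024-03-04T22:45:00 LOGON account=bg-admin-02 actor=oncall.sam
"""

def parse_log(text):
    """Parse the constructed record format into (when, kind, account, actor), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, acct, actor = line.split()
            events.append((datetime.fromisoformat(ts), kind,
                           acct.split("=", 1)[1], actor.split("=", 1)[1]))
    return sorted(events)

def find_unrotated_uses(events, custodians, max_delay=timedelta(hours=4), now=None):
    """Flag each LOGON to a break glass account by a non-custodian that was not followed,
    within max_delay, by a PASSWORD_CHANGE made by the custodian. Returns (account, actor, time, reason)."""
    findings = []
    for i, (when, kind, account, actor) in enumerate(events):
        if kind != "LOGON" or account not in custodians:
            continue
        custodian = custodians[account]
        if actor == custodian:
            continue  # the custodian's own access does not trigger the control
        deadline = when + max_delay
        if now is not None and deadline > now:
            continue  # rotation window still open; not yet a breach
        resets = [e for e in events[i + 1:]
                  if e[1] == "PASSWORD_CHANGE" and e[2] == account and e[0] <= deadline]
        if any(r[3] == custodian for r in resets):
            continue  # compliant: the custodian rotated the credential in time
        reason = (f"reset by {resets[0][3]}, not custodian {custodian}" if resets
                  else "no custodian reset within window")
        findings.append((account, actor, when.isoformat(), reason))
    return findings

def check_sample():
    # Evaluate the constructed log as of a date after all events, so no window is still open.
    return find_unrotated_uses(parse_log(SAMPLE_LOG), BREAK_GLASS_CUSTODIANS, now=datetime(2024, 3, 10))
```

Each finding is a break glass use that an auditor would expect to see explained in the emergency access log, either as a late custodian reset or as a reset done by the wrong person.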

Audit / evidence tips

  • Ask: the log of emergency access events. Request to see records that show when break glass accounts have been used. Good: a clear and detailed log showing proper documentation of each instance.
  • Ask: evidence of password changes. Check the records for confirmations of password updates after each emergency use. Good: timely evidence showing passwords were promptly changed post-access.
  • Ask: a list of all break glass accounts. Request a current list of all such accounts maintained by the organisation. Good: a comprehensive list with up-to-date information.
  • Ask: staff training records. Request documentation of any training sessions held for staff about using break glass accounts. Good: records showing regular training sessions with relevant staff attendance.
  • Ask: a procedure document. Request the formal procedure for managing break glass accounts. Good: includes clear steps for maintaining security and evidence of regular procedure reviews.

Cross-framework mappings

How ISM-1614 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1): Annex A 5.17. ISM-1614 entails changing break glass credentials after emergency access by another party.
  • Partially overlaps (1): Annex A 8.2. ISM-1614 mandates changing break glass credentials after emergency access to mitigate credential exposure risk.

E8

  • Partially overlaps (1): E8-RA-ML2.5. ISM-1614 requires break glass account credentials to be changed by the account custodian after emergency access by any other party.
  • Supports (1): E8-RA-ML2.7. ISM-1614 requires break glass account credentials to be changed after they are accessed by another party.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
