ISM-1647 (policy, ASD Information Security Manual)

Disable Privileged Access After 12 Months

Privileged system access is disabled if not revalidated within a year.


Plain language

This control means that if someone has special access to important systems or resources, it needs to be checked and confirmed at least once a year. If it's not reviewed and confirmed, their access is turned off. This is crucial to ensure that only the right people can access sensitive information and systems, preventing potential misuse or accidental damage.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

Privileged access to systems and their resources is disabled after 12 months unless revalidated.

Why it matters

Failing to regularly revalidate privileged access risks unauthorised access, leading to data breaches or system misuse by former employees.


Operational notes

Run a 12-monthly review of privileged accounts; disable any not revalidated, record approvals, and remove access promptly when staff change roles or leave.


Implementation tips

  • HR and IT Managers should create a schedule: Establish a calendar to review who has privileged access every year. Use reminders to prompt reviews a month in advance to make sure nothing slips through the cracks.
  • The IT team should maintain an access register: Keep an updated list of who has privileged access. Make this list easily accessible to ensure reviews can be conducted efficiently.
  • System owners should conduct access reviews: Meet individually with team members who have privileged access to confirm they still need it. Document these reviews and any changes to access rights.
  • Train staff about access responsibilities: The manager should ensure everyone with privileged access understands the importance of annual reviews and the risks if access is not properly managed.
  • Set up automatic alerts: The IT team should use software tools to automatically flag privileged access accounts due for review, ensuring that no access goes unchecked.
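The operational notes and tips above describe one procedure: keep an access register, work out when each privileged entry falls due, flag entries due within a month, and disable any not revalidated within 12 months. The following Python is an added example of that review logic (not code from the page or from the ISM); the register entries, account names, systems and review date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REMINDER_LEAD = timedelta(days=30)  # prompt the review about a month before it is due


@dataclass
class PrivilegedEntry:
    """One row of the privileged access register (constructed structure)."""
    account: str
    system: str
    last_revalidated: date  # date of the most recent documented approval
    enabled: bool = True


def revalidation_due(last_revalidated: date) -> date:
    """Due date is 12 months after the last approval; 29 Feb rolls to 28 Feb."""
    try:
        return last_revalidated.replace(year=last_revalidated.year + 1)
    except ValueError:  # only raised for 29 Feb when the next year is not a leap year
        return last_revalidated.replace(year=last_revalidated.year + 1, day=28)


def classify(entry: PrivilegedEntry, today: date) -> str:
    """Decide the review action for one register entry."""
    if not entry.enabled:
        return "already-disabled"
    due = revalidation_due(entry.last_revalidated)
    if today > due:
        return "disable"  # past 12 months with no recorded revalidation
    if due - today <= REMINDER_LEAD:
        return "remind"  # inside the one-month reminder window
    return "ok"


def run_review(register: list[PrivilegedEntry], today: date) -> dict[str, str]:
    """Classify every entry and mark overdue entries disabled in the register."""
    outcome = {e.account: classify(e, today) for e in register}
    for e in register:
        if outcome[e.account] == "disable":
            e.enabled = False  # the register itself records the disablement
    return outcome


# Constructed sample register and review date (not real accounts or systems).
REGISTER = [
    PrivilegedEntry("alice", "fileserver", date(2025, 6, 1)),
    PrivilegedEntry("bob", "domain-admins", date(2025, 4, 1)),
    PrivilegedEntry("carol", "database", date(2025, 1, 15)),
    PrivilegedEntry("dave", "backup-host", date(2024, 2, 29)),  # leap-day edge case
    PrivilegedEntry("erin", "fileserver", date(2024, 9, 1), enabled=False),
]
REVIEW_DATE = date(2026, 3, 19)

if __name__ == "__main__":
    for account, action in run_review(REGISTER, REVIEW_DATE).items():
        print(f"{account:6} {action}")
```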

Audit / evidence tips

  • Ask: the privileged access review schedule. Request the schedule that outlines when access reviews are due and completed. Good: the schedule shows all reviews completed on time and includes planned review dates.
  • Ask: the access register. Request the document listing all individuals with privileged access; check for completeness and regular updates. Good: the register is up to date and accurately reflects current access levels.
  • Ask: meeting records. Request minutes or notes from access review meetings. Good: the record includes detailed actions and confirmations of access need.
  • Ask: to see training records. Request evidence of training sessions on access management.
  • Ask: system alerts. Have the IT team demonstrate the alerts set up for overdue reviews. Good: the system has a log showing timely interventions when reviews are overdue.

Cross-framework mappings

How ISM-1647 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 5.18: ISM-1647 requires privileged access to be disabled after 12 months unless revalidated, which is an access-rights review and removal mecha...

Related (1)
  • Annex A 8.2: Annex A 8.2 requires privileged access rights to be restricted and managed through their lifecycle.

E8

Partially overlaps (2)
  • E8-RA-ML1.1: E8-RA-ML1.1 requires organisations to validate privileged access requests when first requested to ensure only legitimate admin access is ...
  • E8-RA-ML2.2: E8-RA-ML2.2 requires privileged access to be disabled after 45 days of inactivity.

Supports (1)
  • E8-RA-ML1.4: E8-RA-ML1.4 requires limiting privileged accounts' online service access to only what is required for duties.

Related (1)
  • E8-RA-ML2.1: E8-RA-ML2.1 requires privileged access to be disabled after 12 months unless it is revalidated.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
