Disable Privileged Access After 12 Months
Privileged system access is disabled if not revalidated within a year.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
May 2025
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2, ML3
Guideline
Guidelines for personnel security
Privileged access to systems and their resources is disabled after 12 months unless revalidated.
Source: ASD Information Security Manual (ISM)
Plain language
This control means that if someone has special access to important systems or resources, it needs to be checked and confirmed at least once a year. If it's not reviewed and confirmed, their access is turned off. This is crucial to ensure that only the right people can access sensitive information and systems, preventing potential misuse or accidental damage.
Why it matters
Privileged access that is never revalidated accumulates: staff who change roles or leave keep rights they no longer need, and an attacker who compromises one of those stale accounts inherits them. A hard 12-month expiry bounds how long an unreviewed grant can survive.
Operational notes
Run a 12‑monthly review of privileged accounts; disable any not revalidated, record approvals, and remove access promptly when staff change roles or leave.
Implementation tips
- HR and IT Managers should create a schedule: Establish a calendar to review who has privileged access every year. Use reminders to prompt reviews a month in advance to make sure nothing slips through the cracks.
- The IT team should maintain an access register: Keep an updated list of who has privileged access. Make this list easily accessible to ensure reviews can be conducted efficiently.
- System owners should conduct access reviews: Meet individually with team members who have privileged access to confirm they still need it. Document these reviews and any changes to access rights.
- Train staff about access responsibilities: The manager should ensure everyone with privileged access understands the importance of annual reviews and the risks if access is not properly managed.
- Set up automatic alerts: The IT team should use software tools to automatically flag privileged access accounts due for review, ensuring that no access goes unchecked.
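The "access register" and "automatic alerts" tips above amount to one check: for every privileged grant, compare the date it was last revalidated with today, disable anything older than 12 months, and prompt the reviewer a month before expiry. The script below is an added example, not code from the ISM or the Control Stack site. It runs over a constructed sample register (CSV columns `account`, `system`, `owner`, `last_revalidated`, `last_signin`, all hypothetical) and also applies the 45-day inactivity rule from the E8-RA-ML2.2 mapping further down the page, which goes beyond ISM-1647 itself; drop that branch if you only want the revalidation check.

```python
"""Revalidation check over a privileged-access register (added example).

Classifies each privileged grant as:
  disable  - not revalidated within 12 months (ISM-1647), never revalidated,
             or inactive for more than 45 days (E8-RA-ML2.2, optional extension)
  remind   - revalidation falls due within the next 30 days
  review   - data gap (no recorded sign-in) that a human should look at
  ok       - nothing to do
The register format and every row in it are constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

REVALIDATION_PERIOD = timedelta(days=365)  # ISM-1647: revalidate within 12 months
REMINDER_WINDOW = timedelta(days=30)       # prompt reviewers a month in advance
INACTIVITY_LIMIT = timedelta(days=45)      # E8-RA-ML2.2 inactivity rule (extension)

# "As of" date for the sample run; matches the page's last-updated date.
AS_OF = date(2026, 2, 22)

# Constructed sample register (hypothetical accounts, systems and owners).
# Empty last_revalidated means the grant has never been revalidated.
SAMPLE_REGISTER = """\
account,system,owner,last_revalidated,last_signin
adm-alice,AD,Alice Smith,2025-03-01,2026-02-20
adm-bob,Linux-prod,Bob Jones,2025-01-15,2026-02-18
adm-carol,AD,Carol Lee,2025-06-10,2025-11-30
svc-backup,Backup,Ops Team,,2026-02-21
adm-dave,Cloud-tenant,Dave Kim,2026-02-01,2026-02-21
"""


def _parse_date(value):
    """ISO date string -> date, or None when the register cell is empty."""
    return date.fromisoformat(value) if value else None


def classify(row, today):
    """Return (status, reason) for one register row as of `today`."""
    last_revalidated = _parse_date(row["last_revalidated"])
    last_signin = _parse_date(row["last_signin"])

    # No revalidation on record at all: treat as overdue, not as "new".
    if last_revalidated is None:
        return "disable", "never revalidated"

    age = today - last_revalidated
    if age > REVALIDATION_PERIOD:
        return "disable", f"last revalidated {age.days} days ago"

    # Optional E8-RA-ML2.2 check: unused privileged access is disabled too.
    if last_signin is None:
        return "review", "no recorded sign-in"
    idle = today - last_signin
    if idle > INACTIVITY_LIMIT:
        return "disable", f"inactive for {idle.days} days"

    remaining = REVALIDATION_PERIOD - age
    if remaining <= REMINDER_WINDOW:
        return "remind", f"revalidation due in {remaining.days} days"
    return "ok", ""


def review_register(register_csv, today):
    """Map account name -> (status, reason) for every row in the CSV text."""
    reader = csv.DictReader(io.StringIO(register_csv))
    return {row["account"]: classify(row, today) for row in reader}


def review_sample():
    """Run the check over the constructed register as of AS_OF."""
    return review_register(SAMPLE_REGISTER, AS_OF)


if __name__ == "__main__":
    for account, (status, reason) in review_sample().items():
        print(f"{account:12} {status:8} {reason}")
```

The order of the checks matters: the revalidation age is tested first so that an account which is both overdue and inactive is reported for the reason the auditor will ask about, and a never-revalidated grant is treated as overdue rather than as a fresh one. Replace `SAMPLE_REGISTER` with an export from your directory or PAM tool and feed the `disable` rows to whatever actually disables the account; the script only decides, it does not act.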
Audit / evidence tips
- Ask: the privileged access review schedule. Request the schedule that outlines when access reviews are due and completed.
  Good: schedule shows all reviews completed on time and includes planned review dates.
- Ask: the access register. Request the document listing all individuals with privileged access. Check for completeness and regular updates.
  Good: register is up-to-date and accurately reflects current access levels.
- Ask: meeting records. Request minutes or notes from access review meetings.
  Good: record includes detailed actions and confirmations of access need.
- Ask: to see training records. Request evidence of training sessions on access management.
- Ask: system alerts. Have the IT team demonstrate the alerts set up for overdue reviews.
  Good: the alerting system keeps a log showing timely intervention when reviews are overdue.
Cross-framework mappings
How ISM-1647 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.18 | ISM-1647 requires privileged access to be disabled after 12 months unless revalidated, which is an access-rights review and removal mecha... |
| Partially meets | Annex A 8.2 | ISM-1647 requires a specific lifecycle rule: privileged access must be disabled after 12 months unless revalidated |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-RA-ML1.1 | E8-RA-ML1.1 requires organisations to validate privileged access requests when first requested to ensure only legitimate admin access is ... |
| Partially overlaps | E8-RA-ML2.2 | E8-RA-ML2.2 requires privileged access to systems and applications to be disabled after 45 days of inactivity |
| Supports | E8-RA-ML1.4 | E8-RA-ML1.4 requires limiting privileged accounts' online service access to only what is required for duties |
| Related | E8-RA-ML2.1 | E8-RA-ML2.1 requires privileged access to be disabled after 12 months unless it is revalidated |