ISM-1649 ASD Information Security Manual (ISM)

Implement Just-in-Time Administration for System Access

Use just-in-time methods to manage who can access system resources, ensuring enhanced security.

Plain language

This control is about giving people temporary access to computer systems only when they need it. This matters because if someone always has full access, it makes it easier for mistakes or attacks to happen, putting sensitive information at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Just-in-time administration is used for the administration of systems and their resources.

Why it matters

Without just-in-time admin access, persistent privileges expand the attack window, enabling credential misuse, privilege escalation and broader system compromise.

Operational notes

Use time-bound admin elevation only when needed; log and review approvals, monitor activity, and automatically revoke elevated access immediately after task completion.

Implementation tips

  • The IT manager should set up a system where special access is given only when it's needed. They can do this by using tools that allow temporary permission, ensuring staff can't get in unless it's required for a task.
  • Business owners should work with their IT team to identify which tasks need special system access. Discuss specific job roles and tasks, decide which require just-in-time access, and ensure everyone understands the process.
  • HR should coordinate training sessions for staff on why just-in-time access is important. Use easy-to-understand examples about the risks of always-on access and how to request temporary access when needed.
  • Procurement managers should ensure any new software supports just-in-time access features. This can be done by adding it as a requirement in software purchases and checking features during vendor demonstrations.
  • System administrators should audit current access permissions and remove permanent rights that aren't necessary. This involves reviewing who has access to sensitive systems and switching to a just-in-time model with the right tools.

Audit / evidence tips

  • Ask: Access logs for critical systems. Request logs showing when staff were granted special access. Look to see if access is temporary and linked to specific tasks. Good: Will show time-limited access tied to documented business needs.
  • Ask: A list of who has privileged system access. Request a list from the IT team of employees with special access rights. Good: Will show only necessary individuals have time-limited access based on current tasks.
  • Ask: Training records on just-in-time access. Request documents or records showing staff attended relevant training. Good: Will show recent completion of training by all relevant staff.
  • Ask: Documentation of software procurement. Request reports from the procurement team showing software purchases with just-in-time access features. Look to see if this was a requirement in request documents. Good: Will include vendor commitments to these features.
  • Ask: To see records of access reviews. Request documentation of regular access reviews by system administrators. Good: Will show regular, documented checks and necessary adjustments.

Cross-framework mappings

How ISM-1649 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (4)
Annex A 5.15 ISM-1649 requires organisations to use just-in-time administration to control when administrative access is granted for system administra...
Annex A 5.18 ISM-1649 requires just-in-time administration to control the granting and use of administrative access for systems and resources
Annex A 8.2 ISM-1649 requires the use of just-in-time administration for system administration, reducing persistent privileged access
Annex A 8.3 ISM-1649 requires just-in-time administration to restrict administrative access temporally for systems and resources

E8

Control Notes Details
Supports (2)
E8-RA-ML1.7 E8-RA-ML1.7 requires blocking privileged accounts from logging on to unprivileged operating environments
E8-RA-ML2.1 E8-RA-ML2.1 requires privileged access to be disabled after 12 months unless revalidated
Related (1)
E8-RA-ML3.3 E8-RA-ML3.3 requires just-in-time (JIT) administration to be used when administering systems and applications, limiting high-level access...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
