ISM-1679 ASD Information Security Manual (ISM)

Use Multi-factor Authentication for Third-party Services

Use multiple verification steps for accessing external services with sensitive data.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2023

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

ML1, ML2, ML3

Official control statement
Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation's sensitive data.

Source: ASD Information Security Manual (ISM)

Plain language

Multi-factor authentication means proving who you are in more than one way before a service lets you in, for example a password plus a code from an authenticator app. It matters because an attacker who gets hold of your password (by phishing, guessing or a leak from another site) still cannot log in without the second factor, which makes it much harder to break into your accounts and steal your important information.

Why it matters

Without multi-factor authentication, a stolen, guessed or reused password is enough to log in to a third-party service as a legitimate user. That exposes the sensitive data the service holds and gives the attacker a foothold for further compromise or espionage, often from a vendor's platform the organisation does not monitor as closely as its own systems.

Operational notes

Verify regularly that MFA is actually enforced, not merely available, on every third-party service that handles sensitive data, and re-check which factors each vendor supports after product or contract changes, since a vendor may add stronger factors or withdraw the one your staff rely on.

Implementation tips

  • The IT team should identify all third-party services that store or process sensitive data and ensure multi-factor authentication is enabled on each. Start by listing every external tool, then check its settings to confirm it offers multi-factor authentication and that the option is switched on (and, where the service allows it, enforced for all users rather than left as an opt-in).
  • The Office Manager should work with the IT team to educate all staff on using multi-factor authentication. Set aside time for a brief training session in which employees are shown how to use an authenticator app or receive one-time passwords (OTPs) by text message.
  • System Owners should review user access to third-party services regularly. Schedule quarterly checks to confirm that every user who accesses these services with sensitive data has multi-factor authentication in use.
  • Procurement should check with vendors whether multi-factor authentication is supported when purchasing new tools. Before signing a contract, ask the vendor to confirm the feature in writing (an email is sufficient) and keep a record of the response.
  • HR should include multi-factor authentication in the onboarding and offboarding checklists. When a new employee starts, make sure they know how to set it up; when an employee leaves, make sure their access, including any enrolled authentication factors and devices, is revoked.

Audit / evidence tips

  • Ask: a list of all third-party services the organisation uses that handle sensitive information.

    Good: a complete list with each service marked as having active multi-factor authentication.

  • Ask: evidence that staff have been trained to use multi-factor authentication.

    Good: recent presentation slides or recorded sessions showing employee awareness activities.

  • Ask: evidence of recent access reviews, such as the outcome reports from the last few checks confirming that only authorised users have access and that multi-factor authentication is enabled for them.

    Good: a schedule of regular reviews with verified entries for all current users.

  • Ask: vendor confirmation that each service supports multi-factor authentication.

    Good: written confirmation from vendors (such as emails) that the service supports multi-factor authentication.

  • Ask: the HR department's procedural documents that specifically mention multi-factor authentication setup and revocation.

    Good: documentation that demonstrates mandatory multi-factor authentication processes for new and departing staff.
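The inventory, quarterly user review and offboarding checks from the implementation tips, together with the evidence items above, can be turned into one repeatable script. The following is an added example and is not code from Control Stack or ASD. The service inventory, user names and the leavers list are constructed and hypothetical, shaped like an IdP or SaaS admin export (in practice the records would be pulled from each vendor's admin API or the organisation's identity provider), and the rule that an account only counts as MFA-protected when it holds a possession factor plus a distinct knowledge or biometric factor follows the E8-MF-ML1.7 wording quoted in the mapping table below.

```python
"""Added example (not Control Stack's or ASD's code): an MFA coverage audit
over a constructed inventory of third-party services.

The inventory is constructed inline in the shape of a typical IdP or SaaS
admin export; service names, user names and the LEAVERS set are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

# Factor classes. Following the E8-MF-ML1.7 wording, an account only counts
# as MFA-protected when it has a possession factor plus a distinct knowledge
# or biometric factor; two factors of the same class are not MFA.
POSSESSION = {"totp_app", "fido2", "hardware_token", "push", "sms"}
KNOWLEDGE_OR_BIOMETRIC = {"password", "pin", "biometric_unlock"}


@dataclass
class ServiceAccount:
    user: str
    factors: set[str]      # factor types enrolled on this service
    active: bool = True    # False once the vendor-side account is disabled


@dataclass
class ThirdPartyService:
    name: str
    handles_sensitive_data: bool
    mfa_enforced_by_policy: bool   # tenant-wide "require MFA" setting, not just "available"
    accounts: list[ServiceAccount]


# Constructed inventory (hypothetical names and data).
SERVICES = [
    ThirdPartyService("payroll-saas", True, True, [
        ServiceAccount("a.smith", {"password", "totp_app"}),
        ServiceAccount("j.doe", {"password"}),              # never enrolled a second factor
        ServiceAccount("m.ng", {"password", "totp_app"}),   # has left, account still active
    ]),
    ThirdPartyService("crm-cloud", True, False, [           # MFA optional at tenant level
        ServiceAccount("a.smith", {"password", "fido2"}),
        ServiceAccount("r.patel", {"password", "sms"}),
    ]),
    ThirdPartyService("lunch-orders", False, False, [       # no sensitive data: out of scope
        ServiceAccount("j.doe", {"password"}),
    ]),
]

# Constructed HR leavers list: staff whose access should already be revoked.
LEAVERS = {"m.ng"}


def has_mfa(factors: set[str]) -> bool:
    """True only if the factors span both classes (possession + knowledge/biometric)."""
    return bool(factors & POSSESSION) and bool(factors & KNOWLEDGE_OR_BIOMETRIC)


def audit(services: list[ThirdPartyService], leavers: set[str]) -> dict:
    """Produce the findings an access review or auditor asks for: in-scope
    services whose tenant does not enforce MFA, active users without MFA,
    leavers still holding active accounts, and per-service coverage."""
    findings = {
        "services_without_enforcement": [],
        "users_without_mfa": [],
        "leavers_with_access": [],
        "coverage": {},          # service -> (active users with MFA, active users)
    }
    for svc in services:
        if not svc.handles_sensitive_data:
            continue             # ISM-1679 is scoped to services handling sensitive data
        if not svc.mfa_enforced_by_policy:
            findings["services_without_enforcement"].append(svc.name)
        active = [a for a in svc.accounts if a.active]
        protected = 0
        for acct in active:
            if has_mfa(acct.factors):
                protected += 1
            else:
                findings["users_without_mfa"].append((svc.name, acct.user))
            if acct.user in leavers:
                findings["leavers_with_access"].append((svc.name, acct.user))
        findings["coverage"][svc.name] = (protected, len(active))
    return findings


def evidence_list(services: list[ThirdPartyService], findings: dict) -> list[str]:
    """One line per in-scope service, marked with its MFA status, for the
    'list of third-party services' evidence item."""
    lines = []
    for svc in services:
        if svc.name not in findings["coverage"]:
            continue
        ok, total = findings["coverage"][svc.name]
        status = "MFA enforced" if svc.mfa_enforced_by_policy and ok == total else "GAP"
        lines.append(f"{svc.name}: {status} ({ok}/{total} active users with MFA)")
    return lines


if __name__ == "__main__":
    result = audit(SERVICES, LEAVERS)
    for line in evidence_list(SERVICES, result):
        print(line)
    for key in ("services_without_enforcement", "users_without_mfa", "leavers_with_access"):
        print(f"{key}: {result[key]}")
```

Run quarterly against a fresh export and keep the output with the review schedule; the three findings lists map directly to the IT, System Owner and HR responsibilities above, and a non-empty `leavers_with_access` is the offboarding failure the HR checklist is meant to prevent.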

Cross-framework mappings

How ISM-1679 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)
  Annex A 8.5: ISM-1679 specifically requires MFA for users authenticating to third-party online services that process, store, or communicate the organi...

E8

Partially overlaps (3)
  E8-MF-ML1.1: requires MFA for users authenticating to the organisation's online services that handle sensitive organisational data
  E8-MF-ML1.5: requires multi-factor authentication (MFA) for users accessing third-party online customer services handling sensitive custom...
  E8-MF-ML1.7: requires MFA to combine two factors (possession plus knowledge/biometric unlock)
Related (1)
  E8-MF-ML1.2: ISM-1679 requires multi-factor authentication (MFA) to be used when authenticating users to third-party online services that process, sto...
