Restrict Privileged Environment Access
Users without privileges cannot access systems meant for privileged users.
Plain language
The idea here is that ordinary users, who don't need wide-ranging access, should not be allowed into areas of your computer systems reserved for people with special permissions. If these restrictions aren't in place, someone who should not have that access could accidentally or intentionally interfere with sensitive parts of your systems, leading to data breaches or system disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
System administration
Official control statement
Unprivileged user accounts cannot logon to privileged operating environments.
Why it matters
If unprivileged users can log on to privileged operating environments, they may gain elevated access, change configurations, and expose sensitive data.
Operational notes
Audit privileged environment logon rights regularly; ensure only privileged accounts can sign in and remove access immediately when users change roles.
Implementation tips
- The IT team should identify which systems or parts of your network require special privileges. They can do this by reviewing the roles in your organisation and matching them to the access needs of each system, ensuring only those with specific roles can access privileged environments.
- System administrators need to set up access controls that specifically block unprivileged users from logging into these environments. They can implement user groups and permissions settings in your systems to ensure that only authorised personnel have the necessary access.
- HR and IT should collaborate during onboarding to ensure that new employees are only given the access necessary for their roles. They should implement a process where access permissions are clearly based on job requirements, avoiding over-broad access rights.
- Managers must regularly review the list of employees with privileged access to ensure it is still necessary for their current roles. This can be done by setting up quarterly reviews where managers discuss access needs with each team member.
- The compliance officer should ensure there are regular audits of access logs to check for any unauthorised attempts to access privileged environments. This involves the use of system logging tools that record and notify of failed access attempts, which can then be reviewed during monthly meetings.
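The log audit described in the last tip, as an added example that is not part of the original page: it parses OpenSSH sshd logon lines and reports any logon, successful or failed, to a host in the privileged operating environment by an account outside the privileged-account allowlist. The host names, account names and log lines are constructed for the example; an accepted logon by an unprivileged account is flagged as a control failure, a failed one as a blocked attempt for follow-up.

```python
import re

# Hosts that make up the privileged operating environment and the accounts allowed
# to log on there. Both sets are assumed names constructed for this example.
PRIVILEGED_HOSTS = {"paw-01", "jump-01"}
PRIVILEGED_ACCOUNTS = {"adm-jsmith", "adm-pwong"}

# Standard OpenSSH sshd syslog lines for accepted and failed logons, e.g.
#   "Mar 19 08:05:44 paw-01 sshd[2250]: Failed password for jdoe from 10.0.7.31 port 40122 ssh2"
LOGON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_logon(line):
    """Return the fields of an sshd logon line, or None for any other line."""
    m = LOGON_RE.match(line)
    return m.groupdict() if m else None

def find_violations(lines):
    """Logon events on privileged hosts by accounts that are not on the allowlist.

    An Accepted event is a control failure (the restriction is not enforced);
    a Failed event is a blocked attempt that still warrants follow-up.
    """
    findings = []
    for line in lines:
        ev = parse_logon(line)
        if ev is None or ev["host"] not in PRIVILEGED_HOSTS:
            continue
        if ev["user"] in PRIVILEGED_ACCOUNTS:
            continue
        severity = "control failure" if ev["result"] == "Accepted" else "blocked attempt"
        findings.append((ev["host"], ev["user"], ev["src"], ev["result"], severity))
    return findings

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Mar 19 08:01:02 paw-01 sshd[2231]: Accepted publickey for adm-jsmith from 10.0.5.20 port 51522 ssh2: ED25519 SHA256:c0nstructed",
    "Mar 19 08:05:44 paw-01 sshd[2250]: Failed password for jdoe from 10.0.7.31 port 40122 ssh2",
    "Mar 19 08:06:01 paw-01 sshd[2251]: Accepted password for jdoe from 10.0.7.31 port 40130 ssh2",
    "Mar 19 08:10:10 web-03 sshd[911]: Accepted publickey for jdoe from 10.0.7.31 port 40200 ssh2",
    "Mar 19 08:12:30 jump-01 sshd[777]: Failed password for invalid user svc-backup from 10.0.9.2 port 33001 ssh2",
    "Mar 19 08:13:00 jump-01 sshd[777]: Connection closed by 10.0.9.2 port 33001 [preauth]",
]

if __name__ == "__main__":
    for host, user, src, result, severity in find_violations(SAMPLE_LOG):
        print(f"{severity:15} {host}: {result} logon for '{user}' from {src}")
```

The logon to web-03 is ignored because that host is outside the privileged environment; the same allowlist comparison can be run against an exported list of accounts holding logon rights to confirm the restriction is configured, not only that it held.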
Audit / evidence tips
- Ask: access control policies. Request the documents outlining access control policies that define who gets access to privileged environments.
  Good: roles are clearly defined with permissions that match job requirements.
- Ask: a user access list. Request a current list of all users with privileged access.
  Good: the list is current, with annotations of review dates and changes approved by authorised personnel.
- Ask: access log reports. Request log reports showing attempts to access privileged environments, both successful and unsuccessful.
  Good: logs show minimal unauthorised attempts and follow-up actions for any issues.
- Ask: a list of recent changes to access controls. Request records of recent modifications to access permissions.
  Good: change logs with clear, documented rationales and authorised approvals.
- Ask: evidence of access review meetings. Request minutes or summaries of recent meetings where access was reviewed.
  Good: meeting records with action items on access modification and follow-up dates.
Cross-framework mappings
How ISM-1688 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.2 | ISM-1688 requires that unprivileged user accounts cannot log on to privileged operating environments | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-RA-ML1.7 | ISM-1688 requires that unprivileged user accounts cannot log on to privileged operating environments | |
| Supports (1) | | |
| E8-RA-ML3.3 | E8-RA-ML3.3 requires just-in-time (JIT) administration so privileged access is only granted when needed and for limited periods | |
| Related (1) | | |
| E8-RA-ML1.6 | E8-RA-ML1.6 requires that unprivileged accounts are prevented from logging on to privileged operating environments | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.