ISM-1688 ASD Information Security Manual (ISM)

Restrict Privileged Environment Access

Users without privileges cannot access systems meant for privileged users.


Plain language

The idea here is that ordinary users, who don't need wide-ranging access, should not be allowed into areas of your computer systems reserved for people with special permissions. If these restrictions aren't in place, someone without the proper permissions could accidentally or intentionally mess with sensitive parts of your systems, leading to data breaches or system disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Unprivileged user accounts cannot logon to privileged operating environments.
ASD Information Security Manual (ISM), ISM-1688

Why it matters

If unprivileged users can log on to privileged operating environments, they may gain elevated access, change configurations, and expose sensitive data.


Operational notes

Audit privileged environment logon rights regularly; ensure only privileged accounts can sign in and remove access immediately when users change roles.


Implementation tips

  • The IT team should identify which systems or parts of your network require special privileges. They can do this by reviewing the roles in your organisation and matching them to each system's access needs, ensuring only those with specific roles can access privileged environments.
  • System administrators need to set up access controls that specifically block unprivileged users from logging into these environments. They can implement user groups and permissions settings in your systems to ensure that only authorised personnel have the necessary access.
  • HR and IT should collaborate during onboarding to ensure that new employees are only given the access necessary for their roles. They should implement a process where access permissions are clearly based on job requirements, so that access rights are not extended beyond what the role needs.
  • Managers must regularly review the list of employees with privileged access to ensure it is still necessary for their current roles. This can be done by setting up quarterly reviews where managers discuss access needs with each team member.
  • The compliance officer should ensure there are regular audits of access logs to check for any unauthorised attempts to access privileged environments. This involves the use of system logging tools that record failed access attempts and send notifications about them, which can then be reviewed during monthly meetings.

Audit / evidence tips

  • Ask: Access control policies. Request the documents outlining access control policies that define who gets access to privileged environments. Good: Shows roles clearly defined with permissions that match job requirements.
  • Ask: A user access list. Request a current list of all users with privileged access. Good: List will be current, with annotations of reviewed dates and approved changes by authorised personnel.
  • Ask: Access log reports. Request log reports showing attempts to access privileged environments, both successful and unsuccessful. Good: Includes logs with minimal unauthorised attempts and follow-up actions for any issues.
  • Ask: A list of recent changes to access controls. Request records of recent modifications to access permissions. Good: Includes change logs with clear, documented rationales and authorised approvals.
  • Ask: Evidence of access review meetings. Request minutes or summaries of recent meetings where access was reviewed. Good: Contains meeting records with action items on access modification and follow-up dates.

Cross-framework mappings

How ISM-1688 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.2 ISM-1688 requires that unprivileged user accounts cannot log on to privileged operating environments

E8

Control Notes Details
Partially overlaps (1)
E8-RA-ML1.7 ISM-1688 requires that unprivileged user accounts cannot log on to privileged operating environments
Supports (1)
E8-RA-ML3.3 E8-RA-ML3.3 requires just-in-time (JIT) administration so privileged access is only granted when needed and for limited periods
Related (1)
E8-RA-ML1.6 E8-RA-ML1.6 requires that unprivileged accounts are prevented from logging on to privileged operating environments

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
