Eligibility Criteria for Gateway System Administrators
Only Australian or seconded foreign nationals can manage government-only network gateways in Australia.
Plain language
This control ensures that only Australian citizens or foreign nationals working under a specific agreement with the Australian Government manage the gateways to government-only networks. This matters because having unauthorised individuals manage these critical gateways could lead to security breaches, putting sensitive government information at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
System administrators for gateways that connect to Australian Government Access Only networks are Australian nationals or seconded foreign nationals.
Why it matters
Allowing non-eligible administrators to manage gateways to Access Only networks increases the risk of unauthorised access and national security compromise.
Operational notes
Maintain evidence that gateway administrators are Australian nationals or currently seconded foreign nationals; review citizenship/secondment status at onboarding and at least quarterly.
Implementation tips
- The HR department should verify the citizenship status of all current and prospective system administrators who will manage government network gateways. This can be done by requesting and storing a copy of each individual's Australian passport or appropriate visa documentation.
- The IT manager should maintain a list of authorised system administrators, ensuring only eligible personnel have access to manage the government network gateways. This can be maintained in a secure digital document with regular updates every six months.
- The security officer should conduct orientation sessions for new system administrators, emphasising the importance of maintaining eligibility criteria such as citizenship for managing government network gateways. This can be a formal meeting or digital briefing.
- The compliance team should set up annual reviews to ensure that all system administrators remain eligible under current regulations. This involves checking their continued status as Australian citizens or their current assignment under a government agreement.
- The network manager should implement access controls in the management tools used for the gateways to prevent unauthorised personnel from gaining access. This includes setting permissions based on current eligibility status and regularly auditing access logs.
Audit / evidence tips
- Ask: the list of current system administrators managing government network gateways
  Good: includes all administrators having verified Australian citizenship or documented secondment agreements
- Good: shows a complete and up-to-date file for each administrator
- Ask: the last six-monthly update of the authorised personnel list from the IT manager
  Good: will be a list no more than six months old with detailed, accurate records
- Good: shows all personnel participated in such briefings within the last year
- Ask: access log records from the network management tools
  Good: shows restricted and monitored access corresponding with the authorised personnel list
Cross-framework mappings
How ISM-1773 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.2 | Annex A 5.2 requires information security roles and responsibilities to be defined and allocated according to organisational needs | |
| Supports (3) | | |
| Annex A 5.15 | ISM-1773 mandates national eligibility for administering specific gateways | |
| Annex A 6.1 | ISM-1773 mandates that gateway system administrators for Australian Government Access Only networks be Australian nationals or seconded f... | |
| Annex A 6.2 | ISM-1773 restricts gateway system administrator roles to Australian nationals or seconded foreign nationals | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.