Secure API Access with Authentication and Authorisation
Ensure only authorised clients can access sensitive data via network APIs over the internet.
Plain language
This control ensures that only people who are supposed to access certain sensitive information through internet-based systems can do so. It's like having a bouncer at the door of a club, checking IDs to make sure only the right people get in. If this isn't done, unauthorised access could lead to data leaks or breaches, damaging a business's reputation and finances.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Authentication and authorisation of clients is performed when clients call network APIs that facilitate access to data not authorised for release into the public domain and are accessible over the internet.
Why it matters
If API clients are not authenticated and authorised, internet-exposed APIs may leak non-public data to unauthorised users, causing breaches and loss of trust.
Operational notes
Implement strong client authentication and authorisation (e.g., OAuth2/OIDC, JWT validation). Review scopes/claims, rotate keys, and monitor internet-facing API access.
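The following is an added worked example, not part of the ISM text or the Control Stack page, of what "JWT validation" and "review scopes/claims" look like at an internet-facing API: the token's signature, algorithm, issuer, audience and expiry are checked (authentication), then the scope claim is compared against what the requested endpoint needs (authorisation). The secret, issuer, audience, routes and scope names are constructed placeholders; a real deployment would verify tokens against the identity provider's published keys (RS256/ES256 via OIDC discovery) rather than a shared HS256 secret, and would hold that key material in a key management service so it can be rotated.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions for this example only).
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.invalid"   # placeholder issuer
EXPECTED_AUDIENCE = "customer-records-api"        # placeholder audience

# Authorisation table: the scope each sensitive endpoint requires (constructed).
REQUIRED_SCOPE = {
    ("GET", "/customers"): "customers:read",
    ("POST", "/customers"): "customers:write",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT drops base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue an HS256 JWT. Present only so the example runs offline; in a real
    system the identity provider mints tokens, never the API itself."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> dict:
    """Authenticate the caller: verify algorithm, signature, issuer, audience and
    expiry. Raises ValueError on any failure so the caller can answer HTTP 401."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own 'alg' choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def handle_request(method: str, path: str, authorization: Optional[str], now: Optional[float] = None) -> int:
    """Return the HTTP status an API gateway would produce: 200, 401 or 403."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401                      # no credential presented
    try:
        claims = validate_token(authorization[len("Bearer "):], now=now)
    except ValueError:
        return 401                      # credential presented but not valid
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 403                      # unknown route: default deny
    granted = set(claims.get("scope", "").split())
    return 200 if needed in granted else 403


if __name__ == "__main__":
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "sub": "svc-billing", "scope": "customers:read",
                        "exp": int(time.time()) + 300})
    print(handle_request("GET", "/customers", "Bearer " + token))    # 200
    print(handle_request("POST", "/customers", "Bearer " + token))   # 403: scope missing
    print(handle_request("GET", "/customers", None))                 # 401: no token
```

The split between 401 (who are you?) and 403 (you are known, but not allowed here) matters for the log review described later on this page: a burst of 401s from one source and a single 403 from a known client call for different responses.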
Implementation tips
- System owners should identify critical data accessed through their network APIs. They can do this by reviewing what data is handled by each system and determining what needs special protection.
- The IT team should implement authentication measures that verify the identity of users before they can access sensitive data. This can include setting up usernames and passwords or using tools that send a code to a user's phone for additional security.
- Managers should ensure that there are clear policies about who is authorised to access sensitive data. They can work with HR to define roles and responsibilities, so only certain job positions have access to certain information.
- IT personnel should routinely check logs of who accesses sensitive data to ensure only authorised users have gained access. This can be done by setting up alerts for any unusual access patterns.
- The office manager should organise regular training sessions for all staff about the importance of protecting sensitive data accessed over the internet. This can involve inviting a cyber security expert to explain the basics in simple terms.
Audit / evidence tips
- Ask: a list of users who have access to the system's sensitive data. Examine the list to ensure it matches authorised user roles.
  Good: a list that aligns with documented roles and permissions.
- Good: a comprehensive policy that includes username/password requirements and multifactor authentication for added security.
- Ask: logs or records of access requests to sensitive data. Review these logs to see if any unauthorised access attempts were stopped.
  Good: a log showing all access attempts and how unauthorised ones were denied or challenged.
- Good: includes documented attendance of key staff roles, especially those dealing with sensitive data.
- Ask: system testing reports or security assessments on network APIs. Check these reports to ensure tests are conducted regularly and cover potential vulnerabilities.
  Good: a detailed and dated report showing recent security tests and their outcomes.
Cross-framework mappings
How ISM-1817 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.3 | ISM-1817 requires that API clients are authenticated and authorised when calling internet-accessible APIs that expose non-public data | |
| Annex A 8.5 | ISM-1817 requires authentication and authorisation of clients when they call internet-accessible APIs that provide access to non-public data | |
| Supports (1) | | |
| Annex A 5.17 | ISM-1817 requires authenticating and authorising API clients for internet-accessible APIs that expose non-public data | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.