ISM-1818 policy ASD Information Security Manual (ISM)

Client Authentication for Network API Access

Ensure clients are verified before they change data through network APIs on the internet.


Plain language

This control ensures that only verified clients can change important data through network APIs that are reachable from the internet. If this isn't done, unauthorised people or attackers could alter your data, leading to loss of trust, potential financial loss, and damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Authentication and authorisation of clients is performed when clients call network APIs that facilitate modification of data and are accessible over the internet.

Why it matters

Without client authentication for internet-accessible APIs that modify data, unauthorised parties could change records, causing breaches, financial loss and reputational damage.


Operational notes

Review API logs for failed tokens and unusual client IDs; ensure only authenticated, authorised clients can call internet-facing data-modifying endpoints.
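As an added illustration of the check above (example code written for this page, not part of the ISM or of any product), the following gateway-style function authenticates a client token and then additionally requires a write scope before any data-modifying method is allowed through. The HMAC token format, the client registry and the client names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed client registry (assumption: stands in for the real identity store).
# Each client has a shared secret for token verification and a set of allowed scopes.
CLIENTS = {
    "inventory-sync": {"secret": b"demo-secret-1", "scopes": {"read", "write"}},
    "report-viewer": {"secret": b"demo-secret-2", "scopes": {"read"}},
}
# HTTP methods that modify data and therefore fall under ISM-1818.
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def mint_token(client_id, secret, ttl=300, now=None):
    """Issue a constructed token: urlsafe-base64(JSON claims) + "." + hex HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"cid": client_id, "exp": now + ttl}).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def check_request(method, token, now=None):
    """Return (allowed, reason) for one call to an internet-facing endpoint.

    Authentication: the token must carry a valid HMAC for a known client and be unexpired.
    Authorisation: data-modifying methods additionally require the client's 'write' scope.
    """
    now = int(time.time()) if now is None else now
    if not token or "." not in token:
        return False, "no credential presented"
    encoded, sig = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(encoded.encode())
        claims = json.loads(payload)
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        return False, "malformed token"
    client = CLIENTS.get(claims.get("cid"))
    if client is None:
        return False, "unknown client id"
    expected = hmac.new(client["secret"], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if claims.get("exp", 0) < now:
        return False, "token expired"
    if method in MUTATING and "write" not in client["scopes"]:
        return False, "client not authorised to modify data"
    return True, "ok"
```

Each rejection reason is distinct so that the log line it produces can be reviewed later for failed tokens and unknown client IDs.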


Implementation tips

  • System owners should work with their IT team to establish clear client authentication processes. This can be done by setting up user accounts with passwords or other verification methods like email confirmations before allowing any data changes.
  • IT teams need to develop and implement robust verification checks for network APIs. This can include requiring users to log in with a username and password or using digital certificates to confirm identity.
  • Managers should ensure that training for staff includes information about secure data management practices. This can include basic tips on creating strong passwords and recognising phishing attacks.
  • IT staff should regularly update authentication methods to stay ahead of potential security threats. This might involve implementing new software updates or changing user authentication methods regularly.
  • A designated security officer should review and monitor user access logs to detect any unusual activity. This involves regularly checking the logs to ensure only authorised users are making changes to data.

Audit / evidence tips

  • Ask: The documentation outlining the client authentication process for network APIs. Good: Will detail specific methods, such as password protection or digital verification, and how they are enforced.
  • Ask: IT to demonstrate the authentication process live or through recorded sessions. Good: Demonstration will include easy-to-follow procedures with clear, secure verification steps.
  • Good: Will include comprehensive, up-to-date security training relevant to client authentication.
  • Ask: Records of regular security updates or changes to authentication methods and protocols. Good: Record will clearly document the date, nature of updates, and responsible personnel.

Cross-framework mappings

How ISM-1818 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control        Relationship      Notes
Annex A 8.5    Partially meets   ISM-1818 requires authentication and authorisation of clients when they call internet-accessible network APIs that can modify data.
Annex A 5.17   Supports          ISM-1818 requires that API clients are authenticated and authorised before they can perform internet-accessible API calls that modify data.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
