Limit Unprivileged Access to Essential Functions
Users can only access what they need to do their work, nothing extra.
Plain language
This control is about ensuring that employees and software have access only to the systems and information they need to do their jobs—nothing more. If people can access more than they should, it increases the risk of mistakes or intentional harm, like data breaches or loss of sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel securityOfficial control statement
Unprivileged access to systems and their resources is limited to only what is required for users and services to undertake their duties.
Why it matters
Excess access can lead to data breaches or loss by enabling users to retrieve, alter or delete sensitive info beyond their job needs.
Operational notes
Apply least privilege with RBAC: restrict default access, approve exceptions, and review user/service permissions regularly to remove unnecessary rights.
Implementation tips
- Managers should first map out which tasks are essential for each role within the organisation. They can do this by listing all responsibilities and the specific resources needed to complete them, ensuring that access is granted based on necessity.
- The IT team should set up systems to manage access permissions based on the roles defined by managers. They can use built-in features in software tools or network systems to restrict access, ensuring employees can only see or do what is necessary for their role.
- System owners should regularly review access permissions, maybe every quarter, to ensure they still match the job functions as roles or responsibilities change over time. This can be done with a simple checklist or spreadsheet to track who has access to what.
- HR and IT should collaborate when new hires or role changes occur. HR should inform the IT team immediately when an employee changes roles or leaves, so IT can adjust or revoke access accordingly.
- A record should be kept by IT of who has access to what systems and resources. This can be managed through a centralised document or tool. Regular updates and reviews will keep this information accurate and up to date.
Audit / evidence tips
-
Askthe access control list: Request the document that shows who has access to which systems and data
Goodshows precise access levels assigned for each role, with no excessive permissions
-
Goodcontains role descriptions linked to specific system access requirements
-
Askto see the policy for reviewing access permissions: Request records of scheduled permission reviews, including who conducted them
Goodhas recent dates, clear review outcomes, and updates recorded
-
Goodshows recent notifications and updates following these events
-
Askany training or awareness documentation related to access control: Request proof that personnel understand the principles of minimal required access
Goodincludes recent training sessions or materials covering access responsibilities
Cross-framework mappings
How ISM-1852 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| E8-RB-ML1.5 | E8-RB-ML1.5 requires that unprivileged accounts cannot access backups belonging to other accounts | |
| sync_alt Partially overlaps (2) expand_less | ||
| E8-RA-ML1.4 | ISM-1852 requires organisations to restrict unprivileged access to only what is required for users and services to do their jobs | |
| E8-RA-ML3.1 | ISM-1852 requires unprivileged access to systems and resources to be limited to only what users and services need to perform their duties... | |
| handshake Supports (1) expand_less | ||
| E8-RA-ML3.3 | ISM-1852 requires unprivileged access to systems and resources to be limited to only what is needed for duties | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.