Compliance with System Usage Policies for Access
Employees must agree to follow system usage rules before they are granted access to those systems.
Plain language
This control requires that all employees agree to follow certain rules about how they use their work computer systems before they can log in and start using them. It matters because if people don't understand or follow these rules, they could accidentally or intentionally cause security breaches, leading to data loss or other serious problems for the organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Personnel agree to abide by system usage policies before being granted access to systems and their resources.
Why it matters
If users are granted access without agreeing to system usage policies, misuse or policy breaches may go unchallenged, increasing insider risk and incident impact.
Operational notes
Require policy acknowledgement before initial access and at periodic re‑acceptance (e.g., annually); record acceptance, block access if not accepted, and follow up on breaches.
Implementation tips
- Managers should ensure all new employees are briefed on system usage policies during their onboarding process. This can be done by scheduling a dedicated session where the policies are explained clearly, and any questions are answered.
- HR should include a system usage agreement as part of the employment contract paperwork. Employees will need to read and sign this document to confirm they understand and agree to abide by the computer usage rules.
- The IT team should set up a process where user accounts are only activated after the signed usage agreement is received. This involves creating a checklist to ensure this step is completed before granting access.
- The compliance officer should perform regular reviews to ensure all employees have a signed system usage agreement on file. This can be a simple audit to compare user access records with signed agreements once a year.
- IT administrators should set up a notification system to remind employees to review the system usage policies periodically. This could involve an annual email reminder with any updated policies if changes have occurred.
Audit / evidence tips
- Ask for the list of system usage agreements from HR: request the folder or database where signed agreements are stored.
  Good: all active users have a dated and signed agreement on file.
- Ask for the onboarding checklist: this is used during new employee orientation and should include an entry for system usage policy agreement.
  Good: shows a consistent process with accountability noted.
- Ask for a sample email or memo sent to employees about system usage policies: this demonstrates that reminders are sent regularly.
  Good: reminders are sent at least annually.
- Ask for a report or log of new account activations: request documentation showing when new accounts are activated relative to agreement receipt, and verify that activation follows submission and signing of the policy agreement.
  Good: no accounts activated without the agreement on file.
- Ask for random user access records and compare them to agreement files: conduct a spot-check across a random selection of employees and verify that each user's access coincides with a signed usage agreement.
  Good: no discrepancies between user access and agreement documentation.
Cross-framework mappings
How ISM-1865 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (4) | | |
| Annex A 5.1 | ISM-1865 requires personnel to agree to abide by system usage policies before being granted access to systems and resources | |
| Annex A 5.4 | ISM-1865 requires personnel to agree to follow system usage policies before being granted access | |
| Annex A 5.15 | ISM-1865 requires a precondition for access: personnel must agree to comply with system usage policies before being granted access | |
| Annex A 6.4 | Annex A 6.4 requires a formalised and communicated disciplinary process to take action when personnel or other relevant interested partie... | |
| Depends on (1) | | |
| Annex A 5.10 | ISM-1865 requires personnel to agree to abide by system usage policies before they are granted access to systems and resources | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.