Restrict Privileged Access to Necessary Service Duties
Only necessary access is allowed for users to perform their duties online.
Plain language
This control means that only people who need special access to important parts of your online services to do their job should have it. It’s important because too many people with access can lead to mistakes or intentional harm, like data theft or system damage, which can cost money and damage your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for personnel security
Official control statement
Privileged user accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.
Why it matters
Over-privileged accounts for online services increase misuse and compromise risk, enabling unauthorised changes or data access beyond service duties.
Operational notes
Regularly review privileged access for online services and remove unneeded roles/permissions so accounts only have access required for service duties.
Implementation tips
- System owners should evaluate which team members truly need privileged account access based on their job roles. List key tasks that require such access and match them with specific individuals. Only those fulfilling these roles should be granted access, keeping it strictly on a 'need-to-have' basis.
- Managers should regularly review the list of privileged accounts. Set a monthly reminder to verify that current access aligns with team needs. Disable unnecessary accounts to reduce risk and document any changes for accountability.
- IT teams should implement a system for logging and monitoring access to sensitive areas. Use existing tools to keep a record of who accessed what, and set up alerts for unusual or unauthorised access attempts. Ensure that logs are reviewed weekly.
- Human Resources should work with IT to ensure that access rights are updated when an employee's role changes. Include a checklist in the onboarding and offboarding process to add or remove privileged access as needed. Regularly communicate with IT to synchronise changes.
- The security officer should conduct an annual audit of all privileged accounts. Schedule a session to compare access registers against role descriptions to ensure compliance. Document findings, focusing on any discrepancies or security improvements needed.
Audit / evidence tips
- Ask for the current list of privileged accounts: request a document that lists all users with privileged access. Good evidence includes a recent list showing only current, authorised users, with a clear expiration for temporary access.
- Ask for access review meeting records: request minutes or outcomes from the last access review meeting. Good evidence shows clear documentation of decisions and follow-up tasks.
- Ask for access logs for the past six months: request logs from the IT team showing access actions. Good evidence shows consistent log entries that match authorised activity, with no unexplained access.
- Ask for a record of role changes impacting access: request documentation of how updates in employee roles affected access privileges. Good evidence includes a clear workflow for managing role-based access adjustments.
- Ask for evidence of alert configuration: request documentation or screenshots of alerts configured for unusual access attempts. Good evidence demonstrates proactive measures in place to detect and respond to suspicious activities.
Cross-framework mappings
How ISM-1883 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.2 | ISM-1883 requires privileged accounts authorised to access online services to be strictly limited to what is necessary for duties |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-RA-ML3.1 | ISM-1883 requires that privileged user accounts authorised to access online services are limited to only what is required for duties |
| Partially overlaps | E8-RA-ML1.1 | E8-RA-ML1.1 requires organisations to validate privileged access requests at the point they are first raised |
| Partially overlaps | E8-RA-ML1.3 | E8-RA-ML1.3 requires blocking privileged accounts from accessing the internet, email, and web services unless explicitly authorised |
| Supports | E8-RA-ML1.2 | ISM-1883 requires that privileged accounts authorised to access online services are limited to what is necessary to perform duties |
| Related | E8-RA-ML1.4 | ISM-1883 requires that privileged user accounts authorised to access online services are limited to only what is necessary to perform duties |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.