Control Stack
ISM-1893 ASD Information Security Manual (ISM)

Enforcing Multi-Factor Authentication for User Security

Users must use multi-factor authentication to access third-party services handling sensitive data.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML1, ML2, ML3

Official control statement
Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation's sensitive customer data.

Source: ASD Information Security Manual (ISM)

Plain language

This control means you need to add an extra layer of security when accessing online services that handle important customer data. This matters because if someone tries to hack into these systems, multi-factor authentication makes it much harder for them to succeed, protecting your sensitive information from theft or misuse.

Why it matters

Without MFA on third-party customer services, attackers can take over accounts and access or exfiltrate sensitive customer data, causing a breach.

Operational notes

Enforce MFA on all third-party customer services handling sensitive customer data; review MFA settings and logs after changes and user onboarding.

Implementation tips

  • Business owners should ensure that all employees understand the importance of using multi-factor authentication. Hold a brief training session explaining how it works, like entering a code from their phone in addition to their password when logging in.
  • IT staff should set up multi-factor authentication on all accounts that access external services with customer data. They can do this by enabling settings in account management systems, often with simple step-by-step guides provided by the service.
  • Managers should regularly check that multi-factor authentication is actively being used by all team members. Conduct periodic checks at meetings and remind staff why it's important to keep it enabled.
  • The authorising officer of each department should ensure new software or services require multi-factor authentication before being approved for use. They can do this by making it part of the software approval checklist process.
  • HR teams should include multi-factor authentication instructions in the onboarding process for new hires. Provide new employees with clear, written instructions on setting it up as part of their initial training.

Audit / evidence tips

  • Ask: the list of third-party services in use. Request a document showing all the services used that handle customer data, with multi-factor authentication enabled.

    Good: a list of services where each entry confirms multi-factor authentication is active.

  • Good: a record of training sessions with dates and a summary of the content covered, showing ongoing training.

  • Ask: IT configuration checklists. Request documentation showing the setup of multi-factor authentication for services.

    Good: clear evidence showing that these settings are checked regularly and are current.

  • Good: a dated report showing the date, services checked, and any follow-up actions taken.

  • Ask: user feedback reports.

    Good: a summary showing that most users have set it up successfully, with few reporting difficulties.

Cross-framework mappings

How ISM-1893 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Relationship / Control / Notes

Partially meets (1):
  Annex A 8.5: ISM-1893 requires MFA for a specific authentication scenario: users accessing third-party online customer services handling the organisat...

Supports (2):
  Annex A 5.17: ISM-1893 requires MFA to be used for user authentication to third-party online customer services handling sensitive customer data
  Annex A 5.22: ISM-1893 requires MFA for users authenticating to third-party online customer services that handle sensitive customer data

Depends on (1):
  Annex A 5.12: ISM-1893 requires MFA to be used for access to third-party online customer services that process, store or communicate the organisation’s...

E8

Relationship / count

Partially meets (1)
Partially overlaps (5)
Supports (3)
Related (1)
