Enforce Certificate and User Mapping in AD Services
Ensure certificates are accurately matched to users within Active Directory.
Plain language
This control ensures that the digital certificates used for security in your organisation are correctly matched to the people who need them. It's important because if a certificate isn't linked to the right user, it could lead to unauthorised access or data breaches, where someone might gain access to sensitive information they shouldn't see.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Strong mapping between certificates and users is enforced.
Why it matters
Mismatched certificates and users can lead to unauthorised access, exposing sensitive data and compromising organisational integrity.
Operational notes
Regularly audit user-certificate mappings in AD; remove stale or misaligned entries to prevent security breaches and ensure compliance.
Implementation tips
- IT team should verify user identities: Before issuing a certificate, the IT team needs to confirm the user's identity. They can do this by cross-referencing employee records and confirming with department heads if necessary.
- Install authentication software: The IT department should install and configure software that automatically links certificates to the user's account in Active Directory. This can be set up by following the software vendor’s guidelines.
- Conduct regular checks: System administrators should regularly audit the certificate mappings. They can set reminders for periodic checks to ensure that certificates are still valid and matched to the correct users.
- Train staff on certificate importance: Managers should organise training sessions to inform staff about how certificates work and why it's crucial they're correctly linked to their accounts. These sessions can be held annually and should be documented.
- Implement an approval process: The IT manager should develop a procedure for certificate approval that involves multiple checks. This could include a step-by-step workflow requiring several team members to sign off before a certificate is issued or renewed.
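The "automatic linking" and "regular checks" tips above are concrete in Active Directory: explicit certificate-to-user mappings live in each user's altSecurityIdentities attribute, and Microsoft documents (KB5014754) which mapping formats it treats as strong (issuer plus serial number, subject key identifier, SHA-1 public key hash) versus weak (issuer plus subject, subject only, RFC822 e-mail). The script below is an added example, not code from the Control Stack page or the ISM: it classifies each mapping by that documented prefix, reports users whose mappings are weak, and, on a domain controller, reads the KDC's StrongCertificateBindingEnforcement value. The user names, CA name, serial and SKI values are constructed sample data; the live branch assumes the ActiveDirectory PowerShell module is installed and the caller can read user objects.

```powershell
# Added example (not part of the Control Stack page or ISM-1943).
# Classifies altSecurityIdentities values using the formats documented in KB5014754.

function Get-CertificateMappingStrength {
    param([Parameter(Mandatory)][string]$Mapping)
    switch -Regex ($Mapping) {
        '^X509:<I>[^<]*<SR>'  { return 'Strong (IssuerSerialNumber)' }  # serial is stored byte-reversed
        '^X509:<SKI>'         { return 'Strong (SKI)' }
        '^X509:<SHA1-PUKEY>'  { return 'Strong (SHA1PublicKey)' }
        '^X509:<I>[^<]*<S>'   { return 'Weak (IssuerSubject)' }
        '^X509:<S>'           { return 'Weak (SubjectOnly)' }
        '^X509:<RFC822>'      { return 'Weak (RFC822)' }
        default               { return 'Unknown format' }
    }
}

# Takes any objects exposing SamAccountName and altSecurityIdentities (real AD users or constructed ones)
# and emits one row per mapping, so weak or missing mappings can be filtered and reported.
function Test-UserCertificateMappings {
    param([Parameter(Mandatory)][object[]]$Users)
    foreach ($u in $Users) {
        $mappings = @($u.altSecurityIdentities | Where-Object { $_ })
        if ($mappings.Count -eq 0) {
            [pscustomobject]@{ User = $u.SamAccountName; Mapping = '(none)'; Strength = 'No explicit mapping' }
            continue
        }
        foreach ($m in $mappings) {
            [pscustomobject]@{ User = $u.SamAccountName; Mapping = $m; Strength = (Get-CertificateMappingStrength $m) }
        }
    }
}

# Constructed sample users (hypothetical names, CA and certificate values) for offline use.
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; altSecurityIdentities = @('X509:<I>DC=internal,DC=example,CN=Example Issuing CA<SR>2b0000000011ac1200000012') }
    [pscustomobject]@{ SamAccountName = 'bob';   altSecurityIdentities = @('X509:<I>DC=internal,DC=example,CN=Example Issuing CA<S>CN=bob') }
    [pscustomobject]@{ SamAccountName = 'carol'; altSecurityIdentities = @('X509:<RFC822>carol@example.internal', 'X509:<SKI>a1b2c3d4e5f60718293a4b5c6d7e8f9001122334') }
    [pscustomobject]@{ SamAccountName = 'dave';  altSecurityIdentities = $null }
)

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live audit: every user carrying an explicit mapping; report only the weak ones.
    $liveUsers = Get-ADUser -Filter 'altSecurityIdentities -like "*"' -Properties altSecurityIdentities
    Test-UserCertificateMappings -Users $liveUsers |
        Where-Object { $_.Strength -like 'Weak*' } |
        Format-Table -AutoSize

    # On a domain controller: 2 = Full Enforcement (KDC rejects weak mappings); absent = OS default applies.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
        -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue |
        Select-Object StrongCertificateBindingEnforcement
} else {
    # Offline demonstration against the constructed sample: bob and carol's RFC822 entry come out weak,
    # dave has no explicit mapping at all.
    Test-UserCertificateMappings -Users $SampleUsers | Format-Table -AutoSize
}
```

Running this periodically and keeping the output alongside the issuance records is the kind of "recent audit log" the evidence tips below ask for; a user with only a strong mapping is not enough on its own if the KDC is still allowed to accept weak mappings, so the registry check belongs with the per-user review.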
Audit / evidence tips
- Ask for the certificate issuance process document: Request the official procedure document that delineates how certificates are issued and mapped to users. Good evidence contains a comprehensive, step-by-step guide with clear roles and responsibilities.
- Ask for recent audit logs: Request logs of recent checks on certificate mappings to users. Good evidence includes documented logs showing periodic checks with issues resolved.
- Ask for training session records: Request attendance lists and materials from recent training sessions about certificate use and importance. Good evidence shows sessions held at least once a year with high attendance from relevant staff.
- Ask for evidence of approval records: Request records that show approvals for certificate issuance. Good evidence has multiple sign-offs to ensure thorough vetting.
- Ask for the software configuration settings: Request to see the configuration settings of the software responsible for mapping certificates. Good evidence shows automated processes with minimal need for manual intervention.
Cross-framework mappings
How ISM-1943 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.16 | ISM-1943 requires strong mapping controls to ensure certificates are accurately and securely linked to user identities in Active Directory | |
| Annex A 8.5 | ISM-1943 requires strong, enforced mapping between X.509 certificates and user identities within Active Directory services so certificate... | |
| Supports (1) | | |
| Annex A 5.17 | ISM-1943 requires enforcing strong mapping between certificates and users in Active Directory to prevent misuse of certificate credential... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.