ISM-1946 policy ASD Information Security Manual (ISM)

Restrict Write Access to Certificate Templates

Ensure regular users can't change certificate templates to maintain security.


Plain language

This control is about making sure that regular users in your organisation can't change the templates used to create digital certificates. These certificates are crucial for secure communication in your IT systems. If unauthorised people can change them, they might create fake certificates that compromise your security, leading to data breaches or system misuse.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Unprivileged user accounts do not have write access to certificate templates.

Why it matters

Unauthorised template changes could lead to fraudulent certificates, compromising secure communications and exposing systems to data breaches.


Operational notes

Audit certificate template ACLs and AD CS role assignments regularly so only privileged admins can write or publish templates; remove any unprivileged write access.
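The ACL audit described above can be scripted. The following PowerShell is an added example, not Control Stack or ASD code; it assumes the ActiveDirectory RSAT module, read access to the Configuration partition, and that the list of "unprivileged" principals is a constructed starting point you extend with your own non-administrative groups.

```powershell
# Added example: flag certificate templates whose ACL grants write-class rights
# to broad, unprivileged principals (ISM-1946). Read-only; prints findings.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).NetBIOSName
# Assumption: these are the principals treated as unprivileged. Add any custom
# groups your organisation does not consider administrative.
$UnprivilegedPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Users',
    "$domain\Domain Users",
    "$domain\Domain Computers"
)

# Rights that allow a holder to modify a template or its permissions.
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Templates live in the Configuration partition, not the domain partition.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates    = Get-ADObject -SearchBase $templateBase `
                             -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                             -Properties nTSecurityDescriptor

foreach ($t in $templates) {
    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $canWrite = ($ace.ActiveDirectoryRights -band $WriteRights) -ne 0
        $isBroad  = $UnprivilegedPrincipals -contains $ace.IdentityReference.Value
        if ($isAllow -and $canWrite -and $isBroad) {
            # WriteProperty scoped to a single attribute (non-zero ObjectType)
            # is still reported so a human can confirm whether it is intended.
            [pscustomobject]@{
                Template   = $t.Name
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}
```

Each finding is one ACE to remove or re-scope in the template's Security tab; rerun after remediation to confirm an empty result.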


Implementation tips

  • IT administrators should review the current permissions on certificate templates. Check who currently has the ability to change these templates and adjust settings so only authorised personnel can make changes.
  • The IT team should implement role-based access controls specifically for certificate management. Define roles within your organisation, assigning write access to certificate templates only to those who truly need it for their job.
  • System owners should ensure any system updates or changes to access policies are documented and communicated clearly to all staff. This ensures that everyone understands who can and cannot change certificate templates.
  • Managers should organise regular training sessions for staff involved with certificate management. This training should focus on the importance of maintaining strict access controls and the potential risks of unauthorised changes.
  • Security officers should implement a periodic review process for access rights. This involves checking if the listed personnel who can access and modify certificate templates are still valid and required.

Audit / evidence tips

  • Ask: The list of personnel with write access to certificate templates. Review this list for clarity on roles and individuals involved. Good: Will show that only essential personnel, such as senior IT staff, are authorised to make changes.
  • Ask: To see records of changes made to certificate templates over the past year. Check these records for timestamps, user actions, and authorisation notes. A comprehensive log with minimal authorised changes and no suspicious entries is a good sign.
  • Good: Audit shows all relevant personnel attended and training covered security protocols adequately.

Cross-framework mappings

How ISM-1946 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (3)

  • Annex A 5.15: ISM-1946 requires organisations to enforce a specific logical access rule: unprivileged users must not be able to write to certificate te...
  • Annex A 5.18: ISM-1946 requires preventing unprivileged accounts from having write access to certificate templates to protect certificate issuance conf...
  • Annex A 8.2: ISM-1946 requires that unprivileged user accounts do not have write access to certificate templates to prevent unauthorised changes to PK...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
