ISM-1953 (policy control, ASD Information Security Manual)

Ensure Strong Management of Admin Account Credentials

Make sure admin account passwords in each domain are long, unique, and securely managed.


Plain language

This control is about making sure the administrator accounts used to run your computer networks have passwords that are long, unique, and handled securely. This matters because weak or shared passwords make it easy for hackers to break into your systems, potentially leading to theft of sensitive information or disruption of services.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Credentials for the built-in Administrator account in each domain are long, unique, unpredictable and managed.

Why it matters

Weak or reused built-in domain Administrator credentials enable domain compromise, privilege escalation and widespread service disruption.


Operational notes

Ensure each domain’s built-in Administrator password is long, unique and stored in a vault; rotate regularly and after suspected compromise.


Implementation tips

  • The IT team should create strong passwords for admin accounts. They can do this by using password management software to generate long and unique passwords that aren't easy to guess.
  • System owners need to ensure each admin account is tied to a specific person rather than using generic accounts. This involves assigning admin accounts by individual names and ensuring they are only used by authorised personnel.
  • Managers should review who has access to admin accounts regularly. To do this, schedule quarterly meetings with the IT team to review user access logs and make sure only the right people have access.
  • HR, along with the IT team, should implement a process to immediately update passwords when staff leave. This can be achieved by integrating account update tasks into the employee exit process.
  • The IT team should use multi-factor authentication (MFA) for admin accounts. This means setting up an additional step when logging in, like a mobile app code, besides the password itself.

Audit / evidence tips

  • Ask for the password policy document: request the official policy on password requirements for admin accounts. Good: the policy has a clear requirement for long, complex passwords that are changed regularly.
  • Ask for a recent admin user list with access dates: check when each admin last changed their password. Good practice is shown by recent password changes that comply with the organisation's policy.
  • Ask for a record of MFA implementation for admin accounts: review documents showing which admin accounts have MFA enabled.
  • Ask for access audit logs: review logs detailing who accessed admin accounts and when. Good logs show regular reviews of who is accessing sensitive accounts and any unusual login attempts.
  • Ask for the process document for handling admin account changes post-employment: check that this process includes steps for promptly changing passwords when someone leaves. Good practice means all admin accounts have updated passwords within a day of employee departure.
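An added example (not part of the ISM or of this page) of the "when did each admin last change their password" check above: a PowerShell script that locates the built-in Administrator account (RID 500) in every domain of the forest and reports the age of its password. It assumes the ActiveDirectory RSAT module, read access to each domain, and a 90-day rotation threshold chosen here only for illustration, since the control says "rotate regularly" without fixing a number.

```powershell
# Audit the built-in Administrator account (RID 500) in each forest domain.
# Added example, not from the ISM or the Control Stack page.
# Assumes: ActiveDirectory module installed, read access to every domain.
Import-Module ActiveDirectory

# Assumed rotation threshold; adjust to the organisation's own policy.
$MaxPasswordAgeDays = 90

$results = foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # The built-in Administrator always has RID 500 under the domain SID, so
    # look it up by SID rather than by name (the account may have been renamed).
    $adminSid = "$($domain.DomainSID.Value)-500"
    $admin = Get-ADUser -Identity $adminSid -Server $domainName `
        -Properties PasswordLastSet, Enabled, LastLogonDate

    # $null age means the password has never been set or the value is unreadable.
    $ageDays = if ($admin.PasswordLastSet) {
        [int]((Get-Date) - $admin.PasswordLastSet).TotalDays
    } else { $null }

    $finding = if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) {
        "ROTATE: password older than $MaxPasswordAgeDays days or never set"
    } else { "OK" }

    [PSCustomObject]@{
        Domain          = $domainName
        SamAccountName  = $admin.SamAccountName   # shows whether it was renamed
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        PasswordAgeDays = $ageDays
        LastLogonDate   = $admin.LastLogonDate
        Finding         = $finding
    }
}

$results | Format-Table -AutoSize
# Keep the CSV as evidence for the "admin user list with access dates" audit item.
$results | Export-Csv -Path ".\builtin-admin-password-audit.csv" -NoTypeInformation
```

The script reports age only; confirming that each domain's password is unique and held in the vault still requires checking the vault records, since the directory never exposes the password value itself.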

Cross-framework mappings

How ISM-1953 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1):
  • Annex A 5.17: ISM-1953 mandates that credentials for the built-in Administrator account in each domain are long, unique, unpredictable and managed.

E8

Partially overlaps (1):
  • E8-RA-ML2.5: ISM-1953 requires credentials for the built-in Administrator account in each domain to be long, unique, unpredictable and managed.

Supports (2):
  • E8-RA-ML2.7: ISM-1953 focuses on ensuring the built-in domain Administrator credentials are strong (long, unique, unpredictable) and properly managed.
  • E8-RA-ML3.2: ISM-1953 requires strong, unique and managed credentials for the built-in Administrator account in each domain.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
