Regularly Change Compromised Credentials
Change computer account passwords every 30 days or if they're compromised or suspected to be.
Plain language
This rule is about regularly changing your computer account passwords, especially if they're compromised or might be. It's important because if someone else gets your password, they could access all your sensitive information and misuse it before you even realise there's a problem.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Changing Credentials
Official control statement
Credentials for computer accounts are changed if they are compromised, they are suspected of being compromised or they have not been changed in the past 30 days.
Why it matters
Failure to change compromised or stale computer account credentials can enable unauthorised access, data breaches and service misuse within days.
Operational notes
Change computer account credentials immediately on suspected/confirmed compromise, and enforce rotation so they are changed at least every 30 days (e.g., scheduled tasks with alerts).
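An added example, not from the Control Stack page or the ISM, of how the rotation check above can be automated: a PowerShell audit that flags enabled domain computer accounts whose password is older than 30 days and also checks the local Netlogon settings that drive automatic machine password changes. It assumes the ActiveDirectory RSAT module, read access to the domain, and an output file name of my choosing.

```powershell
# Added example (not from the Control Stack page or the ISM). Audits ISM-1955:
# computer accounts whose password is older than 30 days, plus the local
# Netlogon settings that control automatic machine password rotation.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$MaxAgeDays = 30                                   # threshold stated in the control
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# 1. Domain-wide check: which enabled computer accounts have stale credentials?
#    PasswordLastSet is derived from the pwdLastSet attribute; a null value means
#    the account has never set a password, which is treated as stale here.
$Stale = Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff } |
    Select-Object Name, DistinguishedName, PasswordLastSet,
        @{ Name = 'AgeDays'; Expression = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
            else { $null } } }

if ($Stale) {
    Write-Warning ("{0} computer account(s) exceed the {1}-day rotation window" -f @($Stale).Count, $MaxAgeDays)
    $Stale | Sort-Object AgeDays -Descending | Format-Table -AutoSize
    # Evidence for auditors: export the finding with a date stamp (file name is an assumption).
    $Stale | Export-Csv -NoTypeInformation -Path ("stale-computer-accounts-{0:yyyyMMdd}.csv" -f (Get-Date))
} else {
    Write-Output "All enabled computer accounts have rotated within $MaxAgeDays days."
}

# 2. Local check on the member itself: automatic machine password rotation
#    must not be disabled and must not exceed the 30-day window.
$Netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Disabled = [int]$Netlogon.DisablePasswordChange          # 1 = rotation switched off
$LocalMax = if ($null -ne $Netlogon.MaximumPasswordAge) { [int]$Netlogon.MaximumPasswordAge } else { 30 }

if ($Disabled -eq 1) {
    Write-Warning 'DisablePasswordChange=1: this host will never rotate its machine password.'
}
if ($LocalMax -gt $MaxAgeDays) {
    Write-Warning "MaximumPasswordAge=$LocalMax days exceeds the $MaxAgeDays-day control requirement."
}
```

Run it from a scheduled task and forward the warnings to the team's alerting channel so stale accounts are acted on within the window rather than discovered at audit time.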
Implementation tips
- The IT team should set up an automatic reminder system: Use calendar alerts or an email reminder system for people to change their passwords every 30 days. Send these reminders a few days before passwords are due to be changed to ensure timely updates.
- The IT manager should maintain a compromised credentials policy: Set clear steps on how to promptly change passwords when there's a suspicion or confirmation of a breach. Make this process simple and easy for all staff to follow, including who to contact and what to do immediately.
- Office managers should conduct regular training: Ensure staff understand how to recognise signs that a password might be compromised, like receiving password reset emails they didn't request. Provide practical examples in training sessions to make this relatable.
- HR departments should handle new and departing employees: Make sure new staff know how to set up secure passwords and understand the change policy upon joining. For departing staff, ensure accounts are immediately locked and passwords changed.
- Team leaders should encourage password managers: Recommend using a password manager to make frequent password changes easier for everyone. Explain how these tools can securely store multiple passwords and generate strong ones automatically.
Audit / evidence tips
- Ask: password change alerts. Request evidence of the email or calendar reminders used to notify staff about password changes.
  Good: records showing timely notifications sent to all employees.
- Ask: the compromised credentials policy. Request the document that outlines the procedure for when passwords are suspected of being compromised.
  Good: a concise, step-by-step policy document easily accessible by staff.
- Ask: training materials or records. Request copies of recent training session outlines or attendance records.
  Good: regular sessions with up-to-date content tailored to organisational needs.
- Ask: onboarding and offboarding procedures. Request evidence of standard procedures for new and departing employees related to password management.
  Good: clear steps for creating and removing access, and timely password resets.
- Ask: password manager usage policy. Request information or guidelines provided to staff on using password managers.
  Good: an endorsed list of password managers and user guides available to staff.
Cross-framework mappings
How ISM-1955 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.17 | Annex A 5.17 requires organisations to control the allocation and management of authentication information through a defined process, inc... |
| Supports | Annex A 5.26 | ISM-1955 requires organisations to promptly change computer account credentials when compromise is suspected/confirmed, as well as on a 3... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.