Regularly Change Compromised Credentials
Change computer account credentials at least every 30 days, and immediately if they are compromised or suspected to be.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2025
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline: Guidelines for system hardening
Section: Authentication hardening
Topic: Changing credentials
Control text: Credentials for computer accounts are changed if they are compromised, they are suspected of being compromised or they have not been changed in the past 30 days.
Source: ASD Information Security Manual (ISM)
Plain language
This rule is about the credentials that computers themselves use to authenticate, for example the machine account password a domain-joined host uses to prove its identity to the domain, not the passwords staff type in (the ISM covers user, service and break glass accounts in separate controls). Those credentials must be reset straight away if they are compromised or might be, and must never be allowed to get older than 30 days. It matters because a computer account credential lets whoever holds it impersonate that host to the rest of the network, and because these secrets are rarely looked at, so a compromise can go unnoticed for a long time.
Why it matters
A compromised or stale computer account credential lets an attacker authenticate as that host, reach the resources and data it is trusted to access, and keep doing so for as long as the secret stays valid. Bounding the credential's lifetime to 30 days limits how long a stolen secret is useful; resetting it on suspicion of compromise cuts that window to hours.
Operational notes
Reset computer account credentials immediately on suspected or confirmed compromise (for a domain-joined host, reset the machine account password rather than waiting for the next automatic change), and rely on the platform's automatic rotation to keep them under 30 days old. Windows domain members change their machine account password automatically every 30 days by default, so the practical work is to make sure that mechanism has not been disabled or lengthened, and to run a scheduled report (with alerts) for any enabled computer account whose password has not changed in 30 days.
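The audit, the configuration check and the emergency reset described above, as an added PowerShell example that is not part of the ISM or of the Control Stack page. It assumes an Active Directory domain, a Windows host with the ActiveDirectory RSAT module installed, and a domain controller name (dc01.example.internal) that is a placeholder; the 30-day threshold is the control's figure, and the output layout is this example's choice.

```powershell
# Added example (not from the ISM or the Control Stack page): audit and rotate
# Active Directory computer account credentials against the ISM-1955 30-day limit.
# Assumptions: AD domain, ActiveDirectory module present, run with rights to read
# computer objects. The DC name below is a placeholder.

Import-Module ActiveDirectory

$MaxAgeDays = 30
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# 1. Report every enabled computer account whose password is older than 30 days.
#    PasswordLastSet can be $null for an account that has never authenticated;
#    treat that as stale too rather than letting it slip through the comparison.
$Stale = Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $Cutoff) } |
    Select-Object Name, PasswordLastSet,
        @{ Name = 'AgeDays'; Expression = {
            if ($null -eq $_.PasswordLastSet) { 'never set' }
            else { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } } |
    Sort-Object Name

if ($Stale) {
    Write-Warning ("{0} computer account(s) have credentials older than {1} days" -f $Stale.Count, $MaxAgeDays)
    $Stale | Format-Table -AutoSize
} else {
    Write-Output "All enabled computer accounts changed their password within $MaxAgeDays days."
}

# 2. Confirm this host still rotates its own machine account password automatically.
#    These Netlogon values are what the Group Policy settings
#    "Domain member: Maximum machine account password age" and
#    "Domain member: Disable machine account password changes" write.
#    When MaximumPasswordAge is absent, Windows uses its default of 30 days.
$Netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$MaxAge   = if ($null -ne $Netlogon.MaximumPasswordAge) { [int]$Netlogon.MaximumPasswordAge } else { 30 }
$Disabled = [bool]$Netlogon.DisablePasswordChange

if ($Disabled) {
    Write-Warning "Automatic machine account password changes are DISABLED on this host."
} elseif ($MaxAge -gt $MaxAgeDays) {
    Write-Warning "Machine account password age is $MaxAge days; ISM-1955 requires $MaxAgeDays or less."
} else {
    Write-Output "This host rotates its machine account password every $MaxAge days."
}

# 3. On suspected compromise of this host's credential, rotate it now instead of
#    waiting for the next scheduled change. Run on the affected host as a local
#    administrator; -Credential must be a domain account allowed to reset the
#    computer object. Test-ComputerSecureChannel should return True afterwards.
#    (Left commented so the audit above can be run read-only.)
# Reset-ComputerMachinePassword -Server 'dc01.example.internal' -Credential (Get-Credential)
# Test-ComputerSecureChannel
```

Schedule section 1 as a task on a management host and raise an alert on any warning it produces; sections 2 and 3 are meant to be run on the host in question. Reset-ComputerMachinePassword changes the secret on the host and in the directory in one step, which is why it is preferred over removing and rejoining the machine to the domain.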
Implementation tips
- The IT team should rely on automatic rotation, not reminders: computer account passwords are rotated by the operating system, not by a person. Keep the platform default of 30 days (on Windows, the Domain member: Maximum machine account password age policy) and make sure automatic changes have not been disabled. Run a scheduled report of enabled computer accounts whose password has not changed in 30 days and alert on any hit.
- The IT manager should maintain a compromised credentials procedure: set clear steps for resetting a computer account credential when compromise is suspected or confirmed, including who can authorise the reset, how it is done (for example a machine account password reset on the affected host) and how the reset is recorded. Keep it short enough to follow during an incident.
- Security operations should know the warning signs: a computer account authenticating from an address that is not the host it belongs to, a host that has stopped rotating its password, or a machine account password that appears in a credential dump are all reasons to treat the credential as compromised and reset it.
- Asset owners should cover the host lifecycle: a new host gets its computer account when it is joined, and a decommissioned or lost host has its computer account disabled or removed immediately rather than left with a valid credential.
- Where rotation cannot be automated (for example appliances that hold a static computer credential), team leaders should keep those credentials in a secrets vault that records when each was last changed, so the 30-day limit can still be checked and enforced.
Audit / evidence tips
- Ask: the credential age report: request the scheduled report or query output listing enabled computer accounts and the date their password last changed.
  Good: no enabled account older than 30 days, or each exception documented with an owner and a reset date.
- Ask: the compromised credentials procedure: request the document that sets out what happens when a computer account credential is suspected of being compromised.
  Good: a concise, step-by-step procedure naming who authorises the reset, how it is performed and where it is recorded, with at least one recorded reset showing it was followed.
- Ask: training or runbook material: request the material given to administrators and security operations staff on recognising a compromised computer account.
  Good: current material that lists concrete indicators and ties each to the reset procedure.
- Ask: host onboarding and decommissioning procedures: request the standard steps for joining a new host and retiring an old one.
  Good: clear steps that create the computer account on join and disable or remove it promptly on decommission.
- Ask: the rotation configuration: request an export of the policy or configuration that governs automatic computer account password changes.
  Good: a maximum age of 30 days or less with automatic changes enabled, applied to all in-scope hosts, plus vault records for any credential rotated manually.
Cross-framework mappings
How ISM-1955 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 5.17 | ISM-1955 requires organisations to change computer account credentials when they are compromised/suspected compromised, and at least ever... | |
| Supports (1) | ||
| Annex A 5.26 | ISM-1955 requires organisations to promptly change computer account credentials when compromise is suspected/confirmed, as well as on a 3... | |