ISM-2009 (policy), ASD Information Security Manual (ISM)

Secure Network API Client Authentication and Authorisation

Ensure clients using network APIs for data changes are authenticated and authorised, especially if not internet-accessible.


Plain language

When a client, like a software application or a device, uses a network API (which is a way for different software to communicate), it's crucial to make sure it's the right client and that it's allowed to do what it's trying to do. This prevents unauthorised changes to your data that could harm your business or leak sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Unauthorised medical devices are not brought into SECRET and TOP SECRET areas.

Why it matters

Unauthorised medical devices entering SECRET/TOP SECRET areas could record or transmit classified information, causing data compromise and policy breaches.


Operational notes

Maintain a register of approved medical devices for SECRET/TOP SECRET zones, conduct entry checks, and remove/quarantine any unauthorised devices immediately.


Implementation tips

  • The IT team should identify which clients need access to the API and create a list of authorised clients. They can do this by analysing which devices or applications interact with the system and ensuring they are legitimate and necessary.
  • System administrators should set up authentication methods for each client. This might involve creating usernames and passwords or using digital certificates that function like special ID cards showing who the client is.
  • IT security staff should implement authorisation checks to control what actions each client can perform. They can do this by setting up rules or permissions that specify what data a client can modify or access.
  • The IT team should regularly review and update the list of authorised clients. They can organise quarterly meetings to discuss if any new clients need access or if any current clients should have their access revoked.
  • Managers should ensure training is provided for anyone managing or overseeing these APIs so they understand why authentication and authorisation are important. Training sessions can use real scenarios to demonstrate potential risks and the benefits of control compliance.
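The tips above describe a procedure: keep a register of authorised clients, give each one a credential, and check both identity and permissions before a data-changing API call is allowed. The following Python is an added example of that pattern and is not code from the ISM or from Control Stack; the client names, secrets and permission strings are constructed for illustration, and the register is an in-memory stand-in for whatever identity store a real deployment uses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# One entry in the "list of authorised clients". The shared secret is never
# stored in the clear: only a salted PBKDF2 hash is kept, so a leaked register
# does not hand out working credentials.
@dataclass
class Client:
    client_id: str
    salt: bytes
    secret_hash: bytes
    permissions: FrozenSet[str]   # e.g. {"stock:read", "stock:write"}
    active: bool = True           # cleared on revocation, entry kept for audit


class ClientRegistry:
    """Hypothetical client register with authentication and revocation."""

    PBKDF2_ROUNDS = 50_000

    def __init__(self) -> None:
        self._clients: Dict[str, Client] = {}

    @classmethod
    def _hash(cls, salt: bytes, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, cls.PBKDF2_ROUNDS)

    def register(self, client_id: str, secret: str, permissions: Iterable[str]) -> None:
        salt = secrets.token_bytes(16)
        self._clients[client_id] = Client(
            client_id, salt, self._hash(salt, secret), frozenset(permissions)
        )

    def revoke(self, client_id: str) -> None:
        # Revoked clients stay in the register (marked inactive) so the
        # change history the audit tips ask for is preserved.
        if client_id in self._clients:
            self._clients[client_id].active = False

    def authenticate(self, client_id: str, secret: str) -> Optional[Client]:
        client = self._clients.get(client_id)
        if client is None or not client.active:
            return None
        # Constant-time comparison avoids leaking how much of the hash matched.
        if not hmac.compare_digest(client.secret_hash, self._hash(client.salt, secret)):
            return None
        return client


# Any method that can change data requires the "write" permission on the
# resource; everything else is treated as a read.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def authorise(client: Client, method: str, resource: str) -> bool:
    action = "write" if method.upper() in WRITE_METHODS else "read"
    return f"{resource}:{action}" in client.permissions


def handle_request(registry: ClientRegistry, client_id: str, secret: str,
                   method: str, resource: str) -> Tuple[int, str]:
    """Authenticate first, then authorise; return an HTTP-style status."""
    client = registry.authenticate(client_id, secret)
    if client is None:
        return 401, "unauthenticated"
    if not authorise(client, method, resource):
        return 403, "forbidden"
    return 200, f"{method.upper()} {resource} by {client_id}"


def build_demo_registry() -> ClientRegistry:
    """Constructed sample register: one client may change stock, one may only read it."""
    registry = ClientRegistry()
    registry.register("inventory-scanner", "scanner-secret-01", {"stock:read", "stock:write"})
    registry.register("reporting-dashboard", "dashboard-secret-01", {"stock:read"})
    return registry


if __name__ == "__main__":
    reg = build_demo_registry()
    print(handle_request(reg, "inventory-scanner", "scanner-secret-01", "POST", "stock"))
    print(handle_request(reg, "reporting-dashboard", "dashboard-secret-01", "PATCH", "stock"))
    reg.revoke("inventory-scanner")
    print(handle_request(reg, "inventory-scanner", "scanner-secret-01", "POST", "stock"))
```

The order of checks matters: an unknown or revoked client gets the same 401 as a wrong secret, so the API does not confirm which client identifiers exist, and permission checks only run for clients that have already been authenticated.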

Audit / evidence tips

  • Ask: A list of all clients authorised to use the API. Good: A list showing each client with a clear justification for its access.
  • Good: Authentication methods align with industry standards.
  • Ask: Records of any recently removed or added clients; check these records to verify that changes were made following a structured approval process. Good: Records clearly document who approved each change and when.
  • Good: Rule sets are detailed and specific to each client's role and function.
  • Ask: Evidence of training sessions provided to staff responsible for API management. Good: Up-to-date, relevant training materials and a list of attendees.

Cross-framework mappings

How ISM-2009 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Mapping strength: Partially meets (2)

Control: Annex A 8.3. Notes: ISM-2009 requires authenticated and authorised API clients for network API operations that modify data, enforcing least-privilege access ...
Control: Annex A 8.5. Notes: ISM-2009 requires that any client invoking a network API that can change data is authenticated and authorised at the API boundary, includ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
