ISM-2014, ASD Information Security Manual (ISM)

Ensure API Client Authentication and Authorisation

Check and confirm which clients are permitted to call internal (non-internet-facing) network APIs that expose restricted data, and verify that each call is authenticated and authorised.


Plain language

This control is about making sure that only the right people and systems can access your business data through internal APIs, the interfaces that let different software programs talk to each other. If this isn't done properly, unauthorised users or systems might gain access to sensitive data, leading to breaches or leaks that could harm your business's reputation and finances.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Authentication and authorisation of clients is performed when clients call network APIs that facilitate access to data not authorised for release into the public domain but are not accessible over the internet.

Why it matters

Weak API client authentication/authorisation can allow unauthorised internal callers to access non-public data via network APIs, causing disclosure and compromise.


Operational notes

Enforce strong client authentication (for example mutual TLS client certificates, or OAuth 2.0 client-credentials tokens), authorise each call against the scopes or roles required for that specific API rather than relying on the caller being on the internal network, deny by default for APIs with no defined policy, and regularly review access logs for unauthorised or unexpected internal API calls and repeated authentication failures.
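As an added illustration of the two halves of this note (per-API scope checks, then a log review that re-applies the same policy), the following Python is example code written for this page; it is not part of the ISM or of any product. It assumes a hypothetical API gateway that has already authenticated the caller (mTLS certificate subject or OAuth client_id) and records the granted scopes in its access log; the log format, route names, scope names and client names are all constructed for the example.

```python
"""Per-API client authorisation plus a log review pass for internal network APIs.

Illustrative example only (not from the ISM or the Control Stack page). It assumes a
hypothetical gateway that authenticates callers via mTLS or OAuth 2.0 client credentials
and passes this module the resulting client identity, granted scopes and authn result.
"""
from dataclasses import dataclass

# Hypothetical per-API policy: each internal API route maps to the scopes a client must
# hold. A route absent from the table is denied by default (least privilege), so a new
# API that exposes non-public data cannot be reached until someone defines its policy.
API_POLICY = {
    ("GET", "/internal/hr/employees"): {"hr.read"},
    ("POST", "/internal/hr/employees"): {"hr.read", "hr.write"},
    ("GET", "/internal/finance/ledger"): {"finance.read"},
}


@dataclass(frozen=True)
class Client:
    client_id: str        # e.g. mTLS certificate SAN or OAuth client_id (assumed)
    scopes: frozenset     # scopes the gateway attached to this client
    authenticated: bool   # False if the gateway could not verify the credential


def authorise(client, method, path):
    """Return (allowed, reason). Authentication is decided before any authorisation."""
    if not client.authenticated:
        return False, "unauthenticated client"
    required = API_POLICY.get((method, path))
    if required is None:
        return False, "no policy for API (default deny)"
    missing = required - client.scopes
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))
    return True, "ok"


# Constructed sample access log in an assumed gateway format:
#   <timestamp> <client_id> authn=<ok|fail> <method> <path> <status> scopes=<a,b,...>
SAMPLE_LOG = """\
2025-02-03T09:00:01Z payroll-svc authn=ok GET /internal/hr/employees 200 scopes=hr.read
2025-02-03T09:00:05Z payroll-svc authn=ok POST /internal/hr/employees 200 scopes=hr.read
2025-02-03T09:00:09Z unknown authn=fail GET /internal/finance/ledger 401 scopes=
2025-02-03T09:00:10Z unknown authn=fail GET /internal/finance/ledger 401 scopes=
2025-02-03T09:00:11Z unknown authn=fail GET /internal/finance/ledger 401 scopes=
2025-02-03T09:01:00Z reporting-svc authn=ok GET /internal/finance/ledger 200 scopes=finance.read
2025-02-03T09:02:00Z reporting-svc authn=ok GET /internal/hr/salaries 200 scopes=finance.read
"""


def parse_line(line):
    """Split one constructed log line into its fields; scopes= may be empty."""
    ts, client_id, authn, method, path, status, scopes = line.split()
    scope_values = scopes.split("=", 1)[1]
    return {
        "ts": ts,
        "client_id": client_id,
        "authn": authn.split("=", 1)[1],
        "method": method,
        "path": path,
        "status": int(status),
        "scopes": frozenset(s for s in scope_values.split(",") if s),
    }


def review_log(log_text, failure_threshold=3):
    """Re-apply the policy to every logged call and return a list of findings.

    ENFORCEMENT_GAP: the gateway returned 200 for a call this policy would deny, which
    points at a missing or inconsistent check on the API itself.
    REPEATED_AUTH_FAILURE: one client identity failed authentication at least
    failure_threshold times, worth a closer look in incident triage.
    """
    findings = []
    failures = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        client = Client(rec["client_id"], rec["scopes"], rec["authn"] == "ok")
        allowed, reason = authorise(client, rec["method"], rec["path"])
        if rec["status"] == 200 and not allowed:
            findings.append(("ENFORCEMENT_GAP", rec["client_id"],
                             rec["method"], rec["path"], reason))
        if not client.authenticated:
            failures[rec["client_id"]] = failures.get(rec["client_id"], 0) + 1
    for client_id, count in failures.items():
        if count >= failure_threshold:
            findings.append(("REPEATED_AUTH_FAILURE", client_id, count))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

On the constructed log this flags the POST by payroll-svc (it holds hr.read but not hr.write), the GET of /internal/hr/salaries (no policy exists for that route, so default deny should have applied), and three consecutive authentication failures from the same unidentified client. The point of re-running the policy over the log, rather than only grepping for 401s, is that a 200 on a call the policy would deny is exactly the enforcement gap an auditor of this control is looking for.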


Implementation tips

  • IT team should set up authentication mechanisms: Establish a process that verifies the identity of each API client before it can call an internal API. For system-to-system clients, prefer client certificates (mutual TLS) or OAuth client credentials over shared usernames and passwords, and give each client its own credential so that access can be traced and revoked individually.
  • Managers should collaborate with the IT team: Ensure there are clear guidelines on which roles and systems may access specific data via each API. This usually means maintaining a list of roles and client systems that require access, and sharing it with the IT team so it can be enforced per API rather than assumed from network location.
  • System administrators should regularly audit API access: Periodically review logs and access records to ensure only authorised clients are calling the APIs. Look for unusual access patterns, calls to APIs a client has no business reason to use, and repeated failed authentication attempts, any of which may indicate a security issue.
  • Business leaders should conduct awareness sessions: Educate staff about the importance of protecting data accessed via APIs, including not sharing or hard-coding API credentials, keys or certificates, and how to report any suspicious activity related to API usage.
  • Procurement should ensure new software tools comply: When acquiring new software, check that it supports secure authentication and authorisation for API use (per-client credentials and per-API authorisation, not a single shared key). This can involve checking that the vendor follows the practices published by the Australian Cyber Security Centre (ACSC).

Audit / evidence tips

  • Ask: The API access policy document. Request to see the official company policy on how API access is managed. Good: Includes clearly defined roles, responsibilities, and a list of authorised APIs.
  • Ask: Access logs from the API management tool. Examine the logs for entries that track who accessed the APIs and when. Good: Comprehensive logs with no irregular access patterns.
  • Ask: Training records on API security. Request records of any training provided to staff about API use and security. Good: A schedule of past training sessions with attendee lists and feedback.
  • Ask: User access reviews. Request reports or meeting notes from regular reviews of user access privileges for APIs. Good: Records of reviews with documented actions taken.
  • Ask: Software acquisition checklists. Request to see documentation from recent software purchases that shows API security compliance was considered. Good: Shows the checklist was actively used with all items reviewed.

Cross-framework mappings

How ISM-2014 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001 (partially meets; 3 mapped controls)

Control: Annex A 5.15 (Access control)
Notes: ISM-2014 focuses on enforcing client authentication and authorisation when internal network APIs are called to access non-public data.

Control: Annex A 8.3 (Information access restriction)
Notes: ISM-2014 requires organisations to authenticate and authorise clients calling internal network APIs that expose non-public data.

Control: Annex A 8.5 (Secure authentication)
Notes: ISM-2014 requires authentication and authorisation of clients when they call internal (non-internet) network APIs that provide access to ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
