Ensure API Client Authentication and Authorization
Check and confirm who can use certain non-internet APIs to access restricted data.
Plain language
This control is about making sure that only the right people and systems can access your business data through internal APIs, which are tools for letting different software programs talk to each other. If this isn't done properly, unauthorised users might gain access to sensitive data, leading to data breaches or leaks that could harm your business reputation and financial health.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Authentication and authorisation of clients is performed when clients call network APIs that facilitate access to data not authorised for release into the public domain but are not accessible over the internet.
Why it matters
Weak API client authentication/authorisation can allow unauthorised internal callers to access non-public data via network APIs, causing disclosure and compromise.
Operational notes
Enforce strong client authentication (e.g., mTLS/OAuth), validate scopes/roles per API, and regularly review access logs for unauthorised internal API calls.
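An added example (not the ISM's or the Control Stack page's own code) of what the operational notes ask for: an internal API gate that authenticates the calling client, checks the scope required by each endpoint, fails closed for endpoints with no rule, and records every call so unauthorised attempts can be reviewed. Client ids, secrets, scopes and endpoint paths are constructed for the example; a real deployment would take the client identity from an mTLS certificate or validated OAuth token instead of a shared secret.

```python
"""Minimal client authentication + per-endpoint scope check for an internal API.
Constructed example: client ids, secrets, scopes and paths are illustrative."""
import hashlib
import hmac

# Constructed client registry: client id -> (sha256 of shared secret, granted scopes).
# A hashed shared secret keeps the example self-contained; mTLS/OAuth identity
# would replace it in production.
CLIENTS = {
    "payroll-batch": (hashlib.sha256(b"s3cret-payroll").hexdigest(), {"hr:read"}),
    "dashboard": (hashlib.sha256(b"s3cret-dash").hexdigest(), {"metrics:read"}),
}

# Constructed endpoint map: API path -> scope a caller must hold. Paths not listed
# are denied (fail closed) rather than served without an authorisation rule.
ENDPOINT_SCOPES = {
    "/internal/hr/salaries": "hr:read",
    "/internal/metrics": "metrics:read",
}

AUDIT: list[str] = []  # stands in for the access log that reviewers examine

def authenticate(client_id: str, secret: bytes) -> bool:
    """Verify the presented secret against the registry in constant time."""
    entry = CLIENTS.get(client_id)
    if entry is None:
        return False
    return hmac.compare_digest(hashlib.sha256(secret).hexdigest(), entry[0])

def authorise(client_id: str, secret: bytes, endpoint: str) -> tuple[int, str]:
    """Authenticate, then check the endpoint's scope; always write an audit record."""
    required = ENDPOINT_SCOPES.get(endpoint)
    if not authenticate(client_id, secret):
        status, outcome = 401, "auth-failed"
    elif required is None:
        status, outcome = 403, "no-scope-defined"
    elif required not in CLIENTS[client_id][1]:
        status, outcome = 403, "scope-denied"
    else:
        status, outcome = 200, "allowed"
    AUDIT.append(f"client={client_id} endpoint={endpoint} outcome={outcome}")
    return status, outcome

def unauthorised_calls() -> list[str]:
    """The review step from the operational notes: surface every non-allowed call."""
    return [line for line in AUDIT if not line.endswith("outcome=allowed")]
```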
Implementation tips
- IT team should set up authentication mechanisms: This means establishing a process that verifies the identity of each API user. Use methods like unique usernames and passwords or digital certificates to confirm who is accessing your data through APIs.
- Managers should collaborate with the IT team: Ensure that there are clear guidelines on who should have access to specific data via APIs. This might involve creating a list of roles within the company that require access and sharing this with the IT team for implementation.
- System administrators should regularly audit API access: Periodically review logs and access records to ensure only authorised users are accessing the APIs. This involves checking for any unusual access patterns or failed login attempts which might indicate a security issue.
- Business leaders should conduct awareness sessions: Educate staff about the importance of protecting data accessed via APIs, making sure they understand the need for secure password practices and how to report any suspicious activity related to API usage.
- Procurement should ensure new software tools comply: When acquiring new software, check that it supports secure authentication and authorisation practices for API use. This can involve checking that the vendor follows best practices outlined by the Australian Cyber Security Centre (ACSC).
Audit / evidence tips
- Ask: the API access policy document. Request to see the official company policy on how API access is managed.
  Good: includes clearly defined roles, responsibilities, and a list of authorised APIs.
- Ask: access logs from the API management tool. Examine the logs for entries that track who accessed the APIs and when.
  Good: comprehensive logs with no irregular access patterns.
- Ask: training records on API security. Request records of any training provided to staff about API use and security.
  Good: a schedule of past training sessions with attendee lists and feedback.
- Ask: user access reviews. Request reports or meeting notes from regular reviews of user access privileges for APIs.
  Good: records of reviews with documented actions taken.
- Ask: software acquisition checklists. Request to see documentation from recent software purchases that show API security compliance was considered.
  Good: shows the checklist was actively used with all items reviewed.
Cross-framework mappings
How ISM-2014 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001 (partially meets, 3 mapped controls)
| Control | Notes |
|---|---|
| Annex A 5.15 | ISM-2014 focuses on enforcing client authentication and authorisation when internal network APIs are called to access non-public data |
| Annex A 8.3 | ISM-2014 requires organisations to authenticate and authorise clients calling internal network APIs that expose non-public data |
| Annex A 8.5 | ISM-2014 requires authentication and authorisation of clients when they call internal (non-internet) network APIs that provide access to ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.