Enforcing Re-authentication After Permission Changes
Users must log in again if their account permissions change.
Plain language
If a user's access levels or passwords change, they have to log in again to confirm their identity. This is important because if someone’s permissions are updated, like giving them more access or changing their username, it could mean a security risk if it’s not really them or their access isn’t needed anymore.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
When user permissions or credentials are changed, software forces all impacted users to re-authenticate.
Why it matters
If users aren’t forced to re-authenticate after permission or credential changes, old sessions may retain access and enable unauthorised activity.
Operational notes
Expire sessions and require immediate re-authentication for all affected accounts whenever permissions, roles, passwords or MFA settings change.
Implementation tips
- The IT team should set up the system to automatically require users to sign in again whenever their access permissions are changed. Use the system's settings or an external application that immediately prompts users to re-enter their credentials, ensuring only authorised people can continue using modified access rights.
- Managers should regularly review who has access to what within the organisation. This can be done by holding monthly meetings where they confirm that current roles and permissions reflect the team’s present needs, and any changes immediately trigger re-authentication requirements.
- HR should inform the IT team immediately when there’s a change in employee status, like a promotion or department transfer. This notification can be via an email or a collaboration tool message that includes the details for adjusting access levels and ensuring the proper re-authentication protocols are triggered.
- Software developers should build functionality into their applications that automatically logs users out upon detecting permission changes. This involves including code that will detect alterations in user profiles and enforce session termination until credentials are verified again.
- Business leaders should have policies in place outlining the importance of re-confirming user identities after changes in permissions. This can be achieved by drafting clear organisation-wide rules that explain why re-authentication is critical and ensuring all staff are trained on this policy during onboarding.
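One way to implement the developer tip above, as an added example (constructed here, not ISM guidance or any product's code): each user carries an `auth_version` that is bumped on every role, password or MFA change, every session stores the version it was issued under, and a mismatch on the next request terminates the session and returns a "re-authenticate" result instead of a plain 403. The `SessionStore`, `User` and `Session` names are assumptions for this example.

```python
# Constructed in-memory store (added example, not ISM or product code). Each
# user carries an auth_version that every permission or credential change bumps.
import secrets
from dataclasses import dataclass

@dataclass
class User:
    username: str
    roles: set
    auth_version: int = 0

@dataclass
class Session:
    username: str
    auth_version: int  # snapshot of User.auth_version taken at login

class SessionStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}  # token -> Session

    def add_user(self, username, roles):
        self.users[username] = User(username, set(roles))

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, self.users[username].auth_version)
        return token

    def change_roles(self, username, roles):
        self.users[username].roles = set(roles)
        self.invalidate_sessions(username)

    def invalidate_sessions(self, username):
        # Call after any role, password or MFA change. Bumping the version makes
        # every earlier session fail authorise(); the purge just makes it eager.
        self.users[username].auth_version += 1
        for tok in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[tok]

    def authorise(self, token, required_role):
        """Return (allowed, reason); 'reauth_required' means log in again."""
        session = self.sessions.get(token)
        if session is None or session.auth_version != self.users[session.username].auth_version:
            self.sessions.pop(token, None)  # missing or stale: terminate, force re-login
            return False, "reauth_required"
        if required_role not in self.users[session.username].roles:
            return False, "forbidden"
        return True, "ok"
```

The version check matters even with the eager purge: a token cached in another process or on a lagging replica still fails on its next use, which is the case where a purge-only design leaves an old session alive.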
Audit / evidence tips
- Ask: a log of recent permission changes and sessions. Request a record showing when permissions were adjusted and the corresponding user re-authentication attempts.
  Good: a seamless match between permission change logs and re-authentication entries.
- Ask: a settings overview or system configuration documentation. Request evidence of the system setup enforcing re-authentication on permission changes.
  Good: documented system settings or configurations that enforce re-login on access changes.
- Ask: user feedback or reports on re-authentication. Request any surveys or incident reports that reflect user experience with re-authentication processes.
  Good: consistent positive feedback or clear resolutions to any reported problems.
- Ask: IT policies related to account access management. Request the policy documents describing the procedure when user permissions change.
  Good: a clear policy statement mandating re-authentication and guidelines on how it is handled.
- Ask: training materials or records of staff education on re-authentication. Request evidence that staff are educated on the importance of re-authentication after permission changes.
  Good: a documented training program with regular updates and broad participation.
Cross-framework mappings
How ISM-2049 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.18 | ISM-2049 requires that when user permissions or credentials change, all impacted users are forced to re-authenticate so existing sessions... |
| Partially overlaps | Annex A 8.5 | ISM-2049 requires software to invalidate existing authentication state and force re-authentication after permission or credential changes |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.