ISM-2049 ASD Information Security Manual (ISM)

Enforcing Re-authentication After Permission Changes

Users must log in again if their account permissions change.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
When user permissions or credentials are changed, software forces all impacted users to re-authenticate.

Source: ASD Information Security Manual (ISM)

Plain language

If a user's access levels or passwords change, they have to log in again to confirm their identity. This matters because a change to someone’s permissions, such as granting them more access or altering their credentials, is a point where you need to be sure it is really them at the keyboard and that the access they already hold is still needed.

Why it matters

If users aren’t forced to re-authenticate after permission or credential changes, old sessions may retain access and enable unauthorised activity.

Operational notes

Expire sessions and require immediate re-authentication for all affected accounts whenever permissions, roles, passwords or MFA settings change.

Implementation tips

  • The IT team should set up the system to automatically require users to sign in again whenever their access permissions are changed. Use the system's settings or an external application that immediately prompts users to re-enter their credentials, ensuring only authorised people can continue using modified access rights.
  • Managers should regularly review who has access to what within the organisation. This can be done by holding monthly meetings where they confirm that current roles and permissions reflect the team’s present needs, and any changes immediately trigger re-authentication requirements.
  • HR should inform the IT team immediately when there’s a change in employee status, like a promotion or department transfer. This notification can be via an email or a collaboration tool message that includes the details for adjusting access levels and ensuring the proper re-authentication protocols are triggered.
  • Software developers should build functionality into their applications that automatically logs users out upon detecting permission changes. This involves including code that will detect alterations in user profiles and enforce session termination until credentials are verified again.
  • Business leaders should have policies in place outlining the importance of re-confirming user identities after changes in permissions. This can be achieved by drafting clear organisation-wide rules that explain why re-authentication is critical and ensuring all staff are trained on this policy during onboarding.
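The operational note and the developer tip above describe the same mechanism: any change to a user's permissions, roles, password or MFA settings must invalidate that user's existing sessions so the next request forces a fresh login. The following is an added illustration, not code from Control Stack or the ISM; it is a self-contained, stdlib-only Python model with a constructed in-memory user directory. The design is a per-user `auth_version` counter: every session records the version it was issued under, every permission or credential change increments the counter, and session resolution rejects any session whose version no longer matches. The `audit` list is a constructed stand-in for the change log and re-authentication log an auditor would ask for.

```python
"""Session invalidation on permission or credential change (added example).

Each user carries an auth_version counter. A session stores the version it
was issued under. Changing roles, password or MFA settings bumps the counter,
so every session issued earlier is rejected on its next use and the user must
authenticate again. The check is version-based rather than "delete all
sessions", so it also works where sessions are held in several stores or
encoded in tokens, as long as the current auth_version can be looked up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class ReauthRequired(Exception):
    """The session predates the user's latest permission or credential change."""


@dataclass
class User:
    username: str
    roles: set
    password_hash: bytes  # PBKDF2 over (password, salt); hypothetical scheme for the example
    salt: bytes
    mfa_enabled: bool = False
    auth_version: int = 0  # incremented on every permission/credential change


@dataclass
class Session:
    username: str
    auth_version: int  # the user's auth_version at login time


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Constructed in-memory user directory plus session store."""

    def __init__(self):
        self.users = {}     # username -> User
        self.sessions = {}  # token -> Session
        self.audit = []     # constructed audit trail: (event, username)

    def add_user(self, username, password, roles):
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, set(roles), _hash_password(password, salt), salt)

    def login(self, username, password) -> str:
        user = self.users[username]
        if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.auth_version)  # pin current version
        self.audit.append(("login", username))
        return token

    def resolve(self, token) -> User:
        """Return the user behind a session, or force re-authentication if it is stale."""
        session = self.sessions.get(token)
        if session is None:
            raise ReauthRequired("no such session")
        user = self.users[session.username]
        if session.auth_version != user.auth_version:
            del self.sessions[token]  # stale session: drop it so it cannot be retried
            self.audit.append(("reauth_required", user.username))
            raise ReauthRequired("permissions or credentials changed; log in again")
        return user

    def _bump(self, user: User, event: str):
        """Every permission/credential change goes through here and is logged."""
        user.auth_version += 1
        self.audit.append((event, user.username))

    def set_roles(self, username, roles):
        user = self.users[username]
        user.roles = set(roles)
        self._bump(user, "roles_changed")

    def set_password(self, username, new_password):
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        self._bump(user, "password_changed")

    def set_mfa(self, username, enabled: bool):
        user = self.users[username]
        user.mfa_enabled = enabled
        self._bump(user, "mfa_changed")


def demo():
    """Walk through a role change and show the old session being refused."""
    d = Directory()
    d.add_user("alice", "correct horse battery", ["reader"])
    t1 = d.login("alice", "correct horse battery")
    roles_before = sorted(d.resolve(t1).roles)
    d.set_roles("alice", ["reader", "admin"])  # privilege change
    try:
        d.resolve(t1)
        stale_rejected = False
    except ReauthRequired:
        stale_rejected = True
    t2 = d.login("alice", "correct horse battery")  # fresh login picks up new version
    roles_after = sorted(d.resolve(t2).roles)
    return roles_before, stale_rejected, roles_after, [event for event, _ in d.audit]


if __name__ == "__main__":
    print(demo())
```

The `audit` entries are what the evidence tips in the next section ask for: each `roles_changed`, `password_changed` or `mfa_changed` event should be followed by a `reauth_required` and a new `login` for the same user, and a gap in that pairing is what an auditor would flag.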

Audit / evidence tips

  • Ask: a log of recent permission changes and sessions. Request a record showing when permissions were adjusted and the corresponding user re-authentication events.

    Good: a clear match between permission change log entries and subsequent re-authentication entries for the affected users.

  • Ask: a settings overview or system configuration documentation. Request evidence of the system setup that enforces re-authentication on permission changes.

    Good: documented system settings or configurations that enforce re-login on access changes.

  • Ask: user feedback or reports on re-authentication. Request any surveys or incident reports that reflect user experience with the re-authentication process.

    Good: consistent positive feedback, or clear resolutions to any reported problems.

  • Ask: IT policies related to account access management. Request the policy documents describing the procedure when user permissions change.

    Good: a clear policy statement mandating re-authentication, with guidelines on how it is handled.

  • Ask: training materials or records of staff education on re-authentication. Request evidence that staff are educated on the importance of re-authentication after permission changes.

    Good: a documented training program with regular updates and broad participation.

Cross-framework mappings

How ISM-2049 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control: Annex A 5.18
Relationship: Partially meets (1)
Notes: ISM-2049 requires that when user permissions or credentials change, all impacted users are forced to re-authenticate so existing sessions...

Control: Annex A 8.5
Relationship: Partially overlaps (1)
Notes: ISM-2049 requires software to invalidate existing authentication state and force re-authentication after permission or credential changes.
