Application control is implemented on workstations.
Make sure only approved software can run on office computers.
Framework: ASD Essential Eight
Control effect: Preventative
E8 mitigation strategy: Application control
Classifications: N/A
Official last update: N/A
Control Stack last updated: 22 Feb 2026
E8 maturity levels: ML1
Application control is implemented on workstations.
Source: ASD Essential Eight
Plain language
This control is about making sure that only approved software can run on the computers people use for work. Without this, you risk having harmful programs, like viruses or ransomware, sneak in and cause trouble by stealing data or locking you out of your systems.
Why it matters
Without application control, unauthorised software can execute, leading to data breaches or ransomware attacks that disrupt operations.
Operational notes
Review and update workstation allow lists regularly, approving required apps and blocking unauthorised executables, installers and scripts.
Implementation tips
- The IT team should create a list of approved software by reviewing all software currently used in the organisation and deciding what is necessary and safe.
- System administrators should configure application control software. This involves setting up tools like AppLocker so that only software on the approved list can run on workstations.
- Security officers should regularly review and update the approved software list, adding new software when it becomes necessary and removing any that is outdated or risky.
- The IT team should conduct regular checks to ensure application control is working. They can do this by trying to run unapproved software and confirming it is blocked by the system.
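
One way to support the regular check described above, as an added example that is not part of the original page: the script audits an exported AppLocker policy for the executable, installer and script rule collections. The sample XML is constructed, and the function name `audit_policy` and the use of an export from `Get-AppLockerPolicy -Effective -Xml` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the output of `Get-AppLockerPolicy -Effective -Xml`.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="r1" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
  </FilePathRule>
  <FilePathRule Id="r2" Name="Temporary catch-all" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="*"/></Conditions>
  </FilePathRule>
 </RuleCollection>
 <RuleCollection Type="Msi" EnforcementMode="AuditOnly"/>
 <RuleCollection Type="Script" EnforcementMode="Enabled">
  <FilePathRule Id="r3" Name="Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
  </FilePathRule>
 </RuleCollection>
</AppLockerPolicy>"""

# Executables, installers and scripts, as AppLocker rule collection types.
REQUIRED_TYPES = ("Exe", "Msi", "Script")

def audit_policy(xml_text):
    """Return findings showing where the policy does not enforce an allow list."""
    root = ET.fromstring(xml_text)
    collections = {rc.get("Type"): rc for rc in root.findall("RuleCollection")}
    findings = []
    for kind in REQUIRED_TYPES:
        rc = collections.get(kind)
        if rc is None:
            findings.append(f"{kind}: no rule collection")
            continue
        mode = rc.get("EnforcementMode", "NotConfigured")
        if mode != "Enabled":
            # AuditOnly logs what would be blocked but still lets it run.
            findings.append(f"{kind}: enforcement mode is {mode}")
            continue
        rules = list(rc)
        if not rules:
            # A collection with no rules places no restriction on that file type.
            findings.append(f"{kind}: enforced but has no rules")
        for rule in rules:
            for cond in rule.iter("FilePathCondition"):
                if rule.get("Action") == "Allow" and cond.get("Path") == "*":
                    findings.append(f"{kind}: rule '{rule.get('Name')}' allows every path")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

An empty findings list for a workstation's exported policy can be kept with the review records as evidence that the configured rules are enforced rather than only audited.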
Audit / evidence tips
- Ask: What process is in place to approve software for use within the organisation?
- Good: There is a clear, documented process for approving software, and the application control settings match the approved list.
- Ask: How frequently is the list of approved software reviewed and updated?
- Good: Regular review records show the list is updated at least quarterly or after any major software changes.
Cross-framework mappings
How E8-AC-ML1.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| ISM-0955 | ISM-0955 requires organisations to implement application control using hash, publisher certificate, or path rules | |
| ISM-1657 | E8-AC-ML1.1 requires implementing application control on workstations to prevent unauthorised software execution | |
| ISM-1658 | E8-AC-ML1.1 requires application control on workstations to ensure only approved software runs | |
| Partially overlaps (2) | | |
| ISM-1490 | ISM-1490 requires application control to be implemented on internet-facing servers to reduce the attack surface on externally exposed ser... | |
| ISM-1656 | ISM-1656 requires application control on non-internet-facing servers to prevent unauthorised application execution in secure server contexts | |
| Supports (4) | | |
| ISM-0846 | E8-AC-ML1.1 requires application control to be implemented on workstations to stop unapproved code running | |
| ISM-1493 | ISM-1493 requires organisations to maintain and regularly verify software registers across devices, creating visibility of what executabl... | |
| ISM-1544 | ISM-1544 requires organisations to implement Microsoft’s recommended application blocklist to prevent unauthorised applications from running | |
| ISM-2023 | ISM-2023 requires an organisation to establish and maintain an authoritative, trusted source for obtaining software | |
| Related (1) | | |
| ISM-0843 | E8-AC-ML1.1 requires application control to be implemented on workstations so only approved software can execute | |