Application control is implemented on workstations.
Make sure only approved software can run on office computers.
Plain language
This control is about making sure that only approved software can run on the computers people use for work. Without this, you risk having harmful programs, like viruses or ransomware, sneak in and cause trouble by stealing data or locking you out of your systems.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Application control is implemented on workstations.
Why it matters
Without application control, unauthorised software can execute, leading to data breaches or ransomware attacks that disrupt operations.
Operational notes
Review and update workstation allow lists regularly, approving required apps and blocking unauthorised executables, installers and scripts.
Implementation tips
- The IT team should create a list of approved software by reviewing all software currently used in the organisation and deciding what is necessary and safe.
- System administrators should configure application control software. This involves setting up tools like AppLocker so that only software on the approved list can run on workstations.
- Security officers should regularly review and update the approved software list, adding new software when it becomes necessary and removing any that is outdated or risky.
- The IT team should conduct regular checks to ensure application control is working. They can do this by trying to run unapproved software and confirming it is blocked by the system.
Audit / evidence tips
- Ask: What process is in place to approve software for use within the organisation?
- Good: There is a clear, documented process for approving software, and the application control settings match the approved list.
- Ask: How frequently is the list of approved software reviewed and updated?
- Good: Regular review records show the list is updated at least quarterly or after any major software changes.
Cross-framework mappings
How E8-AC-ML1.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-1657 | E8-AC-ML1.1 requires implementing application control on workstations to restrict what software can execute | |
| ISM-1658 | E8-AC-ML1.1 requires application control on workstations to ensure only approved software runs | |
| Partially overlaps (3) | | |
| ISM-1235 | E8-AC-ML1.1 requires application control on workstations to ensure only approved software can run | |
| ISM-1490 | ISM-1490 requires application control to be implemented on internet-facing servers to reduce the attack surface on externally exposed ser... | |
| ISM-1656 | ISM-1656 requires application control on non-internet-facing servers to prevent unauthorised application execution in secure server contexts | |
| Supports (5) | | |
| ISM-0846 | E8-AC-ML1.1 requires application control to be implemented on workstations | |
| ISM-0955 | E8-AC-ML1.1 requires application control to be implemented on workstations to prevent unauthorised software execution | |
| ISM-1493 | ISM-1493 requires organisations to maintain and regularly verify software registers across devices, creating visibility of what executabl... | |
| ISM-1544 | E8-AC-ML1.1 requires application control on workstations so that only approved applications can run | |
| ISM-2023 | ISM-2023 requires an organisation to establish and maintain an authoritative, trusted source for obtaining software | |
| Related (1) | | |
| ISM-0843 | E8-AC-ML1.1 requires organisations to implement application control on workstations so only approved software can run | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.