Ensure only approved applications and scripts can run
Allow only company-approved applications and scripts to run on work computers.
Plain language
This control ensures that only the applications and scripts specifically approved by your business can run on work computers. It's essential because unauthorised programs that manage to run may be harmful, such as malicious software or viruses, putting your data and your business at risk.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
Why it matters
If applications and scripts are not allowlisted, malware can run, leading to data compromise and operational disruption.
Operational notes
Maintain application control rules for executables, DLLs and scripts; review events and update allowlists promptly when approved tools change.
Implementation tips
- The IT team should identify a list of approved applications and scripts necessary for business operations and regularly update this list to ensure it covers any changes in business requirements.
- The system administrator should implement application control software, such as AppLocker for Windows systems, to enforce the list of approved applications. This ensures that only software on the approved list can be executed.
- Security officers should conduct regular reviews of application usage logs to identify and evaluate any attempts to run unauthorised applications. This can help to spot potential threats early.
- IT staff should provide training for employees about the importance of this control and how sticking to approved applications helps keep the organisation's data safe.
- The system administrator should ensure that application control policies are applied not just system-wide, but also specifically to user profile directories and temporary folders, as these are common targets for malicious activity.
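One way to check the last two tips against an actual policy, as an added example that is not part of the original page: it audits an AppLocker policy exported as XML (for example with `Get-AppLockerPolicy -Effective -Xml`) for rule collections that are missing or not enforced and for allow rules pointing into user profile or temporary folders. The sample policy, the required collection set and the path marker list are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: collections needed to cover executables, libraries, scripts and installers.
REQUIRED_COLLECTIONS = ("Exe", "Dll", "Script", "Msi")
# Assumption: substrings that indicate user profile or temporary folders.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp")

# Constructed sample in the AppLocker policy XML layout (not a real export).
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="constructed-1" Name="Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="constructed-2" Name="Helpdesk tool" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition
          Path="%OSDRIVE%\Users\*\AppData\Local\Temp\helpdesk.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="constructed-3" Name="Windows scripts" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%SYSTEM32%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

def audit_policy(xml_text):
    """Return (collection, finding) tuples for an exported AppLocker policy."""
    findings, seen = [], set()
    for coll in ET.fromstring(xml_text).iter("RuleCollection"):
        ctype = coll.get("Type")
        mode = coll.get("EnforcementMode", "NotConfigured")
        seen.add(ctype)
        if mode != "Enabled":  # AuditOnly logs events but blocks nothing
            findings.append((ctype, f"not enforced (EnforcementMode={mode})"))
        for rule in coll.iter("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if any(m in path.lower() for m in USER_WRITABLE_MARKERS):
                    findings.append((ctype, f"allow rule in user-writable path: {path}"))
    for ctype in REQUIRED_COLLECTIONS:
        if ctype not in seen:
            findings.append((ctype, "rule collection missing from policy"))
    return findings

if __name__ == "__main__":
    for collection, finding in audit_policy(SAMPLE_POLICY):
        print(f"{collection}: {finding}")
```

Publisher and hash rules are not inspected here; the check only covers path rules, which are the ones that can open up a user-writable location.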
Audit / evidence tips
- Ask: Has an application control solution been implemented on all workstations?
- Good: The organisation has a documented policy and a report showing application control is active on all workstations
- Ask: Are application control policies applied to user profiles and temporary folders?
- Good: Logs demonstrate enforcement of application control policies in sensitive file directories, preventing unauthorised file execution
Cross-framework mappings
How E8-AC-ML1.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.18 | Annex A 8.18 requires restricting and tightly controlling utilities that can override system and application controls to prevent unauthor... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-0863 | ISM-0863 requires that provisioned mobile devices prevent personnel from installing non-approved mobile applications | |
| ISM-1491 | ISM-1491 requires organisations to prevent unprivileged users from running specific script execution engines (such as PowerShell, cmd.exe... | |
| Partially overlaps (5) | | |
| ISM-0341 | ISM-0341 requires disabling automatic execution features for removable media to stop automatic program launch on insertion | |
| ISM-1235 | E8-AC-ML1.3 requires preventing unapproved execution by allowing only an organisation-approved set of applications and scripts to run | |
| ISM-1592 | ISM-1592 requires that unprivileged users cannot install unapproved applications | |
| ISM-1622 | ISM-1622 requires PowerShell to run in Constrained Language Mode to limit what PowerShell scripts and commands can do | |
| ISM-1668 | ISM-1668 requires Microsoft Office to be blocked from creating executable content | |
| Supports (5) | | |
| ISM-0843 | ISM-0843 requires application control to be implemented on workstations | |
| ISM-0846 | E8-AC-ML1.3 requires restricting execution to an organisation-approved set through application control | |
| ISM-0955 | E8-AC-ML1.3 requires that only approved applications and scripts can run using application control | |
| ISM-1392 | E8-AC-ML1.3 requires application control to restrict execution to an organisation-approved set | |
| ISM-1471 | ISM-1471 requires that when implementing application control using publisher certificate rules, organisations use publisher names and pro... | |
| Depends on (1) | | |
| ISM-1870 | ISM-1870 requires application control coverage specifically for user profiles and temporary folders used by operating systems, web browse... | |
| Related (2) | | |
| ISM-1657 | E8-AC-ML1.3 requires application control to restrict execution of executables, libraries, scripts, installers, and similar content to an ... | |
| ISM-1658 | E8-AC-ML1.3 mandates application control so that only organisation-approved applications and scripts, including executables and libraries... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.