E8-AC-ML2.4 ASD Essential Eight

Annual validation of application control rulesets

Check at least once a year that the rules for allowing or blocking software are accurate.

Plain language

Once a year or more often, it's essential to check that the rules for which software can run on your organisation's computers are still correct. This is important because if you don't, malicious or unapproved software could run and cause significant harm, like stealing sensitive information or damaging files.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Application control

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

Application control rulesets are validated on an annual or more frequent basis.

Why it matters

If application control rulesets aren’t validated at least annually, outdated allow rules may permit malicious executables, enabling compromise, data theft or system damage.

Operational notes

Validate application control rulesets at least annually: review allow/deny rules, remove obsolete entries, confirm business apps still function, and update rules to reflect current software and threats.

Implementation tips

  • The IT manager should schedule an annual review of all the application control rules to ensure they are up to date.
  • The IT team should use a tool, like Microsoft's AppLocker, to export and review current rulesets against approved applications.
  • The system administrator should update the ruleset to include any new approved applications and remove those that are no longer necessary.
  • The security officer should document any changes made to the application control rules as part of the organisation's security policy.
  • The IT team should conduct training for employees to inform them about any changes to the software they are allowed to use.

Audit / evidence tips

  • Ask: When was the last time the application control ruleset was reviewed?
  • Good: Reviews have been conducted at least annually, with records showing the dates and any updates made
  • Ask: How does the organisation verify that only approved applications are running?
  • Good: Logs show that only approved applications have been executed over the past year

Cross-framework mappings

How E8-AC-ML2.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Control Notes Details
Partially overlaps (1)
ISM-1676 E8-AC-ML2.4 requires organisations to validate their application control rulesets annually or more frequently
Supports (6)
ISM-0843 E8-AC-ML2.4 requires application control rulesets to be validated at least annually to ensure allow/deny rules remain accurate and effective
ISM-0955 E8-AC-ML2.4 requires application control rulesets to be validated on an annual or more frequent basis to confirm the allow/block logic re...
ISM-1471 ISM-1471 requires using publisher and product names in publisher certificate rules as part of implementing application control
ISM-1657 ISM-1657 requires restricting application execution to an organisation-approved set, which depends on the quality and currency of the all...
ISM-1658 ISM-1658 requires application control to restrict the execution of drivers to an organisation-approved set
ISM-1660 E8-AC-ML2.4 requires application control rulesets to be validated annually or more frequently to ensure rules remain correct
Related (1)
ISM-1582 ISM-1582 requires application control rulesets to be validated on an annual or more frequent basis

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
