Application control is implemented on non-internet-facing servers
Ensure only approved software can run on internal servers.
Plain language
This control ensures that only software approved by your organisation can run on internal servers that do not face the internet. It matters because unauthorised or harmful software on these servers can lead to data theft, disruptions, or security breaches. Controlling what runs on these servers protects sensitive information and keeps systems secure.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Application control is implemented on non-internet-facing servers.
Why it matters
Without application control, unauthorised software on internal servers can lead to data leaks and compromise critical business operations.
Operational notes
Maintain an allow-list for non-internet-facing servers, review it regularly, and alert on any execution attempt that falls outside the approved applications (including audit-mode events that would have been blocked).
Implementation tips
- The IT team should create a list of approved software for non-internet-facing servers. To do this, inventory the software actually installed and needed for operations on a known-clean reference server, and mark those items as approved.
- A system administrator should implement application control software on non-internet-facing servers. This is done by configuring tools such as AppLocker (or an equivalent) to block any software not on the approved list, preferring publisher-certificate and hash rules over path rules, and running in audit mode first so that missed legitimate software is identified before enforcement is turned on.
- Security officers should regularly review and update the list of approved software. Do this by meeting quarterly with department heads, and also whenever a change request introduces new software, to ensure the list meets current needs and security policies.
- The IT team should set up alerts for any attempts to run unapproved software. Forward the application control block (and audit) events to the monitoring platform so that notifications reach the security team immediately when an execution is denied.
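The four steps above, worked through end to end for a Windows server with AppLocker. This is an added example, not code from the original page or from ASD; the reference directories, the policy path under C:\AppLocker and the line-of-business application folder are assumptions, and the script is meant to be run as an administrator on a known-clean reference server before the resulting policy is distributed (locally or via Group Policy) to the other non-internet-facing servers.

```powershell
# Added example (not from the original page): build an AppLocker allow-list from
# a reference non-internet-facing server, deploy it locally in audit mode, verify
# it, and report the events that feed alerting and audit evidence.
# Assumed/hypothetical: $ReferenceDirs (including D:\LineOfBusinessApp) and $PolicyPath.
#Requires -RunAsAdministrator
Import-Module AppLocker

$ReferenceDirs = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)', 'D:\LineOfBusinessApp')
$PolicyPath    = 'C:\AppLocker\non-internet-facing-servers.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# Step 1: inventory what actually runs on the reference server. This is the
# "approved list"; anything not found here will not get a rule.
$fileInfo = foreach ($dir in $ReferenceDirs) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe,Dll,Script,WindowsInstaller
    }
}

# Step 2: turn the inventory into rules. Publisher rules survive patching of
# signed software; hash rules cover unsigned binaries. Path rules are deliberately
# not generated because a writable path would let anyone add "approved" software.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher,Hash `
    -User Everyone -RuleNamePrefix 'NonIF' -Optimize

# Save in AuditOnly first: legitimate software the inventory missed shows up as
# event 8003/8006 instead of breaking the server. After review, change the
# EnforcementMode to "Enabled" and redeploy.
$xml = $policy.ToXml() -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyPath -Value $xml -Encoding UTF8

# Sanity check before deployment: every inventoried file must be allowed.
$denied = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $fileInfo.Path -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed'
if ($denied) {
    $denied | Format-Table Path, PolicyDecision, MatchingRule -AutoSize
    throw 'Generated policy would block files from the approved inventory; fix before deploying.'
}

# Apply locally (use Set-AppLockerPolicy -Ldap '<GPO LDAP path>' to push via a GPO
# instead) and make sure the Application Identity service that enforces AppLocker
# is running. sc.exe is used because AppIDSvc is a protected service on recent
# Windows versions and Set-Service may be denied.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Steps 3 and 4: the same query serves the quarterly review (what would have been
# blocked in audit mode) and the alerting feed (what was blocked in enforce mode).
#   8003 / 8006 = would have been blocked (audit)   8004 / 8007 = blocked (enforce)
function Get-AppLockerViolation {
    param([int]$Hours = 24)
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Id        = 8003, 8004, 8006, 8007
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
    }
}

Get-AppLockerViolation -Hours 24 | Format-Table -AutoSize
```

Running the script in audit mode for a full patch and business cycle before switching the EnforcementMode to "Enabled" is the practical way to catch software the inventory missed; the output of Get-AppLockerViolation over that period, together with the exported policy XML and the dated inventory, is the evidence an assessor will ask for in the section below.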
Audit / evidence tips
- Ask: Is there an approved list of software for non-internet-facing servers?
  Good: A comprehensive and current list of approved software should be provided.
- Ask: How are application controls configured on non-internet-facing servers?
  Good: The settings should match the list of approved software, blocking all others.
- Ask: How often is the list of approved software updated?
  Good: Evidence of quarterly reviews and updates to the approved software list should be present.
Cross-framework mappings
How E8-AC-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-0955 | Partially meets | ISM-0955 requires application control to be implemented using cryptographic hash, publisher certificate, or path-based rules |
| ISM-1490 | Partially overlaps | ISM-1490 requires application control to be implemented on internet-facing servers |
| ISM-1871 | Partially overlaps | E8-AC-ML3.1 requires application control to be implemented on non-internet-facing servers so only approved software can execute |
| ISM-1493 | Supports | ISM-1493 requires organisations to maintain and regularly verify software registers for servers and other networked equipment, identifyin... |
| ISM-1544 | Supports | ISM-1544 requires implementation of Microsoft’s recommended application blocklist to stop unauthorised applications from executing |
| ISM-1657 | Supports | E8-AC-ML3.1 requires application control on non-internet-facing servers to ensure only approved software can run |
| ISM-1658 | Supports | E8-AC-ML3.1 requires implementing application control on non-internet-facing servers to restrict execution to approved software |
| ISM-1926 | Supports | ISM-1926 reduces the attack surface of AD servers by ensuring they only perform their intended roles without unrelated services |
| ISM-1656 | Related | E8-AC-ML3.1 requires application control to be implemented on non-internet-facing servers |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.