Application control restricts driver execution to an approved set
Ensure only approved drivers can run to prevent malicious code execution.
Plain language
Think of drivers as the software that helps your computer talk to various hardware like printers and monitors. If these drivers are not approved or checked, they might contain harmful code that could let someone take control of your computer. This control limits which drivers can run to prevent any sneaky actions and keep your systems safe.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Application control restricts the execution of drivers to an organisation-approved set.
Why it matters
Unapproved drivers can execute kernel-level code, enabling attackers to bypass security controls, persist, or destabilise systems.
Operational notes
Maintain a driver allow-list, block unsigned/unapproved drivers, and review new or updated vendor drivers before adding them.
Implementation tips
- The IT team should identify all necessary drivers used by the organisation and list them for approval. This ensures only safe, needed drivers are considered for use.
- System administrators should update system policies to prevent unapproved drivers from running. This can be done using the operating system's built-in tools like AppLocker.
- Security officers should conduct regular reviews of the approved driver list to ensure it stays current and only contains safe drivers. These reviews should involve checking for any vendors that might have been compromised.
- The IT team should remove any drivers that are no longer needed from computers. This can be done during regular maintenance checks or when updating hardware.
- System administrators should configure systems to use Microsoft's vulnerable driver blocklist. This can be implemented through the system's security settings to block known risky drivers automatically.
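The allow-list review described in the tips above can be run as a repeatable check. The following is an added example, not part of the official control guidance: it evaluates a driver inventory against hash and publisher rules and lists allow-list entries that no host uses any more. The inventory, hashes, vendor names and the `Driver`, `verdict` and `audit` names are all constructed for illustration, and treating every unsigned driver as blocked is an assumption taken from the operational notes.

```python
from typing import NamedTuple, Optional

class Driver(NamedTuple):
    host: str
    path: str
    sha256: str
    publisher: Optional[str]  # None means the file carries no signature

# Constructed allow-list (assumption): hash rules pin exact files,
# publisher rules trust every driver signed by a reviewed vendor.
APPROVED_HASHES = {"aa" * 32: "label printer driver 2.1",
                   "bb" * 32: "legacy scanner driver 1.0"}
APPROVED_PUBLISHERS = {"Example Display Vendor Pty Ltd"}

# Constructed inventory, shaped like the output of a collection agent.
INVENTORY = [
    Driver("ws-01", r"C:\Windows\System32\drivers\lblprint.sys", "aa" * 32, "Example Print Co"),
    Driver("ws-01", r"C:\Windows\System32\drivers\exdisp.sys", "cc" * 32, "Example Display Vendor Pty Ltd"),
    Driver("ws-02", r"C:\Windows\System32\drivers\oldtool.sys", "dd" * 32, None),
    Driver("ws-02", r"C:\Windows\System32\drivers\gamepad.sys", "ee" * 32, "Unreviewed Vendor Inc"),
]

def verdict(d):
    """Return (allowed, reason) for one driver."""
    if d.publisher is None:
        return False, "unsigned"
    if d.sha256 in APPROVED_HASHES:
        return True, "hash rule"
    if d.publisher in APPROVED_PUBLISHERS:
        return True, "publisher rule"
    return False, "not on approved list"

def audit(inventory):
    """Return drivers the policy should block and unused allow-list entries."""
    blocked = []
    for d in inventory:
        allowed, reason = verdict(d)
        if not allowed:
            blocked.append((d.host, d.path, reason))
    seen = {d.sha256 for d in inventory}
    stale = sorted(label for h, label in APPROVED_HASHES.items() if h not in seen)
    return blocked, stale

if __name__ == "__main__":
    blocked, stale = audit(INVENTORY)
    for host, path, reason in blocked:
        print(f"BLOCK  {host} {path}: {reason}")
    for label in stale:
        print(f"REVIEW unused allow-list entry: {label}")
```

The blocked list is evidence for the "how are unauthorised drivers prevented" audit question, and the unused entries are candidates for removal at the next allow-list review.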
Audit / evidence tips
- Ask: Can you show me the list of approved drivers for your organisation?
- Good: The list is detailed, up-to-date, and includes recent reviews
- Ask: How are unauthorised drivers prevented from running on company systems?
- Good: Policies are in place that effectively block non-approved drivers and are regularly reviewed
Cross-framework mappings
How E8-AC-ML3.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.19 | E8-AC-ML3.2 requires application control to restrict driver execution to an organisation-approved set | |
| Partially overlaps (1) | | |
| Annex A 8.18 | Annex A 8.18 requires restricting and tightly controlling utilities that can override system and application controls, which includes lim... | |
| Supports (1) | | |
| Annex A 8.9 | E8-AC-ML3.2 requires restricting driver execution to an organisation‑approved set through application control | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| ISM-0955 | ISM-0955 requires application control to be implemented using cryptographic hash, publisher certificate, or path rules | |
| Depends on (2) | | |
| ISM-1392 | E8-AC-ML3.2 requires application control to restrict driver execution to an approved set, which is only effective if the allow-list canno... | |
| ISM-1746 | E8-AC-ML3.2 requires restricting driver execution through application control to an organisation-approved set | |
| Related (3) | | |
| ISM-1656 | E8-AC-ML3.2 requires application control to restrict the execution of drivers to an organisation‑approved set to prevent unauthorised cod... | |
| ISM-1657 | ISM-1657 requires restricting execution to an organisation-approved set for a wide range of application artefacts (executables, libraries... | |
| ISM-1658 | ISM-1658 requires application control to restrict the execution of drivers to an organisation-approved set | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.