E8-AH-ML2.1 ASD Essential Eight

Web browsers are hardened with the most restrictive guidance

Harden web browsers using the strictest security settings from ASD or vendor guides.

Framework: ASD Essential Eight
Control effect: Proactive
E8 mitigation strategy: Application hardening
Classifications: N/A
Official last update: N/A
Control Stack last updated: 19 Mar 2026
E8 maturity levels: ML2

Official control statement
Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

Source: ASD Essential Eight

Plain language

Securing web browsers with strict settings is like locking all the doors and windows to keep your house safe. Without this control, cybercriminals could easily sneak in through those open doors and cause harm, such as stealing sensitive information or installing malware.

Why it matters

Without hardened web browsers (ASD/vendor baseline), insecure settings and add-ons increase drive-by compromise risk, enabling malware and credential theft.

Operational notes

Verify weekly that browser policies match ASD and vendor hardening baselines; where guidance conflicts, implement the most restrictive setting and document exceptions.
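One way to automate the conflict rule and the weekly check, as an added example that is not part of the original page or of any ASD or vendor tooling. The setting names are Chrome enterprise policies used for illustration; the two guides, their values, the restrictiveness rankings and the deployed set are constructed assumptions.

```python
# Constructed sample data. The rankings and baseline values are illustrative
# assumptions, not the actual ASD or vendor recommendations.
# Each setting lists its values from least to most restrictive.
RESTRICTIVENESS = {
    "PasswordManagerEnabled": [True, False],
    "DefaultPopupsSetting": [1, 2],            # 1 = allow, 2 = block
    "DeveloperToolsAvailability": [1, 0, 2],   # numeric order is not rank order
    "SafeBrowsingProtectionLevel": [0, 1],     # 0 = off, 1 = standard
}
GUIDE_A = {"PasswordManagerEnabled": False, "DefaultPopupsSetting": 2,
           "DeveloperToolsAvailability": 0}
GUIDE_B = {"PasswordManagerEnabled": True, "DefaultPopupsSetting": 2,
           "DeveloperToolsAvailability": 2, "SafeBrowsingProtectionLevel": 1}
DEPLOYED = {"PasswordManagerEnabled": False, "DefaultPopupsSetting": 1,
            "DeveloperToolsAvailability": 2}


def most_restrictive(name, *values):
    """Return the candidate ranked most restrictive for this setting."""
    order = RESTRICTIVENESS[name]  # unranked settings or values raise: review them
    return max(values, key=order.index)


def merge_baselines(*baselines):
    """Combine guides; where they conflict, the most restrictive value wins."""
    merged = {}
    for baseline in baselines:
        for name, value in baseline.items():
            merged[name] = (most_restrictive(name, merged[name], value)
                            if name in merged else value)
    return merged


def audit(deployed, required):
    """Return (setting, deployed value, required value) for each gap."""
    findings = []
    for name, want in sorted(required.items()):
        if name not in deployed:
            findings.append((name, "missing", want))
        elif most_restrictive(name, deployed[name], want) != deployed[name]:
            findings.append((name, deployed[name], want))  # weaker than required
    return findings


if __name__ == "__main__":
    required = merge_baselines(GUIDE_A, GUIDE_B)
    for name, have, want in audit(DEPLOYED, required):
        print(f"{name}: deployed={have!r} required={want!r}")
```

A deployed value stricter than the merged baseline is not reported; anything weaker or absent is a finding to fix or to record as a documented exception.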

Implementation tips

  • The IT team should review current web browser settings against vendor and ASD guides to identify the most restrictive security options.
  • The system administrator should apply the strictest security settings to all company web browsers by updating their group policies.
  • The security officer should regularly check for updates to security guidance from vendors and the ASD to ensure the organisation stays protected.
  • The IT team should disable or remove weaker browsers like Internet Explorer 11 to prevent vulnerabilities.

Audit / evidence tips

  • Ask: How is web browser hardening configured in the organisation?

  • Good: Group policy settings should show that the most restrictive security configurations are applied uniformly across all browsers

  • Ask: Are users able to change security settings in their web browsers?

  • Good: The browser settings should be locked down with no ability for users to alter them

Cross-framework mappings

How E8-AH-ML2.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Partially meets (2)

  • ISM-1485: ISM-1485 requires one specific hardening setting: preventing browsers from processing web advertisements from the internet
  • ISM-1486: ISM-1486 requires that web browsers do not process Java from the internet

Partially overlaps (2)

  • ISM-1235: E8-AH-ML2.1 mandates the hardening of web browsers, applying the most restrictive settings available
  • ISM-1470: E8-AH-ML2.1 focusses on hardening web browsers using the most restrictive guidance

Supports (2)

  • ISM-0290: ISM-0290 requires high assurance IT equipment to be configured and operated in an evaluated configuration consistent with ASD guidance
  • ISM-1585: ISM-1585 requires that web browser security settings cannot be changed by users

Related (4)

  • ISM-1246: ISM-1246 requires server applications to be hardened using ASD and vendor hardening guidance, applying the most restrictive requirement w...
  • ISM-1412: E8-AH-ML2.1 requires web browsers to be hardened using ASD and vendor hardening guidance, applying the most restrictive settings where gu...
  • ISM-1798: ISM-1798 requires secure configuration guidance to be produced and made available to consumers
  • ISM-1858: ISM-1858 mandates hardening of IT equipment using ASD and vendor guidance, taking the most restrictive position when guidance conflicts
