Blocking Access to Unapproved Webmail Services
Prevent access to webmail services that haven't been approved by the organisation.
Plain language
This control is about stopping people in your business from using email services that your organisation hasn't approved. It matters because using unapproved email services can increase the risk of sensitive information leaking out, which can lead to data breaches and damage to your organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Access to non-approved webmail services is blocked.
Why it matters
Unapproved webmail can expose sensitive data to unauthorised entities, leading to data breaches and reputational damage.
Operational notes
Maintain an approved webmail allowlist and enforce blocks via proxy/DNS/firewall; review logs regularly and update rules as services change.
Implementation tips
- The IT team should identify all webmail services that staff are using by checking internet logs or asking staff. Make a list of these services and highlight the ones that are not approved.
- The IT manager should decide which webmail services are safe and suitable for your organisation. This involves checking each service's security features and your organisation's needs.
- The IT team must configure your network firewall or internet filters to block access to unapproved webmail sites. This can be done by adding the specific webmail URLs to a block list in these devices.
- Managers should inform staff about the decision to block these services and explain why it is important. This communication should be clear and provide alternatives that have been approved for use.
- The IT staff should regularly check for any attempts to access blocked webmail services. This can be done by monitoring network logs for any suspicious activity and ensuring that the blocking measures remain effective.
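One way to tie the last three tips together (an approved allowlist, a block list derived from a webmail category, and a regular review of proxy logs) is to check each proxied request against the allowlist and flag two things: attempts at blocked webmail that were denied, and webmail connections that were allowed through because the block list missed a domain. The script below is an added example and is not part of this control page or any filtering product; the domain lists and the Squid-style access-log lines it reads are constructed for illustration, and the `.test` names are placeholders, not real services.

```python
"""Added example: review proxy logs against an approved webmail allowlist.

All domains and log lines are constructed; nothing here comes from the ISM
or a real organisation's filter configuration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed: domains a web filter's "webmail" category might contain.
WEBMAIL_CATEGORY = {
    "mail.example-webmail.test",
    "webmail.example-provider.test",
    "mail.approved-mail.test",
}

# Constructed: the organisation's approved webmail allowlist (operational notes).
APPROVED_WEBMAIL = {"mail.approved-mail.test"}


def host_matches(host, domain):
    """True when host equals domain or is a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_host(host, category=WEBMAIL_CATEGORY, approved=APPROVED_WEBMAIL):
    """Return 'approved', 'block' or 'not-webmail' for a destination host.

    Approved services are checked first, so the allowlist always wins over
    the broader category list.
    """
    if any(host_matches(host, d) for d in approved):
        return "approved"
    if any(host_matches(host, d) for d in category):
        return "block"
    return "not-webmail"


@dataclass
class ProxyRecord:
    client: str
    user: str
    action: str   # e.g. TCP_TUNNEL/200, TCP_DENIED/403
    method: str
    host: str


def parse_squid_line(line):
    """Parse one Squid native access.log line into a ProxyRecord.

    Native format: time elapsed client action/code bytes method URL user
    hierarchy/peer type. HTTPS appears as CONNECT host:port.
    """
    fields = line.split()
    if len(fields) < 8:
        return None
    client, action, method, url, user = fields[2], fields[3], fields[5], fields[6], fields[7]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]          # strip the port from host:port
    else:
        host = urlsplit(url).hostname or ""
    return ProxyRecord(client, user, action, method, host.lower())


def review_proxy_log(lines):
    """Sort webmail-related requests into approved use, denied attempts and
    policy gaps (webmail that should have been blocked but was allowed)."""
    findings = {"approved": [], "denied_attempts": [], "policy_gaps": []}
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        verdict = classify_host(rec.host)
        if verdict == "approved":
            findings["approved"].append(rec)
        elif verdict == "block":
            if rec.action.startswith("TCP_DENIED"):
                findings["denied_attempts"].append(rec)
            else:
                findings["policy_gaps"].append(rec)   # block rule not effective
    return findings


# Constructed sample log lines in Squid native format.
SAMPLE_LOG = [
    "1710000000.001     60 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT mail.approved-mail.test:443 alice HIER_DIRECT/192.0.2.10 -",
    "1710000001.002     12 10.0.0.7 TCP_DENIED/403 3872 CONNECT mail.example-webmail.test:443 bob HIER_NONE/- text/html",
    "1710000002.003     80 10.0.0.9 TCP_TUNNEL/200 9000 CONNECT login.webmail.example-provider.test:443 carol HIER_DIRECT/192.0.2.20 -",
    "1710000003.004     30 10.0.0.5 TCP_MISS/200 1024 GET http://www.example-news.test/index.html alice HIER_DIRECT/192.0.2.30 text/html",
]

if __name__ == "__main__":
    result = review_proxy_log(SAMPLE_LOG)
    for bucket, records in result.items():
        print(f"{bucket}: {len(records)}")
        for r in records:
            print(f"  {r.client} {r.user} {r.action} {r.host}")
```

The `policy_gaps` bucket is the one worth reviewing most often: a subdomain such as `login.webmail.example-provider.test` is caught here by suffix matching, but a provider that moves to a new domain will only show up in this list once someone reaches it, which is why the operational notes call for updating rules as services change.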
Audit / evidence tips
- Ask for the list of approved webmail services: request the document or email where the approved services are listed. Good evidence shows a defined list with a clear approval date and authorisation.
- Ask for a demonstration of the configuration. Good evidence shows the targeted URLs aligned with the unapproved list and that blocking is active.
- Ask them to explain how webmail services are selected for approval. Good evidence includes criteria for approval, who is involved in the decision, and how often this is reviewed.
- Ask to see how attempts to access blocked services are detected. Good evidence shows clear and working detection mechanisms.
- Ask for emails or memos regarding the blocking policy. Good evidence includes positive staff feedback and clear instructions on what to use instead.
Cross-framework mappings
How ISM-0267 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 8.3 | ISM-0267 requires blocking access to non-approved webmail services | |
| Annex A 8.20 | ISM-0267 requires blocking access to non-approved webmail services to reduce data exfiltration and shadow IT use via external webmail | |
| Annex A 8.23 | ISM-0267 requires organisations to block user access to non-approved webmail services | |
| Supports (1) | | |
| Annex A 8.12 | ISM-0267 requires blocking access to non-approved webmail services | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.