ISM-0652, ASD Information Security Manual (ISM)

Quarantine Suspicious Files for Review

Files flagged as risky are held until checked and cleared or blocked.


Plain language

This control means that if a file looks suspicious, it gets set aside so someone can take a closer look before it's allowed to continue. This matters because it helps prevent harmful files, like viruses or ransomware, from getting into your computer systems and causing damage or stealing your information.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Files identified by content filtering checks as suspicious are quarantined until reviewed and subsequently approved or not approved for release.

Why it matters

Without quarantining suspicious files flagged by content filtering, malware (e.g. ransomware) may be released to users, causing outages or data compromise.


Operational notes

Route quarantined files to a defined reviewer queue, set SLAs for review, and only release items after approval; track backlog to avoid business delays.


Implementation tips

  • IT team should set up automatic checks: Use security software to automatically identify and set aside files that seem suspicious based on known signs of risky behaviour. Adjust settings to match the types of files your company typically uses and encounters.
  • Managers should establish a review process: Design a clear process for someone knowledgeable, like an IT security specialist, to review these quarantined files regularly. Ensure that there's a set timeline for these reviews, and document the outcome of each review.
  • IT team should train staff: Conduct training sessions for employees to recognise the types of files that can be suspicious, and explain what to do if they come across such files. Use simple examples that are relevant to your organisation's work environment.
  • System owners should update content filtering criteria: Regularly update the rules that determine what gets flagged as suspicious based on new threats, with input from the Australian Cyber Security Centre (ACSC) guidelines and reports.
  • Managers should review the process: Every month, review the records of quarantined files and outcomes with the IT team to ensure the process is effective. Make adjustments as necessary based on any new threats identified.

Audit / evidence tips

  • Ask: The list of quarantined files. Request a report that lists all files that were flagged and quarantined in the past month. Good: An accurate and comprehensive list with clear reasons for each file's status.
  • Ask: Documentation of the file review process. Request to see the documented process of how quarantined files are reviewed. Good: Shows a detailed process with specific responsibilities assigned and timelines adhered to.
  • Ask: Training records. Request records of staff training sessions on recognising suspicious files. Good: Includes dates, participant names, and feedback or assessments from attendees.
  • Ask: Policy documents. Request the organisation's content filtering policy. Good: Shows a regularly updated document with clear reference to current practices.
  • Ask: Review meeting minutes. Request records from regular review meetings between managers and IT staff regarding the content filtering process. Good: Includes minutes that detail discussions and any changes made to the process.

Cross-framework mappings

How ISM-0652 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Notes

Partially meets (1)
  Annex A 8.7: ISM-0652 requires files flagged by content filtering as suspicious to be quarantined until they are reviewed and either approved or not a...

Partially overlaps (1)
  Annex A 8.16: ISM-0652 requires files identified as suspicious by content filtering to be quarantined pending review and release decision

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
