Ensure Workstation Security with Application Control
Application control is used to secure workstations by managing which programs can run.
Plain language
Application control means keeping a tight lid on which software programs are allowed to run on your office computers. This matters because if unapproved or malicious software runs, it can lead to data loss, privacy breaches, or even bring your business operations to a halt.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Control
Official control statement
Application control is implemented on workstations.
Why it matters
Without application control on workstations, unauthorised or malicious software can run, enabling malware, data theft and service disruption.
Operational notes
Maintain workstation application control by reviewing allow/deny rules and updating authorised application lists after patches, installs and business changes.
Implementation tips
- IT team should develop a list of approved applications: Create and maintain an up-to-date list of software that is permitted to run on workstations. Engage with team leaders to identify necessary software and consider obtaining formal confirmation from department heads to keep the list accurate.
- System administrators should deploy application control software: Use specific security tools or settings to ensure only the approved applications from the list can run. Follow vendor guides or seek external expertise during setup so that all user devices are properly covered.
- Managers should conduct regular software audits: Periodically review the software installed on workstations compared to the approved list to ensure compliance. This can be done quarterly by scheduling a meeting to go over installed applications and updating the list if needed.
- Procurement officers should involve IT in software purchases: Ensure any new software purchases are reviewed and approved by the IT team to prevent unauthorised applications from being used. Establish a process where all purchasing requests need IT approval before proceeding.
- Training coordinators should organise staff awareness sessions: Educate staff about the importance of using only approved software and how to request new software if needed. Run annual sessions or include this information in onboarding training, providing clear instructions for requesting new applications.
Audit / evidence tips
- Ask: the list of approved applications: Request the official document that details all software allowed for use
  Good: list is up-to-date, aligns with current company needs, and is reviewed regularly
- Ask: the application control policy: Request the document that outlines how application control is managed within the organisation
- Ask: records of software audits: Request reports or logs from the most recent software audits
  Good: record will show frequent audits and any discrepancies noted and actions taken
- Ask: evidence of staff training sessions: Request attendance records or materials used for recent training sessions on application control
- Ask: procurement records involving IT sign-off: Request purchase orders or approval forms showing IT involvement in software acquisition decisions
Cross-framework mappings
How ISM-0843 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (4) | | |
| Supports (4) | | |
| Depends on (1) | | |
| Related (1) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.