ISM-0843: ASD Information Security Manual (ISM)

Ensure Workstation Security with Application Control

Application control is used to secure workstations by managing which programs can run.

Plain language

Application control means keeping a tight lid on which software programs are allowed to run on your office computers. This matters because if unapproved or malicious software runs, it can lead to data loss, privacy breaches, or even bring your business operations to a halt.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Application control is implemented on workstations.

Why it matters

Without application control on workstations, unauthorised or malicious software can run, enabling malware, data theft and service disruption.

Operational notes

Maintain workstation application control by reviewing allow/deny rules and updating authorised application lists after patches, installs and business changes.

Implementation tips

  • IT team should develop a list of approved applications: Create and maintain an up-to-date list of software that is permitted to run on workstations. Engage with team leaders to identify necessary software, and consider obtaining formal confirmation from department heads to verify accuracy.
  • System administrators should deploy application control software: Use specific security tools or settings to ensure only the approved applications from the list can run. Follow vendor guides or seek external expertise for the setup so that all user devices are properly covered.
  • Managers should conduct regular software audits: Periodically review the software installed on workstations against the approved list to ensure compliance. This can be done quarterly by scheduling a meeting to go over installed applications and updating the list if needed.
  • Procurement officers should involve IT in software purchases: Ensure any new software purchases are reviewed and approved by the IT team to prevent unauthorised applications from being used. Establish a process where all purchasing requests need IT approval before proceeding.
  • Training coordinators should organise staff awareness sessions: Educate staff about the importance of using only approved software and how to request new software if needed. Run annual sessions or include this information in onboarding training, providing clear instructions for requesting new applications.

Audit / evidence tips

  • Ask for the list of approved applications: Request the official document that details all software allowed for use.

    Good: the list is up to date, aligns with current company needs, and is reviewed regularly.

  • Ask for the application control policy: Request the document that outlines how application control is managed within the organisation.

  • Ask for records of software audits: Request reports or logs from the most recent software audits.

    Good: the record will show frequent audits, any discrepancies noted, and actions taken.

  • Ask for evidence of staff training sessions: Request attendance records or materials used for recent training sessions on application control.

  • Ask for procurement records involving IT sign-off: Request purchase orders or approval forms showing IT involvement in software acquisition decisions.

Cross-framework mappings

How ISM-0843 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

E8

  • Partially meets (4)
  • Supports (4)
  • Depends on (1)
  • Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
