Application Control Restrictions for Users
Users cannot disable, bypass or be exempted from application control; only local administrator accounts and break glass accounts are excepted.
Plain language
This control means that only local administrator accounts and break glass (emergency) accounts may disable, bypass or be exempted from application control; every other user is held to it. If ordinary users could switch the control off, unapproved software could run on the system, exposing it to malware and data breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Control
Official control statement
All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be exempted from application control.
Why it matters
Allowing users to bypass application control can enable unauthorised software execution, increasing malware risk and potential data compromise.
Operational notes
Audit which accounts can change or disable application control (it should be only local administrator and break glass accounts), and alert on any attempt by other users to bypass, disable or obtain an exemption from it. A bypass by a break glass account is permitted, but it should itself be logged and reviewed afterwards.
Implementation tips
- System administrators should lock down application control settings so that only local administrator accounts can change them, by restricting write access to the application control configuration to those accounts.
- IT support staff should review user account permissions regularly to verify that no ordinary user has the rights to alter application control; this means checking account roles and group memberships and removing any that are not on the approved list.
- Managers should explain to employees why application control is in place and why they cannot disable it, through training sessions and written material.
- The IT team should configure monitoring to alert on any attempt to disable, bypass or change application control; log analysis tooling can be set to notify the team when such an attempt is made.
- HR should coordinate with IT so that changes in employee roles are promptly reflected in access permissions, through a defined process by which HR notifies IT of role changes.
Audit / evidence tips
- Ask: the list of user accounts with the ability to change application controls. Good: a short, current list with approved users only.
- Good: the policy explicitly includes these restrictions and is formally approved by management.
- Ask: logs or reports showing attempts to bypass or disable application controls. Good: no unauthorised changes have occurred.
- Good: records show ongoing training with high participation.
- Good: the system logs alerts and there is a process to address them.
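As an added example (not from the ISM or this page), the following Python audit routine turns the operational note and the implementation and evidence tips above into runnable checks: it compares the accounts holding rights to change application control against the approved exception set, and scans an exported log for bypass, disable and exemption attempts, separating attempts by ordinary users (alerts) from changes by approved accounts (to be reviewed). The account names, the key=value log format, the action vocabulary and the log lines themselves are constructed assumptions for the example, not real data or any product's log format.

```python
"""
Added example for ISM-0846 (not from the ISM or this page): a small audit
routine that checks (1) which accounts hold rights to change application
control policy against the approved exception set (local administrator and
break glass accounts) and (2) an exported audit log for attempts by other
users to disable, bypass or be exempted from application control.

All inputs are constructed for this example. The key=value log format, the
action names and the account names are assumptions; a real SIEM or event
log export would need its own field mapping.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Accounts allowed to change or bypass application control under ISM-0846.
# Hypothetical names: the local Administrator account and one break glass account.
APPROVED_EXCEPTIONS = frozenset({r"WS01\Administrator", r"CORP\breakglass-01"})

# Actions that amount to changing, disabling, bypassing or being exempted
# from application control. Assumed vocabulary for this example.
BYPASS_ACTIONS = frozenset({"policy_change", "policy_disable", "exemption_request", "exemption_granted"})

# key=value pairs; a quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    account: str
    action: str
    detail: str


def parse_log(text: str) -> list[AuditEvent]:
    """Parse key=value audit lines into AuditEvent records."""
    events = []
    for line in text.strip().splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in FIELD_RE.finditer(line)}
        events.append(AuditEvent(fields["ts"], fields["account"], fields["action"], fields.get("detail", "")))
    return events


def review_change_rights(accounts_with_rights, approved=APPROVED_EXCEPTIONS) -> list[str]:
    """Accounts that can change application control but are not on the approved exception list."""
    return sorted(set(accounts_with_rights) - approved)


def find_bypass_attempts(events, approved=APPROVED_EXCEPTIONS) -> list[AuditEvent]:
    """Change/disable/exemption events raised by non-exempt accounts: each one is an alert."""
    return [e for e in events if e.action in BYPASS_ACTIONS and e.account not in approved]


def exempt_account_activity(events, approved=APPROVED_EXCEPTIONS) -> list[AuditEvent]:
    """The same events from approved accounts: permitted, but each should be reviewed against a ticket or incident."""
    return [e for e in events if e.action in BYPASS_ACTIONS and e.account in approved]


def evidence_report(accounts_with_rights, events, approved=APPROVED_EXCEPTIONS) -> dict:
    """The evidence an auditor asks for: the rights review and the bypass-attempt log."""
    unapproved = review_change_rights(accounts_with_rights, approved)
    attempts = find_bypass_attempts(events, approved)
    return {
        "unapproved_change_rights": unapproved,
        "unauthorised_attempts": attempts,
        "approved_changes": exempt_account_activity(events, approved),
        "compliant": not unapproved and not attempts,
    }


# Constructed sample export, not real log data.
SAMPLE_LOG = r"""
ts=2026-03-19T09:12:03Z account=WS01\Administrator action=policy_change detail="application control policy updated"
ts=2026-03-19T09:40:17Z account=CORP\jsmith action=exemption_request detail="asked for tools\runme.exe to be allowed"
ts=2026-03-19T10:02:11Z account=CORP\jsmith action=execution_blocked detail="tools\runme.exe blocked by policy"
ts=2026-03-19T10:05:44Z account=CORP\jsmith action=policy_disable detail="tried to stop the enforcement service"
ts=2026-03-19T11:30:00Z account=CORP\breakglass-01 action=policy_disable detail="emergency bypass during incident IR-0042"
ts=2026-03-19T12:00:09Z account=CORP\kchen action=execution_allowed detail="signed application ran"
"""

# Constructed: jsmith was added to the local Administrators group after a role
# change that was never fed back to IT, so the rights review must flag the account.
SAMPLE_RIGHTS = {r"WS01\Administrator", r"CORP\breakglass-01", r"CORP\jsmith"}

if __name__ == "__main__":
    report = evidence_report(SAMPLE_RIGHTS, parse_log(SAMPLE_LOG))
    print("unapproved change rights:", report["unapproved_change_rights"])
    for e in report["unauthorised_attempts"]:
        print("ALERT ", e.ts, e.account, e.action, "-", e.detail)
    for e in report["approved_changes"]:
        print("REVIEW", e.ts, e.account, e.action, "-", e.detail)
    print("compliant:", report["compliant"])
```

Running it prints the rights review, one ALERT line per unauthorised attempt (the exemption request and the attempt to stop enforcement by jsmith) and one REVIEW line per approved-account change, then a compliance verdict of False because jsmith holds change rights. In practice the rights list would come from a group membership export, the events from the SIEM, and the approved exception set from configuration rather than code.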
Cross-framework mappings
How ISM-0846 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.18 | Supports | Annex A 8.18 requires that utilities capable of overriding system and application controls are restricted and tightly controlled, which c... |

E8

| Control | Relationship | Notes |
|---|---|---|
| E8-AC-ML2.2 | Partially overlaps | E8-AC-ML2.2 requires application control coverage across locations (with defined exclusions for user profiles and temporary folders) |
| E8-AC-ML1.1 | Supports | E8-AC-ML1.1 requires application control to be implemented on workstations |
| E8-AC-ML1.2 | Supports | E8-AC-ML1.2 requires enforcement of application control within user profiles and temporary folders to prevent users and malware running c... |
| E8-AC-ML1.3 | Supports | E8-AC-ML1.3 requires restricting execution to an organisation-approved set through application control |
| E8-AH-ML2.8 | Supports | E8-AH-ML2.8 requires enforcement that prevents PDF software from creating child processes |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.