ISM-0955 ASD Information Security Manual (ISM)

Implementing Application Control Measures

Ensure applications are controlled using secure hashing, valid certificates, or designated paths.


Plain language

Application control is about keeping a tight grip on which programs can run on your computers or devices. This matters because letting the wrong programs run, whether accidental or malicious, can lead to data breaches, system crashes, or lost information, putting your business or school at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Mar 2020

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules.
ASD Information Security Manual (ISM) ISM-0955

Why it matters

Without cryptographic hash, publisher certificate, or path rules, unauthorised software can run, causing compromise, malware infection, breaches, and instability.


Operational notes

Maintain application control by updating hash, publisher certificate and path rules, and re-validating hashes after application updates to prevent unauthorised execution.


Implementation tips

  • The IT team should create a list of approved applications by evaluating which programs are necessary for daily operations. They can do this by consulting department heads and staff to understand their needs and ensuring only verified applications are listed.
  • System administrators should use secure hashing to verify applications. This involves using a tool to generate a unique code for each program file and periodically checking that the code hasn't changed; a change would indicate the file has been tampered with.
  • Managers should ensure applications have valid publisher certificates. Ask your software vendors to provide certificates for their products, and keep a record of these to verify the legitimacy of the software being used.
  • The IT team should set up path rules to control where applications can run from. They should assess and lock down folders that staff use regularly, ensuring only paths meant for business purposes are used and unknown locations are not allowed.
  • Managers should run regular training sessions to inform all staff about application control policies. During these sessions, explain the importance of only installing approved applications and demonstrate what steps to take if an unauthorised application is encountered.
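
The hash and path tips above can be sketched as follows; this is an added example, not code from the ISM or from this page. The function names, the temporary folders and the choice to require both a path rule and a hash rule are assumptions made for the example, and publisher certificate rules are not covered.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_hash_rules(files):
    """Record one hash rule per approved file: {resolved path: sha256}."""
    return {str(Path(f).resolve()): sha256_file(Path(f)) for f in files}

def evaluate(candidate, hash_rules, allowed_dirs):
    """Return (verdict, reason) for one file against path and hash rules."""
    path = Path(candidate).resolve()  # resolve symlinks and ".." before matching
    if not any(path.is_relative_to(Path(d).resolve()) for d in allowed_dirs):
        return "deny", "outside approved paths"
    expected = hash_rules.get(str(path))
    if expected is None:
        return "deny", "no hash rule"
    if sha256_file(path) != expected:
        return "deny", "hash mismatch, re-validate after update"
    return "allow", "path and hash match"

def demo():
    """Constructed sample: temp dirs stand in for an approved and a user-writable folder."""
    with tempfile.TemporaryDirectory() as root:
        approved, downloads = Path(root, "approved"), Path(root, "downloads")
        approved.mkdir()
        downloads.mkdir()
        tool = approved / "tool.bin"
        tool.write_bytes(b"version 1")
        stray = downloads / "tool.bin"
        stray.write_bytes(b"version 1")  # same bytes, unapproved location
        rules = build_hash_rules([tool])
        results = [evaluate(tool, rules, [approved])[0],
                   evaluate(stray, rules, [approved])[0]]
        tool.write_bytes(b"version 2")  # simulated update or tampering
        results.append(evaluate(tool, rules, [approved])[1])
        rules = build_hash_rules([tool])  # rule re-validated after an approved update
        results.append(evaluate(tool, rules, [approved])[0])
        return results

if __name__ == "__main__":
    print(demo())
```

The third result shows why hash rules need re-validating after application updates: an updated file is denied until its rule is rebuilt from the approved version.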

Audit / evidence tips

  • Ask: The approved application list. Request the document or database showing which applications are authorised for use. Good: Will include a recent update timestamp and a signature or initials from the person responsible for maintaining it.
  • Ask: Documented proof of secure hashing. Request evidence of hash verification processes, such as logs or screenshots. Good: Includes entries that are recent with no unresolved discrepancies.
  • Ask: Certificate records. Request to see the repository of valid certificates for each program. Good: Would show matching and unexpired certificates with detailed vendor information.
  • Ask: Path rules documentation. Request configuration files or guidelines showing designated program paths. Good: Is clear documentation that aligns with current system settings and is approved by IT staff.
  • Ask: To see staff training records. Request evidence of application control training sessions held for staff. Good: Includes dated records of recent training sessions with clear attendance logs.

Cross-framework mappings

How ISM-0955 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

  • Partially meets (3)
  • Partially overlaps (4)
  • Supports (4)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.