Implement Domain Name Allow and Block Lists
Create a list of approved or blocked domains for secure web traffic management.
Plain language
This control is about managing which websites people in your organisation can visit. By approving or blocking specific websites, you can prevent staff from accidentally visiting harmful or inappropriate sites, which can protect your data and your organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
Web content filters
Official control statement
An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways.
Why it matters
Without managed domain allow/block lists for web gateway traffic, users may reach malicious sites, causing malware infection, credential theft and data breaches.
Operational notes
Maintain allow/block and category lists on all HTTP/HTTPS gateways, review exceptions, update the lists from threat intelligence, and prevent bypass via direct IP access, alternate DNS resolvers or unauthorised proxies.
Implementation tips
- The IT team should create a list of approved websites your organisation finds safe and necessary for work. They can start by asking staff which sites are needed daily and checking these sites for safety using a reliable online tool.
- Managers should communicate with staff about the rules on accessing websites. They should explain why certain sites are blocked and how sticking to approved websites can protect the organisation's data and prevent security breaches.
- The IT team should use software to enforce the approved and blocked website list. They can do this by configuring the internet settings on office computers so that these settings automatically block or allow specific websites.
- It's important for the IT team to regularly review and update the approved and blocked lists. They should schedule regular checks to ensure the lists are current, removing sites no longer needed and adding new ones as necessary.
- The IT team should provide training sessions for staff about internet safety and the importance of following the approved site list. They can conduct these sessions quarterly to keep internet safety a top priority.
Audit / evidence tips
- Ask for the approved and blocked website list: Request the latest version from the IT department.
  Good: The list is current, clearly marked as approved by management, and includes a rationale for each addition or removal.
- Ask to see the software used for web traffic management: Request a demonstration from the IT team to show how the software works.
  Good: The software actively enforces the approved and blocked list and shows logs of blocked access attempts.
- Ask for a record of regular reviews of the website lists: Check for documented reviews done by the IT team.
  Good: The document shows reviews are done quarterly and includes changes with reasons.
- Ask to see training records on internet safety for staff: Request evidence of training sessions conducted.
  Good: Sessions cover internet safety, and attendance records show high staff participation.
- Ask for management approval documents for the website lists: Request the signed approval or email confirmations of the list.
  Good: The document is signed by a manager and includes a future review date.
Cross-framework mappings
How ISM-0958 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.23 | ISM-0958 requires an organisation-approved allow/block list of domain names or website categories for all HTTP/HTTPS traffic through gate... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| E8-AH-ML1.2 | E8-AH-ML1.2 requires blocking Java execution from the internet in web browsers | |
| E8-AH-ML1.3 | E8-AH-ML1.3 requires that browsers do not process advertisements sourced from the internet | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.