ISM-0958 policy ASD Information Security Manual (ISM)

Implement Domain Name Allow and Block Lists

Create a list of approved or blocked domains for secure web traffic management.


Plain language

This control is about managing which websites people in your organisation can visit. By approving or blocking specific websites, you can prevent staff from accidentally visiting harmful or inappropriate sites, which can protect your data and your organisation's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways.

Why it matters

Without managed domain allow/block lists for web gateway traffic, users may reach malicious sites, causing malware infection, credential theft and data breaches.


Operational notes

Maintain the allow/block and category lists on every gateway that carries HTTP or HTTPS traffic, review and time-limit exceptions, update the lists from threat intelligence, and close the bypass routes: requests to raw IP addresses, non-standard ports, alternative DNS resolvers and third-party proxies. For HTTPS, the gateway can only match a domain or category if it sees the hostname, either from the TLS server name (SNI) or by decrypting the session, so note which of the two the gateway relies on.


Implementation tips

  • The IT team should build the list of approved websites, or approved website categories, that the organisation needs for work. A practical start is to ask business units which sites they use daily, then check each candidate against a web reputation or categorisation service before approving it.
  • Managers should tell staff the rules on accessing websites. They should explain why certain sites are blocked and how sticking to approved websites protects the organisation's data and prevents security breaches.
  • The IT team should enforce the list on the web gateway (proxy or secure web gateway) that all HTTP and HTTPS traffic passes through, rather than only in browser or internet settings on office computers, which a user can change or bypass. The gateway should also refuse requests to raw IP addresses, non-standard ports and unapproved DNS or proxy services so the list cannot be sidestepped.
  • The IT team should regularly review and update the approved and blocked lists. They should schedule checks to confirm the lists are current, removing sites no longer needed and adding new ones as necessary, with a recorded reason for each change.
  • The IT team should run training sessions for staff on internet safety and the importance of following the approved site list. Quarterly sessions keep internet safety a visible priority.
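The operational notes and the enforcement tip above describe an evaluation order (direct-IP and odd-port requests refused, block list before allow list, category fallback, default deny) and a review of blocked attempts. The following Python sketch is an added example, not part of the ISM or of this page, that makes that order concrete and runs it over a handful of constructed proxy log lines. The list contents, the category map and the log format are all assumptions; a real gateway loads lists from its policy store and resolves categories through a vendor feed.

```python
"""Added example: evaluate web requests against domain allow/block lists.

Everything below (domains, categories, log lines) is constructed for
illustration and is not from the ISM or the Control Stack page.
"""
import ipaddress
from urllib.parse import urlsplit

# Organisation-approved lists (constructed). Suffix matching means that
# "example.com" also covers "www.example.com" but not "notexample.com".
ALLOW_DOMAINS = {"example.com", "intranet.example.gov.au"}
BLOCK_DOMAINS = {"evil.example.net"}

# Constructed category feed: hostname -> category. A real gateway would query
# a categorisation service instead of a static dictionary.
CATEGORY_OF = {"news.example.org": "news", "anon-proxy.example.io": "proxy-avoidance"}
ALLOW_CATEGORIES = {"news", "business"}
BLOCK_CATEGORIES = {"malware", "phishing", "proxy-avoidance"}

# Only standard web ports are allowed through the gateway; anything else is a
# likely tunnel or bypass attempt and is refused regardless of hostname.
WEB_PORTS = {80, 443}


def in_domain_list(host, domains):
    """True if host or any parent domain of host is in `domains`."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def is_ip_literal(host):
    """Requests to a bare IPv4/IPv6 address bypass domain-based lists."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(url):
    """Return (verdict, reason) for a request URL, in the gateway's check order."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return "block", "malformed port"
    if not host:
        return "block", "unparseable host"
    if is_ip_literal(host):
        return "block", "direct-IP request bypasses domain lists"
    if port not in WEB_PORTS:
        return "block", f"non-web port {port}"
    # Block list wins over allow list so a compromised subdomain of an
    # approved domain can still be cut off explicitly.
    if in_domain_list(host, BLOCK_DOMAINS):
        return "block", "on block list"
    if in_domain_list(host, ALLOW_DOMAINS):
        return "allow", "on allow list"
    category = CATEGORY_OF.get(host.lower())
    if category in BLOCK_CATEGORIES:
        return "block", f"blocked category {category}"
    if category in ALLOW_CATEGORIES:
        return "allow", f"approved category {category}"
    # The ISM wording is an approved list, so unknown sites are denied.
    return "block", "not on any approved list (default deny)"


# Constructed proxy log: timestamp, client IP, method, URL. 192.0.2.0/24 is a
# documentation range, used here to show a direct-IP request.
SAMPLE_LOG = """\
2026-03-19T09:00:01Z 10.1.2.3 GET https://www.example.com/
2026-03-19T09:00:02Z 10.1.2.3 GET http://192.0.2.10/
2026-03-19T09:00:03Z 10.1.2.4 CONNECT https://anon-proxy.example.io:443/
2026-03-19T09:00:04Z 10.1.2.5 GET https://news.example.org/today
2026-03-19T09:00:05Z 10.1.2.6 GET https://unknown.example.co/
2026-03-19T09:00:06Z 10.1.2.6 GET https://evil.example.net:8443/
"""


def review(log_text):
    """Replay a log through decide(); return (blocked_count, blocked_entries).

    blocked_entries is a list of (client, url, reason) for exception review.
    """
    blocked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url = line.split()
        verdict, reason = decide(url)
        if verdict == "block":
            blocked.append((client, url, reason))
    return len(blocked), blocked


if __name__ == "__main__":
    count, entries = review(SAMPLE_LOG)
    print(f"{count} blocked requests")
    for client, url, reason in entries:
        print(f"  {client} {url}: {reason}")
```

The point of the ordering is that the bypass checks (IP literal, odd port) run before any list lookup, so an attacker cannot reach an allow-listed hostname's address directly, and that the fall-through is a denial rather than an allow. The `review` output is the kind of record an auditor asks for under the evidence tips below.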

Audit / evidence tips

  • Ask: the approved and blocked website list. Request the latest version from the IT department. Good: the list is current, clearly marked as approved by management, and includes a rationale for each addition or removal.
  • Ask: to see the software used for web traffic management. Request a demonstration from the IT team showing how the software works. Good: the software actively enforces the approved and blocked list and shows logs of blocked access attempts.
  • Ask: a record of regular reviews of the website lists. Check for documented reviews done by the IT team. Good: the document shows reviews are done quarterly and includes changes with reasons.
  • Ask: to see training records on internet safety for staff. Request evidence of training sessions conducted. Good: sessions cover internet safety, and attendance records show high staff participation.
  • Ask: management approval documents for the website lists. Request the signed approval or email confirmations of the list. Good: the document is signed by a manager and includes a future review date.

Cross-framework mappings

How ISM-0958 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)

Annex A 8.23: ISM-0958 requires an organisation-approved allow/block list of domain names or website categories for all HTTP/HTTPS traffic through gate...

E8

Supports (2)

E8-AH-ML1.2: requires blocking Java execution from the internet in web browsers
E8-AH-ML1.3: requires that browsers do not process advertisements sourced from the internet

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
