ISM-0961 ASD Information Security Manual (ISM)

Restrict Active Content with Web Filters

Web filters block active content from unapproved websites.


Plain language

Using web filters to restrict active content from unapproved websites is like having a security guard at the entrance of a building who only lets in trusted people. This is important because if you don't control what content can enter your organisation's computers, malicious software could slip in and cause massive problems, like slowing down important services or stealing sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Client-side active content is restricted by web content filters to an organisation-approved list of domain names.
ASD Information Security Manual (ISM), ISM-0961

Why it matters

Without web filters, active content from malicious sites can exploit vulnerabilities, leading to data breaches and operational disruption.


Operational notes

Maintain the organisation-approved domain allowlist, update it regularly, and review web filter logs/alerts for blocked active content to detect misuse.


Implementation tips

  • The IT team should install and configure a web filtering solution. They can do this by choosing a reputable web filtering service that is compatible with existing systems and setting it to block any active content, such as JavaScript or Flash, from websites not on an approved list.
  • The system owner should work with department heads to compile a list of websites that are necessary for business operations. They should identify which sites employees need for their work and ensure these are added to the 'approved' list in the web filter settings.
  • The IT team should regularly update the web filter to adapt to new threats. They can do this by subscribing to threat intelligence feeds and regularly reviewing and updating the list of approved and blocked sites based on the latest security advice.
  • Managers should inform employees about the web filtering policy and its purpose. They should hold brief information sessions or distribute documents explaining why certain sites are blocked and how employees can request access to additional sites when needed.
  • The compliance officer should periodically check that the web filtering settings align with organisational policies. They should review the settings every three months and after any major update to the policy to ensure continued compliance with security standards.

Audit / evidence tips

  • Ask: The web filter configuration document. Request documentation showing how web filters are set up. Good: Includes a recent review date and a clearly defined list.
  • Good: Outcome is a report showing successful blocking of unauthorised sites with minimal false blocks of necessary content.
  • Ask: A list of approved websites. Ensure it matches the operational needs. Good: List is current, relevant, and linked to specific business requirements.
  • Good: Record shows participation and understanding by employees across teams.
  • Ask: To see threat intelligence subscription materials. Verify that the organisation stays informed about new security threats related to web content. Good: Demonstration includes regular updates to filter settings based on new intelligence.

Cross-framework mappings

How ISM-0961 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.23 ISM-0961 requires organisations to use web content filters to restrict client-side active content to an organisation-approved list of dom...

E8

Control Notes Details
Related (1)
E8-AH-ML1.2 E8-AH-ML1.2 requires that web browsers do not process Java content from the internet

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
