Restrict Add-ons to Approved Set in Applications
Only use organisation-approved add-ons for applications to ensure security.
Plain language
This control means you should only use add-ons or extensions for software that your organisation has already approved. An add-on runs inside the application with the same access to documents, email and web sessions as the application itself, so an unapproved one can carry malware or allow sensitive data to be leaked or stolen.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF applications and security products are restricted to an organisation-approved set.
Why it matters
Unauthorised add-ons run with the host application's privileges, so they can introduce malware, weaken the application's own security settings and exfiltrate data through browsers, office suites and PDF or email clients.
Operational notes
Maintain an allow-list for add-ons across browsers, office suites, PDF readers and email clients and enforce it technically (for example through browser extension policies and office add-in trust settings) rather than only publishing it; review approvals periodically and remove unapproved or vulnerable extensions.
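The following is an added example, not code from the ISM or from this page: it shows the two halves of an enforced allow-list for a Chromium-based browser. One function turns an approved set into the value of Chromium's ExtensionSettings policy (block everything, allow the approved IDs), and the other audits a profile's Preferences JSON against the same set so the monitoring step reports anything the policy did not catch. Assumptions not stated on the page: the approved set is keyed by the 32-character extension ID, the Preferences layout used here (extensions -> settings -> id -> location and manifest) is a simplified version of Chromium's profile JSON, the component-extension location value is the one used by current Chromium, and every ID and the sample profile are constructed for this example.

```python
"""Added example, not from the ISM or this page: enforce and audit an add-on
allow-list for a Chromium-based browser.

Assumptions not stated on the page: the approved set is keyed by the 32-character
extension ID; the Preferences layout below (extensions -> settings -> <id> ->
location / manifest.name / manifest.version) is a simplified version of Chromium's
profile JSON; the IDs and the sample profile are constructed for this example.
"""
import json
import re

# Chromium extension IDs are 32 characters drawn from a-p (a hex digest remapped).
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Value of Chromium's Manifest::Location for component (built-in) extensions.
# Assumption: verify against the browser version you audit.
COMPONENT_LOCATION = 5

# Constructed approved set: extension ID -> descriptive name (IDs are made up).
APPROVED = {
    "abcdefghijklmnopabcdefghijklmnop": "Corporate password manager",
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": "Enterprise PDF viewer",
}


def is_extension_id(value: str) -> bool:
    """True if value has the shape of a Chromium extension ID."""
    return bool(EXTENSION_ID_RE.match(value))


def build_extension_settings_policy(approved: dict) -> dict:
    """Return the dict to deploy as Chromium's ExtensionSettings policy.

    The "*" entry blocks every extension by default and tells users why; each
    approved ID is then explicitly allowed. Because the browser itself refuses
    anything not in this dict, the allow-list is enforced, not just published.
    """
    for ext_id in approved:
        if not is_extension_id(ext_id):
            raise ValueError(f"not a valid extension ID: {ext_id!r}")
    policy = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Only organisation-approved extensions may be installed.",
        }
    }
    for ext_id in approved:
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


def find_unapproved(prefs: dict, approved: dict) -> list:
    """Audit a profile's Preferences JSON; return [(id, name, version)] not approved.

    Component extensions ship with the browser and are skipped. Everything else
    outside the approved set is reported whatever its enabled state, because a
    disabled unapproved extension can simply be re-enabled by the user.
    """
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        if entry.get("location") == COMPONENT_LOCATION:
            continue
        if ext_id in approved:
            continue
        manifest = entry.get("manifest", {})
        findings.append((ext_id, manifest.get("name", "?"), manifest.get("version", "?")))
    return sorted(findings)


# Constructed sample profile: one approved, one component, one unapproved extension.
SAMPLE_PREFERENCES = json.loads("""
{
  "extensions": {
    "settings": {
      "abcdefghijklmnopabcdefghijklmnop": {
        "location": 1, "state": 1,
        "manifest": {"name": "Corporate password manager", "version": "4.2.0"}
      },
      "ffffffffffffffffffffffffffffffff": {
        "location": 5, "state": 1,
        "manifest": {"name": "Built-in PDF viewer", "version": "1"}
      },
      "cccccccccccccccccccccccccccccccc": {
        "location": 1, "state": 0,
        "manifest": {"name": "Free Coupon Finder", "version": "0.9.3"}
      }
    }
  }
}
""")


def main() -> None:
    print(json.dumps(build_extension_settings_policy(APPROVED), indent=2))
    for ext_id, name, version in find_unapproved(SAMPLE_PREFERENCES, APPROVED):
        print(f"UNAPPROVED {ext_id} {name} {version}")


if __name__ == "__main__":
    main()
```

Deploy the generated dict as the ExtensionSettings JSON policy through your management channel (Windows registry or ADMX, macOS profile, or Linux managed policy file), and run the audit half against the Preferences file of each user profile from your endpoint tooling; the audit is what catches extensions installed before the policy landed or loaded by a path the policy does not cover.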
Implementation tips
- IT Team should create a list of approved add-ons: Compile a list of trusted add-ons and extensions that have been reviewed and tested before approval. Ensure this list is regularly updated and communicated to all staff.
- System Owners should collaborate with IT: Work together to identify which applications need add-ons and ensure all required extensions are on the approved list. Discuss any exceptions that might be needed and how to handle them securely.
- Managers should oversee the use of add-ons: Regularly remind team members about the importance of using only approved add-ons and check their usage. Set up regular training sessions to educate about the potential risks of unapproved add-ons.
- Procurement should coordinate with IT: Ensure that any new software being purchased includes consideration of what add-ons are necessary and viable, making sure they align with the organisation-approved list.
- Compliance Officers should establish a monitoring system: Implement a process that regularly inventories installed add-ons through endpoint management tooling, compares the result with the approved list and reports any unapproved add-on found, enabling quick action to remove it. Do not rely on staff self-reporting for this.
Audit / evidence tips
- Ask: the approved add-ons list. Request the current list of organisation-approved add-ons and extensions for the applications in scope.
  Good: a well-maintained list with clear and recent update records, together with the deployed policy (for example the browser extension policy) that enforces it, since a published list that is not enforced does not meet the control.
- Ask: training records. Request evidence of training sessions on safe add-on use for staff.
- Ask: to see software purchasing guidelines. Request documents that outline how new software purchases consider add-on approval.
  Good: includes a defined procedure linking purchasing with security checks.
- Ask: monitoring reports. Request reports from the monitoring system that checks for unapproved add-ons in use.
  Good: shows a low number of violations, each promptly addressed.
- Ask: to see exception handling procedures. Request documentation for handling exceptions when an unapproved add-on is needed.
  Good: a clear process that minimises risk and obtains the necessary approvals.
Cross-framework mappings
How ISM-1235 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
- Partially overlaps: 4 controls
- Supports: 1 control
- Related: 1 control
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.