ISM-1290, ASD Information Security Manual (ISM)

Controlled Unpacking of Archive Files for Filtering

Ensure unpacked archive files do not disrupt system filters or cause unavailability.

Plain language

This control is about making sure that when you open archive files, like zip files, on your computer systems, nothing from inside causes problems. If you don’t handle these properly, your system's security filters might miss harmful content, leading to viruses or malware infiltrating your systems, potentially shutting down operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Archive files are unpacked in a controlled manner to ensure content filter performance or availability is not adversely affected.

Why it matters

Uncontrolled archive unpacking can cause filter bypass or resource exhaustion (e.g., archive bombs), degrading content filter performance/availability and disrupting operations.

Operational notes

Enforce controlled unpacking limits (nesting depth, file count and total size) and regularly test with content filters to prevent archive bombs and performance degradation.
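
One way to enforce these three limits on ZIP input, as an added example that is not part of the ISM or of this page's source. The function names, the default limit values and the in-memory `make_zip` sample builder are assumptions chosen for illustration.

```python
import io
import zipfile

class ArchiveLimitExceeded(Exception):
    """Raised when an archive exceeds a configured unpacking limit."""

def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def controlled_unpack(data, max_depth=3, max_files=1000, max_bytes=50 * 2**20,
                      _depth=1, _state=None):
    """Return {path: bytes} of leaf files, or raise ArchiveLimitExceeded.

    Limit values are assumptions; file count and byte totals are cumulative
    across every nesting level, so nesting cannot be used to reset them.
    """
    state = _state if _state is not None else {"files": 0, "bytes": 0}
    if _depth > max_depth:
        raise ArchiveLimitExceeded("nesting depth")
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            state["files"] += 1
            if state["files"] > max_files:
                raise ArchiveLimitExceeded("file count")
            content = bytearray()
            # Decompress in bounded chunks and count real output bytes; the
            # size declared in the archive header is not trusted.
            with zf.open(info) as member:
                while chunk := member.read(64 * 1024):
                    state["bytes"] += len(chunk)
                    if state["bytes"] > max_bytes:
                        raise ArchiveLimitExceeded("total size")
                    content += chunk
            content = bytes(content)
            if zipfile.is_zipfile(io.BytesIO(content)):
                inner = controlled_unpack(content, max_depth, max_files,
                                          max_bytes, _depth + 1, state)
                out.update({f"{info.filename}/{k}": v for k, v in inner.items()})
            else:
                out[info.filename] = content
    return out
```

Leaf files are returned in memory for the content filter to scan; an archive that trips any limit is rejected as a whole rather than partially unpacked.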

Implementation tips

  • IT team should ensure that archive files are unpacked in a quarantined area: Set up a specific computer or an isolated part of your network where archive files can be opened without affecting the rest of the system. It ensures that potentially dangerous files are detected and dealt with before they interact with your primary systems.
  • System administrators should verify system filter configurations: Check that your content filtering systems are updated to handle newly unpacked files effectively. This might involve regular system updates and testing with sample archive files to see how the filters react.
  • Managers should establish a clear policy on handling archive files: Develop guidelines that tell employees what to do if they have to open archive files. This might involve limiting who can unpack these files and using specialised software that performs security checks.
  • Training coordinators should organise regular training sessions: Educate staff on the risks of improperly unpacking archive files and how to use company-approved systems and processes. Keep these sessions practical with scenarios and examples they might encounter in their daily work.
  • Procurement should work with IT to purchase and maintain approved software: Ensure that the organisation only uses tools that handle archive files safely and are vetted by cybersecurity experts. This keeps proprietary data safe and reduces the risk of introducing malicious software.

Audit / evidence tips

  • Ask: The quarantine area setup documentation. Request proof of the specific system or network area used for safe file unpacking. Good: A document showing a physically or virtually isolated environment with access logs and successful test results.
  • Ask: To see content filter reports. Request logs from content filtering systems after archives are unpacked. Good: Logs showing that unpacking processes are flagged and managed without disrupting services.
  • Ask: The policy documentation on handling archive files. Request the formal policy that outlines procedures for staff when dealing with archive files. Good: A dated document endorsed by management showing clear steps and staff responsibilities.
  • Ask: Training records. Request records of staff training related to handling archive files securely. Good: Recent training records with high attendance and updated content reflecting current best practices.
  • Ask: Software procurement and licence agreements. Request documentation showing what software has been acquired for handling archive files. Good: Valid licences for recommended software with recent security updates and vendor support assurance.

Cross-framework mappings

How ISM-1290 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (1)

Control: Annex A 8.7
Notes: ISM-1290 requires controlled unpacking of archive files to prevent malicious or pathological archives from reducing filter performance or...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
