ISM-1341, ASD Information Security Manual (ISM)

Implement HIPS or EDR on Workstations

Ensure your computers are protected by constantly monitoring for threats.

Plain language

This control means you need to set up protective software on your work computers to constantly watch for signs of trouble, like viruses or hackers trying to get in. It matters because if a threat slips through unnoticed, it can lead to data breaches, financial loss, and damage to your business's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A HIPS or EDR solution is implemented on workstations.
ASD Information Security Manual (ISM), ISM-1341

Why it matters

Without HIPS/EDR on workstations, malware may go undetected, enabling credential theft and data exfiltration before containment.

Operational notes

Monitor the HIPS/EDR console daily, triage high-severity workstation alerts, and confirm that agents and signatures are current and reporting to central management.

Implementation tips

  • The IT team should choose software designed to spot and block threats on your computers, known as Host-based Intrusion Prevention Systems (HIPS) or Endpoint Detection and Response (EDR). To do this, research approved products from trusted sources like the Australian Cyber Security Centre (ACSC) or consult with a cyber security expert for advice.
  • Once the software is chosen, the IT team should install it on all office computers. This involves downloading the software, running the installation, and ensuring it is set to start checking for issues automatically as soon as the computer is turned on.
  • Managers must set up regular training sessions for staff to understand the importance of this software and how it works to protect them and the business. This could be a monthly briefing where staff learn how to respond if the software flags a potential threat.
  • The IT team should set up alerts so they immediately know when the software detects something unusual. This usually involves configuring the software to send notifications via email or a dashboard update to those responsible for security oversight.
  • Every six months, the IT manager should review and update the software to make sure it is still effective against the latest threats. This includes checking vendor updates and considering any new risks the business may face.

Audit / evidence tips

  • Ask: The list of all the workstations where the HIPS or EDR software is installed. Good: Shows that all operational computers have the software running with no gaps.
  • Good: Means alerts are real-time and actionable, not delayed or ignored.
  • Ask: To see the training schedule for staff on security measures. Good: Shows regular training involving all relevant staff with attendance records.
  • Good: Includes regular updates and any changes to settings when threats evolve.
  • Ask: A recent incident report involving the HIPS or EDR. Good: Demonstrates a swift resolution process and follow-up actions.

Cross-framework mappings

How ISM-1341 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.7: ISM-1341 requires a Host-based Intrusion Prevention System (HIPS) or Endpoint Detection and Response (EDR) solution to be implemented on ...

Supports (2)
  • Annex A 8.15: ISM-1341 requires implementing HIPS or EDR on workstations, which typically generates detailed endpoint security and process/activity tel...
  • Annex A 8.16: ISM-1341 requires HIPS or EDR on workstations to detect suspicious activity and enable response at the endpoint

Related (1)
  • Annex A 8.1: Annex A 8.1 requires protecting information stored on or accessible via endpoint devices, including detecting and preventing malicious ac...

E8

Depends on (1)
  • E8-RA-ML3.2: E8-RA-ML3.2 requires privileged administration to be conducted from Secure Admin Workstations to reduce compromise pathways

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
