ISM-1341 ASD Information Security Manual (ISM)

Implement HIPS or EDR on Workstations

Ensure your computers are protected by constantly monitoring for threats.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Detective

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
A HIPS or EDR solution is implemented on workstations.

Source: ASD Information Security Manual (ISM)

Plain language

This control means you need to set up protective software on your work computers to constantly watch for signs of trouble, like viruses or hackers trying to get in. It matters because if a threat slips through unnoticed, it can lead to data breaches, financial loss, and damage to your business's reputation.

Why it matters

Without HIPS/EDR on workstations, malware may go undetected, enabling credential theft and data exfiltration before containment.

Operational notes

Monitor the HIPS/EDR console daily, triage high-severity workstation alerts, and confirm that agents and signatures are current and reporting to central management.

Implementation tips

  • The IT team should choose software designed to spot and block threats on your computers, known as Host-based Intrusion Prevention Systems (HIPS) or Endpoint Detection and Response (EDR). To do this, research approved products from trusted sources like the Australian Cyber Security Centre (ACSC) or consult with a cyber security expert for advice.
  • Once the software is chosen, the IT team should install it on all office computers. This involves downloading the software, running the installation, and ensuring it is set to start checking for issues automatically as soon as the computer is turned on.
  • Managers must set up regular training sessions for staff to understand the importance of this software and how it works to protect them and the business. This could be a monthly briefing where staff learn how to respond if the software flags a potential threat.
  • The IT team should set up alerts so they immediately know when the software detects something unusual. This usually involves configuring the software to send notifications via email or a dashboard update to those responsible for security oversight.
  • Every six months, the IT manager should review and update the software to make sure it is still effective against the latest threats. This includes checking vendor updates and considering any new risks the business may face.

Audit / evidence tips

  • Ask: for the list of all workstations where the HIPS or EDR software is installed

    Good: shows that all operational computers have the software running with no gaps

  • Good: means alerts are real-time and actionable, not delayed or ignored

  • Ask: to see the training schedule for staff on security measures

    Good: shows regular training involving all relevant staff with attendance records

  • Good: includes regular updates and any changes to settings when threats evolve

  • Ask: for a recent incident report involving the HIPS or EDR

    Good: demonstrates a swift resolution process and follow-up actions

Cross-framework mappings

How ISM-1341 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 8.7: ISM-1341 requires a Host-based Intrusion Prevention System (HIPS) or Endpoint Detection and Response (EDR) solution to be implemented on ...

Supports (2)

  • Annex A 8.15: ISM-1341 requires implementing HIPS or EDR on workstations, which typically generates detailed endpoint security and process/activity tel...
  • Annex A 8.16: ISM-1341 requires HIPS or EDR on workstations to detect suspicious activity and enable response at the endpoint

Related (1)

  • Annex A 8.1: Annex A 8.1 requires protecting information stored on or accessible via endpoint devices, including detecting and preventing malicious ac...
