ISM-1389 ASD Information Security Manual (ISM)

Analyse Executable Files in Sandboxes

Files coming through gateways are tested in a safe environment to catch suspicious activities.

Plain language

This control means that any software or program files coming into your organisation should first be tested in a safe, separate environment to see if they behave badly. It's important because if these files are harmful and you don't catch them early, they could damage your systems or steal sensitive information from your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Executable files imported via gateways or CDSs are automatically executed in a sandbox to detect any suspicious behaviour.

Why it matters

Without sandbox execution and analysis of gateway/CDS-imported executables, malware may bypass controls, causing data compromise and service disruption.

Operational notes

Keep sandbox images and detonation rules current, and automatically execute all gateway/CDS-imported executables to capture suspicious runtime behaviour.

Implementation tips

  • IT team: Set up a sandbox environment on a separate set of computers that can safely run new or untrusted software. This means creating a secure, isolated space in your computer systems where files can be tested without risking your main business systems.
  • System administrator: Use automated tools to scan and test executable files that come through your email or file transfer systems. Choose software that can automatically run and observe these files in the sandbox to look for anything unusual.
  • Security officer: Monitor the results from your sandbox environment. Regularly check the reports generated by the sandbox tools to ensure no suspicious behaviour has been detected.
  • Procurement team: Ensure that any software solutions purchased for sandboxing are regularly updated. This involves checking for software updates and applying them promptly to keep your security measures effective.
  • Training coordinator: Educate staff about the risks of downloading random files from the Internet or suspicious emails. Conduct workshops showing them how automated sandboxing works and why it's a key part of keeping the business safe.

Audit / evidence tips

  • Ask: Sandbox environment setup documentation: Request a diagram or description that explains how the sandbox environment is set up and isolated from operational systems. Good: Includes detailed network diagrams and isolation protocols.
  • Ask: Log files from sandbox testing: Obtain copies of logs generated from executing files within the sandbox. Good: Outcome includes logs indicating testing activity and results without interference.
  • Ask: Security tool purchase and maintenance records: Request documents that show what tools are used for sandboxing and their maintenance schedule. Ensure the tools are listed and that updates are regular. Good: Includes a list of software with dates of recent updates and licences.
  • Ask: Incident reports related to sandbox testing: Check if there are reports of potential threats that were caught in the sandbox before reaching the main systems. Good: Shows documented incidents where threats were contained.
  • Ask: Training schedules and materials: Obtain records of staff training sessions covering sandbox usage and awareness. Good: Includes detailed sessions with staff feedback and improvements based on feedback.

Cross-framework mappings

How ISM-1389 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 8.7
Notes: ISM-1389 requires executable files imported via gateways or CDSs to be automatically executed in a sandbox to detect suspicious behaviour

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
