ISM-1392 (ASD Information Security Manual, policy control)

Restrict File Modifications via Path Rules

Only certain users can change files and folders as allowed by system rules.

Plain language

This control is about making sure that only the right people can change important files and folders on your computer system. It matters because if everyone could make changes, it could lead to accidental or malicious damage, like removing critical files or installing harmful programs that could disrupt your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When implementing application control using path rules, only approved users can modify approved files and write to approved folders.
Why it matters

If path rules allow unauthorised changes to approved files or folders, attackers can tamper with trusted apps, causing compromise or outages.

Operational notes

Review and test path rules regularly so only approved users can write to approved folders and modify approved files; monitor and audit rule changes.

Implementation tips

  • The IT team should define which files and folders are critical or sensitive. They can do this by listing all essential files and directories that impact business operations or hold sensitive information.
  • The manager should decide which staff require permission to modify these critical files. This involves assessing job roles and responsibilities to determine who truly needs access.
  • The system administrator should set up path rules on the operating system to enforce these permissions. They can do this by configuring the system settings so that only approved users can make changes to specified files and folders.
  • The HR team should ensure that permission settings are regularly reviewed and updated, especially when staff roles change. This means checking who currently has access to sensitive files and modifying permissions as needed during role changes or staff turnover.
  • The IT team should provide training to staff on why these rules and restrictions are in place. This can be done through regular information sessions explaining the importance of protecting digital assets and preventing unauthorised access.
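One way to carry out the regular review that the operational notes call for, as an added example that is not code from the ISM or the Control Stack site: it walks the folders a path rule allows execution from and reports every entry that a principal outside the approved set could write to, judged from POSIX mode bits. The sample tree, the uid/gid sets and the function names are constructed assumptions; ACL-based permissions (POSIX ACLs, Windows DACLs) are out of scope for this check.

```python
"""Audit who can write beneath application-control path rules (POSIX mode bits).
Constructed example, not code from the ISM or any vendor tool. Assumes the
path rules allow execution from the given folders and that only the listed
uids/gids are approved writers; POSIX ACLs and Windows DACLs need a separate check.
"""
import os
import stat
import tempfile

def writable_by_unapproved(path, approved_uids, approved_gids):
    """Return the reasons a non-approved principal could write to path ([] if none)."""
    st = os.lstat(path)  # never follow links: the link itself is the entry under the rule
    if stat.S_ISLNK(st.st_mode):
        return ["symlink inside allowed path; audit its target separately"]
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")  # a sticky bit still allows creating new files
    if st.st_mode & stat.S_IWUSR and st.st_uid not in approved_uids:
        reasons.append(f"owner uid {st.st_uid} is not an approved writer")
    if st.st_mode & stat.S_IWGRP and st.st_gid not in approved_gids:
        reasons.append(f"group gid {st.st_gid} is not an approved writer")
    return reasons

def audit_path_rules(roots, approved_uids, approved_gids):
    """Walk each allowed folder; return {path: [reasons]} for every offending entry.
    Directories count too: creating a new file under an allowed folder is as bad as
    modifying an existing one."""
    findings = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # followlinks=False by default
            for entry in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                reasons = writable_by_unapproved(entry, approved_uids, approved_gids)
                if reasons:
                    findings[entry] = reasons
    return findings

def demo():
    """Constructed sample tree: a clean binary, a lax plugin and an open drop folder."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("app", 0o755), ("plugin.so", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    drop = os.path.join(root, "cache")
    os.mkdir(drop)
    os.chmod(drop, 0o1777)  # /tmp-style folder: anyone can drop an executable here
    # Expected: only plugin.so and cache are reported; the current user is approved.
    return root, audit_path_rules([root], {os.getuid()}, {os.getgid()})
```

Run `demo()` to see the two findings on the constructed tree; in production, pass the real path-rule folders and the uids/gids of the approved writers to `audit_path_rules`.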
Audit / evidence tips

  • Ask: a list of approved files and folders with restricted access
    Good: includes a dated document with file paths and the names of those with access permissions

  • Ask: the access permissions report from the system
    Good: shows clear rules set for specific files and users as intended

  • Ask: to see the HR process for updating user access permissions
    Good: includes documented procedures and logs showing regular updates and checks

  • Ask: records of training sessions on file access restrictions
    Good: includes a schedule of training sessions and outlined topics discussed, with evidence of participant attendance

  • Ask: a log of access attempts to sensitive files
    Good: shows proactive monitoring with irregular activities flagged for review and action

Cross-framework mappings

How ISM-1392 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (3):
  • Annex A 5.15: ISM-1392 requires a concrete access restriction outcome: only approved users can modify approved files and write to approved folders when...
  • Annex A 5.18: ISM-1392 requires that when application control uses path rules, only approved users can modify approved files and write to approved folders
  • Annex A 8.3: ISM-1392 requires enforcing that only approved users can modify approved files and write to approved folders under application control pa...

Supports (1):
  • Annex A 8.2: ISM-1392 requires that only approved users can modify approved files and write to approved folders when path rules are used for applicati...

E8

Partially overlaps (1); Supports (4); Depends on (2)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
