ISM-1406 | ASD Information Security Manual (ISM)

Use SOEs for Workstations and Servers

Use pre-configured software setups for all computers and servers to ensure consistency and security.

Plain language

Using Standard Operating Environments (SOEs) means setting up all computers and servers with the same secure software and settings. This matters because it keeps everything consistent and safe, and because keeping the latest protective measures in place helps prevent hackers from finding weak spots.

Framework: ASD Information Security Manual (ISM)

Control effect: Preventative

Classifications: NC, OS, P, S, TS

ISM last updated: July 2020

Control Stack last updated: 19 May 2026

E8 maturity levels: N/A

Official control statement

SOEs are used for workstations and servers.

Why it matters

Without SOEs, workstations and servers diverge from approved baselines, increasing misconfiguration risk and making patching and compliance harder.

Operational notes

Maintain and version SOE images; patch and harden regularly, and verify deployed builds match the SOE to prevent configuration drift.

Implementation tips

  • The IT team should create a standard setup for all computers and servers. This means choosing a specific operating system and important programs that everyone will use and ensuring they are up to date with the latest security patches.
  • A manager should oversee the process to make sure all staff computers and office servers follow these standard setups. This involves regularly checking devices to ensure they haven't been changed or customised without approval.
  • System owners should regularly review and update the SOE to include the latest security patches and features. They can do this by setting a schedule, like quarterly, to check for new updates or changes in security risks.
  • IT staff should train employees on the importance of using the organisation's standard setups and the risks of installing unauthorised software. This can be done through periodic workshops or information sessions.
  • The procurement team should ensure new equipment purchases align with the standard setups. They can achieve this by working closely with IT to select compatible hardware that supports the chosen operating systems and software.

Audit / evidence tips

  • Ask: The written SOE policy document. Request to see the official guidelines for standard setups. Good: Involves a detailed policy listing specific software and versions with a last updated date.
  • Ask: A list of computers and servers using the SOE. Request this list to verify compliance. Good: Shows a high compliance rate with explanations for any exceptions.
  • Ask: Evidence of regular SOE updates. Request to see the schedule or record of updates. Good: Includes a recent and completed update log showing no gaps beyond the planned intervals.
  • Ask: To see training materials or records for employee education on SOEs. Request records of past training sessions or materials distributed. Good: Includes dated attendance records and training content reflecting current standards.
  • Ask: Procurement procedures aligning with SOEs. Request documentation showing how procurement ensures compatibility with the SOE. Good: Shows consistent procurement practices tied directly to IT requirements.

Cross-framework mappings

How ISM-1406 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.9: ISM-1406 requires organisations to use SOEs for workstations and servers to ensure consistent, secure configurations

Partially overlaps (1)
  • Annex A 8.19: ISM-1406 requires organisations to use Standard Operating Environments (SOEs) for workstations and servers to enforce consistent, secure ...

E8

Supports (2)
  • E8-AH-ML2.9: ISM-1406 requires organisations to use SOEs for workstations and servers to provide a consistent, controlled security baseline
  • E8-AH-ML2.10: ISM-1406 requires organisations to use SOEs for workstations and servers to ensure consistent and secure configurations

Depends on (1)
  • E8-RA-ML3.2: E8-RA-ML3.2 requires administrative activities to be performed only from Secure Admin Workstations (dedicated, hardened endpoints)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
