ISM-1408 policy ASD Information Security Manual (ISM)

Use 64-bit Operating Systems Where Supported

Use 64-bit operating systems if they are supported by your computer.

Preventative NC OS P ASD Information Security ManualGuidelines for system hardening hardening

record_voice_over

Plain language

Using a 64-bit operating system on your computer means it can handle more data and process tasks more efficiently. If you're using an older or less capable system, you might be more vulnerable to viruses and other security threats, which can slow down your business or expose your data to hackers.

01 - Overview

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Guideline

Guidelines for system hardening

Section

Operating system hardening

Topic

Operating System Releases and Versions

Official control statement

Where supported, 64-bit versions of operating systems are used.

policy ASD Information Security Manual (ISM) ISM-1408

priority_high

Why it matters

Failing to use 64-bit OSs reduces performance and security, increasing susceptibility to attacks like buffer overflows.

settings

Operational notes

Standardise on 64-bit OS editions where vendor-supported; block 32-bit deployments except by approved exception, and review hardware/driver/app compatibility before upgrades.

02 - Implement

build

Implementation tips

IT team should review current operating systems on all company devices to see if they are 32-bit or 64-bit. They can do this by checking system settings on each device where the operating system details are displayed.
System owner should plan an upgrade strategy for devices currently using 32-bit systems. They can do this by consulting with their IT provider to determine the steps needed to transition to a 64-bit system, including potential hardware upgrades.
Procurement should ensure future computer purchases are 64-bit capable. When buying new computers, ask vendors for confirmation that the systems support 64-bit operating systems.
IT team should update software on 64-bit systems regularly. They should set automated updates or check monthly for patches and updates to ensure security vulnerabilities are mitigated.
Managers should communicate the benefits of 64-bit systems to staff. This can be done via an email or meeting, explaining how it helps in running software efficiently and protecting company data from threats.

03 - Audit

fact_check

Audit / evidence tips

AskAn inventory list of all operating systems used GoodThe list should show all systems are 64-bit where hardware supports it
GoodA clear schedule with allocated resources and completion targets in the next 6 months
GoodPurchase orders state '64-bit' in the product specifications
AskReports from system monitoring tools. Verify if they track and alert for non-compliant 32-bit systems GoodMonitoring logs that show checks and alerts for any 32-bit systems remaining
GoodDocumented communication explaining efficiencies and security advantages

04 - Mappings

link

Cross-framework mappings

How ISM-1408 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control	Notes	Details
handshake Supports (2) expand_less
E8-PO-ML1.8	ISM-1408 requires organisations to use 64-bit operating systems where supported
E8-PO-ML3.9	ISM-1408 requires organisations to use 64-bit versions of operating systems where supported

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.