Implement Restrictive OS Hardening Guidelines
Ensure operating systems follow the strictest security guidelines from ASD or vendors.
Plain language
This control is about making sure your computer systems are set up with the most secure settings available. It's important because if you don't use the strictest security settings, you leave the door open for hackers to get into your systems and cause harm, like stealing sensitive information or disrupting your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
Operating systems are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
Why it matters
Without restrictive OS hardening baselines, insecure services and settings may be enabled, increasing attack surface and enabling unauthorised access.
Operational notes
Regularly compare OS builds to ASD and vendor hardening baselines; when guidance conflicts, apply the most restrictive setting and document any exceptions.
Implementation tips
- The IT team should review security guidelines from the Australian Signals Directorate (ASD) and the system's manufacturer to ensure your operating systems have the strongest possible security settings. This involves checking for any updates to guidelines and applying them promptly.
- System administrators should establish a routine to compare security settings between the ASD guidelines and the vendor's recommendations. Where they differ, use the more restrictive setting to minimise security risks.
- Managers should ensure the IT team has the resources and time to implement these strict security settings. This might include buying software tools or allocating time for staff training.
- IT teams should deploy automated tools to monitor compliance with these security settings continuously. These tools can alert IT staff to any deviations from established security protocols.
- System owners should document all security settings applied and any justifications for their choices, especially when deviating from recommended guidelines, ensuring clarity and accountability in security practices.
Audit / evidence tips
- Ask: the documentation showing the comparison between ASD and vendor security guidelines. Ensure the comparison occurs regularly.
  Good: shows a consistent review process with clear justification for decisions made and the most restrictive settings applied.
- Good: a report showing all recommended settings are in place without exceptions.
- Ask: logs or reports from automated compliance monitoring tools. Review whether they show ongoing compliance and alert handling.
  Good: a log showing no alerts, or alerts that were promptly resolved.
- Good: includes recent training sessions focusing on the security guidelines used.
- Good: explains deviations with a strong justification supported by risk assessments.
Cross-framework mappings
How ISM-1409 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.9 | Partially meets | ISM-1409 requires organisations to implement hardened operating system configurations using ASD and vendor guidance, applying the most re... |
| Annex A 8.19 | Partially overlaps | ISM-1409 requires operating systems to be hardened using ASD and vendor guidance, prioritising the most restrictive requirements |
E8
| Relationship | Mapped controls |
|---|---|
| Partially meets | 1 |
| Supports | 2 |
| Related | 3 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.