ISM-1412 ASD Information Security Manual (ISM)

Web Browser Hardening with Strict Guidelines

Web browsers must be configured with the strictest security settings per ASD and vendor guides.

Plain language

This control means that your web browser - the program you use to browse the internet - should have the highest level of security settings according to guidelines from both the Australian Signals Directorate (ASD) and the makers of the browser. This is crucial because if your web browser isn't secure, it can be an easy way for hackers to get into your computer, leading to data theft or financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 May 2026

E8 maturity levels

ML2, ML3

Official control statement

Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

Why it matters

Without browser hardening based on ASD and vendor guidance, with the most restrictive setting applied, weak defaults can enable drive‑by attacks, credential theft and unauthorised data access via the browser.

Operational notes

Regularly audit browser policies against ASD and vendor baselines, applying the most restrictive setting where guidance conflicts, and rapidly update configs for new advisories.

Implementation tips

  • Business IT support should familiarise themselves with the Australian Government's guidelines and the browser manufacturer's security settings documentation. Find the latest hardening guidelines from the ASD and the browser maker's official website, and compare them to ensure all recommended security settings are applied.
  • The IT team should customise web browser settings to the strictest standards, as per the ASD and manufacturer guidelines. Go into the browser settings menu and adjust parameters such as enabling pop-up blockers and disabling auto-plugins to reduce security risks.
  • System owners should regularly update web browsers to ensure they have the most secure version. Set up automatic updates within the browser settings and check periodically to verify the updates are proceeding without issues.
  • Managers should conduct regular discussions with staff on the importance of using hardened browsers. Schedule monthly meetings or include it in existing meetings to remind staff about the reasons for these security measures and their own role in keeping systems safe.
  • The IT team should perform regular checks to confirm the hardened settings are intact and functioning as intended. Use a checklist based on the ASD and browser guidelines to review each setting quarterly or after major browser updates.

Audit / evidence tips

  • Ask: A copy of the browser hardening policy document. Good: Includes specific settings listed and version control to show it's kept up to date
  • Good: Are the settings correctly configured according to both ASD and manufacturer guidelines
  • Ask: Records of recent browser update verification. Good: Would show frequent updates, ideally matching the release dates of browser updates
  • Good: Would include records showing meetings discussing security updates at least monthly
  • Ask: IT team review records on browser settings. Good: Includes dates of review, findings, and actions taken

Cross-framework mappings

How ISM-1412 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Partially meets (1)
  • Control: E8-AH-ML1.4. Notes: E8-AH-ML1.4 requires that web browser security settings are locked down so users cannot change them
Related (1)
  • Control: E8-AH-ML2.1. Notes: E8-AH-ML2.1 requires web browsers to be hardened using ASD and vendor hardening guidance, applying the most restrictive settings where gu...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
