Implement Firewalls to Control Network Connections
Use software firewalls to control what apps and services can connect to your network.
Plain language
Implementing software firewalls on computers and servers helps keep unwanted connections out and controls what applications can access your network. This is important because it stops hackers or harmful programs from sneaking in and causing damage or stealing information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Software Firewall
Official control statement
A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services.
Why it matters
Without a default-deny software firewall on each host, any program running there, including malware or a tool dropped by an intruder, can accept inbound connections or open outbound ones, giving an attacker the network paths needed for lateral movement, command-and-control traffic and data exfiltration. A perimeter firewall does not see traffic between hosts on the same internal segment, so host-based filtering is the only control at that point.
Operational notes
Maintain an up-to-date allowlist for inbound and outbound rules, enforce default-deny in both directions, deliver the policy centrally so local users and software installers cannot add rules, log blocked connections, and routinely verify that the effective workstation and server policy matches the approved applications and services.
Implementation tips
- IT team should install and configure a software firewall on each company computer and server. Set the default action to block for both inbound and outbound connections, then add allow rules only for the organisation-approved applications and services, scoped to the program, protocol, ports and remote addresses each one actually needs. Deliver the policy centrally (for example through Group Policy or a device-management platform) so it cannot be changed by local users.
- System administrators should regularly review the list of allowed applications on the firewall, including rules added automatically by software installers. They can do this by exporting the effective rule set periodically and confirming with department heads that only necessary applications are enabled, recording the reason each rule is kept.
- Managers should coordinate with the IT team to set up a policy for approving new applications. This involves creating a simple form for staff to request network access for new applications and reviewing these requests monthly.
- The security officer should conduct training sessions for employees about the importance of network security. Use easy-to-understand examples about why only approved applications should be used and how to recognise potential threats.
- Procurement should ensure that any new software or applications purchased for the organisation are assessed by the IT team for compatibility with the existing firewall settings. This means communicating with vendors about any special network requirements before purchase.
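The following PowerShell is an added example for the configuration and review steps above; it is not ISM text and not code from the page. It applies a default-deny policy to Windows Defender Firewall, creates allow rules from an approved list, and then audits the effective rule set (local plus Group Policy) against that list. Every program path, port and subnet in it is an assumption chosen for illustration; substitute the organisation-approved set.

```powershell
#Requires -RunAsAdministrator
# Added example for ISM-1416 (not ISM text, not the page's own code).
# All program paths, ports and addresses below are assumptions for illustration.

# --- 1. Default-deny inbound AND outbound on every profile, and log what is dropped ---
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 32767

# --- 2. The approved set: one allow rule per application/service, scoped as tightly as possible ---
$ApprovedRules = @(
    @{ DisplayName = 'ISM-1416 allow: browser outbound HTTP/HTTPS'
       Program = 'C:\Program Files\Mozilla Firefox\firefox.exe'            # assumed path
       Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 80, 443 },
    @{ DisplayName = 'ISM-1416 allow: update agent outbound HTTPS'
       Program = 'C:\Program Files\ExampleCorp\UpdateAgent\agent.exe'      # assumed path
       Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 443 },
    @{ DisplayName = 'ISM-1416 allow: management agent inbound from admin subnet'
       Program = 'C:\Program Files\ExampleCorp\MgmtAgent\mgmt.exe'         # assumed path
       Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 8443
       RemoteAddress = '10.20.30.0/24' }                                   # assumed admin subnet
)

foreach ($spec in $ApprovedRules) {
    # Idempotent: only create a rule if one with that name is not already present.
    if (-not (Get-NetFirewallRule -DisplayName $spec.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule @spec -Action Allow -Enabled True -Profile Any | Out-Null
    }
}

# --- 3. Audit: enabled allow rules in the *effective* policy that fall outside the approved set ---
function Get-UnapprovedFirewallRules {
    param([Parameter(Mandatory)][string[]]$ApprovedPrograms)
    # Normalise paths so '%ProgramFiles%\...' and 'C:\Program Files\...' compare equal.
    $approved = $ApprovedPrograms | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_).ToLowerInvariant()
    }
    # ActiveStore is the merged result of local rules and any Group Policy applied to the host.
    Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Action Allow | ForEach-Object {
        $rule    = $_
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        $normal  = [Environment]::ExpandEnvironmentVariables($program).ToLowerInvariant()
        # Rules bound to 'Any' program are broader than an application allowlist and are
        # reported for review alongside rules that name an unapproved executable.
        if ($program -eq 'Any' -or $approved -notcontains $normal) {
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Group       = $rule.DisplayGroup
                Direction   = $rule.Direction
                Program     = $program
                Store       = $rule.PolicyStoreSourceType   # Local vs GroupPolicy
            }
        }
    }
}

function Test-DefaultDeny {
    # True only if every profile is enabled and blocks by default in both directions.
    $weak = Get-NetFirewallProfile -PolicyStore ActiveStore | Where-Object {
        $_.Enabled -ne 'True' -or
        $_.DefaultInboundAction -ne 'Block' -or
        $_.DefaultOutboundAction -ne 'Block'
    }
    return ($null -eq $weak)
}

# --- 4. Produce the evidence an assessor asks for ---
$report = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    DefaultDenyOK   = Test-DefaultDeny
    UnapprovedRules = Get-UnapprovedFirewallRules -ApprovedPrograms ($ApprovedRules | ForEach-Object { $_.Program })
}
$report.UnapprovedRules | Format-Table DisplayName, Direction, Program, Store -AutoSize
$report | ConvertTo-Json -Depth 4 | Set-Content "$env:TEMP\ism-1416-firewall-audit.json"
```

On a freshly built host the audit will list the many built-in Windows rule groups (Core Networking, file and printer sharing, and so on); the review decides which of those are genuinely needed, records the reason for each one kept and disables the rest, which is exactly the evidence the configuration report below should show. When the policy is delivered through Group Policy, also set the profile option "Apply local firewall rules" to No, so that rules created by software installers on the endpoint do not silently extend the allowlist.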
Audit / evidence tips
- Ask for the firewall configuration report: request a document or screenshot that shows the current firewall settings on a workstation and a server, including the default inbound and outbound action.
  Good: Only necessary and approved applications are listed, with a clear reason for each one.
- Ask to see the policy for approving new applications: request the written policy that outlines how new applications are assessed before being approved for network access.
  Good: The policy includes IT team review, manager approval, and a documented update to the application list.
- Ask for records of recent firewall reviews: request evidence of the last review conducted by the IT team.
  Good: Reviews are carried out regularly (e.g., quarterly), and any changes are documented with reasons.
- Ask how staff are trained on network security: request details of training sessions or workshops held for employees.
  Good: Regular sessions with clear explanations on using only approved applications and identifying threats are held, and most staff attend.
- Ask about the procedure for handling unauthorised applications: request documentation of the steps taken if an unauthorised application is identified.
  Good: The procedure blocks an unauthorised application immediately, investigates its source, and updates future access policies.
Cross-framework mappings
How ISM-1416 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (1)
| Control | Notes | Details |
|---|---|---|
| Annex A 8.20 | ISM-1416 requires software firewalls on workstations and servers to restrict inbound and outbound network connections to an organisation-... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.