Disable Unneeded Software Functions and Services
Turn off or remove unnecessary parts and services of common software to improve security.
Plain language
This control is about turning off or removing parts of software that you're not using, like certain features in a web browser or email program. It matters because if you don't do this, you might accidentally leave the door open for hackers or malware, potentially leading to data being stolen or your computers being taken over.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 May 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardeningSection
User application hardeningOfficial control statement
Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF applications and security products are disabled or removed.
Why it matters
Leaving unnecessary software functions enabled increases the attack surface, exposing exploitable vulnerabilities and enabling malware or unauthorised access.
Operational notes
Regularly audit office, browser, email and PDF app settings; disable/remove unused add-ons, services and features, and prevent re-enabling without approval.
Implementation tips
- Business owners should work with their IT provider to identify software and programs that are used regularly and those that are not necessary. This can be achieved by reviewing business needs and aligning them with software capabilities.
- Office managers should regularly check with staff to gather feedback about software tools and unused features. Conduct short surveys to understand which functions are frequently used and which are rarely or never touched.
- IT teams should create a plan to disable or remove unnecessary software features or services. This involves checking settings in programs like office suites and internet browsers, then turning off or uninstalling features that are not needed for daily work.
- Procurement officers should ensure new software purchases are well-aligned with the business requirements, avoiding software filled with unnecessary features. During the acquisition process, focus on buying basic, secure versions of software that meet specific business functions.
- HR should support training sessions for staff about the importance of cybersecurity, including how disabling unused software can prevent potential online threats. Arrange these educational sessions at regular intervals as part of your cybersecurity awareness program.
Audit / evidence tips
- AskA list of all installed software and their components: Request a detailed inventory from the IT team GoodIs a regularly updated document with notes on disabled or removed components
- AskDocumentation on staff feedback regarding software use: Review any surveys or feedback reports collected by office managers. Good feedback includes responses about frequently unused features, and management's actions on this input
- GoodAudit will show both what was identified as unnecessary and the steps taken to disable or remove those features
- AskTraining records on cybersecurity awareness
Cross-framework mappings
How ISM-1470 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| sync_alt Partially overlaps (2) expand_less | ||
| link Related (2) expand_less | ||
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.