Skip to content
arrow_back
ISM-1470policyASD Information Security Manual (ISM)

Disable Unneeded Accounts, Components, Services and Application Functionality

Unneeded user accounts, components, services and functionality within user applications must be disabled or removed so that nothing extra remains available for an attacker to misuse.

record_voice_over

Plain language

Software and systems often ship with far more than your people actually use: spare login accounts, optional add-ons (components), background services, and built-in features inside everyday programs like web browsers, email clients and office software. This control says to switch off or delete anything you do not need. Each of these four areas matters: (1) **user accounts** that are no longer used, such as leftover logins from people who have left or test accounts; (2) **components**, which are optional add-on parts of an application; (3) **services**, which are background processes the software runs; and (4) **functionality of user applications**, meaning specific features inside the programs your staff use day to day. The idea is simple. The fewer accounts, parts and features that exist, the fewer ways there are for an attacker to get in or cause harm. This is often called reducing the "attack surface". A feature that is turned off cannot be exploited, so cleaning out the unused ones makes your systems both tidier and safer.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

June 2026

Control Stack last updated

18 June 2026

E8 maturity levels

N/A

Official control statement

Unneeded user accounts, components, services and functionality of user applications are disabled or removed.
policyASD Information Security Manual (ISM)ISM-1470
priority_high

Why it matters

Unused accounts, components, services and app features each give attackers an extra way in. Removing them shrinks the attack surface and lowers the chance of a breach.

settings

Operational notes

Treat this as ongoing, not a one-off. Re-check accounts, components, services and application features after every software update, since upgrades can re-enable items you previously removed.

build

Implementation tips

  • The IT team should build and maintain a list of every user account on each system, then disable or delete any account that no longer belongs to an active, authorised user, including leftover logins from departed staff, test accounts and default vendor accounts.
  • System owners should review the optional components and add-ons installed with each user application and remove the ones the business does not use, so that only the parts staff actually rely on remain present.
  • IT administrators should examine the background services each application or system runs and stop any that are not needed for the way your organisation uses that software, reducing the number of running processes that could be targeted.
  • Whoever configures the standard build for user applications such as web browsers, email clients and office suites should turn off built-in features that are not required, for example unused scripting, automatic content downloads or legacy file formats, and apply that hardened configuration to every machine.
  • IT should record this hardened baseline in a documented standard and re-check accounts, components, services and application features whenever software is updated or a new version is rolled out, because updates can quietly re-enable things that were previously switched off.
fact_check

Audit / evidence tips

  • Askhow the organisation identifies and removes unneeded user accountsLook ata current account list with disabled or deleted entries tied to departures, test accounts and default accountsGoodshows accounts are reviewed on a schedule and removed promptly with records kept
  • Askwhich optional components of user applications have been removed and whyLook atdocumentation listing the components removed from each applicationGoodexplains that only components the business actually uses remain installed
  • Askwhat background services have been disabled and how that decision was madeLook ata list of stopped services with a reason for eachGoodties each disabled service to it not being needed for business use
  • Askto see the hardened configuration applied to user applications such as browsers, email clients and office softwareLook ata documented standard that turns off unneeded built-in featuresGoodshows the same hardened settings applied consistently across all machines
  • Askhow the four areas are kept clean after software updatesLook atevidence that accounts, components, services and application features are re-checked after upgradesGoodshows updates do not silently re-enable removed items
link

Cross-framework mappings

How ISM-1470 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

ControlNotesDetails
layersPartially meets(2)expand_less
sync_altPartially overlaps(2)expand_less
linkRelated(2)expand_less

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

See all Guidelines for system hardening controls, or browse the full ASD ISM library.

Mapping detail

Mapping

Direction

Controls