ISM-1471 ASD Information Security Manual (ISM)

Utilise Publisher and Product Names in App Control

Use known publisher and product names to control which applications can run on a system.


Plain language

This control is about letting only safe applications run on computers by checking who created the app and what it's called. It's important because if you don't manage which apps can run, you might accidentally allow harmful software that can steal information or break systems.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When implementing application control using publisher certificate rules, publisher names and product names are used.

Why it matters

If publisher certificate rules don’t use publisher and product names, attackers can run malicious binaries under broad publisher rules, bypassing app control and enabling compromise.


Operational notes

When creating publisher certificate rules, confirm both publisher and product name values from signed binaries and routinely review/update them so overly broad publisher rules don’t allow unwanted apps.


Implementation tips

  • IT team should identify trusted applications: Compile a list of software needed for business operations along with their publisher and product names. This involves checking current software inventories and discussions with department heads to ensure all necessary applications are included.
  • IT manager should update policies: Develop or update existing application control policies to include rules based on publisher and product names. Outline steps for regularly updating these policies to reflect any changes in required applications, publisher updates, or associated risks.
  • Procurement team should liaise with vendors: Ensure that any new software purchases are compatible with application control policies by verifying publishers and product names before buying. This can be done through direct discussions with vendors or by consulting vendor documentation.
  • System administrators should configure application control settings: Use the operating system's security features to set rules allowing only approved publishers and product names. This includes regularly reviewing these settings to make sure they are up-to-date with the latest policies.
  • Staff training should be conducted by HR: Organise training sessions for staff to help them recognise safe applications, explaining how to request new software installations if needed. Use simple language and real-world examples to ensure understanding and compliance.

Audit / evidence tips

  • Ask: The application control policy document: Request to see the formal policy that dictates how applications are approved based on publisher and product names. Good: Includes a dated policy document with detailed guidelines on allowed publishers.
  • Ask: A software inventory report: Request an inventory that lists all applications currently installed on the system. Good: Is a regularly updated report with no mismatched entries.
  • Ask: A record of system configuration settings: Examine the settings that enforce application control rules on systems. Good: Would show the settings correctly block unapproved applications based on the policy.
  • Ask: Vendor communication records: Request emails or meeting notes regarding software procurement and check for discussions about publisher/product name verification. Good: Includes comprehensive records of these checks.
  • Ask: Training records: Request documentation proving that staff have received training on the application control policy. Review attendance sheets and training materials. Good: Includes clear evidence of regular training sessions and feedback forms from participants.

Cross-framework mappings

How ISM-1471 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control Notes Details
Supports (2)
E8-AC-ML1.3 ISM-1471 requires that when implementing application control using publisher certificate rules, organisations use publisher names and pro...
E8-AC-ML2.4 ISM-1471 requires using publisher and product names in publisher certificate rules as part of implementing application control

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
