Prevent Web Browsers from Processing Ads
Block web browsers from displaying online ads to enhance security.
Plain language
This control is about stopping your web browser from showing online advertisements, which can sometimes carry harmful software or trick you into trusting malicious sites. If ads are not blocked, you might accidentally click on one that installs malware on your computer, risking your sensitive information and security.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system hardeningSection
User application hardeningOfficial control statement
Web browsers do not process web advertisements from the internet.
Why it matters
Without blocking ads, users risk exposure to malicious software through deceptive adverts, increasing the likelihood of data breaches.
Operational notes
Deploy and regularly update browser ad-blocking or filtering so adverts from the internet are not processed; verify effectiveness after browser updates.
Implementation tips
- IT team should install ad-blocking software on all company browsers. They can do this by choosing a reliable ad blocker extension like uBlock Origin and deploying it across all browsers through central management systems.
- System administrators should configure network settings to block ad-serving domains. This can be done by updating the organisation’s firewall or DNS settings to prevent connections to known ad servers.
- Office managers should provide regular training sessions for staff on recognising malicious ads and the importance of not interacting with them. They can organise monthly workshops or provide digital learning resources.
- Procurement should ensure that any new software or browser updates support ad-blocking features. This involves checking with software vendors for compatibility with ad-blocking tools before purchase.
- Information security officers should regularly review ad-blocking effectiveness by conducting quarterly audits. They can assess IT reports to ensure that additional or updated ad scripts are consistently blocked by the system.
Audit / evidence tips
-
Aska list of installed browser extensions: Request the inventory showing ad-blocking extensions installed across organisational devices
GoodA current inventory listing the extension installed on all relevant systems with verification dates
-
Asknetwork policy documentation: Request evidence of network settings configured to block ad-serving domains
GoodDocumentation that outlines configured settings with up-to-date ad server lists
-
Asktraining materials and attendance records: Request documentation on staff training about ad risks and reporting
GoodRecords showing regular training sessions with attendance logs and feedback forms
-
Askvendor compatibility reports: Request documents from procurement regarding ad-blocking capabilities of new software
GoodReports showing all software purchases support ad-blocking, with vendor confirmations
-
Askquarterly audit reports on ad-blocking effectiveness: Request recent audits or assessments conducted by information security officers
GoodA well-documented audit trail showing adjustments and problem resolution
Cross-framework mappings
How ISM-1485 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.23 | ISM-1485 requires blocking browsers from processing web advertisements from the internet to reduce exposure to malicious content delivere... | |
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| E8-AH-ML2.1 | ISM-1485 requires one specific hardening setting: preventing browsers from processing web advertisements from the internet | |
| sync_alt Partially overlaps (1) expand_less | ||
| E8-AH-ML1.2 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet to reduce the attack surface from active content exe... | |
| link Related (1) expand_less | ||
| E8-AH-ML1.3 | E8-AH-ML1.3 requires that web browsers do not process web advertisements from the internet to reduce exposure to malvertising and ad-deli... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.