ISM-1486: ASD Information Security Manual (ISM)

Restrict Java Processing in Web Browsers

Ensure web browsers are set to block Java from running online.

Plain language

This control means you need to set up your web browsers so that they don't run Java from websites. It's important because Java can be a way for hackers to sneak into your computer and steal information or cause damage. By stopping browsers from processing Java, you reduce the risk of getting a virus or being hacked while surfing the web.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

18 May 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Web browsers do not process Java from the internet.

Why it matters

Allowing Java in browsers exposes systems to drive-by download attacks, risking data breaches or malware infections.

Operational notes

Verify browser policy keeps Java disabled and remove/uninstall any Java browser plug-ins. Recheck after browser updates.

Implementation tips

  • IT team should disable Java in web browsers: Go into the settings of each browser used in your organisation and turn off any options that allow Java to run. This can usually be done under the security or plugin settings in the browser's options menu.
  • System administrators should ensure regular updates: Regularly check the settings to ensure Java remains disabled after browser updates, as sometimes updates can reset settings. Keep a checklist of steps to follow after each update.
  • Train employees about Java risks: HR or IT should organise a short training session explaining why Java is blocked in browsers and the potential risks it poses. Use examples of past security breaches that happened due to Java vulnerabilities to make it clear why this is necessary.
  • Managers should review IT policies: Make sure any policies about internet use and browser settings explicitly mention the ban on Java. Update the policy documents and get them signed off by relevant authorities to ensure clarity and compliance.

Audit / evidence tips

  • Ask: Browser configuration screenshots. Request screenshots of the security settings from different web browsers used in your organisation. Good: Shows Java plugins disabled and blocked by default.
  • Ask: System update logs. Request documentation showing that browser settings were checked post-updates. Good: Includes a recent log with action details and timestamps.
  • Ask: Training attendance records. Request evidence of training sessions held for employees about Java risks. Good: Includes records with dates, attendee lists, and training content outlines.
  • Ask: Internet use policy documents. Request the latest version of internet use and security policy documents. Examine these documents for clear statements about the restriction of Java in browsers. Good: Shows specific clauses mentioning Java controls, signed by management.
  • Ask: Software purchase records. Request recent procurement documents for new software purchases. Check these documents for vendor compliance with Java restrictions. Good: Includes vendor confirmations in writing that Java is not necessary for their products.

Cross-framework mappings

How ISM-1486 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.7: ISM-1486 requires that web browsers do not process Java from the internet as a measure to reduce web-borne code execution risk

E8

Partially meets (1)

  • E8-AH-ML2.1: ISM-1486 requires that web browsers do not process Java from the internet

Supports (1)

  • E8-AH-ML1.4: ISM-1486 requires that web browsers do not process Java from the internet

Related (1)

  • E8-AH-ML1.2: E8-AH-ML1.2 requires that web browsers do not process Java content sourced from the internet

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
