ISM-1486 ASD Information Security Manual (ISM)

Restrict Java Processing in Web Browsers

Ensure web browsers are set to block Java from running online.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2021

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML1, ML2, ML3

Official control statement
Web browsers do not process Java from the internet.

Source: ASD Information Security Manual (ISM)

Plain language

This control means you need to set up your web browsers so that they don't run Java from websites. It's important because Java can be a way for hackers to sneak into your computer and steal information or cause damage. By stopping browsers from processing Java, you reduce the risk of getting a virus or being hacked while surfing the web.

Why it matters

Allowing Java in browsers exposes systems to drive-by download attacks, risking data breaches or malware infections.

Operational notes

Verify browser policy keeps Java disabled and remove/uninstall any Java browser plug-ins. Recheck after browser updates.

Implementation tips

  • IT team should disable Java in web browsers: Go into the settings of each browser used in your organisation and turn off any options that allow Java to run. This can usually be done under the security or plugin settings in the browser's options menu.
  • System administrators should ensure regular updates: Regularly check the settings to ensure Java remains disabled after browser updates, as sometimes updates can reset settings. Keep a checklist of steps to follow after each update.
  • Train employees about Java risks: HR or IT should organise a short training session explaining why Java is blocked in browsers and the potential risks it poses. Use examples of past security breaches that happened due to Java vulnerabilities to make it clear why this is necessary.
  • Managers should review IT policies: Make sure any policies about internet use and browser settings explicitly mention the ban on Java. Update the policy documents and get them signed off by relevant authorities to ensure clarity and compliance.
  • Ask vendors about their technology requirements before purchase: Confirm whether a product depends on Java in the browser, and seek alternatives if it relies heavily on Java.

Audit / evidence tips

  • Ask: browser configuration screenshots: Request screenshots of the security settings from different web browsers used in your organisation

    Good: shows Java plugins disabled and blocked by default

  • Ask: system update logs: Request documentation showing that browser settings were checked post-updates

    Good: includes a recent log with action details and timestamps

  • Ask: training attendance records: Request evidence of training sessions held for employees about Java risks

    Good: includes records with dates, attendee lists, and training content outlines

  • Ask: internet use policy documents: Request the latest version of internet use and security policy documents. Examine these documents for clear statements about the restriction of Java in browsers

    Good: shows specific clauses mentioning Java controls, signed by management

  • Ask: software purchase records: Request recent procurement documents for new software purchases. Check these documents for vendor compliance with Java restrictions

    Good: includes vendor confirmations in writing that Java is not necessary for their products

Cross-framework mappings

How ISM-1486 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control | Notes
Partially meets (1)
Annex A 8.7 | ISM-1486 requires that web browsers do not process Java from the internet as a measure to reduce web-borne code execution risk

E8

Control | Notes
Partially meets (1)
E8-AH-ML2.1 | ISM-1486 requires that web browsers do not process Java from the internet
Supports (1)
E8-AH-ML1.4 | ISM-1486 requires that web browsers do not process Java from the internet
Related (1)
E8-AH-ML1.2 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet
