ISM-1490 ASD Information Security Manual (ISM)

Implement Application Control on Internet-Facing Servers

Ensure application security by using controls on servers exposed to the internet.


Plain language

This control is about making sure that only safe and approved applications can run on servers that can be accessed from the internet. It matters because if unsafe software gets onto these servers, hackers could exploit it to steal data, damage your systems, or disrupt your services.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

Application control is implemented on internet-facing servers.
ASD Information Security Manual (ISM) ISM-1490

Why it matters

Without application control on internet-facing servers, unauthorised binaries and scripts can execute, enabling compromise, data exfiltration, or service disruption.


Operational notes

Maintain enforced allowlists on internet-facing servers; review and approve new binaries, test rules after patching, and monitor application-control logs for blocked or unexpected executions.


Implementation tips

  • The IT team should create a list of approved applications that are allowed to run on servers facing the internet. They can do this by evaluating the software currently used and determining which ones are essential and secure.
  • System owners need to work with the IT team to ensure these approved applications are installed on their internet-facing servers. This means checking current installations and removing unauthorised ones.
  • The IT team should set up application control software that monitors and restricts what applications can run on the servers. They can configure this software to automatically block unauthorised applications.
  • Managers should train staff on the importance of using only approved applications, explaining how unauthorised software could lead to security breaches or service interruptions.
  • The IT security officer should schedule regular reviews of the application control measures in place. This involves checking logs to ensure only approved applications are running and adjusting the approved list as needed.

Audit / evidence tips

  • Ask: The list of approved applications for internet-facing servers. Good: List is detailed, up-to-date, and includes security assessments for each application.
  • Good: Setup will show active monitoring and blocking capabilities.
  • Ask: Training records for staff regarding application use.
  • Good: Result is logs showing unauthorised applications being effectively blocked.
  • Ask: Evidence of recent reviews of application controls. Good: Report includes detailed findings and identified improvements.

Cross-framework mappings

How ISM-1490 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Partially overlaps (2)

  • E8-AC-ML1.1: ISM-1490 requires application control to be implemented on internet-facing servers to reduce the attack surface on externally exposed ser...
  • E8-AC-ML3.1: ISM-1490 requires application control to be implemented on internet-facing servers

Supports (1)

  • E8-AC-ML2.2: ISM-1490 requires implementing application control on internet-facing servers

Related (1)

  • E8-AC-ML2.1: E8-AC-ML2.1 requires application control to be implemented on internet-facing servers so only approved applications can execute

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
