Routine Validation of Application Control Rulesets
Check and update app control rules at least yearly to maintain security.
Plain language
This control is about routinely checking and updating the rules that determine which applications can run on your organisation's computers. It matters because rules drift: software is retired, paths change, and exceptions granted for one project linger. Stale allow rules can let unapproved or malicious software run, putting your business at risk of cyber attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Control
Official control statement
Application control rulesets are validated on an annual or more frequent basis.
Why it matters
Outdated application control rules can allow unapproved or malicious executables to run, increasing the risk of compromise and disruption.
Operational notes
Validate application control rulesets at least annually and after major changes; remove stale allow rules, confirm blocks still work, and record results and exceptions.
Implementation tips
- The IT team should schedule a review of application control rules at least annually and after major changes to the environment. Create a calendar reminder at the beginning of the year so the task is not missed.
- System owners should work with the IT team to identify which applications are critical and must be allowed. Hold a meeting with key team members to list all necessary software.
- Managers should communicate with their teams to collect feedback on any application usage issues. Send out a simple survey to understand what applications are needed or problematic.
- The IT team should test changes to the rules in a controlled environment before applying them organisation-wide. Set up a test computer or virtual machine to try out the new settings.
- Finally, IT staff must update the documentation to reflect any changes made to the application control rules. Use clear language and list each rule change along with reasons.
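The checks described in the operational notes and the implementation tips above, as an added example (not code from the ISM, ASD or Control Stack): an offline script that flags stale or overbroad allow rules and re-runs a set of expected allow/deny decisions against the ruleset before it is pushed out. It assumes the ruleset is an AppLocker policy exported as XML (the page names no product); the sample policy, the approved-hash inventory and the variable expansion table are all constructed for illustration.

```python
"""Offline validation of an exported application control ruleset.
Added example; assumes an AppLocker-style XML export (the page names no
product). Policy, hash inventory and ENV table are constructed."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed export: a1 and d1 are sound; a2, a3, a4 and the Script
# collection are the kind of drift a yearly review should catch.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
    <FilePathRule Id="a2" Name="Temp build tools (2019 project)" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*"/></Conditions></FilePathRule>
    <FilePublisherRule Id="a3" Name="Any signed binary" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions>
    </FilePublisherRule>
    <FileHashRule Id="a4" Name="legacy-reporter.exe" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FileHashCondition><FileHash Type="SHA256" Data="0xAAAA" SourceFileName="legacy-reporter.exe" SourceFileLength="1"/></FileHashCondition></Conditions>
    </FileHashRule>
    <FilePathRule Id="d1" Name="Block Downloads" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*"/></Conditions></FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly"/>
</AppLockerPolicy>
"""

# Constructed: SHA-256 values still present in the approved software inventory.
CURRENT_INVENTORY_HASHES = {"0xBBBB", "0xCCCC"}
# Locations a standard user can write to; an Allow rule rooted here lets
# users run whatever they drop there, which defeats application control.
USER_WRITABLE_PREFIXES = ("%OSDRIVE%\\USERS\\", "%TEMP%", "%LOCALAPPDATA%", "%APPDATA%")
# Constructed expansion table used by the decision simulator.
ENV = {"%OSDRIVE%": "C:", "%PROGRAMFILES%": "C:\\Program Files"}


def validate_ruleset(policy_xml, inventory_hashes):
    """Return (collection, rule id, kind, detail) for each stale,
    overbroad or unenforced item found in the export."""
    findings = []
    root = ET.fromstring(policy_xml)
    for coll in root.iter("RuleCollection"):
        ctype, mode = coll.get("Type"), coll.get("EnforcementMode")
        if mode != "Enabled":
            findings.append((ctype, None, "not-enforced", f"collection is {mode}; its blocks have no effect"))
        for rule in coll:
            if rule.get("Action") != "Allow":
                continue  # Deny rules are exercised by decide(), not by this static pass
            rid = rule.get("Id")
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if path == "*" or path.upper().startswith(USER_WRITABLE_PREFIXES):
                    findings.append((ctype, rid, "user-writable-allow", path))
            for cond in rule.iter("FilePublisherCondition"):
                if cond.get("PublisherName") == "*":
                    findings.append((ctype, rid, "any-publisher", "allows any signed binary"))
            for h in rule.iter("FileHash"):
                if h.get("Data") not in inventory_hashes:
                    findings.append((ctype, rid, "stale-hash", h.get("SourceFileName")))
    return findings


def _expand(pattern):
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    return pattern.upper()


def decide(policy_xml, collection_type, file_path):
    """Simulate the path-rule outcome for one file: an explicit Deny beats
    any Allow, and a file no Allow rule matches is denied by default.
    Publisher and hash rules are skipped here because they need the file's
    signature and contents, which an offline review of the XML lacks."""
    root = ET.fromstring(policy_xml)
    allowed = denied = False
    target = file_path.upper()
    for coll in root.iter("RuleCollection"):
        if coll.get("Type") != collection_type:
            continue
        for rule in coll.findall("FilePathRule"):
            for cond in rule.iter("FilePathCondition"):
                if fnmatch.fnmatchcase(target, _expand(cond.get("Path", ""))):
                    if rule.get("Action") == "Deny":
                        denied = True
                    else:
                        allowed = True
    return "Denied" if denied or not allowed else "Allowed"


# Constructed regression cases: decisions the ruleset must keep producing.
EXPECTED = [
    (r"C:\Program Files\Vendor\app.exe", "Allowed"),
    (r"C:\Users\alice\Downloads\tool.exe", "Denied"),
    (r"D:\portable\unknown.exe", "Denied"),
]


def regression_failures(policy_xml, cases=EXPECTED):
    """Return (path, expected, actual) for each case whose decision changed."""
    results = [(p, want, decide(policy_xml, "Exe", p)) for p, want in cases]
    return [r for r in results if r[1] != r[2]]


if __name__ == "__main__":
    for f in validate_ruleset(SAMPLE_POLICY, CURRENT_INVENTORY_HASHES):
        print("FINDING", *f)
    print("regression failures:", regression_failures(SAMPLE_POLICY))
```

Keep the regression cases in version control next to the ruleset and run them on every change, not just at the annual review; the list of findings and the regression output together are the record the audit tips below ask for. On a Windows host the authoritative evaluation is the AppLocker tooling itself (`Get-AppLockerPolicy -Effective -Xml` to export the live ruleset, `Test-AppLockerPolicy` to evaluate real files including publisher and hash rules); this script is the offline review pass that runs before those.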
Audit / evidence tips
- Ask for the application control review schedule: check the date and frequency of planned reviews. Good: shows documented yearly or more frequent reviews.
- Ask for meeting records from application control discussions: check minutes or notes for evidence of system owner involvement. Good: shows engagement from key personnel in update decisions.
- Ask for survey responses or feedback collection documentation: check for details indicating team feedback on application needs. Good: shows comprehensive input from a range of users.
- Ask to see the testing protocol for rule changes. Good: includes successful test completion and modifications made in response to results.
- Ask for documentation on the updated rules: ensure the list is current and clearly written. Good: an accessible, detailed and current document.
Cross-framework mappings
How ISM-1582 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8

| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-RM-ML3.6 | E8-RM-ML3.6 requires an annual validation of Microsoft Office's trusted publishers list to ensure only approved macro signers remain trusted |
| Related | E8-AC-ML2.4 | ISM-1582 requires application control rulesets to be validated on an annual or more frequent basis |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.